Privacy Policy — docto.co.za
Last Updated: 23 June 2026
1. Introduction
Khula Information Systems cc. ("Docto", "we", "us", or "our"), trading as Docto and operating docto.co.za (the "Site"), takes your privacy seriously. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Site and services.
This policy is written in plain language so you understand exactly how your information is handled.
Terms used in this Privacy Policy have the meanings given to them in the Protection of Personal Information Act 4 of 2013 ("POPIA") and our Terms and Conditions, unless otherwise defined here.
2. Who We Are (Responsible Party)
The Responsible Party for your personal information under POPIA is:
Khula Information Systems cc. Trading as: Docto Address: 1 Nirvana Drive, Lenasia, South Africa Website: docto.co.za Email: privacy@docto.co.za
For POPIA enquiries, requests, and complaints, please contact our Information Officer at privacy@docto.co.za.
3. What Personal Information We Collect
When you use the Site, we may collect the following categories of personal information:
3.1 Information you provide directly
- Identity information: your first name and surname
- Contact details: email address and telephone number
- Booking information: the Provider you selected, your preferred appointment date and time, and the nature of the appointment (e.g. general practitioner, specialist, dentist, or allied health professional)
We do not collect your South African ID number, medical records, diagnoses, prescriptions, clinical notes, or any other detailed health information through the Site. Docto is a scheduling platform only.
3.2 Information collected automatically
When you visit the Site, we automatically collect certain information using our own first-party analytics:
- Technical data: IP address, browser type and version, operating system, and device type
- Usage data: the searches you run (such as the specialty, area, and search radius), the doctors you select or whose profiles you view, pages visited, and the site or link that referred you
- Approximate location: an approximate city, province, and country derived from your IP address (see Section 7.3)
- Cookie data: see Section 7 (Cookies) below
We use our own analytics, built into the Site and stored in our own infrastructure. We do not use Google Analytics or any third-party advertising or cross-site tracking service.
4. Why We Collect Your Personal Information (Purposes of Processing)
We process your personal information for the following lawful purposes under POPIA:
| Purpose | Lawful Basis |
|---|---|
| To facilitate the booking of appointments with Providers | Performance of a service you requested |
| To send you booking confirmations, reminders, and account notifications | Performance of a service / legitimate interest |
| To allow the selected Provider to prepare for and fulfil your appointment | Performance of a service you requested |
| To improve and optimise the Site and Services | Legitimate interest |
| To detect and prevent fraud, abuse, or security threats | Legitimate interest / legal obligation |
| To comply with applicable laws and regulations | Legal obligation |
| To send you direct marketing communications (with your consent) | Consent (opt-in) |
| To conduct anonymised statistical and analytical research | Legitimate interest |
We will not process your personal information for any purpose incompatible with the purposes listed above without your prior consent.
5. Direct Marketing
We currently send only transactional communications (booking confirmations, reminders, and account-related notices). We may in future send you health-related information, tips, or promotional communications from Docto.
If and when we do so, we will:
- Only send marketing communications to you if you have opted in to receive them;
- Include a clear and easy unsubscribe mechanism in every marketing communication;
- Stop sending marketing communications promptly upon your request.
To opt out of marketing at any time, email us at privacy@docto.co.za or click "unsubscribe" in any marketing email.
6. Who We Share Your Personal Information With
We treat your personal information with care and do not sell, rent, or trade it to third parties for their own promotional purposes. We may share your information in the following circumstances:
6.1 Healthcare Providers
When you book an appointment, we share the necessary booking details (your name, contact details, and appointment information) with the Provider you have selected, to enable them to fulfil the appointment.
6.2 Service Providers and Technology Partners
We use trusted third-party service providers who assist us in operating the Site, including:
- Cloud hosting and infrastructure providers that host the Site and our database (see Section 8 on cross-border transfers)
- A geolocation service that converts an IP address into an approximate location, such as a city or province, for our statistics (see Section 7.3)
- Email and SMS delivery services for sending booking confirmations and notifications
We do not use third-party analytics providers such as Google Analytics. Our analytics are first-party and are stored in our own database.
All third-party service providers are required to handle your personal information in accordance with applicable data protection laws and are prohibited from using it for any other purpose.
6.3 Legal Requirements
We may disclose your personal information if required to do so by law, court order, or regulatory authority, or where we reasonably believe disclosure is necessary to protect the rights, property, or safety of Docto, our users, or the public.
6.4 Business Transfers
In the event of a merger, sale, acquisition, or restructuring of Khula Information Systems cc., your personal information may be transferred to the successor entity. We will notify you before your information becomes subject to a different privacy policy, and you will have the opportunity to request deletion of your data.
6.5 What We Do NOT Share
- We do not share your personal information with medical aids, health insurers, or any third party for advertising or profiling purposes.
- We do not share clinical or health data through the Site (as we do not collect it).
7. Cookies and Analytics
7.1 What Are Cookies?
Cookies are small text files placed on your device when you visit the Site. They help us understand how the Site is used and improve your experience.
7.2 Cookies We Use
| Cookie Type | Purpose | Examples |
|---|---|---|
| Essential cookies | Required for the Site to function (e.g. login session management, security) | Login session cookie |
| Analytics cookie | A first-party, anonymous identifier that lets us count unique visitors and understand how the Site is used | docto_sid — first-party, random, contains no personal information |
We do not currently use advertising or retargeting cookies. If this changes, we will update this policy and seek your consent where required.
7.3 Our Analytics and Approximate Location
We use our own first-party analytics to understand how the Site is used — for example, which specialties and areas people search for, which doctor profiles are selected and viewed, and how many people visit. This information is collected directly by us and stored in our own database. We do not use Google Analytics or any similar third-party analytics service, and we do not use analytics or advertising cookies that track you across other websites.
To recognise repeat visits and count unique visitors, we set a single first-party cookie containing a random, anonymous identifier (see Section 7.2). It contains no name, email address, or other information that identifies you.
To understand roughly where our visitors are located (at the level of a city or province), we send your IP address to a third-party geolocation service, which returns only an approximate location. We use that approximate location for our statistics. We automatically remove the full IP address from our analytics records after 90 days, retaining only the approximate location for longer-term trends.
7.4 Managing Cookies
You can control or disable cookies through your browser settings. Disabling essential cookies may affect the functionality of the Site. To learn more about managing cookies, visit allaboutcookies.org.
8. Cross-Border Transfers of Personal Information
The Site is hosted on international cloud infrastructure (such as Amazon Web Services, Microsoft Azure, or Google Cloud Platform). This means your personal information may be transferred to and stored on servers located outside the Republic of South Africa.
We take reasonable steps to ensure that any international transfers of your personal information are made only to countries or recipients that provide an adequate level of protection for personal information, or are subject to appropriate contractual safeguards consistent with POPIA.
By using the Site and providing your personal information, you acknowledge that your information may be processed outside South Africa as described in this policy.
9. How Long We Keep Your Personal Information (Retention)
We retain your personal information for as long as is necessary to fulfil the purposes for which it was collected, including to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements.
In general:
- Booking records: retained for a reasonable period after your last use of the Site to allow you to access your booking history, and thereafter deleted or anonymised.
- Account information: retained for as long as your account is active, and for a reasonable period thereafter.
- Analytics data: retained to help us understand and improve the Site. The full IP address is removed from analytics records after 90 days; the remaining records contain no information that identifies you and may be kept in that anonymised form indefinitely.
You may request deletion of your personal information at any time by contacting us at privacy@docto.co.za. Please note that deletion of your information by Docto does not automatically result in deletion by any Provider you may have visited — you must contact them separately.
10. Security of Your Personal Information
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, misuse, alteration, or destruction. These include:
- Secure (HTTPS) data transmission;
- Access controls restricting who can access personal data within our organisation;
- Contractual security obligations imposed on our service providers.
No method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee absolute security. In the event of a security compromise that materially affects you, we will notify you and the Information Regulator as required by POPIA.
11. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights:
Right of access — You may request a copy of the personal information we hold about you.
Right to correction — You may request that we correct inaccurate, incomplete, misleading, or out-of-date personal information.
Right to deletion — You may request that we delete your personal information, subject to our legal obligations to retain certain records.
Right to object — You may object to the processing of your personal information on grounds relating to your particular situation, or object to direct marketing at any time.
Right to data portability — Where technically feasible, you may request that your personal information be provided to you in a structured, commonly used format.
Right to lodge a complaint — If you believe we have processed your personal information unlawfully or in violation of POPIA, you have the right to lodge a complaint with the Information Regulator of South Africa:
Information Regulator (South Africa) JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 Email: inforeg@justice.gov.za Website: inforegulator.org.za
To exercise any of your rights, contact our Information Officer at privacy@docto.co.za. We will respond within a reasonable time and in accordance with POPIA.
12. Children's Privacy
The Site and Services are not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe your child has provided personal information to us, please contact us at privacy@docto.co.za and we will take prompt steps to delete that information.
13. Links to Third-Party Sites
The Site may contain links to third-party websites, including Provider websites. This Privacy Policy applies only to docto.co.za. We are not responsible for the privacy practices of any third-party site, and we encourage you to read the privacy policies of any site you visit.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will post the revised policy on the Site with an updated "Last Updated" date. Where changes are material, we will notify you by email or by a prominent notice on the Site. Your continued use of the Site after any changes constitutes your acceptance of the updated policy.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal information, please contact:
Information Officer — Khula Information Systems cc. Trading as Docto Address: 1 Nirvana Drive, Lenasia, South Africa Email: privacy@docto.co.za Website: docto.co.za
This Privacy Policy was last updated on 23 June 2026.