Privacy Policy

Effective Date: June 14, 2025
Last Updated: June 14, 2025

1. Introduction

Afia Sync LLC ("Company," "we," "us," or "our") is committed to protecting the privacy and security of personal information, including Protected Health Information (PHI), processed through our Electronic Health Records (EHR) platform. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use Afia Sync.

This policy applies to all users of the Afia Sync platform, including healthcare providers, administrators, and authorized personnel ("you" or "User").

2. Information We Collect

2.1 Patient Health Information

As an EHR platform, Afia Sync processes various types of patient health information, including:

  • Demographic Information: Names, dates of birth, addresses, contact information, identification numbers
  • Medical Records: Diagnoses, treatment plans, medications, allergies, medical history
  • Clinical Data: Vital signs, lab results, imaging reports, progress notes
  • Appointment Information: Scheduling data, provider assignments, visit summaries
  • Billing Information: Insurance details, payment records, claims data

2.2 User Account Information

We collect information necessary to provide our services, including:

  • Registration Data: Name, email address, phone number, professional credentials
  • Login Information: Username, encrypted passwords, authentication tokens
  • Profile Information: Job title, department, facility affiliation
  • Preferences: Language settings, notification preferences, dashboard configurations

2.3 Technical Information

We automatically collect certain technical information:

  • Usage Data: Log files, access times, features used, session duration
  • Device Information: IP addresses, browser type, operating system, device identifiers
  • Performance Data: System response times, error logs, application performance metrics
  • Security Logs: Authentication attempts, access patterns, security events

2.4 Communication Data

We may collect information from your communications with us:

  • Support Interactions: Help desk tickets, chat logs, phone call records
  • Feedback: Surveys, feature requests, user experience feedback
  • Training Records: Participation in training sessions, certification completion

3. How We Use Information

3.1 Primary Purposes

We use the information we collect for the following primary purposes:

  • Healthcare Operations: Facilitating patient care, treatment coordination, and clinical decision-making
  • Platform Functionality: Providing EHR services, user authentication, and system operations
  • Compliance: Meeting regulatory requirements under HIPAA, POPIA, and other applicable laws
  • Quality Assurance: Ensuring data accuracy, system reliability, and service quality

3.2 Secondary Purposes

With appropriate safeguards and where legally permitted, we may use information for:

  • Service Improvement: Analyzing usage patterns to enhance platform features and performance
  • Research and Analytics: Creating anonymized, aggregated reports for healthcare research
  • Training and Education: Developing training materials and best practice guidelines
  • Business Operations: Billing, customer support, and platform administration

3.3 Legal Bases for Processing (POPIA Compliance)

Our legal bases for processing personal information include:

  • Consent: Where you have provided explicit consent for specific processing activities
  • Contractual Necessity: Processing required to fulfill our service agreement with you
  • Legal Obligation: Compliance with healthcare regulations and legal requirements
  • Legitimate Interests: Improving our services while ensuring your fundamental rights are protected

4. Data Security Measures

4.1 Technical Safeguards

We implement comprehensive technical security measures:

Encryption:

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • End-to-end encryption for sensitive communications

Access Controls:

  • Multi-factor authentication (MFA) for all user accounts
  • Role-based access control (RBAC) with principle of least privilege
  • Automated session timeouts and account lockout policies

Infrastructure Security:

  • Hosting on Microsoft Azure with SOC 2 Type II compliance
  • Regular security patches and updates
  • Intrusion detection and prevention systems
  • 24/7 security monitoring and incident response

5. Your Rights and Choices

5.1 Access Rights

You have the right to:

  • Access personal information we hold about you
  • Receive a copy of your information in a structured, machine-readable format
  • Understand how your information is being processed

5.2 Correction and Amendment

You may:

  • Request correction of inaccurate or incomplete information
  • Update your account information through the platform
  • Request amendments to patient records in accordance with healthcare regulations

5.3 Data Portability

You have the right to:

  • Export your data from Afia Sync
  • Receive data in a standard format for transfer to another system
  • Request assistance with data migration upon account termination

6. International Data Transfers

6.1 Data Residency

Afia Sync stores all data in the Microsoft Azure South Africa North region to ensure data residency within South Africa and compliance with local data protection laws.

6.2 Cross-Border Transfers

In limited circumstances, personal information may be transferred outside South Africa:

  • For technical support and system maintenance (with appropriate safeguards)
  • To comply with legal obligations or court orders
  • With your explicit consent for specific purposes

7. Regulatory Compliance

7.1 HIPAA Compliance

Afia Sync is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA):

  • Business Associate Agreements (BAAs) available for covered entities
  • Implementation of required administrative, physical, and technical safeguards
  • Regular compliance audits and risk assessments

7.2 POPIA Compliance

We comply with the Protection of Personal Information Act (POPIA):

  • Lawful processing of personal information
  • Implementation of appropriate security measures
  • Respect for individual rights and freedoms
  • Transparent information processing practices

8. Contact Information and Complaints

8.1 Privacy Officer

For privacy-related questions or concerns, contact our Privacy Officer:

Privacy Officer
Afia Sync LLC
Email: info@afiasync.com

8.2 Data Protection Authority

You have the right to lodge a complaint with the Information Regulator of South Africa:

Information Regulator
Email: complaints.IR@justice.gov.za
Phone: +27 (0)12 406 4818
Website: www.justice.gov.za/inforegulator

This Privacy Policy is effective as of the date listed above and supersedes all previous versions. By using Afia Sync, you acknowledge that you have read, understood, and agree to this Privacy Policy.

Document Version: 1.0
Next Review Date: June 14, 2026
