Biowell Emblem

PRIVACY POLICY

DNA
Quick Navigation

BIOWELL PRIVACY POLICY

1. Who we are

BioWell is a South African online medical platform providing structured metabolic weight and wellness management under the guidance of Dr GL Vosloo and a qualified clinical team.

BioWell acts as a practice management solution and operates as a private company registered in South Africa under the name Bio Well (PTY) LTD Reg number: 2025/921670/07.

For purposes of the Protection of Personal Information Act 4 of 2013 (POPIA), the responsible party in respect of personal information processed through the BioWell website and patient platform is Dr GL Vosloo.

All clinical services are delivered within a formal medical practice framework. All prescribing decisions are made by registered medical practitioners. BioWell does not operate as a pharmacy, a product reseller, or a marketplace for medical products.

BioWell’s website is accessible at https://www.bio-well.co.za , and the secure patient platform is hosted on infrastructure located in South Africa.

BioWell processes personal information in the course of providing regulated medical services. Health information collected through the platform constitutes special personal information under POPIA and is treated accordingly.

2. Formal statement of intent

BioWell recognises that the personal information it processes includes sensitive medical and health information. BioWell therefore commits to processing all personal information lawfully, fairly, and transparently in accordance with POPIA, applicable health records legislation, and the ethical rules of the Health Professions Council of South Africa (HPCSA).

This privacy policy records the principles that govern how personal information is collected, used, stored, disclosed, and protected in the course of delivering medical services through the BioWell website and patient platform. It is intended to provide clarity on the scope of processing activities and the safeguards applied to protect data subjects.

BioWell limits the collection of personal information to what is necessary for clinical assessment, treatment, prescription management, regulatory compliance, and related administrative functions. Personal information is not collected for speculative, unrelated, or excessive purposes.

BioWell does not treat personal information as a commercial asset. Personal information, particularly health information, is processed solely within the context of professional medical services and subject to strict confidentiality obligations.

BioWell maintains internal governance structures to ensure that personal information is handled in a manner consistent with statutory requirements, professional secrecy obligations, and accepted standards of medical confidentiality.

This policy sets out the principles that govern how personal information is handled across the BioWell website and patient platform. It is intended to provide clarity regarding BioWell’s approach to privacy, accountability, and regulatory compliance.

3. Policy scope

This policy applies to:

• The processing of personal information through the BioWell website, the secure patient platform, and any associated digital or administrative systems used in the delivery of BioWell’s medical services.

• The processing of personal information relating to patients, prospective patients, website users, and any individual who communicates with BioWell in connection with its services.

• The processing of personal information in electronic form and, where relevant, in physical form as part of clinical or administrative records.

This policy does not extend to third-party websites, platforms, or services that are not owned or controlled by BioWell, even where such platforms are linked from the BioWell website. Those entities are responsible for their own privacy practices.

This policy must be read together with any applicable terms of use, consent forms, and clinical documentation provided to patients during the course of treatment.

4. Entity or entities to which this policy applies

This policy applies to the responsible party identified in section 1 of this document, being Dr GL Vosloo, and to the processing of personal information carried out in the course of delivering medical services through the BioWell website and patient platform.

Where BioWell operates as a practice management, personal information processed in the course of clinical care is processed under the authority and oversight of the responsible party identified above.

Persons and entities bound by this policy include:

• All individuals whose personal information is processed by or on behalf of BioWell, including patients, prospective patients, website users, and any person who communicates with BioWell in connection with its services.

• All directors, officers, employees, contracted healthcare practitioners, administrative staff, and service providers who process personal information on behalf of the responsible party in connection with BioWell’s services.

Where external service providers process personal information for or on behalf of BioWell, they do so under written agreements that require compliance with POPIA and impose appropriate confidentiality and data protection obligations.

Nothing in this policy alters the professional obligations of registered medical practitioners. Clinical records remain subject to applicable medical, ethical, and statutory duties independent of this policy.

5. Information officer

BioWell has appointed an information officer in accordance with POPIA.

The information officer is responsible for overseeing compliance with applicable data protection laws, monitoring internal processing practices, responding to data subject requests, and serving as the point of contact for the Information Regulator.

The appointed information officer is Dr GL Vosloo.

Information officer email address: gerhard@bio-well.co.za.

All requests relating to personal information, including access, correction, or complaints, must be directed to the information officer in writing.

6. Defined terms

For purposes of this policy, the following terms bear the meanings assigned to them below. These definitions apply throughout this document unless the context indicates otherwise:

• “Applicable data protection laws” means POPIA and any other South African legislation, regulations, or binding guidelines governing the protection, processing, or retention of personal information.

• “Personal information” has the meaning assigned to it in POPIA and includes any information relating to an identifiable, living natural person and, where applicable, an identifiable existing juristic person. This includes information such as identity details, contact information, financial information, and health or clinical information.

• “Special personal information” has the meaning assigned to it in POPIA and includes, among other categories, information concerning a person’s health, biometric information, religious or philosophical beliefs, race or ethnic origin, and criminal behaviour. In the context of BioWell, this includes medical history, laboratory results, prescription information, and clinical assessments.

• “Processing” means any operation or activity performed in relation to personal information, whether by automated or non-automated means, including collection, receipt, recording, organisation, storage, updating, retrieval, use, dissemination, restriction, or deletion.

• “Data subject” means any natural person to whom personal information relates, as defined in POPIA.

• “User” means any individual who accesses or uses the BioWell website or secure patient platform, including patients, prospective patients, and any person who interacts with BioWell in connection with its services.

• “Responsible party” means the entity identified in section 1 of this policy that determines the purpose of and means for processing personal information.

• “Operator” means a person or entity that processes personal information on behalf of the responsible party in terms of a contract or mandate, without coming under the direct authority of that responsible party.

• “Patient” means a data subject who receives or seeks to receive medical services through BioWell.

• “Platform” means the BioWell website and secure patient interface through which medical consultations, communication, and administrative functions are conducted.

Singular terms include the plural and vice versa, where the context requires. References to legislation include amendments and subordinate legislation issued under that legislation.

7. User/data subject rights

A data subject whose personal information is processed by or on behalf of BioWell is entitled to exercise the rights afforded under POPIA and other applicable law. These rights are subject to statutory limitations, professional obligations, and lawful retention requirements.

A data subject has the right to:

• Be informed that personal information is being collected and to receive sufficient information regarding the purpose of such collection.

• Request confirmation as to whether BioWell holds personal information relating to them.

• Request access to personal information held by BioWell, subject to identity verification and any lawful grounds for refusal.

• Request correction of personal information that is inaccurate, incomplete, misleading, or out of date.

• Request deletion or destruction of personal information where it is no longer authorised to be retained in terms of applicable law. This right does not apply where BioWell is required to retain records in terms of legal, regulatory, or professional obligations.

• Object, on reasonable grounds relating to their particular situation, to the processing of personal information where such processing is not required by law.

• Object to the processing of personal information for direct marketing purposes. BioWell does not conduct direct marketing of prescription medicines.

• Not be subject to a decision based solely on automated processing that produces legal consequences or similarly significant effects, unless permitted by law.

• Withdraw consent where processing is based on consent. Withdrawal of consent does not affect processing that occurred prior to withdrawal and does not override lawful retention obligations.

• Lodge a complaint with the Information Regulator if they believe that their personal information has been processed unlawfully.

The exercise of these rights is subject to the verification procedures set out in this policy and may be limited where disclosure would infringe the rights of another person, compromise professional confidentiality, or conflict with legal obligations.

8. Patient rights under POPIA

Note: The summary below is provided for clarity and accessibility. It does not replace POPIA or limit any rights afforded to data subjects under the Act. In the event of any inconsistency between this policy and POPIA, the provisions of POPIA will prevail. Data subjects are encouraged to consult the most recent version of POPIA for the full statutory framework.

Where BioWell processes personal information in the course of providing medical services, each patient, as a data subject, has the following rights, subject to the limitations and conditions set out in POPIA and in applicable health records legislation:

Right to be notified of collection

A data subject has the right to be notified that personal information is being collected and to be informed of the purpose of collection, the categories of information collected, and any other information required by POPIA.

Right to be notified of a security compromise

Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, BioWell must notify the affected data subject and the Information Regulator.

Right of access

A data subject has the right to request confirmation as to whether BioWell holds personal information about them and to request access to that information, subject to lawful limitations, including those relating to professional confidentiality, third-party rights, and clinical considerations.

Right to request correction, destruction, or deletion

A data subject may request correction, destruction, or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully. BioWell will consider such requests in accordance with POPIA and applicable medical record retention requirements. Where the law requires retention of medical records, deletion may not be possible.

Right to object to processing

A data subject may object, on reasonable grounds relating to their particular situation, to the processing of personal information where processing is based on legitimate interests or public interest grounds, as contemplated in POPIA.

Right not to be subject to solely automated decision-making

A data subject has the right not to be subject to a decision based solely on automated processing of personal information which produces legal consequences for them or significantly affects them, unless permitted under POPIA.

Right to lodge a complaint

A data subject has the right to lodge a complaint with the Information Regulator if they believe that there has been interference with the protection of their personal information.

Right to institute civil proceedings

A data subject has the right to institute civil proceedings in respect of an alleged interference with the protection of their personal information, as provided for in POPIA.

All rights are exercised in accordance with POPIA and other applicable laws governing medical records and professional conduct. The procedures for exercising these rights, including verification requirements and response timeframes, are set out later in this policy.

9. Personal information that may be collected

BioWell processes personal information only to the extent necessary to provide regulated medical services and to operate its website and secure patient platform. The categories of personal information collected depend on the nature of the interaction with BioWell and whether an individual proceeds to clinical consultation and treatment.

BioWell may collect the following categories of personal information:

Identification information

Information used to verify and confirm identity, including full name, identity number or passport number, date of birth, gender, and any other information required to establish a patient record.

Contact information

Residential address, postal address, email address, mobile number, and other contact details required for communication and delivery of services.

Health and clinical information

Medical history, current medical conditions, past diagnoses, family medical history where relevant, medication history, allergies, body composition information, laboratory results, metabolic assessments, clinician notes, treatment plans, prescription records, and ongoing monitoring data submitted through the platform.

Lifestyle and behavioural information

Information relating to diet, exercise patterns, sleep, stress levels, alcohol consumption, smoking status, and other lifestyle factors relevant to metabolic health and clinical assessment.

Financial and transaction information

Billing information, payment confirmations, transaction references, and limited payment-related data necessary to process consultation fees or treatment-related charges. BioWell does not store full card details where payments are processed through third-party payment providers.

Communications

Records of correspondence between a user and BioWell, including emails, platform messages, consultation notes, support requests, and administrative communications.

Technical and usage information

IP address, browser type, device type, operating system, date and time of access, pages visited, session activity, and other technical information collected through standard website and platform technologies.

Uploaded content

Documents, laboratory reports, identification documents, images, or other materials voluntarily uploaded by a user through the patient platform.

Personal information is collected directly from the data subject in most cases. Where relevant and lawful, information may also be obtained from healthcare providers, laboratories, pharmacies, or other authorised third parties with the data subject’s knowledge or consent.

10. Purpose of processing personal information

BioWell processes personal information strictly for defined, lawful, and medically necessary purposes connected to the provision of regulated healthcare services and the operation of its website and patient platform.

BioWell processes personal information in order to:

• Assess clinical suitability, conduct consultations, establish diagnoses where applicable, develop treatment plans, prescribe medication where clinically indicated, monitor patient progress, and maintain accurate medical records in accordance with professional and legal standards.

• Evaluate risk factors, review laboratory results, assess contraindications, manage dose adjustments, document adverse events, and ensure ongoing medical supervision throughout the course of treatment.

• Manage appointments, maintain patient files, process billing, communicate with patients, and administer the operational aspects of the medical practice.

• Issue prescriptions within defined clinical parameters and coordinate with licensed pharmacies for the lawful dispensing and delivery of medication.

• Comply with obligations imposed by POPIA, health records legislation, professional regulatory bodies, taxation authorities, and other applicable legal requirements.

• Establish, exercise, or defend legal claims; respond to lawful requests from courts or regulators; and protect the rights, safety, and property of patients, practitioners, and the practice.

• Maintain the integrity, security, and functionality of the website and patient platform, detect unauthorised access, prevent fraud, and ensure appropriate system performance.

Personal information is not processed for purposes unrelated to the delivery of medical care and lawful practice administration. BioWell does not sell personal information or use health data for commercial exploitation.

11. Educational and informational communications

BioWell may, with the user’s prior consent where required under POPIA, communicate educational and service-related information by electronic means.

Such communications are limited to:

• Information relevant to metabolic health, weight management, and the structured use of prescription therapies.

• Updates regarding clinical guidance, safety notices, or changes affecting patient care.

• Practice-related updates concerning appointments, platform functionality, or administrative matters.

• Invitations to access published educational content, articles, or medically grounded insights developed by the clinical team.

BioWell does not engage in the direct marketing of prescription medicines to the public. Communications will not promote specific scheduled medicines, publish medicine prices, guarantee clinical outcomes, or encourage the selection of a particular pharmaceutical product.

Where consent is required for electronic communications, it will be obtained in advance and may be withdrawn at any time. Each communication will include a clear mechanism to opt out of non-essential communications.

Service-related communications necessary for the provision of medical care, regulatory compliance, or patient safety may be issued irrespective of marketing consent, as they form part of the clinical and administrative obligations of the practice.

All communications are issued within the ethical framework governing medical practitioners and in accordance with applicable health and advertising standards.

12. Identification of governing laws

This policy and the processing of personal information by or on behalf of BioWell are governed by the laws of the Republic of South Africa.

Personal information is processed in accordance with:

• The Protection of Personal Information Act 4 of 2013 (POPIA).

• The National Health Act 61 of 2003.

• The Health Professions Act 56 of 1974.

• The ethical rules and professional guidelines issued by the Health Professions Council of South Africa (HPCSA).

• The Medicines and Related Substances Act 101 of 1965, where relevant to prescription management.

• Consumer Protection Act 68 of 2008.

• Electronic Communications and Transactions Act 25 of 2002.

• All applicable regulations, codes of conduct, and binding guidelines issued under the above legislation.

Where cross-border processing of personal information occurs, such processing will take place only in compliance with section 72 of POPIA and any other applicable legal requirements.

Nothing in this policy limits the application of mandatory statutory obligations imposed on medical practitioners or healthcare entities under South African law.

13. Acknowledgment of doctor–patient confidentiality and privilege

All personal information processed in the course of providing medical services through BioWell is subject to professional confidentiality obligations imposed on registered medical practitioners under South African law.

Information disclosed by a patient during consultation, whether through the secure online platform or any associated communication channel, is treated as confidential medical information. Such information forms part of the patient’s clinical record and is protected by statutory, ethical, and common law duties of confidentiality.

Registered medical practitioners operating through BioWell are bound by the ethical rules of the HPCSA, which impose strict obligations regarding the preservation of patient confidentiality. Disclosure of patient information may occur only where:

• The patient has provided informed consent.

• Disclosure is required by law.

• Disclosure is authorised by a court of competent jurisdiction.

• Non-disclosure would pose a serious risk to the patient or to another person, as permitted under applicable law and ethical guidelines.

Confidentiality obligations apply to all members of the clinical team and to administrative personnel who access personal information in the course of their duties. Access to clinical information is restricted to those with a legitimate professional or operational need.

Nothing in this policy diminishes or overrides the professional secrecy obligations that attach to the doctor–patient relationship under South African law.

14. Minor’s personal information

BioWell’s medical services are intended for adults. The platform is not designed for use by persons under the age of 18 years.

BioWell does not knowingly collect or process personal information relating to a child, as defined in applicable law, without lawful authority. Where personal information relating to a person under the age of 18 years is provided to BioWell, such information will be processed only where processing is:

• Carried out with the consent of a competent person as defined in POPIA.

• Necessary for the establishment, exercise, or defence of a legal claim.

• Required by law or authorised in terms of applicable health legislation.

• Necessary to protect the legitimate interests of the child.

Where a competent person provides consent on behalf of a child, BioWell may take reasonable steps to verify the identity and authority of that person before processing the child’s personal information.

If BioWell becomes aware that personal information of a child has been collected without the necessary legal basis or consent, reasonable steps will be taken to delete or restrict such information, subject to any lawful retention obligations.

Nothing in this section limits the duties imposed on registered medical practitioners under applicable health legislation in circumstances where treatment of a minor is permitted or required by law.

15. Interacting with the platform

Use of the BioWell website and secure patient platform may involve the submission of information and the automatic collection of certain technical data necessary for functionality and security.

User-submitted content

Where a user submits information through contact forms, consultation forms, or the secure patient platform, that information is recorded as part of the relevant administrative or clinical record. Information submitted for medical consultation forms part of the patient’s health record and is treated as confidential medical information.

Uploaded documents and media

Users may be required to upload identification documents, laboratory results, images, or other supporting material through the secure patient platform. Such uploads are stored within secure systems and are accessible only to authorised personnel with a legitimate clinical or administrative need. Uploaded materials form part of the patient record where relevant to clinical care.

Public comments

BioWell does not operate a public comment function on its website. If this position changes, any public-facing interaction functionality will be governed by appropriate privacy and moderation controls.

Cookies and similar technologies

The BioWell website uses standard website technologies, including cookies and session-based tools, to support functionality, maintain secure sessions, and analyse website performance. Cookies may collect limited technical information such as IP address, browser type, device information, and interaction data.

Cookies are not used to access health records or confidential patient information. Users may configure their browser settings to restrict or disable cookies; however, certain website features may not function correctly if cookies are disabled.

Embedded content and third-party integrations

Pages on the BioWell website may include embedded content or links to third-party services. Embedded content behaves in the same manner as if the user had visited the external website directly. BioWell does not control the privacy practices of third-party websites and is not responsible for their data processing activities.

Users are encouraged to review the privacy policies of any external websites they access through links or embedded content on the BioWell website.

Security of online interaction

All interactions involving medical information occur through secure, access-controlled systems designed to protect confidentiality and maintain the integrity of patient records. Users are responsible for safeguarding their login credentials and for notifying BioWell promptly if they suspect unauthorised access to their account.

16. Sources of personal information

BioWell collects and processes personal information from a range of lawful sources, depending on the nature of the engagement with the user or patient and the services provided.

Direct collection from the data subject

Personal information is collected directly from the data subject when a user completes online forms, schedules consultations, participates in medical assessments, uploads documentation, communicates with the clinical team, or otherwise interacts with the BioWell website or secure patient platform. Clinical information provided during consultation forms part of the patient’s medical record.

Healthcare providers and laboratories

Where relevant to treatment, personal information may be obtained from licensed laboratories, healthcare practitioners, or pharmacies involved in the patient’s care, with the patient’s knowledge or lawful basis for such processing.

Service providers and operators

BioWell may engage third-party service providers to support the operation of its website, secure patient platform, payment processing, and administrative systems. These entities process personal information only on behalf of BioWell, under written agreements that require compliance with POPIA and appropriate confidentiality safeguards.

Regulators and lawful authorities

Personal information may be received from or disclosed to regulatory authorities, courts, or other lawful bodies where required by law or where necessary to comply with statutory obligations.

Public records

In limited circumstances, BioWell may verify information against publicly available records where necessary to confirm identity, comply with legal obligations, or protect against fraud.

Automated technologies

Certain technical information is collected automatically when a user accesses the BioWell website or secure platform. This includes device information, IP address, browser type, and usage data generated through cookies or similar technologies necessary for system functionality and security.

BioWell does not obtain personal information from covert or unlawful sources. All collection and processing activities are conducted in accordance with applicable data protection laws and within the context of delivering regulated medical services.

17. Lawful bases for processing

BioWell processes personal information only where there is a lawful basis for doing so under POPIA and other applicable legislation. The lawful basis relied upon will depend on the nature of the information and the context in which it is processed.

Consent

Where required by law, BioWell processes personal information on the basis of the data subject’s informed consent. Consent may be obtained electronically through the website or secure patient platform. A data subject may withdraw consent at any time, subject to lawful retention obligations and the consequences that withdrawal may have on the provision of services.

Contractual necessity

Personal information is processed where it is necessary for the conclusion or performance of a contract with the data subject. This includes processing required to provide medical consultations, administer treatment plans, manage prescriptions, and facilitate payment for services rendered.

Legal obligation

BioWell processes personal information where required to comply with applicable legal or regulatory obligations, including obligations arising under POPIA, health records legislation, professional regulatory frameworks, taxation laws, and lawful directives issued by competent authorities.

Legitimate interests

Personal information may be processed where it is necessary for the legitimate interests of BioWell or a third party, provided that such interests are not overridden by the rights and freedoms of the data subject. Legitimate interests may include maintaining platform security, preventing fraud, protecting the integrity of clinical records, and managing operational risk.

Public interest

In limited circumstances, processing may occur where necessary for reasons of public interest, including the protection of public health or compliance with statutory reporting obligations, as permitted under applicable law.

Establishment, exercise, or defence of legal claims

Personal information may be processed where necessary for the establishment, exercise, or defence of legal claims, including responding to complaints, regulatory investigations, or litigation.

Where special personal information is processed, including health information, such processing is conducted in accordance with the additional safeguards and lawful grounds required under POPIA, as addressed in the following section.

18. Data sharing and disclosures

BioWell does not sell personal information and does not disclose personal information to third parties except where necessary for the lawful provision of medical services, compliance with legal obligations, or the protection of legitimate interests.

Personal information may be disclosed to the following categories of recipients, where lawful and strictly necessary:

Healthcare and pharmacy partners

Licensed laboratories, pharmacies, and other healthcare practitioners involved in a patient’s care may receive relevant clinical information to facilitate diagnosis, prescription fulfilment, and continuity of treatment.

Service providers and operators

BioWell engages third-party service providers to support the operation of its website, secure patient platform, administrative systems, and data infrastructure. These may include information technology providers, cloud hosting providers, system administrators, and cybersecurity service providers. Such entities act as operators and process personal information only on behalf of BioWell under written agreements requiring confidentiality and compliance with POPIA.

Payment processors

Where payments are made through third-party payment platforms, limited transaction-related information may be processed by payment service providers, including Yoco, Ozow, Mastercard, and Visa, subject to change. BioWell does not store full card numbers where payment processing is handled by regulated external providers.

Professional advisers

Personal information may be disclosed, where necessary, to legal advisers, auditors, insurers, or other professional advisers for purposes of compliance, risk management, or the establishment, exercise, or defence of legal claims.

Regulators and statutory bodies

Personal information may be disclosed to regulatory authorities, including the Health Professions Council of South Africa, the South African Health Products Regulatory Authority, the Information Regulator, or other competent bodies, where required by law or in connection with a lawful investigation or oversight function.

Courts and law enforcement

Personal information may be disclosed where required by a court order, subpoena, statutory directive, or other lawful process issued by a competent authority. Disclosure to law enforcement will occur only where legally mandated or where failure to disclose would constitute a breach of legal duty.

Insurers and indemnity providers

Where necessary for professional indemnity purposes or insurance claims, limited personal information may be disclosed to insurers or indemnity providers, subject to confidentiality safeguards.

All disclosures are limited to the minimum information necessary to fulfil the relevant purpose. Where possible, personal information is shared in a restricted or pseudonymised form. Confidential medical information remains subject to professional secrecy obligations and is not disclosed beyond what is legally and ethically permissible.

19. Data retention and records management

BioWell retains personal information only for as long as necessary to fulfil the purposes for which it was collected and to comply with applicable legal, regulatory, and professional obligations.

Clinical records

Health and clinical information forms part of the patient’s medical record and is retained in accordance with applicable health legislation and the ethical guidelines of the Health Professions Council of South Africa.

Medical records are retained for the minimum period prescribed by law and professional regulation, and may be retained for longer where required for medico-legal protection, ongoing care, or the establishment, exercise, or defence of legal claims.

Administrative and financial records

Billing records, payment confirmations, and related financial documentation are retained in accordance with taxation legislation, accounting standards, and statutory retention requirements.

Communications

Correspondence and platform communications are retained where relevant to the clinical record or necessary for regulatory compliance, dispute resolution, or operational continuity.

Technical and system logs

Technical data, access logs, and security monitoring records are retained for as long as reasonably necessary to maintain system integrity, detect unauthorised access, and comply with security obligations.

Deletion and destruction

Where personal information is no longer required for a lawful purpose and is not subject to statutory retention requirements, it will be securely deleted or destroyed in a manner that prevents reconstruction or recovery.

Legal holds

Where BioWell is subject to actual or anticipated litigation, investigation, or regulatory review, relevant personal information may be retained beyond standard retention periods until the matter is resolved.

Retention periods are reviewed periodically to ensure continued compliance with applicable legislation and professional standards.

20. Access to personal information and exercise of rights

A data subject has the right to request access to personal information held by or on behalf of BioWell, subject to identity verification and lawful limitations.

Requests for access must be submitted in writing to the information officer using the contact details provided in this policy. BioWell may require sufficient information to verify the identity of the requester before releasing any personal information.

Upon receipt of a valid request, BioWell will:

• Confirm whether personal information relating to the requester is held.

• Provide access to such personal information, where disclosure is lawful and does not infringe the rights of another person.

• Advise of any lawful grounds for refusal or limitation of access.

Access to medical records may be subject to professional considerations and applicable health legislation. In certain circumstances, access may be provided through a healthcare practitioner where required to protect the well-being of the patient or another person.

Where personal information is found to be inaccurate, incomplete, misleading, or outdated, the data subject may request correction. Requests for deletion or destruction will be considered in accordance with statutory retention obligations and professional regulatory requirements.

BioWell will respond to requests within the timeframes prescribed by POPIA and other applicable legislation. Where a request is refused, written reasons will be provided, and the data subject will be informed of the right to lodge a complaint with the Information Regulator.

The exercise of data subject rights does not override lawful retention obligations, professional confidentiality duties, or restrictions imposed by court order or statute.

Requests can be sent to: support@bio-well.co.za.

21. Data security measures

BioWell implements appropriate technical and organisational measures to protect personal information against loss, misuse, unauthorised access, disclosure, alteration, or destruction. Security safeguards are designed with regard to the sensitivity of health information and the risks associated with online medical platforms.

Technical safeguards

BioWell uses secure, access-controlled systems for the storage and management of clinical and administrative records. Safeguards include:

• Encryption of data in transit and, where applicable, at rest.
• Role-based access controls restricting access to personal information on a need-to-know basis.
• Secure authentication mechanisms for platform access.
• System monitoring and logging to detect unauthorised access or anomalous activity.
• Segregation of clinical data from general website content and administrative systems.

Organisational safeguards

BioWell maintains internal policies and procedures governing the handling of personal information. These include:

• Confidentiality undertakings binding staff, healthcare practitioners, and service providers.
• Access controls limiting information to individuals with legitimate operational or clinical roles.
• Defined protocols for responding to security incidents and suspected data breaches.
• Ongoing review of data protection practices to ensure continued compliance with applicable law.

Hosting and storage

Personal information processed through the BioWell platform is stored on infrastructure located in [confirm jurisdiction(s) of hosting servers]. Where cloud-based services are used, such services are subject to contractual data protection safeguards and must comply with POPIA requirements regarding cross-border data transfers.

Security incidents

In the event of a security compromise affecting personal information, BioWell will act in accordance South African regulations, including notifying affected data subjects and the Information Regulator where required by law.

No system can guarantee absolute security. BioWell takes reasonable steps to safeguard personal information but cannot warrant that unauthorised access will never occur. Users are responsible for maintaining the confidentiality of their login credentials and notifying BioWell promptly of any suspected unauthorised access.

22. Verification of identity

Identity verification forms part of the onboarding and consultation process. Users may be required to submit identifying information, including legally recognised identification details, to establish and confirm their identity before accessing clinical services. BioWell may take reasonable steps to validate such information against documentation provided through the platform.

Verification measures are applied to:

• Confirm that the individual registering on the platform is the person to whom the personal information relates.
• Ensure that medical consultations and prescriptions are issued to the correct individual.
• Prevent impersonation, identity misuse, or fraudulent access to clinical services.
• Maintain the integrity and accuracy of patient records.

Where a person acts on behalf of another individual, BioWell may require proof of authority and identity before processing personal information or providing access to services.

BioWell may suspend or restrict access to the platform where identity verification requirements are not met or where submitted information appears inconsistent, inaccurate, or potentially fraudulent.

Verification procedures are conducted in a manner proportionate to the sensitivity of the services provided and the nature of the personal information processed.

23. Automated decision-making and profiling

BioWell does not make clinical decisions based solely on automated processing of personal information.

Medical assessments, treatment plans, prescription decisions, and dose adjustments are made by registered medical practitioners exercising independent clinical judgement.

The secure patient platform may use structured digital tools to organise information, flag risk factors, or support administrative processes, but such tools do not replace clinician oversight.

BioWell does not engage in automated profiling for commercial purposes, behavioural advertising, or product promotion.

Where automated systems are used to support platform functionality, including appointment scheduling, data organisation, risk flagging, or security monitoring, such systems operate under defined parameters and are subject to human review where they may affect a user’s access to services or clinical care.

If automated processing is introduced in future in a manner that could produce legal effects or similarly significant consequences for a data subject, BioWell will ensure that appropriate safeguards are implemented in accordance with POPIA, including the right to request human intervention.

24. Website, cookies, digital tracking technologies, and external links

BioWell’s website and secure patient platform use standard digital technologies to enable functionality, maintain secure sessions, and improve system performance.

Cookies and similar technologies

The website may use cookies, session identifiers, and related technologies to:

• Enable secure login and session management.
• Remember user preferences within a session.
• Analyse website performance and usage patterns.
• Support security monitoring and fraud prevention.

Cookies do not grant BioWell access to a user’s device beyond the data generated through website interaction. Health records and clinical information are not accessible through cookies.

Users may configure their browser settings to decline or restrict cookies. Disabling cookies may affect the functionality of certain website features or the secure patient platform.

Analytics and tracking

Where analytics tools are used to assess website performance or user interaction patterns, such tools collect aggregated or technical data. BioWell does not use tracking technologies for behavioural advertising or the promotion of prescription medicines.

Third-party websites and external links

The BioWell website may contain links to external websites or embedded content operated by third parties. Such third-party platforms are not controlled by BioWell and are governed by their own privacy policies and data protection practices.

Accessing external websites through links provided on the BioWell website is at the user’s discretion. BioWell is not responsible for the privacy practices, content, or security of third-party websites.

Users are encouraged to review the privacy policies of any third-party websites they visit.

25. Complaints

BioWell is committed to addressing concerns regarding the processing of personal information promptly and transparently.

A data subject who believes that their personal information has been processed unlawfully, inaccurately, or in a manner inconsistent with this policy may submit a written complaint to the information officer using the contact details provided in this policy.

Complaints can be directed to: support@bio-well.co.za / gerhard@bio-well.co.za

Complaints should include sufficient detail to enable BioWell to understand the nature of the concern and to identify the relevant information or processing activity.

BioWell will:

• Acknowledge receipt of the complaint.
• Investigate the matter within a reasonable timeframe.
• Respond in writing with findings and, where appropriate, corrective measures.

If a data subject is not satisfied with BioWell’s response, or believes that their rights under POPIA have been infringed, they have the right to lodge a complaint with the Information Regulator of South Africa.

Contact details for the Information Regulator are available on the official website of the Information Regulator.

Nothing in this section limits a data subject’s right to institute civil proceedings in respect of an alleged interference with the protection of personal information, as provided for under POPIA.

26. Limitation of liability and disclaimers

BioWell does not warrant or guarantee that the website, secure patient platform, or any related systems will be free from interruption, error, unauthorised access, or technical failure. To the extent permitted by law, BioWell shall not be liable for any loss or damage arising from circumstances beyond its reasonable control, including cyber incidents, third-party service disruptions, or force majeure events.

Nothing in this policy excludes or limits any liability that cannot lawfully be excluded under South African law.

BioWell is not responsible for the privacy practices, security measures, or content of third-party websites or external platforms that are not owned or controlled by BioWell.

Users are responsible for safeguarding their login credentials and for ensuring that information submitted through the platform is accurate and complete. BioWell is not liable for consequences arising from inaccurate, incomplete, or misleading information provided by a user.

This privacy policy governs the processing of personal information. It does not constitute medical advice, a treatment guarantee, or a representation regarding clinical outcomes. Clinical decisions remain subject to professional judgement and applicable medical standards.

27. Amendments and version control

BioWell may update or amend this privacy policy from time to time to reflect changes in applicable law, regulatory guidance, clinical practice, operational processes, or platform functionality.

Where material changes are made, the updated version of the policy will be published on the BioWell website and secure patient platform. The “effective date” and “last updated” fields at the beginning of this document will indicate when the current version came into force.

Continued use of the BioWell website or secure patient platform after the publication of an updated policy constitutes acknowledgment of the revised terms, subject to any rights afforded under POPIA.

BioWell retains prior versions of this privacy policy for internal governance and compliance purposes. Historical versions may be made available upon reasonable request, subject to operational considerations.

Users are encouraged to review this policy periodically to remain informed of how personal information is processed and protected.

28. Contact details of the responsible party and information officer

All queries, requests, or concerns relating to the processing of personal information must be directed to the responsible party identified in section 1 of this policy or to the appointed information officer.

Responsible party

Name: Dr GL Vosloo
ID number: 8809225071089
Entity: Dr GL Vosloo medical practice / BioWell (Pty) Ltd

Information officer

Name: Dr Gerhardus Louwrens Vosloo
Designation: Information Officer
Email address: gerhard@bio-well.co.za

Written requests relating to access, correction, deletion, objection, or any other data subject right under POPIA must be submitted to the information officer using the contact details above.

Where required, requests may need to be accompanied by sufficient information to enable identity verification, as described in this policy.

Important: Access to the BioWell platform and participation in the programme is conditional upon electronic acceptance of this document on the platform.

PRIVACY POLICY ENDS

User acknowledgement and agreement

Before you continue

Please read the BioWell terms and conditions and the BioWell privacy policy carefully before proceeding. These documents explain the nature of the BioWell programme, your rights and responsibilities, how your personal information is processed, and the legal framework governing your participation.

By proceeding, you confirm that you have read and understood these documents and that you agree to be bound by them.

You will be required to provide electronic confirmation before accessing consultations or services.

Required confirmations