Privacy Policy

RelyCare ("RelyCare", "we", "us", or "our") is committed to protecting the privacy and security of the personal and professional information entrusted to us by therapy clinics, practitioners, and the patients they serve. This Privacy Policy explains what data we collect, how we use it, how we protect it, and your rights under applicable data protection law including the Protection of Personal Information Act 4 of 2013 (POPIA) and, where applicable, the General Data Protection Regulation (GDPR).

This Policy applies to all users of the RelyCare platform, including clinic owners, practitioners, administrative staff, and any other authorised users (collectively "Users"). By accessing or using RelyCare, you agree to the terms of this Privacy Policy.

1. Who We Are

RelyCare is operated by Adham Yasser, trading as RelyCare ("the Operator"), with primary contact at adham@relycare.app. RelyCare is a software-as-a-service (SaaS) platform that provides AI-powered clinical documentation and parent communication automation tools specifically designed for therapy practices.

As the entity providing the RelyCare platform to clinics and practitioners, RelyCare acts as a data processor in relation to patient and session data submitted by clinics, and as a data controller in relation to account and billing data collected directly from Users.

2. Information We Collect

2.1 Account and Registration Information

When you create a RelyCare account, we collect:

• Full name
• Email address and password (stored encrypted)
• Clinic name
• Billing and subscription information (processed via our payment provider; we do not store card details)

2.2 Clinical and Session Data

RelyCare processes the following professional data submitted by authorised users of the platform:

• Session audio recordings captured during therapy sessions — processed immediately and deleted immediately after processing (not stored)
• Uploaded audio files — processed immediately and deleted immediately after processing (not stored)
• AI-generated session notes and transcriptions derived from session audio (text only)
• Patient names, ages, assessments, and therapy goals
• Session attendance records and therapy progress data
• Professional assessments, cue hierarchy data, and trial accuracy metrics

2.3 Parent and Caregiver Communication Data

RelyCare's WhatsApp assistant processes messages exchanged between parents or caregivers and the automated assistant on behalf of the clinic. This includes:

• Phone numbers of parents and caregivers
• Content of WhatsApp messages sent to and received from the assistant
• Message timestamps and delivery status

This data is processed strictly to provide the parent communication feature and is linked to the relevant patient record within the clinic's account.

2.4 Usage and Technical Data

We automatically collect certain technical information when you use the platform:

• IP address, browser type, and device information
• Pages visited, features used, and session duration
• Error logs and crash reports
• API usage metrics

This data is used solely for platform security, performance monitoring, and product improvement. It is never sold or shared with third parties for marketing purposes.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Providing the Service

• Processing session audio to generate session notes and clinical summaries
• Operating the WhatsApp parent communication assistant
• Storing and displaying patient records, session notes, and therapy progress
• Managing user accounts, subscriptions, and access controls

3.2 Communication

• Sending account-related notifications (billing, security alerts, product updates)
• Responding to support requests and enquiries
• Sending product updates and feature announcements (you may opt out at any time)

3.3 Platform Improvement

• Analysing anonymised usage patterns to improve product features
• Monitoring system performance and diagnosing technical issues
• Conducting internal research to improve AI accuracy and clinical documentation quality

We do not use identifiable patient data for model training without explicit written consent from the clinic. Anonymised and aggregated data may be used to improve our AI systems.

3.4 Legal and Compliance

• Complying with applicable laws and regulatory requirements
• Enforcing our Terms of Service
• Responding to lawful requests from government authorities

4. Legal Basis for Processing

We process personal data on the following legal bases:

• Contract performance: Processing necessary to provide the RelyCare service under our agreement with you.
• Legitimate interests: Processing for platform security, fraud prevention, and product improvement where these interests are not overridden by your rights.
• Legal obligation: Processing required to comply with applicable law.
• Explicit consent: For special category health data (session audio, session notes, patient clinical records), we rely on the explicit consent of the clinic and the informed consent obtained by the clinic from its patients and their parents or caregivers as required by POPIA.

Clinics using RelyCare are responsible for obtaining all necessary consents from their patients and parents prior to processing clinical data through the platform. RelyCare provides guidance on consent requirements but is not responsible for the clinic's compliance with their own obligations as data controller.

5. Data Sharing and Third Parties

We do not sell your personal data. We do not share personal data with third parties for advertising or marketing purposes. We share data with the following categories of third-party service providers solely to operate the RelyCare platform:

5.1 Infrastructure and Database

Supabase: Our primary database and backend infrastructure provider. All data stored in RelyCare is hosted on Supabase's servers. Supabase processes data under a Data Processing Addendum compliant with GDPR and applicable data protection law.

5.2 AI Processing

Google Gemini: Session audio and transcripts are sent to Google's Gemini AI API for session note generation. We send only the clinical content necessary for note generation. We do not send patient names or personally identifiable information to AI APIs where it can be avoided. Data sent to Google is governed by their data processing terms.

5.3 Communication

WhatsApp / Meta: Parent communication is delivered via the WhatsApp platform. Message content processed through WhatsApp is subject to Meta's privacy policy in addition to this Policy.

5.4 Payments

Paddle / Polar: Subscription billing is processed by our payment provider. We do not store payment card details. Billing data is governed by the payment provider's privacy policy.

All third-party processors are bound by data processing agreements that require them to process data only on our instructions and to implement appropriate security measures.

6. Data Security

We implement appropriate technical and organisational security measures to protect your data against unauthorised access, disclosure, alteration, or destruction. Our security measures include:

• All data is encrypted in transit using TLS 1.2 or higher
• All retained data is encrypted at rest using AES-256 encryption
• Session audio is processed in real-time and immediately deleted — never stored or retained
• Access to production data is restricted to authorised personnel only
• Row-level security policies restrict each clinic's access to their own data only
• Regular security reviews and vulnerability assessments
• Incident response procedures for data breach notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected parties and the relevant supervisory authority as required by applicable law within 72 hours of becoming aware of the breach.

7. Data Retention

We practice minimal data retention. We only retain data for as long as strictly necessary to provide the service:

• Account data is retained for the duration of your subscription and for 30 days following account termination, after which it is permanently deleted
• Session audio recordings (recorded live or uploaded) are processed immediately and deleted immediately after processing is complete. Audio is never stored or retained
• Session notes and professional documentation (text) are retained for the duration of the subscription to support your practice records
• Upon account termination, you may request an export of your data by contacting us at adham@relycare.app within 30 days. After this period, all data is permanently deleted from our systems
• Billing records are retained for 7 years as required by financial regulations

Clinics are responsible for maintaining their own professional records in accordance with their professional regulatory body's record-keeping requirements. RelyCare is not a substitute for a compliant professional record management system.

8. Your Rights

Under POPIA and, where applicable, GDPR, you have the following rights in relation to your personal data:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to correction: You may request that inaccurate or incomplete data be corrected.
• Right to deletion: You may request deletion of your personal data, subject to our legal obligations to retain certain records.
• Right to object: You may object to processing of your data where we rely on legitimate interests as the legal basis.
• Right to data portability: You may request your data in a structured, machine-readable format.
• Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at adham@relycare.app. We will respond within 30 days. We may require identity verification before processing your request.

9. International Data Transfers

RelyCare is operated from Egypt and serves customers primarily in South Africa. Your data is stored on Supabase infrastructure which may process data in multiple regions. Where data is transferred outside South Africa, we ensure appropriate safeguards are in place including standard contractual clauses and data processing agreements with all third-party processors. For users in the European Economic Area (EEA), data transfers are governed by the Standard Contractual Clauses under the EU GDPR.

10. Dependents's Data

RelyCare is used by therapy clinics that treat children, including minors under the age of 18. Patient data relating to minors is treated as highly sensitive. Clinics using RelyCare are responsible for obtaining appropriate parental consent prior to submitting any data relating to minor patients to the platform. RelyCare does not knowingly collect data directly from children.

11. Cookies and Tracking

The RelyCare web application uses essential cookies required for platform functionality including session authentication and security. We also use PostHog, a product analytics platform, to understand how users interact with the platform and to improve our product. PostHog may set cookies and collect anonymised usage data such as pages visited, features used, and session duration. PostHog does not have access to patient or session data. We do not use advertising cookies or third-party tracking cookies for marketing purposes. You may disable non-essential cookies in your browser settings, but this may affect analytics functionality.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify registered users of material changes by email at least 14 days before the changes take effect. The current version of this Policy will always be available at relycare.app/privacy.

13. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact:

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator of South Africa at inforeg.org.za or, for EU residents, with the relevant supervisory authority in your jurisdiction.