1. Introduction
This Privacy Policy explains how Synergy Designs (“we”, “us”, “our”) collects, uses, stores, and protects your information when you use the SwiftScripts mobile application (“the App”).
We are committed to protecting the privacy and confidentiality of your personal information and that of your patients in full compliance with the Protection of Personal Information Act (POPIA), Act 4 of 2013 and all applicable South African legislation.
By using the App, you consent to the data practices described in this Privacy Policy. Please read this policy carefully alongside our Terms and Conditions.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: Name, email address, and authentication credentials (password or Google Sign-In token).
- Doctor profile: Practice name, registration number, qualifications, practice address, contact number, and digital signature.
- Patient records: Names, ID numbers, dates of birth, addresses, contact details, diagnoses, and medication history that you enter into the App.
2.2 Information Collected Automatically
- Device identifiers: Hashed device identifiers for licence validation (we never collect raw hardware IDs).
- Subscription status: Purchase records and licence key validation data.
- Verification tokens: Cryptographic tokens generated when you sign documents (these contain no patient data).
3. How Your Data Is Stored
Zero patient data on our servers. All patient information is stored exclusively on your device, encrypted at rest with AES-256 encryption via SQLCipher. Our servers never receive, process, or store any patient-identifiable information.
3.1 On-Device Storage
| Data | Storage Location | Encryption |
| --- | --- | --- |
| Patient records, prescriptions, clinical documents | Local device only | AES-256 (SQLCipher) |
| Database encryption key | Device secure keystore (iOS Keychain / Android Keystore) | Hardware-backed |
| Digital signature | Local device only | AES-256 (SQLCipher) |
3.2 Server-Side Storage
Our servers store only the following non-clinical data:
- Your user account details (name, email, authentication credentials).
- Doctor profile metadata (practice name, registration number — no patient data).
- Subscription and licence status.
- Hashed device identifiers for licence validation.
- Document verification tokens (cryptographic hashes — contain no patient data).
4. How We Use Your Information
We use the information we collect to:
- Provide the App’s core services: Generate prescriptions, sick notes, medical certificates, and referral letters.
- Authenticate your identity: Verify your account and manage access.
- Manage subscriptions: Process and validate licence keys and in-app purchases.
- Verify document authenticity: Enable QR code scanning to confirm that documents were generated by a registered practitioner through SwiftScripts.
- Improve the App: Analyse anonymised, aggregated usage patterns to enhance functionality and user experience.
We do not use your information or patient data for advertising, marketing to third parties, or any purpose unrelated to the App’s clinical functionality.
5. Cloud Backup
The encrypted Cloud Backup feature is available on the Pro + Cloud subscription plan and during the 14-day free trial.
5.1 Zero-Knowledge Encryption
We cannot read your backup data. Cloud backups are encrypted on your device before transmission using a zero-knowledge architecture. Only you can decrypt your data using your backup password.
- A random AES-256 Data Encryption Key (DEK) is generated on your device.
- The DEK is wrapped with a Key Encryption Key (KEK) derived from your chosen backup password using PBKDF2 with 100,000 iterations.
- Encrypted data is transmitted over HTTPS/TLS and stored on servers located in South Africa.
5.2 Backup Password
You are solely responsible for remembering your backup password. Because of our zero-knowledge design, we cannot recover your data if you lose your backup password. There is no password reset mechanism for backups.
6. Third-Party Services
The App integrates with the following third-party services:
| Service | Purpose | Data Shared |
| --- | --- | --- |
| Firebase Authentication | User sign-in and account management | Email, name, authentication tokens |
| Google Sign-In | Optional sign-in method | Google account email and name |
| Apple App Store / Google Play Store | In-app subscription billing | Purchase receipts (no patient data) |
These services are governed by their own privacy policies. No patient data is ever shared with any third-party service.
7. Data Sharing and Disclosure
We do not sell, rent, trade, or otherwise share patient data with any third party — ever.
We may disclose your non-clinical account information only in the following limited circumstances:
- Legal obligation: When required by South African law, regulation, or a valid court order.
- Safety: To protect the rights, safety, or property of Synergy Designs, our users, or the public.
- Business transfer: In connection with a merger, acquisition, or sale of assets, provided the acquiring entity agrees to honour this Privacy Policy.
8. Data Security
We implement multiple layers of security to protect your information:
- AES-256 encryption for all patient data stored on-device (SQLCipher).
- Hardware-backed key storage (iOS Keychain / Android Keystore) for encryption keys.
- Optional biometric authentication (Face ID, Touch ID, fingerprint) and PIN lock.
- Automatic app lock when the App is placed in the background.
- HTTPS/TLS encryption for all network communication.
- Zero-knowledge cloud backup with PBKDF2-derived key wrapping.
- QR code verification with cryptographic document signing for tamper detection.
9. Your Rights Under POPIA
As a data subject under the Protection of Personal Information Act (POPIA), you have the right to:
- Access: Request confirmation of whether we hold personal information about you and request access to that information.
- Correction: Request that we correct or update inaccurate or incomplete personal information.
- Deletion: Request the deletion of your personal information, subject to any legal retention obligations.
- Objection: Object to the processing of your personal information on reasonable grounds.
- Data portability: Request your personal information in a structured, commonly used format.
- Withdraw consent: Withdraw your consent to the processing of your personal information at any time.
- Lodge a complaint: Submit a complaint to the Information Regulator if you believe your personal information has been mishandled.
To exercise any of these rights, please contact us at info@synergydesigns.co.za.
9.1 Patient Data
Because all patient data is stored locally on your device and never transmitted to our servers (except as encrypted cloud backups that we cannot decrypt), you retain full control over patient data at all times. You are the responsible party under POPIA for any patient data you process through the App. We act as an operator only in respect of encrypted Cloud Backup data.
10. Data Retention
- On-device data: Remains on your device for as long as the App is installed. Uninstalling the App permanently deletes all local data.
- Account data: Retained for as long as your account is active. Upon account deletion, your account data is permanently removed within 30 days.
- Cloud backups: Retained for 90 days after account termination, after which they are permanently deleted.
- Verification tokens: Retained for the lifetime of the document’s validity period (typically 6 months from the date of issue).
11. Children’s Privacy
SwiftScripts is designed for use by registered healthcare practitioners and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at info@synergydesigns.co.za and we will take steps to delete that information.
12. International Data Transfers
All server-side data is stored on servers located in South Africa, in compliance with POPIA data residency requirements. We do not transfer personal information outside of South Africa unless required by the third-party services listed in Section 6 (e.g., Firebase Authentication), which maintain their own data protection standards and compliance certifications.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- The updated policy will be posted at this URL.
- The “Last Updated” date at the top will be revised.
- We may notify you via an in-app notification or email.
Continued use of the App after changes are published constitutes your acceptance of the updated Privacy Policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us: