Privacy & Data Handling

Last updated 2 June 2026

1. Who this covers

RxReader (“RxReader”, “we”, “us”) provides software that reads pharmacy prescriptions into structured data for review by qualified pharmacy staff. This notice explains what information we process, why, and how we protect it. It is written with the South African Protection of Personal Information Act, 2013 (POPIA) in mind.

2. Our role

When your pharmacy uses RxReader to process patient prescriptions, your pharmacy is the responsible party for that patient information and decides why and how it is processed. RxReader acts as an operator, processing prescription data only on your pharmacy’s instruction and only to provide the service. We do not process patient information for our own purposes.

3. Information we process

  • Prescription content — the uploaded image and the fields read from it, which may include patient name, age, identity number, prescriber name and HPCSA number, medicines, dosages and instructions. This is special personal information (health data) and is treated accordingly.
  • Account information — the email address and authentication details of pharmacy staff who sign in, and basic usage and billing records.
  • Operational logs — limited technical logs needed to run, secure, and debug the service.

4. Why we process it

We process prescription content solely to read it into structured data, run automated safety checks, and return the result to your pharmacy for human review. We process account and usage data to provide access, secure the service, support you, and bill for use. We do not sell personal information, and we do not use prescription content for advertising.

5. AI sub-processors

To read prescriptions and run safety checks, prescription content is transmitted to the third-party providers below under contractual terms. We require that your data is not used to train their models and is not retained beyond what is needed to return a result.
  • Anthropic: Optical reading, field validation, and clinical safety checks
  • OpenAI: Medicine-name correction against a candidate list
  • Supabase: Database and image storage hosting

These providers may process data outside South Africa (including in the European Union and the United States). Where personal information is transferred across borders, we rely on the provider’s contractual safeguards as permitted under POPIA section 72.

6. How we protect it

  • Access is invite-only; each organisation’s data is isolated from every other organisation at the database level.
  • Data is encrypted in transit and at rest by our hosting provider.
  • Access to production data is limited to what is needed to operate the service.

7. Retention

Prescription content is retained for as long as your pharmacy’s account requires it for review and record-keeping, or as your pharmacy instructs, after which it is deleted or de-identified. Account and billing records are kept as required by law.

8. Your rights

Patients and staff have the right, under POPIA, to ask what personal information is held, to have it corrected or deleted, and to object to processing. Because your pharmacy is the responsible party for patient information, patient requests are directed to your pharmacy; we will assist your pharmacy in responding.

9. Contact

Questions about this notice or about personal information can be sent to our Information Officer at [Information Officer name and email — to be completed].

See also our Terms of Use.