StrideNotes Privacy Policy
Effective date: 2026-07-05
Last updated: 2026-07-05
Version: 1.0 (Beta)
1. Who we are
StrideNotes (available at stridenotes.co.za and app.stridenotes.co.za) is a practice management web application for veterinary physiotherapists registered with the South African Veterinary Council (SAVC).
StrideNotes is owned and operated by Flag Finder (Pty) Ltd, a private company registered in the Republic of South Africa ("Flag Finder", "we", "us", "our").
We are committed to protecting personal information in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and the Electronic Communications and Transactions Act 25 of 2002.
Information Officer
| Name | Daniel Ponelat |
|---|---|
| privacy@stridenotes.com | |
| Company | Flag Finder (Pty) Ltd |
Please direct all privacy enquiries, access requests, complaints, and objections to the Information Officer at the address above.
2. Beta notice
StrideNotes is currently in beta. Features may change, and we may collect additional diagnostic and usage information to improve the Service. This policy will be updated as the Service evolves; material changes will be notified to registered users by email or in-app notice.
3. Our two roles under POPIA
StrideNotes is used by veterinary physiotherapy practitioners ("Users") to manage their practices, including records about their human clients ("Clients") and those Clients' animals ("Patients"). This creates two distinct roles under POPIA:
3.1 Flag Finder as Responsible Party
For personal information of Users (practitioners) — account details, billing information, usage data — Flag Finder is the responsible party. We determine why and how this information is processed, and this policy governs that processing directly.
3.2 Flag Finder as Operator
For personal information of Clients (pet owners) uploaded or entered into StrideNotes by a User — names, contact details, addresses, correspondence, and records associated with their animals — the User (or their practice) is the responsible party, and Flag Finder acts as an operator in terms of sections 20 and 21 of POPIA. In this role we:
- process Client personal information only on behalf of, and per the instructions of, the User;
- treat all such information as confidential;
- maintain the security safeguards described in section 9 below; and
- notify the User immediately where we reasonably believe Client personal information has been accessed or acquired by an unauthorised person.
Users are responsible for ensuring they have a lawful basis (such as consent or performance of a contract) to collect and process their Clients' personal information, and for responding to their Clients' data subject requests. We will assist Users in fulfilling those obligations where reasonably required.
Note on animal records: POPIA protects the personal information of natural and juristic persons. Animal medical records are not themselves personal information, but where they are linked to an identifiable owner they are stored and protected to the same standard as Client personal information.
4. Personal information we collect
4.1 From Users (practitioners)
- Identity and contact information: name, email address, phone number, practice name, SAVC registration number.
- Account credentials: login details (passwords are stored in hashed form only).
- Billing information: subscription plan, billing address, and payment records. Card details are captured and processed directly by our payment provider, Paystack — we do not store full card numbers.
- Content you create: SOAP notes, veterinary reports, templates, dictation recordings and transcriptions, and documents you upload.
- Technical and usage information: IP address, browser type, device information, log data, and in-app activity, collected for security, diagnostics, and service improvement.
- Communications: support requests and correspondence with us.
4.2 About Clients (entered by Users)
- Client name, contact details, and address;
- animal (Patient) details, medical documents, treatment records, and history;
- correspondence records, such as emailed SOAP notes and veterinary reports.
We collect this information only from the User; we do not collect information directly from Clients.
4.3 Voluntary or mandatory supply
Supplying personal information is voluntary. However, certain information (such as your name, email address, and payment details) is required to create an account and provide the Service — without it, we cannot register you as a User or process your subscription.
5. Purposes of processing
We process personal information to:
- create and administer User accounts and authenticate access;
- provide the core Service: client and patient record management, document storage, note-taking, dictation and AI-assisted transcription, and sending of SOAP notes and veterinary reports by email;
- process subscription payments and manage billing;
- provide customer support;
- secure the Service, prevent fraud and abuse, and maintain audit logs;
- improve and develop the Service, including analysing aggregated, de-identified usage data;
- comply with legal obligations; and
- send service communications, and (with consent or subject to section 69 of POPIA) direct marketing.
6. Lawful basis for processing
We process personal information in accordance with the conditions in Chapter 3 of POPIA. Processing is justified by one or more of the following (section 11): the data subject's consent; processing necessary to perform a contract (providing the Service to Users); compliance with a legal obligation; or our legitimate interests or those of the User, where these do not override the data subject's rights.
7. AI-assisted features (dictation and note generation)
StrideNotes offers dictation and AI-assisted note-generation features powered by third-party AI providers, currently Anthropic (Claude) and OpenAI.
- When a User uses these features, the relevant audio and/or text (which may include Client personal information and animal medical information) is transmitted to the AI provider's API for processing and returned to StrideNotes.
- These providers process data on servers located outside South Africa (primarily the United States) — see section 10 (cross-border transfers).
- Under our API agreements, these providers do not use data submitted via their APIs to train their models.
- AI features are initiated by the User; Users should ensure their Clients are informed that AI tools are used in the preparation of clinical notes.
AI-generated content is an aid, not a substitute for professional judgement. Users remain responsible for the accuracy of their clinical records.
8. Sharing and disclosure of personal information
We do not sell personal information. We share it only with:
8.1 Service providers (operators/sub-operators)
| Provider | Purpose | Location |
|---|---|---|
| Hetzner | Application hosting | Germany (EU) |
| Supabase | Database and file storage | EU (Paris, France) |
| Resend | Transactional email delivery (incl. SOAP notes and reports sent to Clients) | United States |
| Anthropic | AI dictation/note generation | United States |
| OpenAI | AI dictation/note generation | United States |
| Paystack | Payment processing | South Africa / Nigeria |
Each provider is bound by contractual terms requiring confidentiality and security safeguards consistent with POPIA.
8.2 Other disclosures
- Recipients designated by the User: e.g. Clients or referring veterinarians to whom a User sends reports.
- Legal requirements: where disclosure is required by law, court order, or a regulator with appropriate authority.
- Business transfers: if Flag Finder is involved in a merger, acquisition, or sale of assets, personal information may be transferred subject to this policy's protections, with notice to Users.
9. Security safeguards (section 19 of POPIA)
We implement appropriate, reasonable technical and organisational measures to protect personal information, including:
- encryption of data in transit (TLS/HTTPS) and at rest;
- password hashing and access controls with role-based permissions;
- logical separation of each practice's data;
- hosting with reputable providers maintaining recognised security certifications;
- regular backups and access logging; and
- confidentiality obligations on all personnel and service providers.
No system is perfectly secure. Users must keep their credentials confidential and notify us immediately of suspected unauthorised access.
Breach notification (section 22 of POPIA)
Where there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and affected data subjects (or, for Client data, the relevant User as responsible party) as soon as reasonably possible.
10. Cross-border transfers (section 72 of POPIA)
Some of our service providers store or process personal information outside South Africa:
- European Union (Germany): application hosting and database storage. The EU has data protection laws (GDPR) that provide an adequate level of protection substantially similar to POPIA.
- United States: email delivery and AI processing. These providers are bound by contractual data processing agreements imposing obligations substantially similar to POPIA's conditions for lawful processing.
By using StrideNotes, Users consent to these transfers, and warrant that they have obtained any necessary consent from, or given the necessary notice to, their Clients.
11. Retention and deletion
- We retain personal information only as long as necessary for the purposes above, or as required by law.
- User account data is retained for the life of the account and deleted or de-identified within a reasonable period after account closure, except where retention is required by law (e.g. tax and financial records, typically 5 years).
- Client and Patient records are retained under the control of the User. Users should consider their own record-keeping obligations, including SAVC rules and any applicable minimum retention periods for clinical records, before deleting records.
- On termination of a User's account, we will make practice data available for export for a reasonable period, after which it will be deleted from live systems and, in due course, from backups.
12. Your rights as a data subject (sections 23–25 of POPIA)
Data subjects have the right to:
- Access: request confirmation that we hold your personal information and a copy or description of it (also under the Promotion of Access to Information Act 2 of 2000 — "PAIA");
- Correction: request correction or updating of inaccurate, irrelevant, excessive, out-of-date, incomplete, or misleading information;
- Deletion: request destruction or deletion of personal information that we are no longer authorised to retain;
- Objection: object, on reasonable grounds, to processing based on legitimate interests;
- Withdraw consent: where processing is based on consent, withdraw it at any time (this does not affect prior lawful processing);
- Opt out of direct marketing: at any time, free of charge;
- Not be subject to automated decision-making that has legal consequences for you, within the meaning of section 71 of POPIA; and
- Complain to the Information Regulator (details in section 16).
To exercise these rights, contact the Information Officer (section 1). We will respond within a reasonable time and may need to verify your identity. Clients of practitioners should direct requests to their practitioner (the responsible party for their records); we will assist the practitioner in fulfilling the request. For information on requesting access to records under PAIA, see our PAIA Manual.
13. Direct marketing (section 69 of POPIA)
We will only send direct marketing by electronic communication to Users who have consented, or to existing customers in respect of similar services, and every message will include an opt-out. We do not use Client information for marketing.
14. Cookies and similar technologies
The Service uses cookies and similar technologies that are strictly necessary for authentication, security, and session management, and may use limited analytics to understand usage and improve the Service. You can control cookies through your browser settings, but disabling essential cookies will prevent the app from functioning.
15. Children
StrideNotes is a professional tool intended for use by registered practitioners aged 18 or older. We do not knowingly collect personal information from children. Where a User records a Client who is a minor, the User is responsible for ensuring competent consent (e.g. from a parent or guardian) as required by section 35 of POPIA.
16. The Information Regulator (South Africa)
If you believe we have processed your personal information unlawfully, you may lodge a complaint with the Information Regulator:
| Address | JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 |
|---|---|
| Postal | P.O. Box 31533, Braamfontein, Johannesburg, 2017 |
| Email (enquiries) | enquiries@inforegulator.org.za |
| Email (complaints) | POPIAComplaints@inforegulator.org.za |
| Website | https://inforegulator.org.za |
17. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the current version. Material changes will be notified to registered Users by email or prominent in-app notice before taking effect. Continued use of the Service after the effective date of changes constitutes acceptance.
18. Contact
Flag Finder (Pty) Ltd
Information Officer: Daniel Ponelat
Email: privacy@stridenotes.com
Website: https://stridenotes.co.za
PAIA Manual: Download PAIA Manual (PDF)