Privacy Policy
Effective date: 5 July 2026
Report Buddy ("we", "us", "our") is a report-writing tool for neuropsychologists, operated from South Africa and available at report-buddy.com. This policy explains what personal information we collect, how we use it, and the choices you have. It is written to comply with the Protection of Personal Information Act, 2013 (POPIA). Where users or data subjects are located in the European Union, we also aim to meet the requirements of the General Data Protection Regulation (GDPR).
1. Our two roles
We handle personal information in two distinct capacities, and your rights differ depending on which category applies:
- Your account information. For information about you as a user (your name, email address, and usage of the service), we are the responsible party (POPIA) or controller (GDPR).
- Patient assessment data you enter. For information about your patients, you (or your practice) are the responsible party or controller, and we act only as an operator (POPIA) or processor (GDPR) on your instructions. Our processing of this data is governed by the data processing terms in our Terms of Service.
2. Information we collect
Account information. When you sign up we collect your name and email address through our authentication provider, Clerk. If you sign in with a third-party account (such as Google), we receive the profile details that provider shares. We also record the country you connect from (derived from your IP address by our hosting provider) as part of your account profile.
Patient assessment data. When you create a report you enter a patient reference, age, gender, dominant hand, and assessment results, and the service generates report text from those inputs. You must not enter information that directly identifies a patient, such as a real name, identity number, or contact details. The patient reference should be a pseudonym or initials that only you can link to the patient.
Usage information. We record events about how the service is used (for example when a report is generated) together with your user ID and a timestamp. We use this for billing and to improve the product.
Technical information. We collect anonymous, cookieless page analytics through Vercel Analytics, and error and performance data through Sentry. Sentry is configured not to receive IP addresses, cookies, or request contents, and its session replays mask all on-screen text before anything leaves your browser.
3. How we use information
- To provide the service, including generating report content.
- To bill you: your first three reports are free, after which we invoice you at the end of each month for the reports you generated in that month.
- To respond to support requests.
- To monitor errors, keep the service secure, and improve it.
Where the GDPR applies, our legal bases are the performance of our contract with you and our legitimate interest in securing and improving the service. We do not sell personal information and we do not use patient assessment data for advertising or to train third-party AI models.
4. Service providers (sub-processors)
We rely on the following providers to run the service. Each processes data on our behalf under a data processing agreement:
- Convex (United States): database hosting, including patient assessment data and generated reports.
- Clerk (United States): authentication and account management.
- Vercel (United States): application hosting and anonymous analytics.
- Sentry (United States): error and performance monitoring.
5. Cross-border transfers
The providers above store data in the United States. This means personal information is transferred outside South Africa (and, where applicable, outside the European Union). We only use providers that commit to appropriate safeguards, such as data processing agreements and standard contractual clauses, as permitted by section 72 of POPIA and Chapter V of the GDPR.
6. Retention and deletion
We keep your account information for as long as your account is active. Reports and the assessment data in them remain available to you until you delete them or ask us to delete your account. To delete your account and its data, email us at robyn.truter@gmail.com and we will complete the deletion within 30 days, except for records we must keep for legal or billing purposes.
7. Your rights
Under POPIA (and the GDPR, where it applies) you may ask us to access, correct, or delete the personal information we hold about you, or object to our processing of it. Contact us at robyn.truter@gmail.com and we will respond within a reasonable time. If you are not satisfied with our response, you may lodge a complaint with the Information Regulator of South Africa (inforeg.org.za) or, in the EU, with your local supervisory authority.
Requests from patients about assessment data should be directed to the clinician who created the report, since only they can identify the patient behind a reference. We will assist our users in fulfilling such requests.
8. Cookies
We only use cookies that are strictly necessary to keep you signed in (set by Clerk). We do not use advertising or tracking cookies. Our analytics (Vercel Analytics) works without cookies and does not identify individual visitors.
9. Security
All data is encrypted in transit. Access to production data is limited to those who need it to operate the service. If a data breach occurs that affects your personal information, we will notify you and the relevant regulator as required by POPIA section 22 and, where applicable, GDPR Articles 33 and 34.
10. Children
The service is intended for practicing healthcare professionals and is not directed at children. Assessment data about minors may be entered by clinicians in the course of their practice; the clinician remains responsible for the lawful basis of that processing.
11. Changes to this policy
We may update this policy from time to time. If we make material changes we will notify you by email or through the service before the changes take effect. The effective date at the top of this page shows when it was last revised.
12. Contact
Questions about this policy or our handling of personal information can be sent to robyn.truter@gmail.com.