Who we are
NICOLAI is a digital marketing consultancy for South African private healthcare practices, operated by Nic Malherbe.
- Trading name: NICOLAI
- Operator: Nic Malherbe
- Physical address: Cape Town, South Africa — full address available on request
NICOLAI is the responsible party as defined in POPIA in respect of the personal information described in this notice.
What information we collect
We only collect information we actually need to respond to enquiries, deliver our services, and meet our compliance obligations.
When you enquire or contact us
- Your name and surname
- Your practice or business name
- Your discipline and city
- Your website and Google Business Profile URLs, where provided
- Your WhatsApp number, mobile number, or email address — whichever you use to contact us
- The content of messages you send us
When you request a Practice Visibility Review
- Publicly available information about your practice — Google Business Profile, website content, social profiles, online reviews, directory listings
- Information you voluntarily share about how you currently handle patient enquiries online
When you become a client
- Billing details — entity name, VAT number where applicable, billing email
- Practice contact information needed to operate the agreed services
- Access credentials for platforms you ask us to manage on your behalf — for example Google Business Profile, Meta Business Suite, WhatsApp Business, or your website CMS
From this website
- Enquiry form submissions — name, email, practice name, message
- Analytics data — pages visited, session duration, device type, general location (city/country). See the Cookie Notice for detail.
- Data collected by third-party tools including Google Analytics (GA4), Meta Pixel, and any GoHighLevel tracking active on the site
What we do not collect. NICOLAI does not collect or process clinical patient records, medical history, identifiable patient health information, or any special personal information as defined in POPIA section 26. If your agreed scope requires us to interact with any patient-facing system, we operate strictly as your operator under a written operator agreement and process only what is necessary for the agreed purpose.
Why we collect it
We process your personal information for the following purposes, on the following lawful bases under POPIA section 11:
- To respond to your enquiry — consent and steps preceding the conclusion of a contract.
- To prepare and deliver a Practice Visibility Review — consent and our legitimate interest in assessing whether a working relationship is appropriate.
- To deliver the services you engage us to deliver — performance of a contract.
- To send service updates, reports, and invoices — performance of a contract.
- To improve this website and understand how it is used — our legitimate interest, balanced against your right to object.
- To meet our legal, accounting, and compliance obligations — compliance with an obligation imposed by law.
We do not use your information for direct marketing of unrelated products or services without your express prior consent.
How we use it
In practical terms, we use your information to:
- Reply to messages you send us via the enquiry form, WhatsApp, or email
- Compile your Practice Visibility Review and deliver the written report
- Prepare a written proposal and scope of services
- Set up and operate the platforms, accounts, and workflows in your agreed scope
- Produce monthly performance reports
- Issue invoices and manage billing
- Respond to questions and requests under POPIA
Who we share it with
We do not sell personal information. We share it only with carefully selected operators who help us deliver the services you have engaged us for, and only to the extent necessary.
- Communications: WhatsApp Business (Meta), email providers
- Website & forms: GoHighLevel (form submissions, tracking, CRM)
- Analytics: Google Analytics GA4, Meta Pixel
- Productivity & storage: Google Workspace
- Marketing platforms: where specifically in scope — Google Business Profile, Google Ads, Meta Business Suite, your website host
- Professional advisors: accountants and legal counsel, where strictly required
Each operator is bound by their own privacy terms and, where appropriate, a written agreement with NICOLAI requiring confidentiality and appropriate security safeguards.
We may also disclose personal information where we are required to do so by law, by a regulator, or by a court of competent jurisdiction.
How long we keep it
We do not keep personal information longer than we need to.
- Enquiries that do not become engagements — up to 24 months from last contact, then deleted or anonymised.
- Practice Visibility Review records — up to 24 months from delivery.
- Client engagement records — for the duration of the engagement plus five years, as required by South African tax and accounting law.
- Financial and invoicing records — five years, per the Tax Administration Act.
- Access credentials — rotated or revoked at the end of an engagement.
- Website analytics data — retained according to the default retention settings of each analytics provider, typically 14 months for GA4.
Where it is stored
Most of the platforms we use store data outside of South Africa, including in the United States and the European Union. We rely on the safeguards each platform offers under their own data protection commitments and, where applicable, the cross-border transfer provisions in POPIA section 72.
If you have questions about a specific platform, contact the Information Officer below.
Your POPIA rights
As a data subject under POPIA, you have the right to:
- Be notified that personal information is being collected, and that there has been a breach involving your information.
- Ask us to confirm what personal information we hold about you, and to provide a copy.
- Ask us to correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or unlawfully obtained.
- Object to the processing of your personal information on reasonable grounds.
- Withdraw consent at any time, where consent is the basis we rely on.
- Complain to the Information Regulator.
To exercise any of these rights, contact the Information Officer at [email protected]. We will respond within a reasonable period and, where the law requires it, within the timeframes set by POPIA.
How we keep it secure
We take reasonable technical and organisational measures to protect personal information against loss, damage, unauthorised access, and unauthorised disclosure. These include:
- Access controls and strong authentication on all systems we use
- Encryption in transit for client communication and stored credentials
- Two-factor authentication on critical accounts
- Minimum-necessary access — only the people who need access have it
- Written agreements with third-party processors who handle personal information on our behalf
No system is perfectly secure. If we become aware of a security compromise involving your personal information, we will notify you and the Information Regulator as required by POPIA.
Cookies and analytics
This site uses cookies, analytics tools, and third-party tracking technologies including Google Analytics (GA4), Meta Pixel, and GoHighLevel. See the Cookie Notice for the full list, what each technology does, and how to manage your preferences.
Children
NICOLAI’s services are directed at registered healthcare practitioners. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact the Information Officer and we will delete it promptly.
Changes to this notice
We may update this notice from time to time. Material changes will be reflected in the “Last updated” date at the top of the page. If a change materially affects how we use information we already hold about you, we will let you know directly where it is reasonable to do so.
Contact and complaints
If you have a question, a request, or a concern about how NICOLAI handles your personal information, contact the Information Officer first:
- Information Officer: Nic Malherbe
If you are not satisfied with our response, you may lodge a complaint with the Information Regulator of South Africa:
- Information Regulator: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001