Privacy Policy
Last updated: March 22, 2026
1. Introduction
Path Systems Inc. (“Path.systems”, “we”, “us”, or “our”) operates the path.systems cloud-based Laboratory Information System. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, website, and related services (collectively, the “Service”).
We are committed to protecting the privacy of our users, their patients, and all individuals whose data is processed through our platform. This policy is designed to comply with the Protection of Personal Information Act, 2013 (POPIA) of South Africa, the Health Insurance Portability and Accountability Act (HIPAA) of the United States, and other applicable data protection laws.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, phone number, organization name, and role within the organization. If you sign up through a single sign-on (SSO) provider, we receive the profile information made available by that provider.
2.2 Patient Health Information (PHI)
As a Laboratory Information System, our platform processes Protected Health Information on behalf of our customers (laboratories). This includes patient names, identification numbers (SA ID, passport), dates of birth, contact details, medical aid information, lab test orders, test results, clinical notes, referring doctor details, and billing records. We process this data solely as a data processor on behalf of the laboratory (the data controller).
2.3 Usage Data
We automatically collect information about how you interact with the Service, including IP addresses, browser type, device information, pages visited, features used, and timestamps. This data is used for security monitoring, performance optimization, and service improvement.
2.4 Integration Data
When you configure integrations (HL7, FHIR, webhooks, billing export), we store connection details such as endpoint URLs, IP addresses, port numbers, facility identifiers, and test code mappings. Credentials (API keys, certificates) are encrypted at rest.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Process laboratory orders, results, and billing on behalf of your organization
- Authenticate users and enforce access controls
- Facilitate integrations with instruments, reference laboratories, EMR systems, and billing software
- Send transactional communications (account verification, password resets, critical result notifications)
- Monitor for security threats, unauthorized access, and system anomalies
- Maintain audit logs as required by healthcare regulations
- Improve and optimize the Service based on aggregated, de-identified usage patterns
- Comply with legal obligations and respond to lawful requests
4. Legal Basis for Processing
We process personal information under the following legal bases:
- Contractual necessity — to perform our obligations under the service agreement with your organization
- Legal obligation — to comply with healthcare regulations, tax laws, and lawful requests from authorities
- Legitimate interest — to maintain security, prevent fraud, and improve the Service
- Consent — where required by applicable law, such as for marketing communications
5. Data Sharing and Disclosure
We do not sell, rent, or trade personal information. We may share data in the following circumstances:
- With your organization — patient data is accessible to authorized users within your organization according to role-based access controls
- Integration partners — when you configure integrations, data is transmitted to the connected systems (reference labs, EMR systems, billing software) as directed by your organization
- Infrastructure providers — we use SOC 2-certified cloud infrastructure providers who process data on our behalf under strict data processing agreements
- Legal requirements — we may disclose information when required by law, court order, or government regulation
- Business transfers — in the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction
6. Data Security
We implement industry-standard security measures to protect your data:
- AES-256-GCM encryption for data at rest, with per-organization encryption keys
- TLS 1.3 encryption for all data in transit
- Role-based access controls with multi-factor authentication support
- Immutable audit logging of all data access and modifications
- Automated daily backups with 30-day retention and point-in-time recovery
- Regular penetration testing and vulnerability scanning
- SOC 2 Type II annual certification
- Security incident response plan with 72-hour notification commitment
7. Data Retention
We retain personal information for as long as your account is active or as needed to provide the Service. Specific retention periods:
- Account data — retained for the duration of the subscription plus 90 days
- Patient health information — retained per your organization's data retention policy and applicable healthcare regulations
- Audit logs — retained for 7 years per healthcare regulatory requirements
- Usage data — retained for 24 months in identifiable form, then aggregated
- Integration logs — retained for 12 months
Upon account termination, data is retained for 90 days to allow for data export, then permanently deleted from all primary systems within 30 days. Backups containing deleted data are purged within the normal backup rotation cycle (30 days).
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access — request a copy of the personal information we hold about you
- Correction — request correction of inaccurate or incomplete data
- Deletion — request deletion of your personal data, subject to legal retention requirements
- Data portability — request your data in a structured, machine-readable format (JSON or PDF)
- Objection — object to processing based on legitimate interest
- Restriction — request restriction of processing in certain circumstances
For patient data rights requests, please contact the laboratory (data controller) that holds your records. Laboratories can facilitate these requests through the Path.systems platform.
To exercise your rights as a platform user, contact us at privacy@path.systems. We will respond within 30 days.
9. International Data Transfers
Our primary data center is located in South Africa. For customers in other regions, data may be stored in the EU or US at your organization's election. Where data is transferred internationally, we ensure appropriate safeguards are in place, including standard contractual clauses and adequacy assessments.
10. Cookies and Tracking
Our platform uses essential cookies for authentication and session management. We do not use third-party advertising or tracking cookies. Our marketing website may use anonymized analytics to understand traffic patterns.
11. Children's Privacy
The Service is designed for use by healthcare professionals and laboratory staff. We do not knowingly collect information from individuals under the age of 18 for account registration. Patient data for minors is processed on behalf of the laboratory as part of clinical care.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. The “Last updated” date at the top of this page indicates when the policy was last revised.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us:
Path Systems Inc.
Email: privacy@path.systems
Information Officer: compliance@path.systems
For POPIA-related enquiries, you may also contact the Information Regulator of South Africa at inforeg@justice.gov.za.