Privacy Policy

Last updated: 29 October 2025

Linen Management Solutions ("LMS") provides a software-as-a-service platform that helps healthcare providers manage linen operations across facilities and contractors. This Privacy Policy explains how we process personal information in connection with our services.

We comply with the Protection of Personal Information Act, 2013 (POPIA). Terms such as responsible party, operator, personal information, and data subject are used as defined in POPIA.

1) Who we are & how to contact us

Responsible Party: Linen Management Solutions (LMS)
Registered address: South Africa (address on request)
Information Officer: Jaco Schoeman
Email: info@linenmanagement.co.za
Phone: +27 71 854 0304
Website: www.linenmanagement.co.za

Note: LMS serves hospitals and clinics. Only staff users (e.g., managers, nurses, and operational staff) use the application. No patient data is processed in the service.

2) Personal information we process

Account information

We collect a username and password selected by the user. Passwords are stored using industry-standard hashing. Users may update credentials at any time.

Operational information

To operate the service, we process data about movement of linen items within a hospital/clinic (e.g., item counts, locations, timestamps) and related operational context necessary for inventory, loss prevention, and stock-taking functionality.

Incident images

Users may capture and store incident-related images. These are stored on LMS infrastructure in a secure AWS environment, following security best practices.

What we do not collect

  • No patient or special-category health data.
  • No telemetry/analytics (e.g., IP/device fingerprints) outside what is strictly necessary for session security.
  • No customer file uploads (no CSV/API bulk imports).

3) Purposes and lawful justification (POPIA s11)

We process personal information only as permitted under POPIA, including: consent where applicable; processing necessary to conclude or perform a contract with your organisation; compliance with legal obligations; and our legitimate interests in delivering and improving a secure, reliable service for healthcare operations.

Purpose | Lawful justification | Typical data
Account provisioning & authentication | Contract; legitimate interests; consent where required | Username, password (hashed)
Operating the platform (linen tracking, stock-taking, reporting) | Contract; legitimate interests | Operational movement data, timestamps, facility context
Security & fraud prevention | Legal obligation; legitimate interests | Session identifiers, audit events
Support & service communications | Contract; legitimate interests | User account details

4) Cookies and similar technologies

We use strictly necessary session cookies for secure login and to maintain authenticated sessions. We do not use analytics or marketing cookies.

5) Who we share information with

  • Infrastructure: Amazon Web Services (AWS) — Africa (Cape Town) region (af-south-1).
  • Operator: Nuvio Software (Pty) Ltd — secure, closed environment management and support.
  • We do not share information for advertising or sell personal information.

6) Storage location & international transfers

LMS stores and processes data in South Africa only, using AWS infrastructure located in the Africa (Cape Town) region (af-south-1). No international transfers occur under this policy.

7) Security

  • Encryption: TLS in transit; encryption at rest for storage and backups.
  • Access control: Role-based access with least-privilege, strong authentication and credential hygiene.
  • Audit & monitoring: Administrative activity logging and review.
  • Vulnerability management: Regular patching and remediation workflow.
  • Backups & DR: Secure backups retained for a limited window and tested recovery procedures.
  • Segregation & environment hardening: Network segmentation and configuration baselines.
  • Incident response: Defined triage, containment and notification processes.

8) Retention

We retain personal information only for as long as is necessary for the purposes set out in this policy, and as required by law or contractual obligations. Default periods (unless your organisation requests different settings):

  • Account credentials: for the life of the account; deleted upon deactivation.
  • Operational movement data: 24 months by default for reporting and trend analysis.
  • Incident images: 12 months by default, unless required longer for investigation.
  • Backups: rolling retention up to 35 days.

Upon contract termination, LMS will delete or return customer data within 30 days, subject to backup cycles and any legal holds.

9) Your rights under POPIA

You have rights to access, correction, deletion/destruction, and to object to certain processing, among others. To exercise your rights, contact us at info@linenmanagement.co.za. We aim to respond within 30 days and may need to verify your identity.

Complain to the Information Regulator

You may lodge a complaint under section 74 of POPIA with the Information Regulator.

10) Children

Our services are intended for professional use by adult staff at hospitals and clinics. We do not knowingly process information about minors.

11) Marketing

LMS does not send marketing emails or newsletters. We may send service or security notifications related to your account.

12) Changes to this policy

We may update this policy from time to time. Material changes will be communicated via the service or email.