Privacy Policy

This Privacy Policy explains how ("we," "us," or "our") collects, uses, and protects your personal information when you use our [App Name] platform (the "Platform").

In compliance with the Kenya Data Protection Act (DPA), 2019, we are the Data Controller for the personal data we process.

Contact Us (Data Protection Officer):
Email: [email protected]

We collect data to provide and improve our service. This data is divided into two categories:

A. Personal Data

• Identity Data: Name, date of birth, National ID number.
• Contact Data: Email address, phone number, physical address.
• Financial Data: Payment card details (processed by our secure payment provider), health insurance information.
• Technical Data: IP address, device ID, app usage data.

B. CRITICAL: Sensitive Personal Data

Given the nature of our service, we must collect "Sensitive Personal Data" as defined by the DPA, 2019. We treat this data with the highest level of care.

• Health Data: Medical history, symptoms, diagnoses, e-prescriptions, test results, and medications.
• Biometric Data: Biometric identifiers if used for authentication.
• Family Details: Information about your dependents (e.g., children) if you add them to your account for healthcare services.

We will never process this sensitive data without your explicit consent or as is strictly necessary for providing medical treatment or fulfilling a legal obligation.

We only use your data when the law allows us to. Our legal bases for processing are:

• Performance of a Contract: To create your account, fulfill your pharmacy orders, and provide customer support.
• Explicit Consent: For collecting and processing your Sensitive Personal Data for healthcare purposes. You may withdraw this consent at any time.
• Legal Obligation: To comply with mandatory Kenyan laws (see Section 4).
• Legitimate Interests: To improve our app, prevent fraud, and secure our systems.

We do not sell your personal data. We only share it in the following limited circumstances:

• Partner Pharmacies & Providers: To fulfill your e-prescription or medical consultation.
• Payment Processors: To securely process your payments.
• MANDATORY: Government & Regulatory Bodies: We are required by Kenyan law to share specific data with government agencies. This includes:
  • Kenya Revenue Authority (KRA): Transaction and invoice data for mandatory eTIMS compliance.
  • Social Health Authority (SHA): Registration and claims data to process your health insurance.
  • Pharmacy and Poisons Board (PPB): For regulatory audits and prescription validation as required.

To provide our service, your data may be stored on secure cloud servers located outside of Kenya (e.g., in Europe or the United States).

When we do this, we ensure your data is protected by adequate data protection safeguards as required by the DPA, 2019. This includes using Standard Contractual Clauses or ensuring the provider is in a country with adequate data protection laws.

We retain your data only for as long as necessary.

MANDATE: Health Records: In accordance with the Kenya Digital Health Act, 2023, your personal health information and medical records will be retained for a mandatory period of 20 years.

Other data (e.g., technical logs) will be retained for a shorter period as necessary.

Under the Kenya DPA, you have the following rights over your personal data. You can exercise these rights at any time by contacting us at [email protected].

• The Right to be Informed: (This policy is part of that right).
• The Right to Access: Request a copy of the data we hold about you.
• The Right to Correction: Ask us to rectify inaccurate or incomplete data.
• The Right to Erasure: Request deletion of your data (Note: this is limited by our legal obligation to retain health records, see Section 6).
• The Right to Object to Processing: Object to our processing for marketing or other reasons.
• The Right to Data Portability: Request your data in a structured, machine-readable format.
• The Right to Withdraw Consent: Withdraw your consent for processing sensitive data at any time.

We uphold all rights under the Kenya National Patients' Rights Charter, 2013, including your absolute right to confidentiality and informed consent.

We are committed to resolving your privacy concerns. Please contact our DPO first. If you are unsatisfied, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC).