Privacy Policy
How AfyaX protects your personal data in compliance with the Kenya Data Protection Act, 2019
Policy Summary
AfyaX is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your personal information when you use our healthcare commerce platform. We comply with the Kenya Data Protection Act, 2019 and industry best practices for handling sensitive commercial and healthcare-related data.
Data We Collect
AfyaX collects only the information necessary to operate the healthcare commerce platform and meet regulatory requirements.
Business Information
- Business name and registration number
- KRA PIN
- Business address and location
- Business telephone and email
- Certificate of incorporation
Individual Information
- Contact person name and designation
- Personal email and phone number
- Professional license numbers
- Superintendent/practitioner details
- Account login credentials
Transaction Data
- Order history and details
- Payment records and wallet balances
- Invoice and settlement information
- Delivery addresses and confirmations
- Commission and fee records
Licensing Data
- PPB Facility Registration Number
- PPB License Number and status
- Professional practice licenses
- License validity periods
- Verification documents
Technical Data
- IP addresses and device information
- Browser type and version
- Platform interaction logs
- Session duration and activity
- Performance and error data
Data We DO NOT Collect
- Patient medical records
- Sensitive health information
- Full payment card details
- Biometric data
- Genetic data
Special Categories of Data
As a healthcare commerce platform, we may process certain special categories of data subject to additional protections:
| Data Category | How We Process | Safeguards |
|---|---|---|
| Professional License Numbers | Used for verification and compliance only | Encrypted storage, restricted access |
| Business Financial Records | Transaction processing and reconciliation | Segregated from personal data |
| Location Data | Delivery and fulfillment | Minimized to necessary detail |
| Regulatory Compliance Data | PPB verification and audit trails | Timestamped, immutable logs |
How We Collect Data
Direct Registration
Information you provide when creating an account, applying as a buyer or seller, or completing your profile.
Transaction Activity
Data generated through orders, payments, and platform interactions.
Verification Documents
Documents uploaded for PPB license verification and compliance checks.
Support Communications
Information shared when contacting our support team or customer service.
Purpose of Processing
| Purpose | Data Categories Used | Legal Basis |
|---|---|---|
| Account Management | Business information, contact details | Contract performance |
| Transaction Processing | Financial data, order details | Contract performance |
| Regulatory Compliance | Licensing data, verification documents | Legal obligation |
| Fraud Prevention | Technical data, transaction patterns | Legitimate interest |
| Platform Improvement | Usage analytics, performance data | Legitimate interest |
| Dispute Resolution | All relevant transaction data | Legal obligation |
Legal Basis for Processing
Under the Kenya Data Protection Act, 2019, we process your data based on the following legal grounds:
Contract Performance
Processing necessary to fulfill our contractual obligations to you, including account management, order processing, and payments.
Legal Obligation
Processing required to comply with legal and regulatory requirements, including PPB verification, tax reporting, and audit trails.
Legitimate Interests
Processing for fraud prevention, platform security, and business improvement where our interests do not override your rights.
Consent
Where required, we will ask for your consent for specific processing activities. You may withdraw consent at any time.
Data Sharing & Disclosure
AfyaX shares your data only in limited circumstances and with appropriate safeguards:
Transaction Counterparties
Buyers and sellers see the information necessary to complete transactions: business name, contact details, order information, and delivery addresses.
Regulatory Authorities
When required by law, we may share data with PPB, KRA, or other regulatory bodies for compliance and oversight purposes.
Service Providers
Payment processors, logistics partners, and cloud infrastructure providers (under strict data processing agreements).
Legal Requirements
To comply with court orders, legal obligations, or to protect the rights and safety of AfyaX and its users.
Data Storage & Security
Encryption
TLS 1.3 for data in transit, AES-256 for data at rest
Access Controls
Strict role-based permissions and multi-factor authentication
Audit Logging
All access to sensitive data is logged and monitored
Security Certifications & Compliance
Data Retention
We retain your data only as long as necessary for the purposes for which it was collected:
| Data Type | Retention Period | Rationale |
|---|---|---|
| Account Information | Active account + 5 years | Business continuity |
| Transaction Records | 7 years | Regulatory requirement (KRA, PPB) |
| Verification Documents | 5 years after license expiry | Compliance and audit trails |
| Audit Logs | 7 years | Legal and security requirements |
| Support Communications | 3 years | Service improvement |
| Anonymized Analytics | Indefinite | Business intelligence (anonymized) |
Upon expiration of the retention period, data is securely deleted or anonymized.
Your Rights
Under the Kenya Data Protection Act, 2019, you have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate information
- Right to Erasure: Request deletion (subject to legal retention)
- Right to Restriction: Limit processing in certain circumstances
- Right to Portability: Receive data in structured format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time
- Right to Lodge Complaint: Complain to the Office of the Data Protection Commissioner
Exercise Your Rights
To exercise any of these rights, please contact our Data Protection Officer:
dpo@afyax.health
+254 700 123456
Data Protection Officer
AfyaX, Nairobi, Kenya
We will respond to your request within 30 days as required by law.
Cookies & Tracking Technologies
AfyaX uses cookies and similar technologies to enhance your experience, analyze platform usage, and maintain security.
Essential Cookies
Required for platform functionality, authentication, and security. Always active.
Functional Cookies
Remember your preferences and settings. Optional.
Analytics Cookies
Help us understand how visitors use the platform. Optional.
You can manage cookie preferences through your browser settings. Disabling essential cookies may affect platform functionality.
Children's Privacy
AfyaX is a B2B healthcare commerce platform and is not intended for use by children. We do not knowingly collect personal data from individuals under the age of 18. If you become aware that a child has provided us with personal information, please contact us immediately.
Contact Information
For privacy-related inquiries, data subject requests, or questions about this policy:
AfyaX
Nairobi, Kenya
Office of the Data Protection Commissioner
If you are not satisfied with our response, you have the right to lodge a complaint with the ODPC:
www.odpc.go.ke
Policy Updates
This Privacy Policy may be updated periodically to reflect changes in our practices or legal requirements. The "Last Updated" date at the top of this page indicates when the policy was last revised. Continued use of the Platform after any changes constitutes acceptance of the updated policy.