1. Introduction
DaktariHub ("we", "us", "our") is committed to protecting the privacy of our users and their patients. This Privacy Policy explains how we collect, use, store, and protect personal and medical data when you use the DaktariHub practice management platform ("Service").
This policy is designed to comply with the Kenya Data Protection Act, 2019 ("DPA") and the regulations issued by the Office of the Data Protection Commissioner of Kenya.
2. Data Controller
DaktariHub
Nairobi, Kenya
Email: [email protected]
3. Data We Collect
We collect the following categories of data:
| Category | Data Collected | Purpose |
|---|---|---|
| Account Data | Full name, email address, phone number, professional qualifications | Account registration, authentication, communication |
| Clinic Data | Clinic name, location, specialties, staff members | Practice setup and multi-staff access management |
| Patient Data | Patient names, ID numbers, dates of birth, phone numbers, medical records, clinical notes, prescriptions, lab results, triage data, appointment history | Electronic medical records and clinical care management |
| Billing Data | Invoices, receipts, payment amounts, M-Pesa transaction codes, insurance details | Payment processing and subscription management |
| Usage Data | Login timestamps, IP addresses, session data, audit logs of access to patient records | Security monitoring, access auditing, and service improvement |
4. How We Use Your Data
We use the data we collect to:
- Provide and operate the Service, including electronic medical records, billing, appointments, and procurement features.
- Authenticate users and enforce access controls (two-factor authentication, role-based permissions).
- Process subscription payments and manage billing cycles.
- Send transactional emails (account activation, OTP codes, password resets, billing notifications).
- Send SMS notifications related to your use of the Service (e.g., payment confirmations).
- Monitor for security threats and maintain audit logs of access to sensitive data.
- Improve the Service based on aggregated, anonymised usage patterns.
We do not use Patient Data for marketing, advertising, analytics, or any purpose other than providing the Service to you.
5. Legal Basis for Processing
Under the Kenya Data Protection Act, 2019, we process data on the following legal bases:
- Consent: You consent to our processing when you create an account and enter data into the Service.
- Performance of a contract: Processing is necessary to deliver the Service under your subscription agreement.
- Legitimate interest: Security monitoring, fraud prevention, and service improvement.
- Legal obligation: We may process data to comply with applicable laws and regulations.
6. Data Security
We implement industry-standard security measures to protect your data:
- Encryption at rest: All sensitive Patient Data (names, ID numbers, dates of birth, vitals, clinical notes, prescriptions, lab results) is encrypted before being stored. Even if the database were accessed directly, the data would be unreadable.
- Encryption in transit: All connections between your browser and DaktariHub are encrypted using HTTPS.
- Two-factor authentication: A one-time verification code is required on every login.
- Automatic session management: Sessions include screen lock after inactivity and automatic logout.
- Role-based access controls: Staff members can only access features appropriate to their role.
- Regular backups: Database backups are encrypted and stored in secure offsite cloud storage.
- Audit logging: Access to patient records is logged for security and accountability purposes.
7. Data Sharing & Third Parties
We do not sell, rent, or share Patient Data with any third party.
We use carefully selected third-party service providers solely to operate the Service in the following categories:
- Cloud hosting: Application and database hosting on secure, encrypted infrastructure.
- Email delivery: Transactional emails such as account activation, verification codes, and billing notifications. Only email addresses and message content are shared with the provider.
- SMS delivery: Transactional SMS notifications. Only phone numbers and message content are shared with the provider.
- Backup storage: Encrypted database backups stored in secure offsite cloud storage.
We require all third-party service providers to maintain appropriate data protection measures. We do not transfer data outside Kenya except where these service providers' infrastructure requires it, in which case appropriate safeguards are in place as required by the DPA.
8. Data Retention
- Active accounts: Your data is retained for as long as your account is active and your subscription is current.
- Suspended accounts: If your subscription lapses, your data is preserved in read-only mode. We do not delete data due to non-payment.
- Deleted accounts: If you request account deletion, we will permanently remove your data within a reasonable period, except where retention is required by law.
- Backups: Database backups are retained for a limited period and automatically purged thereafter.
- Audit logs: Access logs are retained for a limited period for security purposes.
9. Your Rights
Under the Kenya Data Protection Act, 2019, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data (subject to legal retention requirements).
- Data portability: Request your data in a commonly used, machine-readable format.
- Object to processing: Object to processing of your data for specific purposes.
- Withdraw consent: Withdraw your consent at any time (this does not affect the lawfulness of processing before withdrawal).
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
10. Patient Data & Your Obligations
As the healthcare provider, you are the data controller for Patient Data entered into the Service. DaktariHub acts as a data processor on your behalf. You are responsible for:
- Obtaining informed consent from patients before entering their data into the system.
- Ensuring the accuracy of Patient Data.
- Complying with all applicable healthcare regulations and the Kenya Data Protection Act.
- Responding to data subject access requests from your patients.
We will assist you in fulfilling your obligations by providing data export capabilities and responding to requests promptly.
11. Cookies & Tracking
DaktariHub uses only essential cookies required for the Service to function:
- Session cookie: Maintains your login session. Expires when you close the browser or after 12 hours.
- CSRF token: Protects against cross-site request forgery attacks.
We do not use advertising cookies, analytics trackers, or any third-party tracking scripts.
12. Children's Data
The Service may contain medical records of minor patients as part of normal healthcare practice. This data is entered by healthcare professionals and is subject to the same encryption, access controls, and privacy protections as all other Patient Data. The Service itself is not directed at children.
13. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify affected users via email within 72 hours of becoming aware of the breach.
- Notify the Office of the Data Protection Commissioner as required by the DPA.
- Provide details of the nature of the breach, the data affected, and the steps taken to mitigate it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date and notify registered users via email. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.
15. Complaints
If you have any concerns about how your data is handled, or believe your data protection rights have been violated, please contact us directly at [email protected]. We take all complaints seriously and will investigate and respond within 30 days.
16. Contact Us
For any questions about this Privacy Policy or your data, contact us:
- Email: [email protected]
- Address: Nairobi, Kenya