Data Protection & Privacy Policy

Introduction

CARESPHERE WELLNESS ("we," "our," "us") is a Nairobi-based health advisory and care coordination firm. We are committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, services, or interact with us.

We operate in strict compliance with the Kenya Data Protection Act (DPA) No. 24 of 2019, the General Data Protection Regulation (GDPR) (EU) 2016/679, and align our practices with HIPAA (Health Insurance Portability and Accountability Act) standards for protected health information.

Information We Collect

We collect several types of information to provide and improve our health governance services:

Personal Identification Information

• Identity Data: Full name, date of birth, gender, government-issued ID numbers (where required for medical referrals).
• Contact Data: Email addresses, phone numbers, residential address, and emergency contact details.
• Health Data: Medical history, health risk assessments, diagnostic results, treatment plans, medication lists, and care coordination records (collected with explicit consent).
• Financial Data: Payment information, insurance details, billing addresses (processed securely via third-party payment gateways).
• Technical Data: IP address, browser type, device information, and website usage analytics (via cookies).

Sensitive health data is only collected when necessary for providing health governance services and always with your explicit, informed consent.

How We Use Your Information

• To provide executive health risk assessments and personalized health reports.
• To coordinate care across healthcare providers, including appointment scheduling, referrals, and follow-ups.
• To communicate with you regarding consultations, health updates, and wellness insights.
• To process payments, insurance claims, and manage billing.
• To improve our website, services, and user experience through analytics.
• To comply with legal obligations, regulatory requirements, and professional standards (KMPDC).

Legal Basis for Processing (GDPR & DPA Compliance)

Under the Kenya Data Protection Act and GDPR, we process your personal data based on one or more of the following legal grounds:

• Consent: You have given explicit consent for processing your health data (e.g., for health risk assessments).
• Contractual Necessity: Processing is necessary for the performance of a service agreement or pre-contractual steps.
• Legal Obligation: Compliance with Kenyan healthcare regulations (KMPDC, Ministry of Health).
• Legitimate Interests: For administrative, security, and quality improvement purposes that do not override your fundamental rights.
• Vital Interests: Where processing is necessary to protect someone's life or health (emergency situations).

Data Sharing & Disclosure

We do not sell your personal data. We may share information only in the following circumstances:

• Healthcare Providers: With your consent, we share relevant health information with hospitals, laboratories, specialists, and other healthcare professionals involved in your care coordination.
• Insurance Partners: For claim processing and insurance navigation (with your authorization).
• Service Providers: Third-party vendors who assist with IT, payment processing, data storage, and analytics (under strict confidentiality agreements).
• Legal Compliance: When required by Kenyan law, court order, or regulatory authority (KMPDC, ODPC).
• Emergency Situations: To protect vital interests in medical emergencies.

Data Security

We implement robust technical and organizational measures to protect your data:

• Encryption: All data transmitted between your browser and our servers uses TLS 1.3 encryption.
• Secure Storage: Personal and health data stored in encrypted databases with access controls.
• Access Control: Role-based access — only authorized clinical and administrative personnel can access sensitive data.
• Regular Audits: Quarterly security assessments and compliance audits.
• Breach Notification: We maintain incident response protocols and will notify affected individuals and the Office of the Data Protection Commissioner (ODPC) within 72 hours of a confirmed breach.

Your Privacy Rights

Under the Kenya Data Protection Act and GDPR, you have the following rights regarding your personal data:

• Right to Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Correct inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data, subject to legal retention requirements.
• Right to Restrict Processing: Limit how we use your data in certain circumstances.
• Right to Data Portability: Receive your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or direct marketing.
• Right to Withdraw Consent: Withdraw previously given consent at any time.
• Right to Lodge a Complaint: File a complaint with the Office of the Data Protection Commissioner (ODPC) if you believe your rights have been violated.

To exercise any of these rights, contact our Data Protection Officer at dpo@carespherewellness.co.ke or call +254 712 155 510.

Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy, or as required by Kenyan healthcare regulations:

• Health Records: Retained for a minimum of 10 years following the last interaction, in compliance with KMPDC medical records retention guidelines.
• Financial Records: Retained for 7 years to comply with tax and auditing requirements.
• Website Analytics: Retained for 26 months (anonymized).
• Marketing Data: Retained until you unsubscribe or withdraw consent.

After retention periods expire, data is securely deleted or anonymized.

Cookies & Tracking Technologies

Our website uses cookies to enhance user experience, analyze traffic, and personalize content. We use:

• Essential Cookies: Required for basic website functionality (cart, navigation).
• Analytics Cookies: Google Analytics to understand user behavior (anonymized IP addresses).
• Preference Cookies: Remember your settings and preferences.

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect website functionality.

Children's Privacy

Our services are directed to adults aged 18 and above. We do not knowingly collect personal information from children under 18. If we discover that a child under 18 has provided us with personal data, we will delete it immediately. For children's health services (with parental consent), data is handled under strict parental oversight.

International Data Transfers

CARESPHERE WELLNESS operates primarily in Kenya. However, we may transfer data to countries with equivalent data protection standards (e.g., EU under GDPR adequacy decisions) or under strict contractual safeguards (Standard Contractual Clauses). Any international transfers comply with Kenya DPA Section 48 and GDPR Chapter V requirements.

Contact Us

If you have questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact us:

• CARESPHERE WELLNESS - Data Protection Office
• Westlands, Chiromo Lane, Medical Suites, 3rd Floor, Nairobi, Kenya
• +254 712 155 510
• dpo@carespherewellness.co.ke (Data Protection Officer)
• Carespherewellness@gmail.com (General Inquiries)

Office of the Data Protection Commissioner (ODPC) - Kenya:
For unresolved complaints, you have the right to lodge a complaint with the ODPC at www.odpc.go.ke or P.O. Box 3097 - 00100, Nairobi, Kenya.