Data Protection Policy
Introduction
AfyaApex Tech Solutions Ltd (“Apex Tech Solutions”, “we”, “our” or “us”) is committed to protecting the privacy and security of all personal data processed in the course of our operations. This Data Protection Policy outlines our practices for collecting, processing, storing, and safeguarding personal data in accordance with the Data Protection Act, 2019 of Kenya. We aim to ensure transparency, uphold your data protection rights, and maintain high standards of information security.
Scope and Applicability
This Policy applies to all personal data processed by Apex Tech Solutions, whether collected online via our website, mobile applications, or through other channels. It covers data relating to our Subscribers (healthcare facilities), their staff, and Patients, as well as any other individuals whose personal data we may process in connection with our Services.
Data Protection Principles
In line with the Data Protection Act of Kenya, we adhere to the following key principles:
Lawfulness, Fairness, and Transparency: We process personal data in a manner that is lawful, fair, and transparent to the data subject.
Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner that is incompatible with those purposes.
Data Minimization: We collect only the personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
Accuracy: We take reasonable steps to ensure that the personal data we process is accurate, complete, and up to date.
Storage Limitation: Personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed.
Integrity and Confidentiality: We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures.
Accountability: We are responsible for, and must be able to demonstrate, compliance with these principles.
Lawful Bases for Processing
Under the Data Protection Act of Kenya, Apex Tech Solutions processes personal data only where there is a lawful basis. These may include:
Consent: Where the individual has provided explicit consent for one or more specific purposes.
Contractual Necessity: Where processing is necessary for the performance of a contract to which the data subject is a party.
Legal Obligation: Where processing is necessary to comply with a legal obligation.
Legitimate Interests: Where processing is necessary for our legitimate interests, provided these interests are not overridden by the rights and freedoms of the data subject.
Rights of Data Subjects
Data subjects have the following rights under the Data Protection Act of Kenya:
Right to be Informed: Individuals have the right to be informed about the collection and use of their personal data.
Right of Access: Individuals can request access to their personal data and obtain information about how it is processed.
Right to Rectification: Individuals have the right to have inaccurate personal data corrected or completed if it is incomplete.
Right to Erasure: In certain circumstances, individuals have the right to request that their personal data be deleted.
Right to Restrict Processing: Individuals have the right to request that the processing of their personal data be restricted.
Right to Data Portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format.
Right to Object: Individuals have the right to object to the processing of their personal data on grounds relating to their particular situation.
Rights in Relation to Automated Decision-Making: Individuals have rights regarding decisions based solely on automated processing.
Data Collection and Use
Personal Data Collected
We may collect the following types of personal data:
Contact Information: Names, email addresses, phone numbers, and addresses.
Identification Data: Identification numbers, authentication credentials, and other account-related information.
Healthcare Data: Patient records, treatment histories, billing information, and related clinical data.
Usage Data: Information about how users interact with our Services, including device details, IP addresses, and log data.
Payment Information: Transaction details processed through our secure payment systems.
Purpose of Processing
The personal data we collect is used for the following purposes:
Providing and maintaining our Services.
Managing subscriptions, billing, and payments.
Facilitating patient management, appointment scheduling, and clinical record keeping.
Enhancing and personalizing the user experience.
Conducting data analysis, research, and system improvements.
Complying with legal, regulatory, and contractual obligations.
Communicating with data subjects regarding updates, support, and marketing (subject to consent where applicable).
Data Sharing and Transfers
Sharing with Service Providers
We share personal data with trusted third-party service providers who help us operate our platform. These providers are bound by contractual obligations to protect your data and process it only for the purposes we specify.
Sharing in Legal and Corporate Situations
In certain circumstances, we may need to share personal data:
Legal Disclosures: To comply with legal obligations, respond to subpoenas, or enforce our legal rights.
Corporate Transactions: In the event of a merger, acquisition, or sale of assets, where personal data may be transferred to a third party, with appropriate safeguards in place.
International Data Transfers
Your personal data may be transferred to and processed in countries outside Kenya, including jurisdictions with data protection laws that may differ from those in Kenya. We ensure that such transfers are made with appropriate safeguards, such as standard contractual clauses or other legal mechanisms approved by relevant authorities.
Data Security Measures
We take the security of your personal data seriously and have implemented appropriate technical and organizational measures to safeguard your information.
These measures include:
Encryption: Secure data transmission via SSL/TLS and encryption at rest.
Access Controls: Strict access protocols to ensure that only authorized personnel can access personal data.
Regular Audits: Routine security audits and risk assessments to identify and mitigate potential vulnerabilities.
Incident Response: Procedures to detect, report, and manage data breaches in a timely and effective manner.
Employee Training: Ongoing training for staff and contractors on data protection best practices and legal obligations.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Specific retention periods may vary based on the type of data and the applicable legal or regulatory requirements. After the retention period expires, personal data will be securely deleted or anonymized.
Your Responsibilities
While we take extensive measures to protect your personal data, you also play a crucial role. We encourage you to:
Use strong, unique passwords for your accounts.
Keep your account credentials confidential.
Notify us immediately of any suspected unauthorized access or security breaches.
Updates to This Policy
We may update this Data Protection Policy periodically to reflect changes in our practices, legal requirements, or technology. Any material changes will be communicated via our website and, where appropriate, by email. Your continued use of our Services after such updates constitutes your acceptance of the revised policy.
Contact Us
If you have any questions, concerns, or requests regarding this Data Protection Policy or our data practices, please contact us at:
APEX TECH SOLUTIONS LTD
Email: info@apextechsolutions.co.ke
Phone: +254 748 70 70 94
Website: www.afyadynamics.com
By using our Services, you acknowledge that you have read, understood, and agree to this Data Protection Policy. We are dedicated to protecting your personal data and ensuring compliance with the Data Protection Act of Kenya. If you have any concerns or questions about our data protection practices, please do not hesitate to get in touch.
