Who we are
This Privacy Policy explains how QarePlus Limited (“Qare+”, “we”, “our” or “us”) collects, uses, discloses and protects personal data when you use the Qare+ mobile and web platform (the “App”) available at https://qareplus.com and the Qare+ mobile applications on Android and iOS. This Policy applies to both users/patients (people who request consultations) and practitioners (licensed doctors, hospitals and healthcare professionals who provide services via the App).
For the purposes of the Data Protection Act, 2019 (Kenya), QarePlus is the Data Controller in respect of personal data processed through the App.
Contact:
QarePlus Limited
Email: [email protected]
1. Scope and Legal Framework
This Policy is made pursuant to the Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021 and sets out how we comply with the principles of lawful, fair and transparent processing of personal data. Where applicable, we adopt practices consistent with international data protection norms.
2. What personal data we collect
We may collect and process the following categories of personal data depending on the services you use and your role on the platform:
a. Identity & Contact Data
- Full name, username, email address, phone number, profile photo/identification photo.
b. Account & Authentication Data
- Login credentials (email/password) and identity provider data (Google, Apple ID token metadata), device ID.
c. Location Data
- Approximate location or GPS coordinates, where you consent to share location for triage and matching to nearby practitioners.
d. Health & Clinical Data (Special Category)
- Health-related information you provide (e.g., symptoms, medical history, medical reports, prescriptions, diagnostic images, lab results). Note: health data are sensitive and treated with heightened protections.
e. Payment & Transaction Data
- Payment details and transactional records (payment provider reference, transaction amounts). We do not store full card numbers; card processing is performed by third-party PSPs.
f. Usage, Diagnostics & Analytics
- Anonymous usage metrics, performance data, crash reports and technical logs collected via analytics or monitoring tools (Google Analytics, Firebase, Sentry, Microsoft Clarity etc.).
g. User-Generated Content
- Photos, identification photos, uploaded medical reports, consultation notes and messages exchanged through the App.
3. Sources of personal data
Most personal data is provided directly by you (users or practitioners). We may also obtain data from:
- Third-party identity providers (Google, Apple) when you use their sign-in services.
- Payment service providers (M-Pesa, card processors) for transaction confirmation.
- Analytics and monitoring services (Google Analytics, Firebase, Sentry, Microsoft Clarity).
- Practitioners, where they upload clinical notes, reports, or prescriptions.
4. Purposes of processing & lawful bases
We will process your personal data only where we have a lawful basis to do so. Typical purposes and lawful bases include:
- Provision of the App & services: to connect patients with practitioners, provide triage, consultations, prescriptions and referrals (performance of a contract / legitimate interest).
- Health care delivery / clinical reasons: to provide appropriate medical care and record keeping (vital interest / explicit consent / performance of contract). Because this includes health data, we will obtain explicit consent and apply stricter safeguards.
- Payments and billing: to process payments, refunds and maintain financial records (performance of a contract / legal obligation).
- Customer support & dispute resolution: to investigate and resolve complaints or disputes (legitimate interest / performance of a contract).
- Security, fraud prevention & auditing: to protect users and the App (legitimate interest).
- Analytics & product improvement: to analyze anonymized usage patterns and improve the App (legitimate interest; where profiling affects rights, we will seek consent, if required).
- Legal & regulatory compliance: to comply with applicable laws, tax, regulatory and public health obligations (legal obligation).
We will distinguish and document the legal basis for each processing activity in our internal Record of Processing Activities (RoPA).
5. Consent — how we obtain and record it
- Account and registration: by creating an account or signing in (email/password, Google, Apple) you expressly accept the Terms & Conditions and this Privacy Policy where required via a clickwrap. Clickwrap (explicit acceptance) is used as the primary method of consent collection.
- Health data & sensitive processing: we will obtain explicit and informed consent before processing health (special category) data, and we will log and store the consent record (who consented, time, scope and version of policy).
- Marketing communications: we will obtain separate opt-in consent for marketing messages and allow users to withdraw consent easily.
- Withdrawal: you may withdraw consent at any time; withdrawal does not affect processing already lawfully completed prior to withdrawal. We will provide a clear in-app means and email route ([email protected]).
6. Sharing and disclosure of personal data
We will not sell your personal data. We may share your personal data as follows:
- With practitioners and hospitals on the platform to enable consultations, triage and referrals. Practitioners receive the relevant clinical and contact data needed to provide care.
- Third-party processors: payment processors (M-Pesa, card PSPs), hosting providers, analytics and monitoring providers (Google Analytics, Firebase, Sentry, Microsoft Clarity) and support providers. Where we use processors, we use written data processing agreements requiring appropriate security and limited use.
- Legal or regulatory bodies: where required by law, court order, public health obligations or to protect the rights of others.
- Business transfers: in the event of a corporate sale, merger or reorganisation, personal data may be transferred subject to standard confidentiality and legal protections.
When we share data with third parties or international recipients, we ensure appropriate safeguards are in place (see Clause 9 below).
7. Joint ownership / User-generated content
- User-generated clinical content: medical reports or photos uploaded by users and practitioners are co-owned in the sense that the user/practitioner retains rights in their clinical data while Qare+ may store and process such data to provide the service and for legitimate operational needs. Any use beyond service provision (e.g., analytics, research or marketing) will require explicit consent or de-identification.
- Trademarks, software and platform materials: Qare+ retains ownership of trademarks, branding, design and software code.
8. Cross-border transfers
Your data is stored and processed on servers located in the United States of America. The transfer and processing of personal data outside Kenya will be on one of the legally permitted bases under the Data Protection Act, 2019, including:
- Appropriate safeguards (standard contractual clauses, binding corporate rules, or equivalent safeguards); or
- Explicit consent from the data subject for the transfer (where required); or
- Other lawful bases under the Act in narrowly defined circumstances.
We maintain contractual and technical safeguards and will provide data subjects with information about the safeguards used on request. If you have concerns about cross-border storage you may request localised hosting or deletion.
9. Security and retention
a. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration or disclosure. Measures include (but are not limited to): encryption of data in transit, access controls, logging and monitoring, regular security testing, vulnerability scanning, use of secure hosting and secure coding practices. However, no system is perfectly secure; in the event of a data breach we will notify the Office of the Data Protection Commissioner and affected data subjects in accordance with the Act and Regulations.
b. Retention
We retain data only for as long as necessary to fulfil the purpose for which it was collected, to comply with legal obligations or to resolve disputes. Typical retention periods:
- Account information & contact data: retained while account is active and for up to seven (7) years after account closure. This allows us to comply with legal, tax, and anti-fraud obligations, resolve disputes, and enforce our agreements. Where records are no longer required, they are securely deleted or anonymised.
- Health records & clinical notes: retained for a minimum of seven (7) years from the date of last entry or treatment, in line with professional and medical record obligations and relevant medical practice guidelines.
- Transactional/payment records: retained for at least seven (7) years from the end of the financial year in which the transaction occurred in accordance with tax and financial record requirements.
- Analytics and logs: retained in aggregated or anonymized form; raw logs are held for a limited technical retention window of a maximum of two (2) years, unless needed longer for security or legal reasons.
We will delete or anonymize data once retention periods expire, unless legal obligations require continued storage.
10. Data subject rights & how to exercise them
Under the Data Protection Act you have rights including:
- Right of access: obtain a copy of the personal data we hold about you.
- Right to rectification: correct inaccurate or incomplete data.
- Right to erasure (right to be forgotten): request deletion of data in certain circumstances.
- Right to restriction of processing: request limitation of processing in specific cases.
- Right to data portability: receive your data in a structured, machine-readable format or have it transferred to another controller where technically feasible.
- Right to object: object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent: where processing relies on consent.
To exercise any right, contact us at [email protected] with the subject line “Data Subject Rights Request”. We will respond within timescales required by law and may ask for proof of identity to verify requests. If you are not satisfied with our response, you can lodge a complaint with the Office of the Data Protection Commissioner (see Clause 12).
11. Data breach notification
If we become aware of a notifiable personal data breach, we will notify the Office of the Data Protection Commissioner within the statutory timeline and, where required, notify affected data subjects without undue delay, providing details of the breach, likely impact and remedial measures.
12. Complaints and supervisory authority
If you believe we have not complied with this Policy or the Data Protection Act you may first contact us at [email protected] (Customer Support). If you remain dissatisfied, you may lodge a complaint with the Office of the Data Protection Commissioner (ODPC):
Office of the Data Protection Commissioner
Britam Tower, 12th & 13th Floor, Hospital Road, Upper Hill, Nairobi, Kenya.
Email: [email protected]
13. Cookies, analytics and automated decision-making
- Cookies & similar technologies: we use cookies and local storage to provide, protect and improve the App. You can control cookie preferences through the App or your browser/device settings.
- Analytics & monitoring: we use Google Analytics, Firebase, Microsoft Clarity and Sentry for performance, error tracking and usage analytics. These collect device and usage data which we use in aggregated or pseudonymised form to improve services.
- Automated decision-making / profiling: we may use automated tools to assist in matching users to nearby practitioners and for basic triage. No solely automated decision that produces legal or similarly significant effects will be made without human review and users may request explanation of any automated decision affecting them.
14. Payments, refunds and cancellation (data-related points)
- Payment processing: payments are processed by third-party providers (M-Pesa, card PSPs). We do not retain full card numbers. Transactional metadata (transaction ID, amount, date) is retained for records and refunds.
- Refunds & cancellations: the App’s cancellation and refund policy applies (see T&Cs and in-app policy). For refunds we process the minimum data required to validate and complete the refund. Refund timings are as follows:
- M-Pesa refunds processed within 4–6 hours; and
- Card refunds within 5 business days.
15. Practitioners: Additional notes on clinical confidentiality and responsibilities
- Practitioners’ obligations: practitioners must comply with applicable health professional regulations, preserve patient confidentiality, obtain informed clinical consent where required, and only access patient data necessary for the provision of care. Practitioners are data controllers for their clinical records as required under professional guidelines when they determine clinical purposes; Qare+ remains a controller/processor for App operations and platform records.
- Data sharing between practitioner and patient: clinical notes, prescriptions and medical reports are shared with the patient and stored for continuity of care. Any secondary use (research, aggregated analytics) will require explicit consent or de-identification.
16. Changes to this Policy
We may update this Policy to reflect changes in the law, the App or our processing activities. We will publish the revised policy on the App and website with an updated “Last updated” date. Material changes will be notified to users by in-app notice or email where required.
17. Contact & Data Protection Officer (DPO)
If you have questions about this Policy or wish to make a data subject rights request, contact [email protected]. If QarePlus appoints a DPO or an alternate contact, contact details will be posted here.
