Privacy Policy

1 Who We Are

Planeazzy Health Technologies Ltd ("Planeazzy", "we", "us", "our") is a technology company incorporated in Kenya, operating the Planeazzy digital health platform at planeazzy.com.

We are registered as a Data Controller with the Office of the Data Protection Commissioner (ODPC) of Kenya under the Kenya Data Protection Act, 2019 (KDPA). Our Data Protection Officer (DPO) can be contacted at the details in Section 14.

Our Platform Services

• Online appointment booking with hospitals, clinics, and specialist doctors across Kenya
• Hospital and clinic management dashboards for registered health facilities
• Appointment reminders and health notifications via SMS and email
• Emergency medical service coordination
• Telehealth consultation facilitation

2 Information We Collect

2.1 Information You Provide Directly

• Account registration: full name, email address, phone number, date of birth, gender, national ID number
• Health profile: medical history (optional), insurance details, known allergies, emergency contacts
• Appointment data: reason for visit, preferred doctor, service type, location preference
• Profile photos: images you upload to your account (stored securely, not shared publicly)
• Communications: messages sent to healthcare providers through our platform
• Payment information: we use third-party processors (M-Pesa, Stripe) and do not store card numbers

2.2 Information We Collect Automatically

• Device information (browser type, operating system, device model)
• IP address and approximate geographic location (county level)
• Platform usage logs: pages visited, features used, session duration
• Referral sources and search queries

2.3 Information from Third Parties

• Healthcare providers may add notes or records to your profile (with your consent)
• Insurance verification partners may confirm coverage status
• Government health databases (NHIF/SHA) with explicit patient consent only

3 How We Use Your Information

We use your information only for specific, declared purposes as required by Section 26 of the KDPA 2019:

• Service delivery: booking appointments, sending confirmations, reminders (SMS/email), coordinating with healthcare providers
• Account management: verifying identity, managing your profile, processing password resets
• Safety and emergency: sharing location/contact data with emergency services when life is at risk
• Platform improvement: anonymised and aggregated analytics to improve service quality
• Legal compliance: responding to lawful requests from regulatory bodies, courts, or law enforcement
• Fraud prevention: detecting and preventing unauthorized access or fraudulent activity
• Communications: sending service updates, policy changes, and security alerts

4 Legal Basis for Processing (KDPA 2019 Section 30)

We rely on the following lawful grounds for processing personal data:

• Consent (S.30(1)(a)): For health data, marketing, and optional features — you may withdraw at any time
• Contract (S.30(1)(b)): Processing necessary to fulfil our service agreement with you (booking appointments)
• Legal obligation (S.30(1)(c)): Compliance with Kenyan laws including the Health Act 2017, Data Protection Act 2019
• Vital interests (S.30(1)(d)): Emergency situations where processing is necessary to protect your life or another person's life
• Legitimate interests (S.30(1)(f)): Fraud prevention, platform security, service improvement (never overrides your fundamental rights)

5 Sharing & Disclosure

We Share Data With:

• Healthcare providers: hospitals, clinics, and doctors you book through our platform receive only the data necessary to provide your care
• Service providers: cloud hosting (AWS/Africa-based), SMS providers (Africa's Talking), email delivery (SendGrid) — all bound by data processing agreements
• Emergency services: your name, phone, and location may be shared with emergency responders when life is at risk
• Legal authorities: when required by a court order, subpoena, or statutory obligation under Kenyan law
• Business transfers: in a merger or acquisition, your data is transferred under equivalent privacy protections — you will be notified

6 Data Retention

We retain personal data for as long as necessary for the purposes stated, and as required by Kenyan law:

• Active account data: retained for the duration of your account plus 7 years (Health Act 2017 requirement for medical records)
• Appointment records: 7 years from appointment date
• Deleted accounts: anonymised within 30 days; legal records retained for 7 years
• Uploaded profile photos: deleted within 30 days of account closure
• System logs: 12 months maximum
• Inactive accounts: notified after 2 years of inactivity; deleted after 3 years unless you re-activate

7 Your Rights Under KDPA 2019

Under the Kenya Data Protection Act 2019 (Sections 26–34), you have the following rights as a data subject:

• Right to be informed (S.26): Know what data we hold and how it's used — this policy fulfils that obligation
• Right of access (S.26(a)): Request a copy of all personal data we hold about you within 21 days
• Right to rectification (S.26(b)): Correct inaccurate or incomplete personal data
• Right to erasure (S.26(e)): Request deletion of your data (subject to legal retention obligations)
• Right to restrict processing (S.26(c)): Object to certain types of processing
• Right to data portability (S.26(f)): Receive your data in a structured, machine-readable format
• Right to object (S.33): Object to processing based on legitimate interests or direct marketing
• Rights related to automated decision-making: Not be subject to solely automated decisions that significantly affect you

8 Health Information (Sensitive Data)

Health data receives the highest level of protection under the KDPA 2019. We apply additional safeguards:

• Explicit consent required: We obtain separate, specific, informed consent before collecting any health information
• Minimum necessary principle: We collect only the health data required to facilitate your appointment or care
• Access controls: Health data is accessible only to the specific healthcare provider(s) involved in your care, and to you
• Encryption: All health data is encrypted at rest (AES-256) and in transit (TLS 1.3)
• Audit logs: Every access to health records is logged with timestamp, user, and purpose
• No secondary use: Health data is never used for research, advertising, or insurance underwriting without explicit separate consent

9 Data Security

We implement industry-standard and KDPA-compliant technical and organisational security measures:

• TLS 1.3 encryption for all data in transit
• AES-256 encryption for data at rest
• Bcrypt password hashing (cost factor 12+)
• Multi-factor authentication available for hospital accounts
• Regular security penetration testing by certified professionals
• Role-based access controls — staff access data only on need-to-know basis
• Intrusion detection and anomaly monitoring
• Automated backups with point-in-time recovery

Data Breach Response (KDPA Section 41)

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the ODPC within 72 hours and notify affected data subjects without undue delay, as required by KDPA Section 41.

10 Cookies & Tracking

We use the following types of cookies:

• Essential cookies: Required for login sessions, security tokens, and basic platform functionality — cannot be disabled
• Performance cookies: Anonymous analytics to understand how the platform is used (opt-out available)
• Preference cookies: Remember your language and display preferences

We do not use tracking cookies for advertising or cross-site behavioural profiling. You can manage cookie preferences in your browser settings. Note that disabling essential cookies will prevent login.

11 Children's Privacy

Planeazzy is not directed at children under 18. We do not knowingly collect personal data from minors without verified parental or guardian consent as required by Section 32 of the KDPA 2019.

Parents or guardians may create accounts on behalf of minor dependants. In such cases, parental consent is required for all data processing, and the minor's data is treated with additional protective measures.

If you believe a minor has registered without consent, please contact privacy@planeazzy.com immediately and we will delete the account within 7 days.

12 Cross-Border Data Transfers

Your data is primarily stored and processed in Kenya and the African region. Where we transfer data internationally (e.g., cloud infrastructure, email delivery), we ensure:

• Transfers are to countries with adequate data protection laws, as assessed by the ODPC
• Standard contractual clauses or equivalent safeguards are in place as per KDPA Section 48
• Transfer impact assessments are conducted for high-risk transfers
• We document all cross-border transfers in our Records of Processing Activities (RoPA)

13 Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page
• Send email notification to all registered users at least 30 days before the change takes effect
• Display a prominent in-app notification
• For material changes affecting health data processing, we will obtain fresh explicit consent

14 Contact & Complaints

For privacy enquiries, data subject requests, or concerns: