Privacy Policy

Last updated: March 2026

1. Who We Are

Care Consult is a private clinical advisory and care coordination firm based in Ikigai Westlands, Peponi Rd, Nairobi, Kenya. We act as your counsel and coordinator within the healthcare system, helping you navigate specialist referrals, medical appointments, and clinical decision-making.

For the purposes of the Kenya Data Protection Act, 2019 (“Kenya DPA”), Care Consult is the data controller responsible for your personal data.

2. What Data We Collect

We may collect and process the following categories of data:

Personal identification data: full name, email address, phone number, date of birth, national ID or passport number (where required for hospital registration).
Health data: medical records, diagnoses, test results, imaging reports, treatment histories, prescription records, and any information you provide about your medical situation. Under the Kenya DPA, health data is classified as sensitive personal data.
Payment data: M-Pesa phone numbers, transaction references, and card payment confirmations. We do not store full card numbers on our systems.
Communications data: messages sent through the client portal, emails, and consultation notes.
Technical data: IP address, browser type, device information, and anonymised usage analytics collected via our self-hosted analytics platform.

3. Why We Collect Your Data

We process your personal data for the following purposes:

To deliver our clinical advisory and care coordination services.
To coordinate appointments, specialist referrals, and hospital visits on your behalf.
To generate clinical reports, second-opinion summaries, and care plans.
To process payments and issue invoices.
To communicate with you about your case, appointments, and account.
To comply with legal obligations and maintain audit trails as required by Kenyan law.
To improve our services through anonymised, aggregated analytics.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under the Kenya DPA:

Explicit consent (Section 30): For all health data and sensitive personal data, we obtain your explicit, informed consent before processing. You may withdraw consent at any time.
Contractual necessity: Processing required to fulfil our engagement agreement with you.
Legitimate interest: For service improvement and security purposes, where such interests do not override your fundamental rights.
Legal obligation: Where we are required to retain records under Kenyan law.

5. How We Store and Protect Your Data

Your data is stored on encrypted servers hosted in Kenya by HostAfrica Kenya, ensuring compliance with data residency requirements. We implement the following security measures:

Encryption at rest and in transit for all personal and health data.
Row-level security policies ensuring you can only access your own data.
Role-based access controls limiting staff access to only the data necessary for their role.
Nightly encrypted backups to our Kenya-based server infrastructure.
Secure document storage with access logging and audit trails.

6. Who We Share Your Data With

We only share your personal data with third parties in the following circumstances:

Your assigned care team: The counsel and coordinators managing your case.
Specialists and hospitals: Only with your explicit consent, and only the information necessary for the referral or appointment.
Payment processors: M-Pesa (Safaricom) and IntaSend for transaction processing only.
Legal requirements: Where disclosure is required by a court order or Kenyan law.

We do not sell, rent, or trade your personal data to any third party.

7. Data Retention

We retain your data for the following periods:

Health records: Retained in accordance with the Digital Health Act, 2023 and applicable medical record retention requirements under Kenyan law.
Financial records: Retained for seven years as required by the Kenya Revenue Authority.
Account data: Retained for the duration of our engagement and for a reasonable period thereafter, unless you request earlier deletion.
Analytics data: Anonymised and aggregated; not linked to your identity.

8. Your Rights

Under the Kenya Data Protection Act (Section 26), you have the following rights:

Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Request correction of inaccurate or incomplete data.
Right to erasure: Request deletion of your personal data, subject to legal retention requirements.
Right to data portability: Receive your data in a structured, commonly used format.
Right to withdraw consent: Withdraw your consent at any time without affecting the lawfulness of prior processing.
Right to object: Object to processing based on legitimate interests.

To exercise any of these rights, please contact us at privacy@careconsult.co.ke. We will respond within 30 days.

9. Cookies and Analytics

We use a self-hosted, privacy-focused analytics platform (Umami) to understand how visitors use our website. This platform:

Does not use cookies or track personal data.
Does not collect IP addresses or fingerprint browsers.
Is hosted on our own Kenya-based server, so no data is sent to third parties.
Collects only anonymised page views and referral sources.

We do not use third-party tracking cookies, advertising pixels, or social media trackers on our website.

10. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC):

Website: www.odpc.go.ke
Email: complaints@odpc.go.ke

11. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with a revised “last updated” date. Where changes are material, we will notify you via email or through the client portal.

12. Contact Us

For any questions about this privacy policy or our data practices, please contact:

Care Consult
Ikigai Westlands, Peponi Rd, Nairobi, Kenya
Email: privacy@careconsult.co.ke
Phone: +254 20 5002010