Qwiva Health Africa — Privacy Notice
Version: 1.0
Effective date: 14 June 2026
Last updated: 14 June 2026
1. Who we are
Qwiva Health Africa Limited ("Qwiva", "we", "us", "our") is a company incorporated in Kenya. We operate a clinical decision-support platform that provides verified Kenyan and East African health practitioners with evidence-based, source-grounded answers to clinical questions, delivered through our mobile application and web application (together, the "Platform").
This Privacy Notice explains what personal data we collect about you, why we collect it, the legal basis on which we process it, who we share it with, where it is processed, how long we keep it, and the rights you have. It applies to health practitioners who use or apply to use the Platform.
We are the data controller for the personal data described in this Notice. We are registered with the Office of the Data Protection Commissioner (the "ODPC") as a data controller and data processor.
2. The personal data we collect
We collect the following categories of personal data:
Identity data — your first and last name, your professional cadre (for example, medical practitioner, clinical officer, dental practitioner, nurse, or intern) and your specialty.
Contact data — your email address, mobile telephone number and country.
Professional registration data — your professional licence or registration number, the regulator with which you are registered, and any registration document you upload as evidence of your registration. This is treated as sensitive personal data.
Account and authentication data — your hashed login credentials, one-time verification codes, and session information.
Clinical query content — the clinical questions you submit to the Platform and your query and response history. Because your questions may contain health-related context, we treat this content with the protections applied to sensitive personal data.
Usage and technical data — information about how you interact with the Platform, your device, your IP address, and diagnostic and error logs.
Payment and payout data — where you take part in a paid research survey, your mobile-money number and the record of any honorarium paid to you.
We do not ask for, and you must not submit, information that identifies any individual patient. Where patient context is clinically relevant to your question, please express it in general terms that do not identify the patient.
3. How we collect your personal data
We collect personal data directly from you when you register for and use the Platform, when you complete verification, when you submit clinical queries, and when you take part in a research survey. We also generate usage and technical data automatically as you use the Platform.
We verify your professional registration data against the relevant public professional register. This means we may confirm or supplement the registration details you give us using information held by your professional regulator, for the sole purpose of verifying that you are a registered practitioner.
Providing your personal data is voluntary, but some of it is necessary to use the Platform. If you do not provide your identity, contact and professional registration data, we cannot verify you as a registered practitioner and cannot give you access to the clinical service. Providing data for research participation and marketing is entirely optional and is never a condition of using the core service.
4. Why we process your personal data, and our legal basis
We process your personal data for the following purposes, each on the legal basis set out below, in accordance with Section 30 of the Data Protection Act, 2019:
| Purpose | What this involves | Legal basis |
|---|---|---|
| Creating and operating your account | Registering you, authenticating you, and providing the Platform to you | Necessary for the performance of our contract with you (our Terms of Use) |
| Verifying your professional registration | Confirming that you are a genuine, currently registered health practitioner before granting access | Our legitimate interest in operating a safe, clinical-grade service for verified practitioners, supported by your consent at onboarding |
| Processing your clinical queries through our service providers outside Kenya | Generating source-grounded clinical answers using our retrieval and artificial-intelligence service providers | Your explicit consent to the cross-border processing of your data, including query content |
| Sending you one-time verification codes by SMS | Verifying your mobile number and securing your account | Necessary for the performance of our contract with you |
| Security, diagnostics and support | Keeping the Platform secure, diagnosing faults, and supporting you | Our legitimate interests, balanced against your rights |
| Research and survey participation, and paying honoraria | Inviting you to take part in surveys you choose to join, and paying any honorarium | Your separate, explicit consent given at the point of each survey |
| Sending you promotional or marketing communications | Telling you about features or offerings, where you have asked us to | Your separate, explicit consent, which you may withdraw at any time |
We rely on only one legal basis for each processing activity at a time, as required by the Data Protection (General) Regulations, 2021. We will not use your personal data for a new purpose that is incompatible with the purpose for which it was collected without seeking your consent.
5. Consent, and how to withdraw it
Where we rely on your consent — in particular for the cross-border processing of your data, for research participation, and for marketing — that consent is sought separately for each purpose. We do not bundle these consents together, and agreeing to one is not a condition of another.
You have the right to withdraw any consent at any time. Withdrawing consent is as easy as giving it: you can manage your consents in the Platform's settings, or contact us at privacy@qwiva.org. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal. Where you withdraw consent for a particular purpose, we will stop the processing that depends on that consent.
Some messages are essential to the service and are not marketing — for example, verification codes, security alerts, account and billing notices, and legal or breach notifications. As long as you hold an account, you cannot opt out of these service messages, because we need them to operate the Platform safely and lawfully. Opting out of marketing does not stop these essential messages.
6. Who we share your personal data with, and where it is processed
Service providers who process data on our behalf
To provide the Platform, we use trusted service providers who process personal data on our behalf, on our instructions, under signed data processing agreements that require them to protect your data to a standard equivalent to that required by Kenyan law. Several of these providers are located outside Kenya. The categories of recipient are:
| Category of recipient | What they do for us | Data they process | Location |
|---|---|---|---|
| Cloud database and authentication providers | Store your account and registration data and manage sign-in | Identity, contact, registration, authentication data | Outside Kenya |
| Application and web hosting providers | Run our backend and deliver our web application | All categories (query content in transit) | Outside Kenya |
| Artificial-intelligence / language-model provider | Generate source-grounded clinical answers | Clinical query content | Outside Kenya |
| Vector-search provider | Retrieve relevant clinical sources | Query-derived data | Outside Kenya |
| SMS provider | Deliver one-time verification codes | Mobile number, verification code | Kenya |
| Diagnostics and analytics providers | Error monitoring and product analytics | Usage and technical data | Outside Kenya |
You may ask us at privacy@qwiva.org for the identity of the specific providers we use and the safeguards that apply to them.
What we do not do
We do not sell personal data that identifies you, and we do not share data that identifies you with survey sponsors or advertisers. Where we share data with third parties such as pharmaceutical companies, we share only anonymised, aggregate information from which you cannot be identified (see Sections 9 and 10).
Other disclosures
We may disclose personal data where the law requires or permits it — for example, to comply with a valid legal requirement, court order or regulatory obligation; to establish, exercise or defend legal claims; to protect the safety of any person; or in connection with a business transfer as described in Section 18. We may also share the limited information needed for adverse-event and payment recordkeeping as described in Section 11.
7. Transfers of your data outside Kenya
Because some of our service providers are located outside Kenya, your personal data — including your professional registration data and your clinical query content — is transferred and processed outside Kenya. We make these transfers on the following bases under Sections 48 and 49 of the Data Protection Act, 2019:
- Appropriate safeguards: each provider is bound by a signed data processing agreement imposing confidentiality, security, breach-notification and data-subject-rights obligations equivalent to Kenyan law.
- Your explicit consent: at onboarding we tell you specifically that your data, including your query content, is processed outside Kenya, we explain the risks, and we ask for your explicit consent to that transfer.
- Necessity: the transfer is necessary to provide the service you have asked us for.
You may ask us for more information about these safeguards at privacy@qwiva.org.
8. How long we keep your personal data
We do not keep your personal data for longer than necessary.
- Account and profile data is kept for as long as your account is active and is deleted on a verified deletion request, or after an extended period of inactivity.
- Clinical query and response history is kept to give you continuity of the service and can be deleted at your request.
- Verification documents are kept only as long as needed to evidence our verification decision.
- Payout records are kept for the period required by applicable financial and tax record-keeping rules.
- Data of applicants who are not verified is kept only briefly to administer the review and any appeal.
When you delete your account, we delete your personal data within a reasonable period, except for data we are required to keep by law (such as payout records) and anonymised information that no longer identifies you and that we retain for research and reporting.
9. Research surveys and sponsors
If you choose to take part in a research survey, including a survey commissioned by a third party such as a pharmaceutical company, your participation is voluntary and requires your separate consent.
No survey sponsor receives data that identifies you. Sponsors receive only aggregate findings — for example, the proportion of respondents who answered a question in a particular way — never your individual responses. Before we release any findings, we suppress or further group any result that is based on a small number of respondents, so that no one can be singled out by combining answers with details such as specialty or location. Qwiva keeps the only copy of survey responses that is linked to you. Any honorarium you earn is paid by us; your mobile-money number is not disclosed to the sponsor.
Some surveys may require us to contact you directly (for example by email) to invite you or to fulfil an honorarium payment. We will tell you in the invitation what information is needed so that you can decide whether to take part.
10. Anonymised data and future commercial uses
As Qwiva develops, we plan to introduce the commercial uses described below. We are not carrying out these activities yet. Before we begin any of them, we will obtain any consent the law requires and we will update this Privacy Notice. We describe them here so that you know our direction in advance.
Sale and sharing of anonymised data. We may in future share or sell anonymised, aggregate information to third parties, including pharmaceutical companies, for research, market-insight and commercial purposes. Any such information will be fully anonymised — aggregated, stripped of identifiers, and processed so that small groups are suppressed — so that neither you nor any patient can be identified from it, directly or indirectly. Anonymised information of this kind is not personal data. We will never sell data that identifies you, your patients, or your individual clinical queries.
Advertising and sponsored content. We may in future show advertising and sponsored content within the Platform, including content from pharmaceutical companies, and we may personalise that content based on your professional profile and interests (for example, your specialty or the clinical areas you engage with). If we introduce personalised advertising, we will:
- ask for your separate, opt-in consent before personalising advertising to you;
- give you a simple way to opt out of personalised advertising at any time, without losing access to the core clinical service;
- clearly label all advertising and sponsored content (for example, as "Advertisement", "Sponsored" or "Information from Industry") so you can always tell it apart from clinical answers; and
- never allow advertising or sponsors to influence the clinical answers the Platform gives you, and never disclose data that identifies you to an advertiser or sponsor.
Advertising will never be based on, and sponsors will never receive, data that identifies you or the content of your individual clinical queries.
11. Reporting of adverse events and survey payments
If, in the course of using the Platform or taking part in a survey, you report information about an adverse event involving a medicine or medical device, applicable pharmacovigilance and safety-reporting laws may require us to pass that report — including the contact details needed to follow it up — to the relevant manufacturer and regulatory authority. We will only use and share adverse-event information for that safety-reporting purpose. If you do not wish this information to be reported, do not submit adverse-event information.
Separately, if you receive an honorarium for taking part in a survey or sponsored programme, a sponsor or the survey company acting for it may be required to keep records of that payment for their own legal, tax and regulatory compliance. Where that applies, we may share the limited information needed for that recordkeeping. This does not include your survey responses in a form that identifies you.
12. Your rights
Under the Data Protection Act, 2019 you have the right to:
- be informed of the use to which your personal data is put;
- access the personal data we hold about you;
- have inaccurate or out-of-date personal data corrected;
- request the deletion of your personal data where the law allows;
- object to or restrict the processing of your personal data;
- request your personal data in a portable form where applicable; and
- withdraw consent at any time where processing is based on consent.
You also have the right not to be subject to a decision based solely on automated processing that significantly affects you. Qwiva's clinical answers are decision-support for you as a qualified practitioner; they are not automated decisions made about you, and we do not make automated decisions that produce legal or similarly significant effects on you.
To exercise any of these rights, contact us at privacy@qwiva.org. We respond within the timelines set by the Data Protection (General) Regulations, 2021: we will comply with an access request within seven (7) days, and with a request for rectification, erasure, restriction or objection within fourteen (14) days. We may need to verify your identity before acting on your request, and we do not charge a fee for exercising these rights.
If you are not satisfied with how we handle your personal data or your request, you have the right to lodge a complaint with the Office of the Data Protection Commissioner. You can reach the ODPC at www.odpc.go.ke or by email at info@odpc.go.ke.
13. Cookies and similar technologies
Our web application uses cookies and similar technologies. Some are strictly necessary to operate the Platform and keep you signed in; these cannot be switched off. Others support diagnostics and product analytics, and we use these only with your consent, which you can give or withdraw through the cookie controls presented to you and through your browser settings. If in future we use cookies or similar technologies for advertising, we will seek your consent for that purpose separately. If you reject non-essential cookies, the Platform will still work, though some features may be affected.
Some web browsers offer a "Do Not Track" setting. Because there is no common standard for how these signals should be interpreted, we do not currently respond to "Do Not Track" signals. You can manage tracking through the cookie controls and browser settings described above.
14. Third-party links
The Platform, and any advertising or sponsored content we may show in future, may contain links to websites we do not control. Those websites are governed by their own privacy policies, not this Notice, and we are not responsible for their content or their handling of your personal data. We encourage you to read the privacy policy of any site you visit through such a link.
15. How we protect your personal data
We apply technical and organisational measures to protect your personal data, including encryption of data in transit and at rest, access controls on a least-privilege basis, multi-stage identity verification, and monitoring. We design the Platform to collect the minimum data necessary and not to collect patient-identifying data.
You are responsible for keeping your account credentials confidential. No method of transmission or storage is completely secure; while we work to protect your personal data, we cannot guarantee absolute security.
16. Data breaches
If a personal data breach occurs that is likely to affect your rights, we will notify the Office of the Data Protection Commissioner within 72 hours of becoming aware of it, and we will notify you without undue delay where the law requires.
17. Children
The Platform is intended for use by registered health practitioners who are adults aged 18 or over. It is not intended for, or directed at, anyone under 18, and we do not knowingly collect personal data from any person under 18.
18. Business transfers
If Qwiva is involved in a merger, acquisition, financing, reorganisation or sale of assets, your personal data may be transferred as part of that transaction. Your personal data will continue to be protected in accordance with this Notice, and we will notify you of any change in the controller of your personal data.
19. Changes to this Notice
We may update this Privacy Notice as our processing changes. Where changes are significant, we will bring them to your attention by email or through the Platform before they take effect. The current version and its effective date are always shown at the top of this Notice.
20. Contact us
For any question about this Notice or about how we handle your personal data:
Qwiva Health Africa Limited
P.O. Box 2354, 00202
Kenyatta National Hospital,
Nairobi
Privacy enquiries: privacy@qwiva.org
General support: support@qwiva.org