Privacy Policy

How we collect, use, and protect your information.

Last updated: May 2026

Important: This policy applies to Sr. Freda's Medical Centre ("we", "us", "our") and its website at https://sr-fredah-medical-centre.vercel.app. We are committed to protecting the privacy of all patients, website visitors, and staff in accordance with the Kenya Data Protection Act, 2019.

1. Information We Collect

1.1 Information You Provide Directly

When you use our website or visit our facility, we may collect:

  • Personal identification: Full name, national ID number, date of birth, gender.
  • Contact details: Phone number, email address, physical address.
  • Health information: Medical history, diagnosis, treatment records, prescription details, test results — only when you are a patient.
  • Appointment details: Preferred date, time, department, and reason for visit submitted via our online booking form.
  • Communications: Messages sent through our contact form, email, or WhatsApp.
  • Financial data: Payment method (SHA insurance number, M-Pesa transaction reference). We do not store full card numbers.

1.2 Information Collected Automatically

When you visit our website, we may automatically collect:

  • IP address and approximate location
  • Browser type and operating system
  • Pages visited and time spent on pages
  • Referring website URL
  • Device type (desktop, mobile, tablet)

This information is collected via Google Analytics and standard web server logs for the purpose of improving our website's performance.

2. How We Use Your Information

We use your information to:

  • Provide medical care, process appointments, and manage your patient record
  • Communicate appointment confirmations, reminders and follow-ups
  • Process SHA insurance claims and payment transactions
  • Respond to enquiries submitted via our contact form
  • Improve the quality and safety of our healthcare services
  • Comply with legal and regulatory reporting obligations (Ministry of Health, SHA, PEPFAR)
  • Analyse website usage to improve the user experience
  • Send health education communications (only with your consent)

3. Health Data (Special Category)

Medical and health information is classified as sensitive personal data under the Kenya Data Protection Act 2019. We process it only where:

  • You have given explicit consent (e.g. online appointment booking)
  • It is necessary to provide direct healthcare to you
  • It is required by law (e.g. mandatory disease notifications to public health authorities)
  • It is necessary to protect your vital interests or the interests of others

Your health records are stored securely and are accessible only to authorised clinical and administrative staff directly involved in your care.

4. Data Sharing

We do not sell your personal data. We may share it with:

  • SHA (Social Health Authority) — for insurance claim processing and patient eligibility verification.
  • PEPFAR / USAID programme coordinators — anonymised or aggregated data for programme reporting only.
  • Ministry of Health — mandatory disease surveillance and health statistics reporting.
  • Referral facilities — when we refer you to a specialist or higher-level care facility, with your knowledge.
  • Technology service providers — including our website hosting provider (Vercel) and database provider (Supabase), who are contractually bound to keep data confidential and process it only on our behalf.
  • Legal authorities — only when required by a valid court order or applicable law.

5. Data Retention

Patient records are retained for a minimum of 7 years from the date of last treatment, or 7 years after a minor patient reaches adulthood, in accordance with Kenya Ministry of Health guidelines.

Website enquiry and contact form data is retained for 24 months unless you request earlier deletion.

Analytics data (Google Analytics) is retained for 26 months as per Google's standard retention settings.

6. Your Rights

Under the Kenya Data Protection Act 2019, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate or incomplete information
  • Erasure — request deletion of your personal data (where legally permissible)
  • Restriction — ask us to restrict how we process your data
  • Objection — object to certain types of processing
  • Portability — receive your data in a structured, machine-readable format
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, contact our Data Protection Officer at srfredamc@gmail.com or call +254700000000.

7. Cookies & Tracking Technologies

Our website uses cookies and similar technologies to:

  • Remember your preferences and settings
  • Analyse traffic via Google Analytics (anonymised)
  • Ensure security and prevent abuse

You can control cookies through your browser settings. Disabling cookies may affect some website functionality. We do not use cookies to serve targeted advertisements.

8. Security

We implement industry-standard security measures including:

  • HTTPS encryption on all web traffic
  • Role-based access control for staff systems
  • Encrypted database storage (Supabase)
  • Regular security audits and staff training

Despite our best efforts, no internet transmission is 100% secure. We encourage you not to share sensitive health information over unencrypted channels.

9. Third-Party Links

Our website contains links to external websites (e.g. SHA, USAID, PEPFAR, Ministry of Health). We are not responsible for the privacy practices of those sites and encourage you to read their respective privacy policies.

10. Children's Privacy

We provide medical services to children, and parental or guardian consent is obtained for patients under 18 years of age. Online appointment bookings for minors must be made by a parent or legal guardian.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will post the updated version on this page with a revised "last updated" date. Continued use of our website after any changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related enquiries, data access requests or complaints, please contact:

Sr. Freda's Medical Centre

Kiungani Area, Kitale–Webuye Highway, Kiminini, Trans Nzoia County, Kenya

Email: srfredamc@gmail.com

Phone: +254700000000

If you are not satisfied with our response, you may lodge a complaint with the Office of the Data Protection Commissioner of Kenya.