Curis Patient Data Policy

This Data Policy explains how Citrus Labs Limited collects, uses, stores, and protects your personal data when you use the Curis platform as a Patient. Your privacy and data rights are protected under the Data Protection Act, 2019 (Kenya).

1. Introduction

1.1 About Curis

Curis is a digital healthcare platform owned and managed by Citrus Labs Limited, built to connect patients with licensed medical professionals and provide seamless health services.

1.2 Scope of Policy

This Policy applies to all patient data collected and processed through Curis.

1.3 Key Definitions

  • Personal Data: Any information that can identify you (e.g., name, ID number, health history).
  • Processing: Any operation on personal data including collection, storage, sharing, and deletion.
  • Data Subject: The individual whose data is being processed — in this case, you as the Patient.

2. Data Collection

We collect only the data necessary to deliver our services efficiently:

2.1 Personal Information

  • Full Name
  • ID Number
  • Date of Birth
  • Gender

2.2 Contact Details

  • Phone Number
  • Email Address
  • Physical Address (optional)

2.3 Medical History

  • Health conditions
  • Medication history
  • Previous consultations
  • Diagnostic results

2.4 Appointment Details

  • Appointment requests
  • Booking dates and times
  • Attending doctor

2.5 Payment Information

We collect and store:

  • M-Pesa transaction codes
  • Invoice records
  • Billing history

3. Data Use

We use your data only for the purposes outlined below and strictly under the law:

3.1 Service Provision

  • Scheduling and confirming appointments
  • Sharing medical records with your selected healthcare provider
  • Processing payments for services rendered

3.2 Personalized Health Insights

To improve your experience, we may offer tips or reminders based on your medical history.

3.3 Platform Communications

We may contact you through:

  • Email: appointment confirmations, receipts, and updates
  • SMS: reminders, urgent notifications, or feedback requests

3.4 Data Sharing (With Consent)

We may share your data with:

  • Authorized Health Providers: for treatment purposes only
  • Legal Authorities: when required by law (e.g., court orders or investigations)

We will never sell your data to third parties.

4. Data Security

We use modern security standards to protect your data:

4.1 Storage

All data is securely stored in encrypted databases, located in compliant data centers.

4.2 Access Controls

Only authorized personnel have access to patient data based on job role.

4.3 Encryption

All data in transit and at rest is encrypted using AES-256 and HTTPS protocols.

4.4 Retention Policy

  • Active Data: Retained during account use
  • Archived Data: Retained for 7 years after last activity, per Kenyan medical data laws
  • Deletion Requests: Honored upon request unless legally restricted

4.5 Breach Protocol

In case of a data breach, we will notify affected patients and the Office of the Data Protection Commissioner (ODPC) within 72 hours as per law.

5. Your Rights

As a data subject under Kenyan law, you have the following rights:

5.1 Right to Access

You can request a copy of your data through our secure access form.

5.2 Right to Rectify

You can correct any incorrect or outdated information.

5.3 Right to Deletion

You may request deletion of your data unless retention is required by law.

5.4 Right to Restrict Processing

You may object to certain uses of your data.

5.5 Right to Data Portability

You can request your medical records in a portable format (e.g., PDF).

How to Exercise These Rights

Send your request to legal@citruslabs.co.ke. We respond within 14 days as per Kenyan law.

6. Compliance

6.1 Kenyan Data Laws

This policy complies with the Data Protection Act, 2019 and all regulations by the ODPC.

6.2 International Standards

We align with global best practices such as GDPR, though local Kenyan law takes precedence.

6.3 Certifications

Our systems follow ISO/IEC 27001 principles for information security.

7. Contact Information

For data concerns, complaints, or DPO contact:

  • Email: legal@citruslabs.co.ke
  • Phone: +254 112 400 000
  • Mailing Address: P.O. Box 23983 - 00100, Nairobi, Kenya

Data Protection Officer (DPO): Available via the email above

File a Complaint

If you believe your data rights have been violated, you can file a complaint through our secure complaint form or contact our DPO directly.