Last updated: May 2026 · Effective from 1 May 2026
Dental Network Kenya ("the Platform", "we", "us", "our") is the data controller as defined under Section 2 of the Kenya Data Protection Act, 2019 (Act No. 24 of 2019).
We are registered with the Office of the Data Protection Commissioner (ODPC) of Kenya.
For all data protection enquiries, subject access requests, or complaints: dentalnetworkkenya@gmail.com
Data Protection Officer: Available at the above address. Response time: within 5 business days.
(a) Identity Data: Full name, email address, phone number, national ID or passport number (required only for professional credential verification).
(b) Professional Data: KMPDC registration number, KDA membership details, practice certificates, specialisation records — collected from dental professionals and clinics.
(c) Health Data (Sensitive): Appointment preferences, treatment categories of interest, and any health information you voluntarily share. We treat all health-related data as sensitive personal data under Section 2 of the Act.
(d) Device & Usage Data: IP address, browser type and version, pages visited, session duration, search terms used on the platform, click events, and error logs. This data is collected automatically when you use the Platform.
(e) Location Data: General location (county/town) selected by you, and GPS coordinates if you grant location permission on your device. Location data is processed in real time to display nearby clinics and is not persistently stored without your consent.
(f) Communications Data: Content of messages you send to us via contact forms, email, or support channels.
We process personal data only where we have a lawful basis under Section 30 of the Kenya Data Protection Act, 2019:
(a) Consent: For optional analytics cookies, marketing communications, and processing of sensitive health data. You may withdraw consent at any time without detriment.
(b) Contractual Necessity: For creating and managing your account, processing subscription payments, and delivering the core platform services.
(c) Legal Obligation: Where processing is required by Kenyan law, including SHA/SHIF regulatory requirements, KMPDC data sharing obligations, or court orders.
(d) Legitimate Interests: To prevent fraud, maintain platform security, improve our services, and conduct anonymised analytics. We balance these interests against your rights and will not override them where your privacy interests are stronger.
Health information constitutes sensitive personal data under Section 2 of the Kenya Data Protection Act, 2019. We apply heightened standards to any health-related information:
• Explicit consent is obtained before any health data is processed.
• Health data is stored encrypted at rest using AES-256 encryption.
• Health data is transmitted exclusively via TLS 1.3 encrypted connections.
• Access to health data is restricted to authorised personnel on a strict need-to-know basis.
• We do not use health data for profiling, advertising, or automated decision-making.
• We comply with KMPDC clinical data handling guidelines in all health data processing activities.
We share personal data only in the following circumstances:
(a) Dental Professionals: When you interact with a clinic or dentist profile, your contact details are shared to the extent necessary to facilitate your enquiry.
(b) Insurance Providers: SHA/SHIF and private insurers, only when you initiate a referral or claim process through our platform.
(c) Payment Processors: Regulated payment service providers for billing purposes. These parties are bound by data processing agreements.
(d) KMPDC & KDA: For the purposes of credential verification, in accordance with our statutory obligations.
(e) Law Enforcement: Where required by a valid legal order, court order, or regulatory authority direction under Kenyan law.
(f) Service Providers: Cloud hosting (Supabase/AWS), analytics providers (with anonymised data only), and error monitoring tools (Sentry). All service providers are subject to data processing agreements.
We DO NOT sell, rent, or trade personal data with third parties for marketing or commercial purposes.
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law:
• Patient appointment data and health-adjacent records: 7 years from the date of the appointment, in line with Kenyan medical records guidance.
• Professional credentials and KMPDC records: For the duration of the active clinic/dentist account, plus 2 years following account closure.
• User account data: For the life of the account, plus 90 days following a deletion request (to allow for recovery and fraud investigation).
• Analytics data: Aggregated and anonymised after 26 months. Individual session logs are retained for 90 days.
• Communication records: 3 years from the date of communication.
You may request deletion of your account and personal data at any time. Certain data will be retained beyond your request where required by law or legitimate business necessity, and we will notify you of any such retention.
Under the Kenya Data Protection Act, 2019 (Act No. 24 of 2019), you have the following rights:
(a) Right of Access: To request a copy of all personal data we hold about you (Section 26).
(b) Right to Rectification: To request correction of inaccurate or incomplete data (Section 27).
(c) Right to Erasure: To request deletion of your personal data where there is no legitimate reason for continued processing (Section 38).
(d) Right to Object: To object to processing based on legitimate interests or for direct marketing purposes (Section 32).
(e) Right to Data Portability: To receive your data in a structured, machine-readable format (Section 32(2)).
(f) Right to Withdraw Consent: At any time, without detriment to your continued use of the platform for non-consent-based processing.
(g) Right to Complain: To lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke.
To exercise any of these rights, email: dentalnetworkkenya@gmail.com. We will respond within 21 days. No fee is charged for standard requests.
We implement industry-standard technical and organisational measures to protect your personal data:
• All data is stored on Supabase-managed PostgreSQL databases with row-level security (RLS) policies.
• Encryption at rest: AES-256 for all sensitive and health-related data.
• Encryption in transit: TLS 1.3 for all data transmitted between your device and our servers.
• Access control: Role-based access controls (RBAC) with the principle of least privilege for all staff and systems.
• Authentication: Secure session management with httpOnly, SameSite cookies and CSRF protection.
• Monitoring: Error monitoring via Sentry. Security logs are reviewed regularly.
• Penetration testing: Conducted periodically against our API and web application surfaces.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ODPC within 72 hours as required by the Act, and will notify you without undue delay where the breach is high risk.
Our primary data processing infrastructure (Supabase) is hosted within jurisdictions that maintain adequate data protection standards. Where data is transferred outside Kenya, we ensure that appropriate safeguards are in place, including:
• Standard Contractual Clauses (SCCs) where applicable.
• Confirmation that the receiving jurisdiction provides an adequate level of data protection.
• Explicit consent where required.
Our platform is not directed at children under the age of 18. We do not knowingly collect personal data from minors.
If a parent or guardian wishes to access or delete a child's data that may have been inadvertently collected, please contact us at dentalnetworkkenya@gmail.com.
For paediatric dental appointment searches made by parents or guardians, we treat all data under the adult account holder's rights and consent framework.
We will notify registered users of material changes to this Privacy Policy by email at least 14 days before the changes take effect.
The "Last Updated" date at the top of this policy reflects the most recent version.
For minor or non-material changes (corrections, clarifications), we will update the policy without prior notice. We encourage you to review this policy periodically.
Continued use of the platform following notification of changes constitutes acceptance of the updated policy.
Dental Network Kenya is designed and operated in full compliance with the Kenya Data Protection Act (Act No. 24 of 2019) and its subsidiary regulations. Our Data Protection Officer can be contacted at dentalnetworkkenya@gmail.com.
To file a complaint with the regulator, visit www.odpc.go.ke.