1. About This Privacy Policy
HimStrong Telehealth Limited (“HimStrong,” “we,” “our,” or “us”) is committed to protecting your privacy and handling your personal data lawfully, fairly, and securely.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you access or use our website, digital platform, telehealth questionnaires, communication channels, customer support, and related services (together, the “Platform” or “Services”).
This Privacy Policy is intended to comply with applicable Kenyan law, including the Data Protection Act, 2019, the Data Protection (General) Regulations, 2021, the Health Act, 2017, and the Digital Health Act, 2023. Kenya’s data-protection framework also gives effect to the constitutional right to privacy under Article 31.
By using our Platform or Services, you acknowledge that you have read and understood this Privacy Policy.
2. Who We Are
HimStrong Telehealth Limited is a company registered in Kenya. It operates a technology-enabled telehealth platform designed to connect users with duly licensed telehealth professionals. All clinical services are rendered exclusively by independent healthcare practitioners and affiliated medical facilities. Details of our licensed partners can be accessed through the Platform.
Our Platform may support services such as:
- online health assessments,
- telehealth coordination,
- patient onboarding,
- wellness education,
- care support,
- prescription coordination where applicable,
- pharmacy and laboratory coordination where applicable,
- and related digital health services.
Depending on the nature of the service, HimStrong may act as a data controller, data processor, or both, while licensed healthcare professionals, pharmacies, laboratories, and partner facilities may independently process certain patient or medical data within their own legal and professional responsibilities. The Office of the Data Protection Commissioner (ODPC) defines a data controller as the entity that determines the purpose and means of processing personal data.
We have appointed a Data Protection Officer (DPO) in accordance with the Kenya Data Protection Act, 2019 (Section 24). For any data protection or privacy-related inquiries, you may contact our DPO at privacy@himstrong.com.
3. Scope of This Policy
This Privacy Policy applies to personal data collected when you:
- visit our website.
- create an account.
- complete a health or onboarding questionnaire.
- request telehealth or wellness-related services.
- communicate with us by email, SMS, WhatsApp, telephone, or chat.
- make a payment.
- upload documents, prescriptions, images, or other information.
- interact with our support, fulfilment, or care coordination teams.
4. Persons Eligible to Use the Service
Our Services are generally intended for persons aged 18 years and above.
Where a service may lawfully involve a minor, we may require the participation, consent, or authorization of a parent, guardian, or other legally authorized person. Under Kenya’s Health Act, informed consent is central to healthcare delivery, subject to limited exceptions such as emergencies or other lawful circumstances.
If we learn that personal data has been collected from a child without the required lawful authority or consent, we may suspend the service or delete the information where legally appropriate.
5. Personal Data We Collect
The personal data we collect depends on how you interact with us and the Services you use.
5.1 Identity and Contact Data
This may include:
- full name.
- phone number.
- email address.
- date of birth.
- gender.
- national ID number, passport number, or alien ID where necessary.
- postal address.
- physical address.
- emergency contact details where relevant.
5.2 Account and Verification Data
This may include:
- username.
- password.
- account credentials.
- one-time passwords (OTP).
- verification codes.
- communication preferences.
- account security settings.
5.3 Health and Medical Data
Because we operate in the telehealth environment, we may collect sensitive health-related information, including:
- symptoms.
- condition-related concerns.
- treatment interests.
- health questionnaire responses.
- medical history.
- medication history.
- prescription information.
- follow-up details.
- consultation-related notes.
- laboratory or diagnostic information where applicable.
Under Kenyan law, health data is sensitive personal data and must be handled with enhanced protection. The Health Act also protects the confidentiality of information concerning a user’s health status, treatment, or stay in a health facility, except in circumstances permitted by law.
5.4 Payment and Transaction Data
This may include:
- billing details.
- transaction references.
- order history.
- payment confirmations.
- limited payment verification data.
Where payment is processed through third-party payment providers, those providers may process your payment information under their own legal and security obligations.
5.5 Technical and Usage Data
When you use our Platform, we may collect:
- IP address.
- browser type.
- device type.
- operating system.
- app or website activity.
- session data.
- page visits.
- time stamps.
- referral source.
- diagnostic and crash information.
- cookie-related data.
5.6 Communication Data
This may include:
- support requests.
- chat messages.
- email communications.
- call notes.
- WhatsApp or SMS messages.
- feedback, reviews, and complaint information.
6. How We Collect Your Data
We collect personal data in several ways:
6.1 Information You Give Us Directly
You may provide data when you:
- register on the Platform.
- complete forms or questionnaires.
- contact support.
- request consultation or fulfilment services.
- make a purchase.
- upload documents or images.
- subscribe to updates.
6.2 Information Collected Automatically
We may automatically collect technical and usage information through cookies, logs, analytics tools, and similar technologies when you use our Platform.
6.3 Information from Third Parties
We may receive personal data from:
- licensed healthcare professionals.
- pharmacies.
- laboratories.
- payment processors.
- courier or delivery providers.
- identity verification providers.
- IT and cloud service providers.
- regulatory or public sources where lawful.
7. Legal Basis for Processing
We process personal data only where we have a lawful basis under Kenyan law. Depending on the context, processing may be based on:
- your consent.
- performance of a contract with you.
- compliance with a legal obligation.
- protection of your vital interests.
- provision of healthcare or management of health systems and services where permitted by law.
- our legitimate interests, provided those interests are not overridden by your rights and freedoms.
Where sensitive personal data is involved, including health information, we apply additional safeguards and only process such data on legally permitted grounds.
8. How We Use Your Personal Data
We may use your personal data for the following purposes:
8.1 To Provide Our Services
We use your data to:
- create and manage your account.
- process health assessments and questionnaires.
- support access to telehealth services.
- coordinate with licensed healthcare providers, laboratories, pharmacies, and fulfilment partners where applicable.
- communicate about consultations, prescriptions, orders, and support.
8.2 To Operate and Improve Our Platform
We use data to:
- maintain and improve the Platform.
- troubleshoot technical issues.
- analyze user experience.
- improve safety, functionality, and performance.
- develop new services and features.
8.3 To Communicate with You
We may contact you regarding:
- account verification.
- appointment or order updates.
- payment confirmations.
- prescription or fulfilment updates.
- customer support.
- service notices.
- important legal or security notifications.
8.4 For Compliance, Safety, and Fraud Prevention
We may use your data to:
- verify identity.
- prevent fraud, abuse, and misuse.
- investigate suspicious activity.
- comply with legal and regulatory obligations.
- protect our users, healthcare partners, systems, and business.
8.5 Marketing and Service Updates
Where permitted by law, we may send updates about offers, wellness content, new services, or promotions. You may opt out of marketing communications at any time.
9. Health Information and Confidentiality
Because HimStrong operates in a health context, some personal data you provide may be confidential patient or health information.
The Health Act, 2017 provides that information concerning a user, including information relating to health status, treatment, or stay in a health facility, is confidential except where disclosure is allowed by law. The same Act also sets out the importance of informed consent in the provision of health services.
We therefore handle health-related information with heightened care and disclose it only where:
- you have consented.
- it is necessary for your care, treatment, fulfilment, laboratory support, or related service delivery.
- disclosure is required by law, court order, or regulatory requirement.
- disclosure is necessary to protect life, health, safety, or public interest as permitted by law.
10. Cookies and Similar Technologies
We may use cookies, pixels, session tools, and similar technologies for purposes such as:
- keeping you signed in.
- remembering your settings.
- improving functionality.
- measuring traffic and performance.
- improving the security and reliability of the Platform.
You can manage cookies through your browser settings. However, disabling cookies may affect certain features of the Platform. For more detail, see our Cookie Policy.
11. When We Share Personal Data
We do not sell your personal data as part of our ordinary business operations.
We may share personal data where necessary and lawful with:
11.1 Healthcare and Clinical Partners
Including:
- licensed doctors and healthcare professionals.
- partner clinics and medical facilities.
- laboratories.
- pharmacies.
- care coordination and treatment fulfilment partners.
11.2 Service Providers
Including:
- payment processors.
- hosting and cloud providers.
- cybersecurity vendors.
- customer support software providers.
- SMS, email, and communications providers.
- logistics and delivery providers.
- fraud prevention and identity verification providers.
11.3 Regulators and Authorities
We may disclose personal data to regulators, courts, law enforcement agencies, professional bodies, or public authorities where required by law or necessary to establish, exercise, or defend legal rights.
11.4 Corporate Transactions
If our company is involved in a merger, acquisition, restructuring, financing, or sale of assets, personal data may be transferred as part of that process, subject to appropriate safeguards.
12. Cross-Border Transfers
Some of our technology providers or service partners may store or process data outside Kenya. Where that happens, we will take reasonable steps to ensure the transfer is lawful and that your personal data remains adequately protected, consistent with the Data Protection Act and its Regulations. The ODPC’s General Regulations address data-subject rights and related processing safeguards within Kenya’s data-protection regime.
13. Your Rights
Under Kenya’s data protection framework, you have the following rights regarding your personal data:
- Right of Access: You may request access to the personal data we hold about you.
- Right to Rectification: You may request correction of any inaccurate, incomplete, or outdated personal data.
- Right to Erasure: You may request deletion of your personal data, subject to applicable legal and regulatory retention requirements.
- Right to Restrict Processing: You may request that we limit how your personal data is used in certain circumstances.
- Right to Data Portability: You may request to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to Object: You may object to the processing of your personal data where such processing is based on legitimate interests or used for direct marketing.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time.
- Right Related to Automated Decision-Making: You have the right not to be subject to decisions made solely through automated processing that significantly affect you.
Subject to legal and operational requirements, you may contact us to exercise your rights. We may request reasonable verification of identity before acting on your request.
You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC).
14. Data Retention
We retain personal data only for as long as reasonably necessary for:
- providing the requested services.
- patient support and fulfilment.
- legal, regulatory, and tax compliance.
- dispute resolution.
- fraud detection and prevention.
- enforcing our agreements.
- internal recordkeeping and audit requirements.
Retention periods may vary depending on the nature of the data, the service involved, and our legal obligations.
Where data is no longer required, we will securely delete, anonymize, or de-identify it, unless continued retention is required by law.
15. Data Security
We use reasonable administrative, technical, and organizational measures to protect personal data from unauthorized access, loss, misuse, disclosure, alteration, or destruction.
These safeguards may include:
- password protection.
- encryption in transit where appropriate.
- access controls.
- staff confidentiality obligations.
- audit and monitoring procedures.
- secure hosting and cybersecurity practices.
Kenya’s legal framework also addresses cyber-related offences and unlawful access to systems, which supports the broader protection of digital services and user data.
Although we take reasonable steps to secure personal data, no system can be guaranteed to be completely secure. You are responsible for keeping your login credentials confidential.
16. Marketing Communications
Where permitted by law, we may send promotional or educational communications by email, SMS, WhatsApp, or similar channels.
You may opt out of marketing messages at any time by:
- clicking the unsubscribe link where available;
- replying with the relevant opt-out instruction where applicable; or
- contacting us directly.
Please note that even if you opt out of marketing, we may still send important non-promotional messages relating to your account, service, payments, prescriptions, orders, appointments, or security.
17. Third-Party Platforms and Links
Our Platform may contain links to third-party services, payment providers, pharmacies, clinics, laboratories, delivery partners, or other external websites. We are not responsible for the privacy or security practices of third parties. Any personal data you submit to such third parties will be governed by their own policies.
18. Changes to This Privacy Policy
We may amend or update this Privacy Policy from time to time to reflect:
- changes in our services.
- changes in technology.
- legal or regulatory updates.
- changes in our business operations or privacy practices.
When we make material changes, we will post the updated policy on our Platform and revise the “Last Updated” date.
19. Contact Us
If you have any questions, requests, or complaints regarding this Privacy Policy or the way we handle your personal data, please contact us:
HimStrong Telehealth Limited
Attn: Privacy / Data Protection Team
Email: privacy@himstrong.com
Phone: +254 700 123 456
General support: support@himstrong.com
Postal Address: Nairobi, Kenya
Physical Address: Kenya — online-first platform; correspondence as directed above.
Regulatory Note:
HimStrong Telehealth Limited operates within the Kenyan legal environment for digital health and personal-data protection. Our privacy practices are designed to align with the Data Protection Act, 2019, the Health Act, 2017, and the Digital Health Act, 2023.