At PharmaSync, we treat privacy as a foundational obligation, not a compliance checkbox. This Privacy Policy describes our practices for collecting, processing, storing, and disclosing your information in compliance with:

• Kenya Data Protection Act 2019 (KDPA 2019) — our primary legal framework for all data processing
• Health Act 2017 — governing healthcare data confidentiality standards
• Kenya Information and Communications Act (KICA) — electronic communications and data standards
• Proceeds of Crime and Anti-Money Laundering Act (POCAMLA) — transaction monitoring obligations
• Pharmacy and Poisons Act (Cap 244) — pharmaceutical records retention
• Healthcare data confidentiality principles and industry best practices

We have designated a Data Protection Officer (DPO) to oversee our data protection practices, ensure KDPA compliance, and handle all data protection inquiries:

PharmaSync is registered with the Office of the Data Protection Commissioner (ODPC) as required under Section 19 of the Kenya Data Protection Act 2019.

• Full name and display name
• Email address (primary identifier for authentication)
• Phone number
• Password (stored as a bcrypt hash — we never store plain-text passwords)
• Profile photo (optional, uploaded via secure storage)
• Job title and role within your pharmacy

• Pharmacy or business name and trading name
• Pharmacy and Poisons Board (PPB) registration and license number
• Kenya Revenue Authority (KRA) PIN for eTIMS tax compliance
• Business physical address and postal address
• Business logo and branding assets
• Bank account details for payroll and business transactions
• Subscription tier and account settings

• M-Pesa registered phone number for payment processing
• Transaction history (sales, purchases, refunds, adjustments)
• Billing history and subscription payment records
• Discount codes and promotional redemptions
• Invoice data submitted to KRA eTIMS

• Product catalogue: names, SKUs, classifications, drug schedules
• Stock levels, batch numbers, and expiry dates
• Supplier company names, contact details, and addresses
• Purchase orders, goods received notes, and supplier invoices
• Stock transfer records between branches
• Wastage, damage, and adjustment records

• Point-of-sale transaction records and receipts
• Payment method, amounts, and payment status per transaction
• Refunds, returns, and credit note records
• Layaway and credit account transactions
• Wholesale order records
• Till reconciliation and cash management data

• Employee personal information: name, ID/passport number, date of birth, gender
• Employment details: job title, department, branch assignment, hire date
• Salary and compensation details for payroll processing
• Bank account information for payroll disbursement
• Emergency contact information
• Attendance records and clock-in/clock-out logs
• Leave requests, approvals, and leave balances
• Performance review notes and ratings
• KRA PIN for payroll tax compliance (PAYE)
• NHIF and NSSF membership numbers

• IP address and approximate geographic location (country/city level)
• Browser type, version, and operating system
• Session identifiers and authentication tokens
• Pages visited, features used, and session duration
• Error logs and diagnostic crash reports
• Device identifiers for session management
• Internal product analytics (aggregated usage patterns)

• SMS messages sent to customers via HostPinnacle (prescription reminders, loyalty notifications)
• WhatsApp messages (if WhatsApp Business integration is enabled by your pharmacy)
• Email communications including transactional and promotional emails
• Support tickets and help desk conversations
• In-app notifications and alert acknowledgements

• User action logs: record of all CREATE, UPDATE, DELETE operations with timestamp and user identity
• Login history and session access logs
• Configuration change logs: settings modifications, role changes, permission updates
• Data export history: who exported what data and when
• Failed authentication attempts and suspicious access events
• API access logs for enterprise integrations

We use your information to operate, maintain, and improve the PharmaSync platform, including:

• Processing sales transactions, managing inventory, and generating reports
• Managing prescription workflows from creation through dispensing
• Authenticating users and enforcing role-based access controls
• Managing staff payroll and HR records
• Sending transactional communications (receipts, alerts, reminders)

• Processing M-Pesa payments via Safaricom APIs
• Managing subscription billing and renewal
• Generating and submitting invoices to KRA eTIMS
• Processing refunds and credit notes

• KRA eTIMS: Tax invoice management and compliance reporting — required by law
• SHA (Social Health Authority): Insurance claims and patient verification — planned integration, will require explicit configuration by tenant
• HostPinnacle SMS: Sending SMS notifications to customers and patients
• M-Pesa (Safaricom): Payment collection and reconciliation

• Sending prescription-ready and refill reminder notifications
• Loyalty program balance updates and reward notifications
• Appointment reminders (if appointment module is enabled)
• Transactional receipts and order confirmations

We will only send marketing communications to you if you have explicitly opted in. You may withdraw your consent at any time by unsubscribing from any marketing email or contacting privacy@pharmasync.co.ke.

• Product update announcements and new feature notifications
• Educational content and pharmacy management best practices
• Industry news and regulatory update summaries
• Promotional offers for subscription upgrades

We use internal analytics tools to understand how PharmaSync is used and improve the product. All analytics data used for product development purposes is aggregated and de-identified — we do not profile individual users for commercial purposes.

• Detecting and investigating unauthorized access attempts
• Monitoring for suspicious transaction patterns
• Preventing data breaches and system abuse
• Enforcing our Terms of Service and Acceptable Use Policy

• KRA: Tax reporting, eTIMS invoice submission, PAYE payroll records
• Pharmacy and Poisons Board (PPB): Regulatory inspections and audit submissions
• ODPC: Compliance with data subject rights requests and regulatory orders
• Responding to lawful court orders, subpoenas, and law enforcement requests
• Financial Reporting Centre (FRC): Anti-money laundering compliance and suspicious transaction reporting

We may use fully anonymized, aggregated data (where no individual can be identified) for industry research, trend analysis, and benchmarking reports. This data cannot be re-linked to any individual or pharmacy.

For marketing communications, non-essential cookies, optional data sharing with third-party integrations, and any processing not covered by another lawful basis. Consent is freely given, specific, informed, and withdrawable at any time.

For processing necessary to provide the PharmaSync services you have subscribed to, including account management, feature delivery, billing, and subscription management.

For processing required to comply with applicable Kenyan law, including KRA tax reporting (eTIMS), PPB regulatory compliance, ODPC data protection obligations, Financial Reporting Centre AML reporting, and responses to lawful court orders.

For security monitoring, fraud prevention, product analytics (aggregated), audit logging, service improvement, and maintaining the safety and integrity of the platform. We balance our legitimate interests against your rights and freedoms and only rely on this basis where our interests are not overridden by your fundamental rights.

In rare emergency circumstances where processing is necessary to protect the vital interests of a data subject (e.g., a patient safety situation), we may process data on this basis without prior consent, subject to appropriate safeguards and documentation.

We share data with the following third-party processors who assist us in delivering PharmaSync services. All service providers are bound by Data Processing Agreements that require them to protect your data and process it only on our instruction.

• Social Health Authority (SHA): patient insurance claim submission and verification — planned integration, will be enabled only with tenant configuration and patient consent
• Private insurance providers: as configured by your pharmacy for specific patient insurance schemes
• Such sharing is governed by the Health Act 2017 and KDPA 2019 and requires appropriate legal basis

• Kenya Revenue Authority (KRA): Tax invoice data via eTIMS integration — legally required
• Pharmacy and Poisons Board (PPB): Regulatory compliance data and controlled substance records as required by law
• Office of the Data Protection Commissioner (ODPC): In response to investigations or regulatory orders
• National Computer and Cybercrimes Coordination Committee (NC4): Cybersecurity incident reporting
• Financial Reporting Centre (FRC): Suspicious transaction reports under POCAMLA
• Law enforcement agencies in response to lawful court orders, subpoenas, or warrants

In the event of a merger, acquisition, sale of assets, or restructuring, your data may be transferred to a successor entity. We will provide at least 30 days' advance notice and offer you the option to delete your data before any transfer occurs.

We will share data with additional third parties only where you have provided explicit, informed consent. You may withdraw such consent at any time.

We may share or publish anonymized, aggregated data (where no individual, patient, or pharmacy is identifiable) for research, industry reports, and benchmarking purposes.

• Data is shared with your staff only in accordance with the role-based access controls (RBAC) you configure
• Branch-level access controls restrict data visibility to the appropriate branch
• All internal data access is recorded in immutable audit logs
• System administrators within your organization can access audit logs for compliance purposes

• All data transmitted between your browser and PharmaSync is encrypted using TLS 1.2+ (HTTPS)
• Healthcare and prescription data is encrypted at rest using AES-256
• Database backups are encrypted using strong encryption standards
• API communications use token-based authentication with short-lived access tokens

• Passwords are hashed using bcrypt with a strong cost factor — plain-text passwords are never stored
• Minimum password complexity requirements are enforced
• Password reset flows use time-limited, single-use tokens delivered to verified email addresses
• Failed login attempt monitoring and temporary account lockouts

• Granular role-based access control (RBAC) with 25+ permission types
• Principle of least privilege: users access only what their role requires
• Session-based authentication with 8-hour token expiry
• Multi-branch access controls with branch-level data isolation
• Administrative actions require elevated permissions and are fully audited

• Content delivery and DDoS protection via Cloudflare
• Firewall rules and rate limiting on all API endpoints
• Web application firewall (WAF) protection
• Regular network vulnerability scans

• Protection against OWASP Top 10 vulnerability classes (SQL injection, XSS, CSRF, etc.)
• Input validation and output encoding throughout the application
• Dependency scanning and regular security patch management
• Secure development lifecycle practices

• Security awareness training for all staff with access to production systems
• Background checks for personnel with access to sensitive data
• Documented security policies and incident response procedures
• Vendor security assessments for all data processors

• 24/7 system monitoring for anomalies and security events
• Immutable audit logs for all data access and modification events
• Automated alerting for suspicious activity patterns
• Regular review of access logs by authorized security personnel

• Automated database backups retained for 30 days
• Recovery Point Objective (RPO): 24 hours
• Recovery Time Objective (RTO): 8 hours
• Backups stored in encrypted form in a geographically separate location
• Regular restoration tests to validate backup integrity

Retention: 7 years — required by the Tax Procedures Act / KRA. Includes sales records, purchase invoices, payment records, and payroll data.

Retention: 5 years — required by the Pharmacy and Poisons Act (Cap 244).

Retention: 7 years — required by the Insurance Act (Cap 487).

Retention: 7 years — required by the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA). Applies to all transaction records subject to anti-money laundering monitoring.

Retention: Duration of employment + 7 years — required by the Employment Act 2007 / KRA. Includes employment contracts, payroll records, leave records, and performance data.

• Starter and Professional plans: 6 months
• Enterprise plan: 2 years
• Extended audit log archiving is available as an Enterprise add-on

Marketing opt-in data is retained until you withdraw consent or until 2 years of inactivity, whichever comes first. You may withdraw consent at any time.

Account registration data, profile information, and subscription records are retained while your account remains active and for the applicable period after account closure.

We will process verified deletion requests within 30 days. However, we may be required to retain certain data beyond your deletion request where applicable law mandates retention (see sections 7.1–7.6 above). We will inform you of any data retained beyond your deletion request and the legal basis for doing so.

Upon account closure, your data enters a 90 days grace period during which you may restore your account. After the grace period, data is permanently deleted subject to the statutory retention periods in sections 7.1–7.6.

Accounts inactive for 6 months will receive a warning notification. Accounts inactive for 24 months will be scheduled for deletion following final notice and opportunity to export your data.

Your primary data is stored on servers located in Kenya and the East Africa region. We prioritize data residency within Kenya to support KDPA 2019 compliance and minimize cross-border transfer obligations.

• United States: AI services (limited anonymized/aggregated data only)
• Global (with Kenyan edge nodes): Cloudflare — file storage and content delivery
• Kenya: Safaricom (M-Pesa), KRA eTIMS, HostPinnacle (SMS), SHA (planned)

• Standard Contractual Clauses (SCCs) with all international data processors
• Data Processing Agreements (DPAs) requiring KDPA-equivalent protections
• End-to-end encryption for all international data transmissions
• Data minimization: only the minimum necessary data is transferred internationally
• Anonymization or aggregation of data before transfer where technically feasible

All international data transfers comply with Section 48 of the KDPA 2019, which requires that data transferred outside Kenya receives equivalent protection to that provided under the KDPA. We conduct due diligence on the data protection standards of all recipient countries.

Per ODPC 2024 Guidance on Cross-Border Data Transfers, we conduct Transfer Impact Assessments (TIAs) for all international data transfers. These assessments evaluate the legal framework of the recipient country, the nature of data transferred, and the risks to data subjects.

You have the right to request information about the specific safeguards in place for any international transfer of your data. Contact our DPO at dpo@pharmasync.co.ke with any transfer-related inquiries.

You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data. We will respond to verified access requests within 21 days.

You have the right to have inaccurate or incomplete personal data corrected. We will process rectification requests within 30 days of verification.

You have the right to request deletion of your personal data where there is no longer a legal basis for processing. This right is subject to exceptions where retention is required by law (see Section 7 of this policy for applicable retention periods).

You have the right to request that we restrict processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or where processing is unlawful but you prefer restriction over deletion.

You have the right to receive your personal data in a structured, commonly used, machine-readable format. PharmaSync supports data export in the following formats:

• CSV (Comma-Separated Values) — for spreadsheet applications
• JSON — for technical/API integrations
• Excel (.xlsx) — for business reporting

You have the right to object to processing of your personal data where it is based on legitimate interests or for direct marketing purposes. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal. Withdrawal of consent can be made by contacting us at privacy@pharmasync.co.ke.

You have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) if you believe we have violated your data protection rights:

To exercise any of the above rights, please contact us using the details below. We will verify your identity before processing your request and respond within the applicable statutory timeframe.

The rights described above are not absolute. Applicable limitations include:

• Statutory retention obligations under Kenyan law (see Section 7)
• Where processing is necessary for the establishment, exercise, or defence of legal claims
• Where granting access would adversely affect the rights of another person
• Where law enforcement or regulatory investigations require confidentiality

PharmaSync is a B2B (business-to-business) platform designed exclusively for use by registered pharmacies and licensed healthcare professionals. The platform is not intended for use by persons under 18 years of age. We do not knowingly collect personal data directly from minors.

Your pharmacy may process prescription and healthcare data for minor patients as part of providing pharmacy services. As the Data Controller for such data, your pharmacy is responsible for:

• Obtaining appropriate parental or guardian consent before processing minor patient data
• Complying with all additional protections required under the Children's Act 2022 and KDPA 2019 for minor data subjects
• Applying enhanced confidentiality standards to minor patient records
• Ensuring minor patient data is accessed only by authorized healthcare personnel

Cookies are small text files stored on your device by your web browser when you visit PharmaSync. They allow the platform to remember your session, preferences, and settings across page loads and visits.

On your first visit to PharmaSync, a cookie consent banner will be displayed allowing you to accept or decline non-essential cookies. Strictly necessary cookies are set regardless of your consent choice as they are required for the platform to function securely.

In addition to cookies, PharmaSync uses browser local storage and session storage to store user interface state, draft form data, and application preferences. This data is stored on your device only and is not transmitted to our servers.

• Browser settings: you may configure your browser to block or delete cookies — note that blocking strictly necessary cookies will prevent login
• In-app settings: you may manage functional and analytics cookie preferences through your account settings
• Opting out of analytics cookies will not affect your access to any PharmaSync features

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of the breach, as required by Section 39 of the Kenya Data Protection Act 2019.

For cybersecurity incidents and computer misuse events, we will notify the National Computer and Cybercrimes Coordination Committee (NC4) within 24 hours of detection, as required by Section 38 of the Computer Misuse and Cybercrimes Act 2018.

Where a breach is likely to result in high risk to your rights and freedoms, we will notify affected users without undue delay via the contact information held in your account. Notification will be sent as soon as practicable after our initial assessment and containment activities.

Our breach notifications will include:

• A description of the nature of the breach
• The categories and approximate number of data subjects and records affected
• The likely consequences of the breach
• The measures taken or proposed to address the breach and mitigate its effects
• Contact details of our DPO for further inquiries

If you suspect a data breach originating from within your pharmacy (e.g., unauthorized staff access, phishing of a staff account), please report it immediately to:

Prompt reporting enables faster containment and reduces the risk to patients and customers.

PharmaSync maintains a documented Incident Response Plan covering: detection and triage, containment and eradication, regulatory notification (ODPC within 72 hours, NC4 within 24 hours), user notification, post-incident review, and remediation. The plan is reviewed and tested annually.

PharmaSync monitors for suspicious transaction patterns as part of our obligations under the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA). Automated monitoring flags transactions that meet certain risk criteria for internal review by compliance personnel.

Data processed for AML monitoring purposes is retained for 7 years as required by POCAMLA and is accessible only to authorized compliance personnel.

As a financial services-adjacent platform handling prescription medication payments, tenants using PharmaSync may have independent obligations to report suspicious transactions to the Financial Reporting Centre (FRC). Tenants must report suspicious transactions to the FRC within 7 working days of the transaction coming to the attention of a responsible officer, as required by Section 13 of POCAMLA.

PharmaSync may contain links to external websites, regulatory portals (e.g., KRA, PPB, NHIF), and partner platforms. These external sites have their own privacy policies, and we have no responsibility or liability for their content or privacy practices.

Certain optional integrations (e.g., Gmail/Drive for document management, WhatsApp Business for patient communication) may be enabled by your pharmacy administrator. When enabled:

• Data shared with these platforms is governed by their respective privacy policies
• Your pharmacy, as Data Controller, is responsible for ensuring a lawful basis exists for sharing data with these services
• You may disable optional integrations at any time through your account settings
• Disabling an integration does not delete data already shared with that platform

Enterprise subscribers may be granted API access to integrate PharmaSync with their own systems. API access is governed by separate API Terms of Use, and data accessed via API remains subject to this Privacy Policy and the applicable Data Processing Agreement.

We may update this Privacy Policy from time to time to reflect changes in our practices, new regulatory requirements, or improvements to the platform. The "Last Updated" date at the top of this policy indicates when it was most recently revised.

For material changes — those that significantly affect your rights or our data processing practices — we will provide at least 30 days' advance notice via:

• Email notification to the primary account administrator email address
• In-platform notification banner on your PharmaSync dashboard
• Updated Last Updated date on this page

Your continued use of PharmaSync after the effective date of any policy update constitutes your acceptance of the revised Privacy Policy. If you do not agree with the changes, you should discontinue use of the platform before the effective date.

If you disagree with material changes to this Privacy Policy, you have the right to cancel your subscription without penalty before the effective date of the changes. In such cases, we will provide a pro-rata refund for any unused subscription period.

PharmaSync (Novascape Technologies Ltd) acts as the Data Controller for the following categories of data only:

• Account registration data (name, email, phone of account administrators)
• Billing and subscription data
• Aggregated and anonymized usage analytics for product improvement
• Marketing communications to opted-in contacts
• Internal staff data (Novascape Technologies Ltd employees)

For all other data categories, PharmaSync acts as a Data Processor under your instruction as the Data Controller:

• Patient and prescription data
• Healthcare and medical records
• Insurance and SHA claims data
• Customer and loyalty program data
• Staff and employee records
• Transaction and financial records specific to your pharmacy
• Inventory and supplier records

Our Data Processing Agreement (DPA), compliant with Section 44 of the KDPA 2019, governs the relationship between your pharmacy as Data Controller and PharmaSync as Data Processor. A copy of our DPA is available upon request by contacting legal@pharmasync.co.ke.

PharmaSync is designed to support your obligations under the Health Act 2017 and professional pharmacy ethics regarding patient confidentiality:

• Patient data is accessible only to staff with explicitly granted permissions
• Branch-level access controls prevent staff from accessing patient data from other branches
• All access to patient records is logged in the immutable audit trail
• PharmaSync staff do not access patient-identifiable data except where necessary for technical support, with your authorization

• Prescription records are encrypted at rest using AES-256 encryption
• Prescription records are retained for 5 years per the Pharmacy and Poisons Act (Cap 244)
• Prescription data is never shared with third-party marketing or advertising platforms
• Prescription export functions are restricted to authorized roles and are fully audit-logged

Patient insurance data (including SHA claims and private insurer claims) is shared only:

• When the relevant insurance integration is enabled by your pharmacy administrator
• To the specific insurer relevant to the patient's claim
• With appropriate patient consent or under the lawful basis of contract performance (insurance claim processing)
• In accordance with the Insurance Act (Cap 487) and applicable insurer agreements

SHA integration, when available, will require explicit configuration and appropriate data sharing agreements.

Any use of patient healthcare data for research purposes (beyond the operational purposes described in this policy) requires:

• Explicit, separate consent from each data subject
• Full anonymization of data where consent is not feasible
• Ethics review and approval from an appropriate body
• Compliance with the Health Act 2017 research data provisions
• Prior notification to the ODPC where required