At PharmaSync, we take your privacy seriously. This Privacy Policy describes our practices for collecting, using, maintaining, protecting, and disclosing your information in compliance with:

• Kenya Data Protection Act 2019
• General Data Protection Regulation (GDPR) for international users
• Healthcare data confidentiality regulations
• Industry best practices for data protection

PharmaSync operates in dual data roles depending on the type of information:

• Data Controller: For your account information, billing data, usage analytics, and marketing communications
• Data Processor: For patient/prescription data you process through our Platform (you remain the Data Controller)

We have designated a Data Protection Officer (DPO) to oversee our privacy practices and handle data protection inquiries:

• Name: First name and last name
• Email Address: For account creation and communications
• Phone Number: For OTP verification and support
• Password: Hashed using bcryptjs (never stored in plain text)
• Profile Picture: Optional user photo

• Pharmacy Name: Your business name
• PPB License Number: Pharmacy and Poisons Board license
• Business Address: Physical location, county, region
• KRA PIN: Kenya Revenue Authority tax identification
• Business Logo: Optional branding
• Business Phone/Email: Customer-facing contact information

• M-PESA Phone Number: For payment processing
• Transaction History: Subscription payments, refunds
• Billing Information: Invoices, payment receipts
• Subscription Tier: Starter, Professional, or Enterprise
• Discount Codes: Applied promotional codes

Note: We do not store complete credit/debit card numbers. Payment processing is handled by third-party providers (Safaricom, payment gateways).

Important: For this sensitive healthcare data, you are the Data Controller and PharmaSync acts as a Data Processor on your behalf. You are responsible for obtaining patient consent and complying with healthcare data regulations.

• Product Information: Drug names, dosages, categories, batch numbers
• Expiry Dates: Batch expiration tracking
• Supplier Details: Names, contacts, payment terms
• Purchase Orders: Order history, pricing
• Inventory Levels: Stock quantities, locations

• Sales Records: Items sold, quantities, prices
• Payment Methods Used: Cash, M-PESA, card, insurance
• Receipts and Invoices: Transaction receipts with eTIMS data
• Refunds and Returns: Return reasons, amounts
• Customer Names/Contacts: For sales tracking (optional)

• IP Address: For security and fraud prevention
• Browser and Device Information: User agent, screen resolution
• Session Logs: Login times, session duration
• Analytics Data: PostHog usage patterns, feature adoption
• Error Logs: Application errors for debugging
• Cookies: Authentication tokens, preferences (see Section 11)

• SMS Messages: Sent via TextSMS to customers
• WhatsApp Messages: Customer communication (Professional/Enterprise)
• Emails: Sent via Resend (transactional) and Gmail (optional integration)
• Support Tickets: Communications with our support team
• Feedback Submissions: User surveys and feature requests

• Signup Source: How you found PharmaSync (e.g., Google, Facebook, referral)
• UTM Parameters: Campaign tracking (utm_source, utm_medium, utm_campaign)
• Referral Codes: Affiliate or referral program codes
• Landing Page: First page visited

• User Action Logs: Who created/modified/deleted records (Enterprise tier)
• Access Logs: Who accessed what data and when
• Configuration Changes: Settings modifications, role changes
• Export History: Data export requests

We use your data to provide the core PharmaSync platform features:

• User authentication and account management
• Inventory tracking and batch management
• POS transactions and sales recording
• Prescription management and dispensing
• Staff management and payroll processing
• Analytics and reporting dashboards

• Processing subscription payments via M-PESA and payment gateways
• Generating invoices and receipts
• Managing billing cycles and renewals
• Processing refunds and chargebacks
• Detecting and preventing payment fraud

We process your data to enable integrations with:

• KRA eTIMS: Tax invoice submission and compliance reporting
• DHA/NHIF/SHA: Insurance claims submission and patient verification
• SMS/WhatsApp: Customer notifications and marketing (with consent)
• Gmail/Drive: Email sending and document storage (if you enable)
• M-PESA: Payment collection for your sales

• Transactional Emails: Account verification, password resets, payment confirmations
• Service Notifications: System updates, downtime alerts, feature releases
• Support Communications: Responding to your inquiries
• Renewal Reminders: Upcoming subscription renewals

With your explicit consent, we may use your contact information for:

• Product updates and new feature announcements
• Educational content (webinars, tutorials, best practices)
• Promotional offers and discounts
• Industry news and pharmacy management tips

You can opt out of marketing communications at any time using the unsubscribe link in emails or from your account settings.

We use PostHog and internal analytics to:

• Understand feature usage patterns and user behavior
• Identify and fix bugs and performance issues
• Prioritize product development and feature requests
• Optimize user experience and interface design
• Generate anonymized industry benchmarks and reports

• Detecting suspicious account activity
• Preventing unauthorized access and data breaches
• Identifying fraudulent payment attempts
• Enforcing our Terms of Service
• Monitoring for malware and security threats

• KRA Reporting: Tax compliance via eTIMS integration
• PPB Compliance: Maintaining records for pharmacy inspections
• ODPC Reporting: Data breach notifications if required
• Legal Requests: Responding to valid court orders and regulatory inquiries

We may aggregate and anonymize data (removing all personal identifiers) to create:

• Industry benchmarks (e.g., "average pharmacy sales in Nairobi")
• Market research reports
• Academic and public health research (with ethical review)

Anonymized data cannot be traced back to individual pharmacies or patients.

You have given explicit consent for processing when you:

• Check the "I agree to Terms of Service and Privacy Policy" box during signup
• Opt-in to marketing communications
• Enable optional integrations (Gmail, WhatsApp)
• Upload sensitive healthcare data (prescriptions, patient information)

You can withdraw consent at any time, though this may limit your ability to use certain features.

Processing is necessary to fulfill our contract with you (Terms of Service):

• Providing the PharmaSync platform and features
• Processing subscription payments
• Delivering customer support
• Enabling third-party integrations (eTIMS, M-PESA)

We must process certain data to comply with Kenyan law:

• KRA Tax Compliance: Maintaining financial records for 7 years
• PPB Requirements: Maintaining prescription records for 5+ years
• ODPC Breach Notification: Reporting data breaches within 72 hours
• Court Orders: Responding to valid legal requests

We have a legitimate interest in processing data for:

• Fraud prevention and security monitoring
• Product improvement and analytics
• Network and information security
• Enforcing our Terms of Service

We balance our legitimate interests against your privacy rights. You have the right to object to processing based on legitimate interests.

In rare emergency situations, we may process data to protect vital interests (life or death situations), such as:

• Medical emergencies requiring access to prescription history
• Public health crises (e.g., pandemics, disease outbreaks)
• Safety threats requiring law enforcement cooperation

We share data with trusted third-party service providers:

• Safaricom (M-PESA): Payment processing for subscriptions and sales
• TextSMS: SMS notifications to customers
• Meta (WhatsApp Business): Customer communication (if enabled)
• Resend: Transactional email delivery
• Google (Gmail, Drive): Email and document storage (if you enable)
• PostHog: Product analytics and usage tracking
• Hosting Providers: Cloud infrastructure (databases, servers)

All service providers are bound by data processing agreements and must comply with data protection laws.

• Digital Health Agency (DHA): Patient verification and insurance claims
• NHIF/SHA: Public health insurance claims submission
• Private Insurance Providers: Claims processing (as you configure)

You control which insurance providers receive patient data through claims submission.

We may disclose data to authorities when legally required:

• Kenya Revenue Authority (KRA): Tax compliance via eTIMS
• Pharmacy and Poisons Board (PPB): Regulatory inspections
• Office of the Data Protection Commissioner (ODPC): Data protection investigations
• Law Enforcement: Valid court orders, subpoenas, or legal obligations

We will notify you of legal requests unless prohibited by law or in emergency situations.

In the event of a merger, acquisition, or sale of Novascape Technologies Ltd, your data may be transferred to the new entity. We will:

• Notify you via email before the transfer
• Ensure the new entity commits to this Privacy Policy
• Provide you the option to delete your account if you disagree

We may share data with other parties when you explicitly consent, such as:

• Enabling API access for custom integrations (Enterprise tier)
• Participating in industry research studies
• Requesting data portability to another platform

We may share anonymized, aggregated data publicly or with partners for:

• Industry benchmarking reports (e.g., "average pharmacy inventory turnover")
• Public health research (with ethical review)
• Marketing materials showcasing platform capabilities

Anonymized data cannot identify individual pharmacies or patients.

Data is shared among authorized users within your pharmacy (Tenant) based on:

• Role-Based Access: Enterprise tier has granular permissions
• Branch-Level Access: Multi-branch pharmacies control cross-branch visibility
• Audit Logs: Enterprise tier tracks who accessed what data

• In Transit: All data transmitted between your browser and our servers uses TLS/SSL encryption (HTTPS)
• At Rest: Database encryption using AES-256-CBC for sensitive fields
• Backups: Encrypted database backups with secure storage

• Hashing: Passwords hashed using bcryptjs (industry-standard)
• No Plain Text: We never store or transmit passwords in readable format
• Password Requirements: Minimum complexity enforced
• Password Reset: Secure token-based reset process

• Role-Based Access Control (RBAC): Enterprise tier has granular permissions
• Multi-Factor Authentication: OTP via SMS/email for account verification
• Email Verification: Required for account activation
• Session Management: Automatic logout after inactivity
• IP Monitoring: Suspicious login detection

• Firewalls: Network-level protection
• DDoS Protection: Traffic filtering and rate limiting
• Intrusion Detection: Monitoring for malicious activity
• Rate Limiting: Prevents brute-force attacks

• Security Audits: Regular code reviews and vulnerability scanning
• Penetration Testing: Third-party security assessments
• Patch Management: Timely updates for security vulnerabilities
• Input Validation: Protection against SQL injection, XSS attacks

• Staff Training: Data protection and security awareness
• Confidentiality Agreements: All employees sign NDAs
• Least Privilege: Staff access limited to necessary data
• Background Checks: Vetting of employees with data access

• Audit Logs: Comprehensive logging of data access (Enterprise tier)
• Anomaly Detection: Automated alerts for suspicious activity
• Security Incident Response: Dedicated team for breach response

• Daily Backups: Automated database backups
• Disaster Recovery Plan: Business continuity procedures
• Geographic Redundancy: Data replicated across multiple locations
• Recovery Testing: Regular testing of backup restoration

Disclaimer: No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

Legal Requirement: Kenya Revenue Authority requires businesses to maintain financial records for 7 years for tax purposes.

• Sales records and invoices
• Payment transactions
• Tax submissions (eTIMS data)
• Purchase orders and supplier invoices
• Refunds and credit notes

Legal Requirement: Pharmacy and Poisons Board (PPB) requires prescription records to be maintained for at least 5 years.

• Prescription details (doctor, patient, medication)
• Dispensing records
• Controlled substances logs

Retention varies by subscription tier:

• Starter/Professional: 6 months of access logs
• Enterprise: 2 years of comprehensive audit logs

Legal Requirement: Kenya Employment Act requires maintaining employee records for the duration of employment plus 7 years.

• Staff attendance and leave records
• Payroll history
• Performance evaluations

• Active Consent: Retained while you remain opted-in
• Inactivity: Deleted after 2 years of no engagement
• Opt-Out: Removed from marketing lists within 30 days

Data retained while your account is active:

• User profile information
• Business/pharmacy details
• Subscription and billing information
• Settings and preferences

You have the right to request deletion of your personal data (Right to Erasure). We will:

• Process deletion requests within 30 days (Kenya Data Protection Act)
• Notify you when deletion is complete
• Delete all non-legally-required data

When you cancel your subscription:

• Days 1-90: Data retained (you can reactivate anytime)
• Day 90: Account permanently closed
• After Day 90: All non-legally-required data deleted

Recommendation: Export your data before canceling (use in-app export tools or request a data export).

• 6 Months Inactivity: Email warning about potential deletion
• 24 Months Inactivity: Account and data deleted (except legally required records)

Your data is primarily stored in:

• Kenya: Primary database servers
• East Africa Region: Backup and redundancy servers

Some third-party services process data outside Kenya:

• United States: PostHog (analytics), Meta (WhatsApp), Resend (email)
• European Union: Google (Gmail, Drive - if enabled)
• Kenya: Safaricom (M-PESA), DHA/NHIF (healthcare)

The Kenya Data Protection Act (Section 48) requires authorization from the Data Protection Commissioner for cross-border transfers to countries without adequate data protection laws.

We have conducted Data Protection Impact Assessments (DPIAs) and implemented appropriate safeguards. If ODPC authorization is required for specific transfers, we will obtain it before processing.

• Right to be Informed: We disclose all international transfers in this Privacy Policy
• Right to Object: You can object to transfers to specific countries (may limit functionality)
• Right to Information: Request details about transfer safeguards by contacting our DPO

You have the right to request a copy of all personal data we hold about you.

• Free of Charge: First request per year is free
• Response Time: 21 days (Kenya) or 30 days (GDPR)
• Format: Electronic copy (PDF, CSV, JSON)
• Includes: What data we have, how we use it, who we share it with

You can correct inaccurate or incomplete personal data.

• Self-Service: Update most data from your account settings
• Request: Email us for data you cannot edit yourself
• Response Time: Corrections made within 30 days

You can request deletion of your personal data when:

• Data is no longer necessary for its original purpose
• You withdraw consent (and no other legal basis exists)
• You object to processing and there are no overriding grounds
• Data was unlawfully processed

Exceptions (we cannot delete when):

• Required by law (7-year financial records, 5-year prescriptions)
• Needed for legal claims or ongoing disputes
• Public interest or archival purposes

You can limit how we process your data (we store but don't use) when:

• You dispute data accuracy (restricted until verified)
• Processing is unlawful but you don't want deletion
• We no longer need data but you need it for legal claims
• You object to processing (restricted pending outcome)

You can receive your data in a machine-readable format and transfer it to another service.

• Formats Available: CSV, JSON, Excel (tier-dependent)
• Includes: Inventory, sales, prescriptions, customers, suppliers
• In-App Tool: Data export from account settings
• Assistance: We can help migrate to another platform

You can object to processing in certain situations:

• Direct Marketing: Immediate opt-out (click unsubscribe)
• Legitimate Interests: We must stop unless we have compelling grounds
• Profiling/Analytics: Object to automated decision-making

Where processing is based on consent, you can withdraw it at any time.

• Marketing Emails: Click unsubscribe or update preferences
• Optional Integrations: Disable from settings (Gmail, WhatsApp)
• Analytics: Opt out of PostHog tracking

Withdrawing consent does not affect the lawfulness of processing before withdrawal. It may limit your ability to use certain features.

If you believe we have violated your data protection rights, you can complain to:

You can also lodge a complaint with your local data protection authority (e.g., EU supervisory authority if you are in Europe).

To exercise any of these rights:

• Email: datarights@pharmasync.co.ke or dpo@pharmasync.co.ke
• In-App: Account settings → Privacy & Data Rights
• Written Request: Mail to [PLACEHOLDER: Physical Address]

We may request identity verification to protect your data. We will respond within:

• 21 days: Kenya Data Protection Act requirement
• 30 days: GDPR requirement (extendable to 60 days if complex)

PharmaSync is a business-to-business (B2B) platform designed for licensed pharmacies. The Platform is not intended for use by individuals under 18 years of age.

We do not knowingly collect personal information from children under 18. If we become aware that we have collected data from a child without parental consent, we will delete it promptly.

As a pharmacy management platform, we do not market to or target children. All users must be:

• 18 years or older
• Authorized pharmacy staff or owners
• Legally capable of entering into contracts

While the Platform itself is not for children, pharmacies using PharmaSync may process prescription data for minor patients (children under 18).

PharmaSync acts as a Data Processor for such patient data and processes it only on your instructions.

Cookies are small text files stored on your device by your web browser. We use cookies and similar technologies to provide and improve the Platform.

Strictly Necessary Cookies:

• next-auth.session-token: Session authentication (keeps you logged in)
• csrf_token: Security protection against cross-site request forgery
• Device ID: Multi-factor authentication

These cookies are essential for the Platform to function and cannot be disabled.

Functional Cookies:

• User Preferences: Language, timezone, theme (dark mode)
• UI Customization: Sidebar collapsed/expanded, table columns
• Last Visited Tenant: Auto-login to your default pharmacy

Analytics Cookies:

• PostHog: Product analytics, feature usage, session recordings
• Purpose: Understand how you use the Platform to improve it
• Control: You can opt out of PostHog tracking in account settings

When you first visit PharmaSync, we display a cookie consent banner allowing you to:

• Accept All: Enable all cookies (necessary, functional, analytics)
• Reject Optional: Only strictly necessary cookies
• Customize: Granular control over cookie categories

You can change your cookie preferences anytime from Account Settings → Privacy → Cookie Preferences.

Some third-party services set their own cookies:

• PostHog: Analytics tracking
• OAuth Providers: Google, Microsoft (if you use social login)
• Payment Processors: M-PESA, payment gateways

These third-party cookies are governed by the respective third party's privacy policy.

You can control cookies through:

• Browser Settings: Most browsers allow you to block or delete cookies
• In-App Settings: Account Settings → Privacy → Cookie Preferences
• PostHog Opt-Out: Account Settings → Privacy → Analytics Opt-Out

Note: Disabling necessary cookies will prevent you from logging in and using the Platform.

In addition to cookies, we use browser local storage and session storage for:

• Performance: Caching frequently accessed data (product lists, categories)
• User Experience: Preserving form data during navigation
• Offline Functionality: Temporary storage for offline mode (future feature)

Under the Kenya Data Protection Act 2019, we are required to:

• Notify ODPC: Report data breaches to the Office of the Data Protection Commissioner within 72 hours of becoming aware
• Notify Affected Users: Inform you without undue delay if the breach poses a high risk to your rights and freedoms
• Document Breaches: Maintain records of all data breaches

If we notify you of a breach, we will provide:

• Nature of the Breach: What happened and when it occurred
• Data Affected: What types of data were compromised
• Likely Consequences: Potential impact on you
• Mitigation Measures: Steps we have taken to contain the breach
• Recommendations: Actions you should take (e.g., change password)
• Contact Information: How to reach our DPO for questions

Your Responsibilities as Data Controller: If patient/prescription data is breached, you are responsible for:

• Notifying affected patients
• Reporting to ODPC if required
• Cooperating with our breach investigation

Our incident response process:

• Detection: Automated monitoring and user reports
• Containment: Immediate isolation of affected systems
• Investigation: Forensic analysis to determine scope and cause
• Remediation: Patching vulnerabilities, resetting credentials
• Notification: Informing ODPC, affected users, and authorities
• Post-Incident Review: Lessons learned and security improvements

The Platform may contain links to external websites (e.g., supplier websites, regulatory agency portals, help documentation). We are not responsible for the privacy practices or content of these third-party sites.

Recommendation: Review the privacy policy of any external website before providing personal information.

You can choose to enable optional third-party integrations:

• Gmail: Send emails from your pharmacy email address
• Google Drive: Backup documents and receipts
• WhatsApp Business: Customer communication

When you enable these integrations, you consent to data sharing with those providers. Their privacy policies apply to how they process your data.

Enterprise customers with API access can build custom integrations. If you use our API to connect to your own applications:

• Your Responsibility: You are the Data Controller for data processed by your custom applications
• Your Privacy Policy: You must have your own privacy policy if your app collects personal data
• Security: Secure your API keys and credentials

We may update this Privacy Policy from time to time to reflect:

• Changes in data protection laws or regulations
• New features or services
• Changes to our data processing practices
• Improvements based on user feedback

For material changes that affect how we process your data, we will notify you via:

• Email: To your registered email address
• In-App Notification: Prominent banner when you log in
• Updated "Last Updated" Date: At the top of this Privacy Policy

You will have 30 days to review changes before they take effect.

Continued use of the Platform after the effective date constitutes acceptance of the updated Privacy Policy.

If you disagree with changes to this Privacy Policy, you have the right to:

• Cancel your subscription before the effective date
• Export your data (data portability)
• Request deletion of your data (subject to legal retention requirements)

We are the Data Controller for:

• Account Data: Your name, email, phone, profile picture
• Business Data: Pharmacy name, address, PPB license, KRA PIN
• Billing Data: Subscription payments, invoices
• Usage Analytics: How you use the Platform (PostHog data)
• Marketing Data: Email campaigns, promotional communications

Our Decisions: We determine why and how this data is processed.

We are the Data Processor (acting on your instructions) for:

• Patient Data: Patient names, national IDs, contact information
• Prescription Data: Doctor details, medications, dosages
• Healthcare Data: Medical conditions inferred from prescriptions
• Insurance Claims: DHA, NHIF/SHA, private insurance data
• Customer Data: Your pharmacy's customer lists

Your Control: YOU are the Data Controller for this data. You determine why and how patient/prescription data is processed.

Our relationship as Data Processor is governed by a Data Processing Agreement (DPA) compliant with:

• Article 28 GDPR: Processor obligations
• Kenya Data Protection Act: Section 44 processor requirements

The DPA includes:

• Processing Instructions: We process data only as you instruct
• Confidentiality: Our staff are bound by confidentiality obligations
• Security Measures: Technical and organizational safeguards (Section 6)
• Subprocessors: List of third-party processors (Section 5)
• Audit Rights: You can audit our data processing practices
• Breach Notification: We notify you of breaches within 24 hours
• Data Return/Deletion: Upon termination, we return or delete your data

View our full Data Processing Agreement (Enterprise customers can request a signed DPA).

For all privacy and data protection inquiries:

For general privacy questions or feedback:

To exercise your data protection rights (access, rectification, erasure, etc.):

To lodge a complaint about our data processing practices:

• Explicit Consent Required: Processing healthcare data requires explicit consent from patients
• Encryption: All prescription and patient data encrypted at rest and in transit
• Access Controls: Strict role-based access to sensitive data
• Audit Logs: Every access to prescription data is logged (Enterprise tier)
• Anonymization: Healthcare data anonymized for analytics and research

We are committed to upholding patient confidentiality principles:

• Need-to-Know Basis: Access limited to authorized pharmacy staff
• No Unauthorized Disclosure: Patient data shared only with insurance providers (with consent) or as required by law
• Healthcare Professional Duty: You (the pharmacy) maintain primary responsibility for patient confidentiality

• Encrypted Storage: AES-256-CBC encryption for prescription records
• Access Logging: Who viewed which prescription and when (Enterprise)
• 5-Year Retention: PPB-compliant prescription record retention
• Secure Deletion: Cryptographic erasure after retention period

When submitting insurance claims (DHA, NHIF/SHA, private insurers):

• Minimum Necessary: Only required data fields shared with insurers
• Secure APIs: Encrypted transmission via HTTPS
• Patient Consent: Obtained before claim submission (your responsibility)
• Insurer Privacy Policies: Subject to DHA/NHIF privacy practices

If we use anonymized healthcare data for research:

• Explicit Consent: Separate consent obtained for research purposes
• Complete Anonymization: All patient identifiers removed (names, IDs, contacts)
• Ethical Review: Research approved by ethics committee
• Public Health Benefit: Research serves legitimate public health interests
• Right to Opt-Out: You can opt out of research participation