1. Introduction

Novascape Technologies Ltd. ("we", "us", "our", or "PharmaSync") is committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, process, and protect your personal data when you use our pharmacy management software service.

This policy applies to all users of PharmaSync services, including pharmacy owners, staff members, and administrators who access our cloud-based pharmacy management platform.

By using PharmaSync, you acknowledge that you have read, understood, and agree to the collection and use of your personal information as described in this Privacy Policy.

2. Data Controller Information

Novascape Technologies Ltd. is the data controller for your personal information. We are a company registered in Kenya and are subject to Kenya's Data Protection Act, 2019.

3. Information We Collect

We collect different types of information to provide and improve our services:

3.1 Personal Information:

• Name, email address, phone number, and job title
• Account credentials and authentication information
• Pharmacy license information and professional credentials
• Billing and payment information

3.2 Business Information:

• Pharmacy name, address, and contact details
• Business registration and license numbers
• Supplier and vendor information
• Product inventory and transaction data

3.3 Technical Information:

• IP addresses, browser type, and device information
• Usage patterns and feature interactions
• Error logs and system performance data
• Session information and login timestamps

4. How We Use Your Information

We use your personal information for the following purposes:

4.1 Service Provision:

• Providing access to PharmaSync software features
• Processing pharmacy transactions and inventory management
• Generating reports and analytics for your business
• Maintaining user accounts and access controls

4.2 Communication:

• Sending service updates and important notifications
• Providing customer support and technical assistance
• Responding to inquiries and support requests
• Sending billing and payment notifications

4.3 Business Operations:

• Processing payments and managing subscriptions
• Improving our services based on usage patterns
• Ensuring security and preventing fraud
• Complying with legal and regulatory requirements

5. Legal Basis for Processing

Under Kenya's Data Protection Act, 2019, we process your personal data based on the following legal grounds:

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your data only in the following limited circumstances:

6.1 Service Providers:

• Cloud hosting providers for data storage and processing
• Payment processors for billing and subscription management
• Technical support and maintenance providers
• Email and communication service providers

6.2 Legal Requirements:

• Compliance with court orders and legal processes
• Cooperation with law enforcement investigations
• Regulatory reporting to pharmaceutical authorities
• Protection of our rights and property

7. Data Security Measures

We implement comprehensive security measures to protect your personal information:

7.1 Technical Security:

• End-to-end encryption for data transmission (TLS 1.3)
• AES-256 encryption for data at rest
• Multi-factor authentication for admin accounts
• Regular security audits and penetration testing

7.2 Access Controls:

• Role-based access control (RBAC) system
• Principle of least privilege for staff access
• Regular access reviews and deprovisioning
• Audit logging for all data access activities

7.3 Operational Security:

• Regular automated backups with encryption
• 24/7 security monitoring and incident response
• Regular software updates and patch management
• Staff security training and awareness programs

8. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this privacy policy:

Secure Deletion: When the retention period expires, we securely delete or anonymize your personal information using industry-standard data destruction methods.

9. Your Rights Under Kenya's Data Protection Act

You have the following rights regarding your personal information:

9.1 Access Rights:

• Right to access your personal data we hold
• Right to receive a copy of your data in a portable format
• Right to know how your data is being processed

9.2 Control Rights:

• Right to rectification of inaccurate or incomplete data
• Right to erasure ("right to be forgotten") under certain conditions
• Right to restrict processing of your data
• Right to object to processing based on legitimate interests

9.3 Consent Rights:

• Right to withdraw consent at any time
• Right to opt-out of marketing communications

10. Cross-Border Data Transfers

Your personal data is primarily processed and stored within Kenya. However, some of our service providers may be located outside Kenya:

• We ensure all international transfers comply with Kenya's Data Protection Act
• We use appropriate safeguards such as standard contractual clauses
• We only transfer data to countries with adequate data protection laws
• We maintain the same level of protection for transferred data

Current International Service Providers: Cloud hosting services (AWS - Ireland region), Payment processing (Stripe - EU), Email services (SendGrid - US with Privacy Shield certification).

11. Cookies and Tracking Technologies

PharmaSync uses cookies and similar tracking technologies to enhance your experience and analyze Service usage:

Types of Cookies We Use:

• Essential Cookies: Required for basic Service functionality and security
• Performance Cookies: Help us understand how you use the Service to improve performance
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Collect anonymized usage statistics

Cookie Management: You can control cookies through your browser settings. However, disabling essential cookies may affect Service functionality.

Third-Party Tracking: We may use third-party analytics services that employ cookies to help us understand Service usage patterns.

Cookie Retention: Cookies are retained for varying periods based on their purpose, typically ranging from session-only to 12 months.

12. Children's Privacy

Age Restrictions: Our Service is designed for adult users in professional pharmacy environments. We do not knowingly collect personal information from children under 18 years of age.

Parental Controls: If you are a parent or guardian and believe your child has provided personal information to us, please contact us immediately at support@pharmasync.co.ke.

Data Deletion: Upon becoming aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.

Account Verification: We reserve the right to verify the age of users and may request identification to ensure compliance with this policy.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service improvements.

Notification Methods:

• Email notification to your registered address for material changes
• In-app notifications within the PharmaSync dashboard
• Updates posted on our website at pharmasync.co.ke
• SMS notification for critical privacy-related changes

Effective Date: Changes will become effective 30 days after notification, except for changes required by law which may be effective immediately.

Your Rights: If you disagree with changes to this Privacy Policy, you may terminate your account before the changes take effect.

Version Control: We maintain previous versions of this Privacy Policy for reference. The current version date is always displayed at the top of the policy.

14. Data Breach Notification

In compliance with Kenya's Data Protection Act, 2019, we have established procedures for data breach detection, response, and notification:

Our Response Process:

• Immediate containment and assessment of the breach within 24 hours
• Notification to regulatory authorities within 72 hours where required
• User notification without undue delay for high-risk breaches
• Implementation of remedial measures to prevent future incidents

What We'll Tell You: Breach notifications will include the nature of the breach, categories of data involved, likely consequences, and measures taken to address the breach.

Your Actions: In the event of a breach, we may recommend specific actions such as changing passwords or monitoring accounts for unusual activity.

Prevention Measures: We employ robust security measures including encryption, access controls, and regular security audits to prevent data breaches.

15. Contact Information and Complaints

For privacy-related inquiries, data requests, or complaints, please contact us using the information below:

Response Time: We aim to respond to privacy inquiries within 5 business days and resolve complaints within 30 days.

Regulatory Complaints: If you are not satisfied with our response, you may lodge a complaint with:

Required Information: When contacting us about privacy matters, please include your account details, the nature of your inquiry, and any relevant reference numbers.

Business Hours: Monday to Friday, 8:00 AM - 5:00 PM (East Africa Time)