Privacy Policy
Equity Afya Limited — Data Protection & Privacy
This privacy policy ("Policy") will help you understand what information we collect, why we collect it, how we use it, including if and how we share the information with third parties, and the choices you have in relation to your information.
This privacy policy ("Policy") describes the way Equity Afya collects information/data from you, how we store, use, process and disclose such information, and the steps we take to protect such information.
"We", "our" and "us" refer to Equity Afya. "You" and "your" refer to the current and former visitors to our Website, User and/or his/her/its Authorized Representative (defined below), directors or owners, as applicable.
DEFINITIONS
"Authorized Representative" means the employee or authorised representative of the User who is specifically authorized to visit Equity Afya Website on behalf of the User.
"Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing" have the meanings given to them in the Data Protection Legislation.
"Data Protection Legislation" means all applicable data privacy laws and all other Legislation that apply to a party's use of Personal Data, including laws on electronic communications privacy, together with any applicable guidance issued by the relevant regulatory authority.
"Data Protection Legislation" means the Kenya Data Protection Act, 2019, its Regulations, any amendments thereto, and all other applicable laws relating to privacy, data protection, electronic communications, and cybersecurity, together with any applicable guidelines or directives issued by the Office of the Data Protection Commissioner (ODPC).
"Consent" means any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes by which they signify agreement to the processing of their Personal Data.
"Health Data" means Personal Data relating to the physical or mental health of an individual, including information about the provision of health services.
"Special Categories of Personal Data" means data that is sensitive in nature, including health data, biometric data, genetic data, financial information, and any other sensitive categories as defined under applicable law.
"Biometric Data" means Personal Data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a person, which allows for unique identification.
"Anonymisation" means the process of removing identifiers from Personal Data so that the Data Subject can no longer be identified.
"Pseudonymisation" means the processing of Personal Data in such a way that it can no longer be attributed to a specific Data Subject without additional information.
"Data Retention Period" means the period for which Personal Data is stored before it is securely deleted, anonymised, or archived as required by law.
"Recipient" means a natural or legal person, public authority, or any other body to whom Personal Data is disclosed.
"Third Party" means any natural or legal person other than the Data Subject, Controller, Processor, or persons authorised to process the Personal Data.
"Cross-Border Data Transfer" means the movement of Personal Data outside the jurisdiction of Kenya in accordance with the applicable Data Protection Legislation.
"Supervisory Authority" means the Office of the Data Protection Commissioner (ODPC) or any successor regulatory body responsible for monitoring the application of Data Protection Legislation.
"Legitimate Interest" means a valid business or operational reason for processing Personal Data, provided such interest is not overridden by the Data Subject's rights and freedoms.
WHO WE ARE
Equity Afya ("EQA") is a healthcare network operating under a franchise model. Our mission is to deliver affordable, high-quality, and accessible healthcare services to communities. We are committed not only to providing exemplary medical services but also to safeguarding your personal data.
Scope
This policy applies to all interactions with our clinics and visitors to our website.
CONTACT INFORMATION
The Data Protection Officer for Equity Afya can be contacted at eafiadpo@equitybank.co.ke. If you have questions about our Privacy Policy, please contact us or write to us here:
16th Floor, Britam Towers
Hospital Road, Upper Hill
Nairobi, Kenya
P.O. Box 75104-00200
INFORMATION WE COLLECT
We collect and process your personal information for the purposes described in this Privacy Policy, in compliance with applicable data protection laws and on an appropriate lawful basis. Our principal processing activities are set out below.
Data Collected Directly from You
| Personal Data | Purpose | Lawful Basis |
|---|---|---|
| Full Name | Patient registration and record creation | Legal obligation |
| Date of Birth | Patient registration and record creation | Legal obligation |
| Phone Number | Patient registration and record creation | Contractual Necessity |
| National ID/Passport Number | Patient registration and record creation | Legal Obligation |
| Social Health Authority (SHA) Number | Patient registration and record creation | Legal Obligation |
| Email address | Patient registration and record creation (Not mandatory) | Contractual Necessity |

| Sensitive Personal Data | Purpose | Lawful Basis |
|---|---|---|
| Gender | Patient registration and record creation | Contractual Necessity |
| Next of Kin Details | In case of complications | Contractual Necessity |
| Health Information | Provision of healthcare services | Contractual Necessity |
| Biometric Data | Patient authentication and authorization for access of services | Legitimate Interest |
| Financial data | Settlement of accrued claims during hospital visit | Contractual Necessity |
| Marital Status | To manage insurance dependents, determine next‑of‑kin, support emergency contacts, and coordinate family‑based care where relevant. | Contractual Necessity |
Data Collected from Third Parties
| Personal Data | Purpose | Lawful Basis |
|---|---|---|
| Insurance Membership Details | To confirm coverage limits, preauthorization for procedures/tests, process claims and settlement | Contractual Necessity |
| Payer Information (Employee Schemes) | To facilitate billing, process corporate claims, and manage employer-linked health benefits. | Contractual Necessity |
Data Collected Through Automated Means
| Personal Data | Purpose | Lawful Basis |
|---|---|---|
| Cookies | To improve user experience | Legitimate Interest |
| IP Address | To secure our systems, prevent unauthorized access, and support delivery of our online services. | Legitimate Interest |
The categories of Personal Data described above are not exhaustive and may vary depending on the nature of the services provided. Any Personal Data processed by us, whether specifically listed or not, shall be handled in accordance with applicable data protection and privacy laws, including the Kenya Data Protection Act, and in line with established principles of lawfulness, fairness, transparency, and data minimization.
LAWFUL BASIS FOR PROCESSING
Your personal data is processed where Equity Afya has a lawful basis to do so. We maintain appropriate safeguards to ensure the confidentiality and integrity of your personal information are upheld.
Our processing activities are based on the following lawful bases, as permitted by the Law:
- Consent – We rely on your consent only where no other lawful basis applies. Where consent is relied upon, you may withdraw it at any time by emailing us at eafiadpo@equitybank.co.ke.
- Performance of a Contract – Where processing is necessary to provide you with medical and related services.
- Legal Obligation – Where processing is necessary to comply with statutory and regulatory requirements.
- Protection of Vital Interest – In emergencies where you are unable to provide consent, enabling immediate medical intervention.
- Public Interest in Healthcare – To support public health initiatives and compliance with healthcare standards.
- Legitimate Interests – We may process your personal data where necessary for the legitimate interests of Equity Afya. We place appropriate safeguards to ensure your rights and freedoms are not overridden.
DATA SUBJECT RIGHTS
Your rights in relation to your personal data are set out below:
- Right to be informed – Transparency about how personal data is collected, used, and shared.
- Right of access – Access to personal data held about you, subject to lawful limitations.
- Right to rectification – Correction of inaccurate or incomplete personal data.
- Right to erasure – Deletion of personal data.
- Right to restrict processing – Limitation of processing.
- Right to object – Objection to certain processing.
- Right to data portability – Transfer of personal data in a structured, commonly used or machine-readable format.
- Rights regarding automated decision-making – Protection from decisions based solely on automated processing.
To exercise any of these rights, please contact us at eafiadpo@equitybank.co.ke, https://equity.custhelp.com/app/ask or visit our premises.
DATA SHARING
We treat your Personal Data, including sensitive health information, as confidential and do not disclose it to third parties except where there is a clear and lawful basis for doing so, in accordance with the Kenya Data Protection Act and applicable health sector laws.
Where necessary, your Personal Data may be shared with authorized recipients strictly on a need-to-know basis. These may include healthcare professionals involved in your care (for continuity and quality of treatment), laboratories and diagnostic providers, insurers or payers (including relevant public health schemes), regulatory authorities, or service providers who support our operations under appropriate contractual and confidentiality obligations.
Such sharing is undertaken only where it is required for the provision of healthcare services, compliance with legal or regulatory obligations, the establishment, exercise, or defense of legal claims, or for other legitimate interests pursued by the Facility, provided that your fundamental rights and freedoms are not overridden. In all cases, we implement appropriate safeguards to ensure that your Personal Data remains protected and is used solely for authorized and lawful purposes.
DATA STORAGE AND RETENTION
We implement appropriate organizational and technical safeguards to protect Personal Data against unauthorized or unlawful access, disclosure, alteration, loss, or destruction, in line with our obligations as a data controller under the Kenya Data Protection Act, as well as applicable health sector laws and regulatory guidance, including the Health Act and the Digital Health Act.
Personal Data, including sensitive health information, is retained only for as long as necessary to fulfil the purposes for which it was collected. These purposes include, but are not limited to, provision of healthcare services, continuity of care, compliance with legal and regulatory obligations, audit and accountability requirements, insurance and claims processing, and the management of complaints, disputes, or potential litigation.
Retention periods are determined in accordance with applicable law, regulatory expectations, and the Facility's internal records retention schedule. In applying the storage limitation principle, the Facility ensures that Personal Data is not kept longer than is necessary for lawful purposes. Upon expiry of the applicable retention period, or where there is no longer a valid legal basis for continued processing, Personal Data is securely destroyed, deleted, or irreversibly anonymized, unless it is required to be retained for a lawful purpose such as an ongoing investigation, legal hold, or regulatory requirement.
ASSIGNMENT, CHANGE OF CONTROL, AND TRANSFER
All our rights and obligations under our Privacy Policy are freely assignable by us to any of our affiliates, in connection with a merger, acquisition, restructuring, or sale of assets, or by operation of law or otherwise, and we may transfer your information to any of our affiliates, successor entities, or new owner.
DISCLAIMER
Our website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Check these policies before you submit any personal data to these websites.
We may amend or update our Policy. Please revisit this page periodically to stay aware of any changes to this Policy, which we may update from time to time. We will provide you notice of material amendments to this Policy, as appropriate, and update the "Last Modified" date at the top of this Policy. Your continued use of our Services confirms your acceptance of our Policy, as amended. If you do not agree to our Policy, as amended, you must stop using our Service.