DawaTrack

Privacy Policy

Last updated: 21 May 2025

1. Introduction

DawaTrack ("we", "our", "us") operates a cloud-based healthcare management platform for pharmacies, clinics, hospitals, dispensaries, and veterinary practices across Africa. This Privacy Policy explains what personal data we collect when you register or use our services, how we use it, and the rights you have over it.

2. Data We Collect

  • Account data: name, email address, phone number, facility name, and licence number provided during sign-up.
  • Billing data: M-Pesa transaction identifiers and subscription tier. We do not store raw card numbers.
  • Operational data: inventory records, patient/customer records, prescriptions, sales, and purchasing data that you or your staff enter into the platform.
  • Usage data: log files, IP addresses, browser type, and pages visited — collected automatically to maintain service security and performance.
  • Cookies: strictly necessary cookies for authentication and CSRF protection (always on), plus — only with your consent — analytics cookies. We do not use third-party advertising cookies. You choose when you first visit and can change your mind at any time.

3. How We Use Your Data

  • Provision and maintenance of your isolated tenant portal.
  • Processing subscription payments via Safaricom M-Pesa.
  • Sending transactional emails (account confirmation, password reset, subscription notices).
  • Improving platform reliability and diagnosing technical issues.
  • Complying with applicable law and regulatory obligations.

We do not sell your data to third parties or use it for advertising profiling.

4. Data Storage & Security

Each pharmacy tenant is stored in an isolated PostgreSQL schema; no other tenant can access your data. Data is encrypted in transit (TLS 1.2+) and at rest on our hosted infrastructure. Access to production databases is restricted to authorised engineers and requires multi-factor authentication.

5. Data Retention

We retain your operational data for as long as your subscription is active. Upon account closure you may request a full data export. We will permanently delete your schema within 30 days of a verified deletion request unless retention is required by law.

6. Third-Party Services

We use the following sub-processors:

  • Safaricom M-Pesa — payment processing.
  • Cloudinary — image storage for product photos.
  • SendGrid / SMTP provider — transactional email delivery.

Each processor is bound by a data processing agreement consistent with applicable data protection law.

7. Your Rights

Subject to applicable law, you have the right to:

  • Access a copy of the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data (subject to retention obligations).
  • Export your data in machine-readable format via the built-in data export feature.
  • Withdraw consent — though this may affect your ability to use the service.

To exercise any right, email us at privacy@dawatrack.com.

8. Children's Privacy

DawaTrack is a business-to-business platform intended for use by healthcare professionals. We do not knowingly collect personal data from individuals under the age of 18.

9. Changes to This Policy

We may update this policy from time to time. When we do, we will revise the "Last updated" date above and, for material changes, notify registered account holders by email at least 14 days before the change takes effect.

10. Data Protection Officer & Contact

In accordance with the Kenya Data Protection Act, 2019, we have appointed a Data Protection Officer (DPO) who is responsible for overseeing our handling of personal data and answering any questions about this policy.

DawaTrack Data Controller
Data Protection Officer: Data Protection Officer
Email: privacy@dawatrack.com


© 2026 DawaTrack