Privacy Policy

This Privacy Policy describes how Riconets Ventures Limited (“Riconets,” “we,” “us,” or “our”) collects, uses, discloses, stores, and protects information when you access or use the AfyaFlow website at www.afyaflow.org, request a demonstration, create an account, subscribe to our services, or otherwise interact with AfyaFlow (collectively, the “Services”). We are committed to handling information responsibly and in line with applicable data protection laws in Kenya, including the Data Protection Act, 2019, and related regulations, where they apply to our role as a data controller or processor.

1. Who is responsible for your information?

For personal data processed in connection with marketing, account administration, billing, support, and operation of the AfyaFlow platform, the data controller is Riconets Ventures Limited, based in Nakuru, Kenya. You may contact us regarding privacy matters at afyaflow@riconets.com or by telephone or WhatsApp at +254 734 073 652.

Where your organisation uses AfyaFlow to manage patients, clinical workflows, or staff, your organisation is typically the data controller for patient and workforce records entered into the system. Riconets generally acts as a data processor on documented instructions from that organisation, subject to your agreement with us. This Policy explains our practices both when we act as a controller (for example, for our own customer relationship data) and the standards we apply when processing data on behalf of subscribing facilities.

2. Scope of this Policy

This Policy applies to:

• Visitors to our public website and landing pages;
• Individuals who request a product demonstration or contact us for sales support;
• Administrators and staff who register or are invited to use AfyaFlow on behalf of a clinic or hospital;
• End users who access patient portals or other interfaces we host, where we process data under agreement with a healthcare provider;
• Supplier portal users and other business contacts where relevant.

It does not govern third-party websites, payment networks, or integrations that link from the Services; those providers have their own policies.

3. Information we collect

We may collect the following categories of information, depending on how you use the Services:

3.1 Information you provide directly

• Identity and contact data: name, email address, telephone number, organisation or clinic name, job title, physical address, and similar details when you register, subscribe, request a demo, correspond with us, or complete forms.
• Account and security data: username, encrypted password, role assignments, and authentication events necessary to secure access to AfyaFlow.
• Billing and subscription data: plan selection, payment references, M-Pesa or other transaction identifiers where payments are processed, invoicing details, and records needed for accounting and tax compliance.
• Support and communications: messages you send to us (including email, chat, or ticketing content), feedback, survey responses, and call notes where applicable.

3.2 Information your organisation enters into AfyaFlow

Subscribing facilities may enter health-related and operational data about patients, appointments, prescriptions, laboratory results, billing, payroll, human resources, and other clinical or administrative records. Such data is processed to deliver the Services under contract with the facility. The facility remains responsible for the lawfulness of that processing (including consent or other legal bases under health-sector rules) unless we expressly agree otherwise in writing.

3.3 Automatically collected technical data

• Device and connection data: IP address, approximate location derived from IP, browser type, operating system, and device identifiers where available.
• Usage data: pages viewed, features used, timestamps, referring URLs, and diagnostic logs needed to maintain security, performance, and reliability.
• Cookies and similar technologies: as described in Section 6.

3.4 Information from third parties

We may receive limited information from payment service providers, authentication partners, or fraud-prevention tools to complete transactions or protect the Services. We may also receive professional contact details from publicly available sources or referrals where permitted by law.

4. Purposes and legal bases for processing

We use personal data for purposes that may include:

• Providing and improving the Services — account creation, hosting, configuration, troubleshooting, analytics on aggregated or de-identified usage, and product development.
• Contract performance — delivering features your organisation has subscribed to, processing payments, and managing the customer relationship.
• Legitimate interests — securing the platform, preventing abuse and fraud, enforcing our terms, internal reporting, and communicating service-related notices, balanced against your rights.
• Legal obligations — retaining records for tax or regulatory purposes, responding to lawful requests from competent authorities, and cooperating with courts where required.
• Consent — where we rely on consent (for example, certain marketing communications or non-essential cookies), you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

5. How we share information

We do not sell your personal information. We may disclose information:

• To service providers (“subprocessors”) who assist us with hosting, infrastructure, email delivery, customer support tooling, security monitoring, analytics, or payment processing, under contracts that require appropriate confidentiality and data-protection measures.
• To professional advisers such as lawyers or auditors where necessary and subject to professional duties of confidentiality.
• For legal reasons if we believe disclosure is required by law, regulation, legal process, or to protect the rights, safety, or property of Riconets, our users, or the public.
• In connection with a business transaction such as a merger, acquisition, or asset sale, subject to appropriate safeguards and notice where required.

Where your organisation uses integrations (for example, messaging gateways or external laboratory systems), data may be shared with those third parties according to settings and agreements between your organisation and the integration provider.

6. Cookies, analytics, and similar technologies

We use cookies and similar technologies to operate the website, remember preferences, maintain sessions, measure traffic, and reduce automated abuse. Some forms (including demo requests and clinic registration) use Google reCAPTCHA v3 to assess interaction risk; Google may process technical data according to Google’s Privacy Policy. You can control cookies through your browser settings; disabling certain cookies may limit functionality.

7. International transfers

Our infrastructure or subprocessors may be located outside Kenya, including in jurisdictions recognised as offering adequate protection or where we implement appropriate safeguards (such as contractual clauses) consistent with applicable law. We assess transfer mechanisms to reduce risk to personal data.

8. Retention

We retain personal data only as long as necessary for the purposes described in this Policy, unless a longer period is required or permitted by law. Criteria include whether you still have an active relationship with us, whether data is needed for legal claims or regulatory obligations, and whether information can be aggregated or anonymised for analytics. Backup copies may persist for a limited period in accordance with our disaster recovery practices. Customer organisations may have additional retention rules configured within AfyaFlow for clinical records.

9. Security

We implement administrative, technical, and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include access controls, encryption in transit where appropriate, logging, and staff training. No method of transmission or storage is completely secure; we encourage you to use strong passwords and protect your credentials.

10. Your rights

Subject to applicable law, you may have rights to request access to, correction of, deletion of, or restriction on processing of your personal data, to object to certain processing, to data portability where technically feasible, and to lodge a complaint with a supervisory authority. In Kenya, the Office of the Data Protection Commissioner oversees compliance with the Data Protection Act. To exercise rights against Riconets in our capacity as controller, contact us using the details below. Where your data is controlled by your employer or healthcare provider, you should ordinarily contact them first; we will assist as required by law and contract.

11. Children

AfyaFlow is intended for use by healthcare organisations and adults authorised to act on their behalf. It is not marketed to children for direct sign-up. Patient records concerning minors are processed solely as part of legitimate healthcare services arranged by the subscribing facility, which remains responsible for lawful bases and guardian involvement as required by law.

12. Marketing

We may send product updates, educational content, or promotional messages where permitted. You can opt out of marketing emails using the unsubscribe link or by contacting us. Transactional and service notices may continue where necessary.

13. Automated decision-making

We do not use personal data for solely automated decisions that produce legal or similarly significant effects on individuals without human review, except where required or permitted by law and disclosed to you.

14. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the revised version on this page and adjust the “Last updated” date. Where changes are material, we will provide additional notice as appropriate (for example, by email or in-product notification). Continued use of the Services after the effective date constitutes acceptance of the updated Policy where permitted by law.

15. Contact us

For privacy questions, requests, or concerns, contact Riconets Ventures Limited:

• Email: afyaflow@riconets.com
• Phone / WhatsApp: +254 734 073 652
• Location: Nakuru, Kenya