Privacy Policy

DaktariDesk is committed to protecting your privacy and ensuring compliance with the Kenya Data Protection Act 2019. This policy explains how we collect, use, store, and protect your personal data.

Last updated: February 2026

SECTION 01

Data Controller

The data controller responsible for your personal data is:

DaktariDesk

Nairobi, Kenya

Email: privacy@daktaridesk.com

SECTION 02

Data We Collect

Account Information

Name and email address (from Google Sign-In)
Phone number (provided during setup)
Clinic/organization name
Google OAuth refresh token (encrypted)

Calendar Data

Calendar event titles and descriptions
Appointment dates and times
Patient names (extracted from events)
Patient phone numbers (extracted from events)

Payment Information

Payment details processed by Paystack (we do not store card numbers)
Billing history and subscription status

Usage Data

Reminder delivery status (sent, delivered, failed)
Patient responses (confirmed, cancelled, rescheduled)
Service usage analytics (anonymized)

SECTION 03

Purpose of Collection

We collect and process your data for the following purposes:

Service delivery: Sending appointment reminders via WhatsApp and SMS
Calendar integration: Accessing your Google Calendar to detect appointments
Patient communication: Extracting patient contact information from calendar events
Account management: Authentication, authorization, and account administration
Billing: Processing subscription payments and maintaining billing records
Service improvement: Analyzing usage patterns to improve our service (anonymized data only)
Legal compliance: Fulfilling legal obligations under Kenyan law

SECTION 04

Your Rights Under the Kenya Data Protection Act

Under Section 26 of the KDPA, you have the following rights:

Right to Access

Request a copy of all personal data we hold about you.

Right to Correction

Request correction of inaccurate or incomplete data.

Right to Deletion

Request deletion of your personal data (subject to legal retention requirements).

Right to Restrict Processing

Request that we limit how we use your data.

Right to Data Portability

Receive your data in a structured, machine-readable format.

Right to Withdraw Consent

Withdraw consent at any time without affecting prior processing.

To exercise your rights: Email us at privacy@daktaridesk.com with your request. We will respond within 30 days as required by the KDPA.

SECTION 05

Data Retention

Data Type: Retention Period
Account information: While account is active
Calendar sync data: Synced daily, not stored long-term (24-48 hours)
Appointment records: 12 months from appointment date
Billing records: 7 years (Kenyan tax requirements)
Google refresh tokens: Until revoked or account closed

Upon account closure, we delete your personal data within 30 days, except where retention is required by law.

SECTION 06

Data Security

We implement industry-standard security measures to protect your data:

Encryption in transit: All data transmitted using TLS 1.3 (256-bit encryption)
Encryption at rest: Sensitive data encrypted using AES-256-GCM
Token security: Google refresh tokens stored in an encrypted private database schema
Access control: Row-level security ensures users only access their own data
Regular audits: Periodic security assessments and vulnerability testing
Secure hosting: Infrastructure hosted on SOC 2 compliant providers

SECTION 07

Third-Party Services

We share data with the following third parties to provide our service:

Google

Calendar access via OAuth. Google processes your calendar data according to their Privacy Policy.

Meta (WhatsApp Business)

Message delivery via WhatsApp Business API. Patient phone numbers and message content are transmitted for delivery.

Africa's Talking

SMS delivery when WhatsApp is unavailable. Patient phone numbers and message content are transmitted for delivery.

Paystack

Payment processing. We do not store your card details; Paystack handles all payment information securely.

Supabase

Database and authentication infrastructure. Data is stored in Supabase's secure cloud infrastructure.

We never sell your personal data to third parties.

SECTION 09

Policy Updates

We may update this Privacy Policy from time to time. When we make changes:

We will notify you via email at least 14 days before changes take effect
The "Last updated" date at the top of this page will be revised
Continued use of DaktariDesk after changes take effect constitutes acceptance
Material changes affecting your rights will require explicit re-consent

Questions About This Policy?

If you have any questions about this Privacy Policy or how we handle your data, please contact our Data Protection team.
