Data Processing Policy
& Privacy Notice
Platform Statement: Zimasa is a technology and engagement platform. It does not provide medical care, make clinical decisions, or replace licensed medical judgment. AI is used for decision support only — humans remain responsible for all clinical and coverage outcomes.
Introduction
Zimasa Health Limited ("Zimasa", "we", "us", or "our") is committed to protecting personal data and handling it lawfully, fairly, transparently, and securely.
This Data Processing Policy and Privacy Notice explains how Zimasa collects, uses, stores, shares, transfers, retains, and protects personal data in connection with:
- the Zimasa platform and mobile applications
- health engagement and wellness services
- payer, employer, and provider integrations
- telehealth and related healthcare coordination services
- customer support, compliance, fraud prevention, and security
- connected devices, wearables, Health Connect, and other approved integrations
This document is intended to serve both as:
- a public-facing privacy notice for users and stakeholders; and
- a formal data processing policy describing Zimasa's data handling approach.
Scope
This Policy applies to personal data processed by Zimasa relating to:
- members / consumers / end users
- patients and telehealth users
- dependants and guardians
- employees and job applicants
- customers, payers, employers, brokers, and partners
- healthcare and wellness providers
- suppliers, consultants, and contractors
- website visitors and app users
This Policy applies whether the personal data is collected:
- directly from the data subject
- from an employer, payer, provider, or partner
- through the Zimasa website, app, platform, APIs, or support channels
- through approved device integrations, wearables, or Health Connect
- through lawful third-party integrations and processors
Zimasa's Role in Data Processing
Depending on the service and context, Zimasa may act as a Data Controller or Data Processor.
Where Zimasa acts as a Data Controller
Zimasa generally acts as a Data Controller where it determines the purposes and means of processing personal data for:
- account creation and platform administration
- direct-to-consumer services
- user support and communications
- analytics, service improvement, fraud prevention, and platform security
- wellness engagement services offered directly by Zimasa
- consent and preference management
- compliance with legal and regulatory obligations
Where Zimasa acts as a Data Processor
Zimasa may act as a Data Processor where it processes personal data on behalf of:
- employers
- payers / insurers / TPAs
- healthcare or wellness providers
- enterprise customers
- other lawful platform partners
In such cases, Zimasa processes data only on documented instructions, subject to applicable law and contractual obligations.
Clinical and Provider Data Responsibility
Where healthcare or telehealth services are delivered by a licensed provider, that provider remains responsible for its own clinical, professional, and statutory obligations in relation to patient care and clinical decision-making. Zimasa does not provide diagnosis, prescribe treatment, or replace professional medical judgment.
Definitions
Categories of Personal Data We Collect
Zimasa may collect and process the following categories of personal data, depending on the service used.
5.1 Identity & Account Data
- Full name, username, date of birth
- Gender / sex where relevant
- National ID / passport / member number
- Login credentials
- Profile photo where uploaded
5.2 Contact Data
- Phone number, email address
- Postal or physical address
- Emergency or guardian contact details
5.3 Eligibility, Membership & Benefits
- Employer or payer membership details
- Policy, scheme, or program information
- Dependant relationships and enrollment status
- Wallet, allowance, benefit, or coverage information
5.4 Health & Wellness Data
- Wellness goals and preferences
- Self-reported health information and screening results
- Health conditions or risk indicators voluntarily submitted
- Wellness assessment responses and care coordination information
- Telehealth-related information where applicable
5.5 Activity, Fitness & Device Data
- Step count / daily steps
- Walking, running, workout, or exercise activity
- Movement summaries and activity streaks
- Sleep summaries where connected
- Heart rate or similar wearable-derived wellness data
- Data from device sensors, wearables, or Health Connect
5.6 Location Data
- Precise and approximate location data
- Place-based service lookup data
- Location-related metadata
Used for: finding nearby providers, service discovery, dispatch / routing, fraud prevention, service security.
5.7 Technical & Usage Data
- Device type, OS, browser type, app version
- IP address, device identifiers
- Session data, crash data
- App interaction and usage analytics
5.8 Communications & Support Data
- Support messages and customer care interactions
- Complaints, feedback, and call notes
- Support ticket history
5.9 Payment & Transaction Data
- Payment status, transaction references
- Billing details, wallet funding and benefit utilization records
- Refund records
Zimasa does not intentionally store full card data unless handled by an authorized payment service provider under appropriate safeguards.
5.10 Employment & Supplier Data
- Identification, HR and payroll data
- Performance or contractual records
- Tax, statutory compliance, and banking information
How We Collect Personal Data
We may collect personal data:
- directly from you when you register, use the platform, fill in forms, or contact us
- from your employer, payer, insurer, broker, provider, or benefit sponsor
- from healthcare or wellness providers you engage through the platform
- from APIs, integrations, and approved third-party systems
- from device sensors, wearables, and Health Connect, where you enable such access
- from website cookies or analytics tools, subject to applicable notice and consent requirements
- from public authorities, regulators, or lawful public sources where permitted
Purposes of Processing
7.1 Service Delivery
- Creating and managing accounts, verifying identity and eligibility
- Providing platform access and features
- Supporting wellness, engagement, and care coordination services
- Enabling provider booking, service access, and benefit utilization
7.2 Wellness and Activity Tracking
- Tracking participation, goals, and engagement
- Recording and displaying step count / daily steps, activity logs, streaks, and progress
- Supporting rewards, nudges, challenges, and participation insights
- Personalizing wellness programs and interventions
7.3 Location-Based Services
- Helping users find nearby providers and services
- Showing relevant location-based options
- Supporting logistics, dispatch, and service routing where applicable
- Fraud monitoring and anomaly detection
7.4 Telehealth and Care Support
- Scheduling appointments and enabling consultations
- Recording service interactions where relevant
- Supporting lawful quality, safety, and regulatory obligations
Where telehealth services are delivered through the platform, the licensed provider acts as the Clinical Data Controller for patient records and clinical information. Zimasa acts as a Processor or Intermediary and does not control the purpose or clinical content of those records. Telehealth services facilitated through Zimasa are subject to applicable KMPDC standards and licensing requirements.
7.5 Customer Support and Communications
- Responding to inquiries and complaints
- Providing service notices and operational messages
- Managing incidents and resolving disputes
7.6 Analytics, Security, and Improvement
- Monitoring platform performance and improving features
- Fraud detection, prevention, and information security
- Aggregated insights and reporting
Where personal data is used to generate aggregated, anonymized, or de-identified insights, such insights do not identify individual users and may be used by Zimasa to improve the platform and generate population-level analytics.
7.7 Legal and Regulatory Compliance
- Complying with the Data Protection Act, 2019 and related laws
- Responding to lawful requests by regulators and authorities
- Maintaining records required by law and exercising or defending legal claims
7.8 Marketing and Engagement
Where permitted by law, Zimasa may use contact data and user preferences to share service updates, educational content, offers, and wellness communications. Users can opt out of non-essential marketing communications at any time.
Lawful Basis for Processing
Depending on the context, Zimasa relies on one or more of the following lawful bases:
Where we rely on consent, you may withdraw that consent at any time, subject to legal or contractual limits.
Sensitive Personal Data
Zimasa recognizes that some of the data it processes is sensitive personal data, including:
- Health and wellness data
- Telehealth-related information
- Dependant and children's data
- Biometric or wearable-derived data where applicable
- Location data in sensitive contexts
We apply enhanced controls to such data, including role-based access, need-to-know restrictions, contractual safeguards, and technical security measures.
Children's and Dependants' Data
Where Zimasa processes children's or dependants' data, it does so only where:
- such processing is necessary for service delivery, eligibility, guardianship, or care coordination
- appropriate consent, authorization, or lawful basis exists
- additional safeguards appropriate to the sensitivity of the data are applied
Parents, guardians, or authorized members may be required to act on behalf of minors or dependants in certain contexts.
Data Accuracy
Zimasa takes reasonable steps to keep personal data accurate and up to date. Users and partners are encouraged to promptly update personal data where details change. Where inaccurate or incomplete data is identified, Zimasa will take reasonable steps to correct or complete it.
Sharing of Personal Data
Zimasa may share personal data where necessary and lawful with the following categories of recipients:
12.1 Employers, Payers, and Sponsors
Where relevant to the service model, we may share eligibility, utilization, reporting, or program participation data with employers, insurers/payers/TPAs, scheme administrators, and benefit sponsors, subject to applicable law, contract, consent, and product design.
12.2 Healthcare and Wellness Providers
We may share data with healthcare, telehealth, wellness, or fitness providers for appointment scheduling, service provision, care coordination, claims or benefit administration, and quality and safety obligations.
12.3 Service Providers and Sub-Processors
We may use third parties to support cloud hosting, communications, customer support, analytics, payment processing, security monitoring, identity verification, and integrations. Such providers are required to process personal data under appropriate confidentiality, security, and contractual controls.
12.4 Regulators, Authorities, and Legal Processes
We may disclose personal data where required by law, by a regulator, by court order, to respond to lawful investigations, or to protect rights, safety, or property.
12.5 Corporate Transactions
Where Zimasa is involved in a merger, acquisition, restructuring, financing, or asset transfer, personal data may be disclosed subject to appropriate safeguards and lawful basis.
No Sale of Health Data or Sensitive User Data
Zimasa does not sell health data or other sensitive personal data.
Zimasa does not use or transfer health data, including Health Connect data, for:
Any sharing of health data is limited to lawful service delivery, support, compliance, security, or other disclosed purposes.
Cross-Border Transfers
Zimasa's platform is hosted on Oracle Cloud Infrastructure (OCI), with primary data residency in the Africa / Middle East region. Zimasa may also process or store personal data in other jurisdictions through trusted service providers and infrastructure partners, where lawful and appropriate.
Where personal data is transferred across borders, Zimasa will take reasonable steps to ensure appropriate safeguards are in place, which may include:
- contractual protections and confidentiality obligations
- access controls and security certifications or equivalent safeguards
- transfer risk assessments where appropriate
- compliance with applicable Kenyan law
Security Measures
Zimasa implements reasonable technical, organizational, and administrative measures to protect personal data against unauthorized access, loss, misuse, disclosure, alteration, or destruction.
Access controls & role-based permissions
Encryption in transit and at rest
Logging, monitoring & auditing
Secure development & testing practices
Vendor due diligence
Backup & recovery controls
No system is completely secure, but Zimasa takes reasonable steps appropriate to the sensitivity of the data processed.
Retention of Personal Data
Zimasa retains personal data only for as long as reasonably necessary for the purpose for which it was collected, or as required by law, regulation, contractual obligation, fraud prevention, dispute resolution, tax, audit, or security requirements.
| Data Category | Indicative Retention Period |
|---|---|
| Account and profile data | For the life of the account and up to 24 months after closure unless longer retention is required |
| Wellness and activity data, including step data | While the account is active and up to 24 months after closure unless deleted sooner or required for lawful claims, fraud, audit, or analytics obligations |
| Support and communication records | Up to 24 months after resolution, unless legal or regulatory retention is required |
| Security logs and audit records | 12 to 24 months, depending on sensitivity and security needs |
| Payment and transaction records | Up to 7 years or longer if required by law, tax, audit, or dispute resolution obligations |
| Employment, payroll, and supplier records | As required by employment, tax, contractual, and statutory obligations |
| Telehealth and clinical coordination records (where Zimasa acts as Processor) | Retained by or on instruction of the relevant Provider as Clinical Data Controller, in accordance with applicable law, KMPDC requirements, and patient safety obligations. Zimasa does not independently determine the retention period for clinical records. |
| Backup copies | Retained for limited operational continuity periods and then overwritten or securely deleted in the normal course |
Where a longer period is required by law, regulation, court order, clinical retention obligation, fraud investigation, or legal claim, Zimasa may retain relevant data for longer.
Data Deletion and Account Closure
Users may request deletion of their personal data or closure of their account by contacting Zimasa through the designated support or privacy channels.
When you request deletion, we will:
- Verify your identity and authority
- Review applicable retention obligations
- Delete or anonymize eligible data
- Restrict or archive data required by law
We aim to complete eligible deletion actions within 30 days, subject to complexity and lawful retention obligations.
We may still retain limited data for:
- Legal compliance and fraud prevention
- Tax or financial reporting
- Dispute resolution and legal claims
- Clinical or patient safety obligations
- Backup restoration cycles
Marketing and Communications
Zimasa may send: service and operational communications, account and security alerts, wellness reminders and engagement prompts, product updates and educational content, and promotional communications where permitted.
You may opt out of non-essential marketing communications at any time through the unsubscribe function, account preferences, or by contacting Zimasa. Operational or service-critical notices may still be sent where necessary.
AI, Profiling, and Automated Processing
Zimasa may use analytics, rules, or AI-assisted tools to support personalization, engagement prompts, risk flagging, support workflows, and analytics and service improvement.
AI Boundaries
Zimasa's AI-assisted tools are intended to support service delivery and operational efficiency. They are not intended to replace licensed clinical judgment, make autonomous diagnoses, prescribe treatment, or make fully automated adverse decisions. Clinical responsibility remains at all times with licensed providers. Human oversight is required for all clinical and coverage outcomes.
Where legally required, Zimasa will provide appropriate notice and rights relating to profiling or automated decision-making.
Your Data Subject Rights
Subject to applicable law, you may have the right to:
Requests may be submitted using the contact details in Section 21 below.
Complaints and Contact Details
For privacy questions, requests, or complaints, please contact:
Data Protection / Privacy Contact
Not satisfied with our response?
You may lodge a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya.
Visit ODPC KenyaThird-Party Services and Links
Zimasa's platform or website may contain links to third-party services, partner platforms, or provider systems. Zimasa is not responsible for the privacy practices of independent third parties except where Zimasa is itself acting as Controller or Processor in respect of the relevant data. Users should review the privacy notices of those third parties where applicable.
Changes to This Policy
Zimasa may update this Policy from time to time to reflect legal or regulatory changes, platform or service changes, new integrations or processing activities, or security or operational improvements.
Where material changes are made, Zimasa will take reasonable steps to notify users or stakeholders as appropriate. The latest version will be published on the relevant website or platform.
Version 2.0 · Effective 1 March 2026