Privacy Policy

Last updated: April 2026

MintCare ("we," "us," or "our") is a digital health wallet platform operated by Kenbright Holdings Limited. We provide healthcare coverage management, medication adherence tracking, cost estimation tools, and investment services for users in Kenya and Uganda.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web platform, mobile application, WhatsApp bot, and related services (collectively, the "Services"). Please read this policy carefully. By using our Services, you consent to the practices described herein.

1. Information We Collect

We collect the following categories of information to provide and improve our Services:

Personal Information

  • Full name, date of birth, and gender
  • Phone number (used as your primary identifier)
  • Email address
  • National ID or passport number (for KYC verification)
  • Physical address and county of residence
  • Employment details (if enrolled through a corporate scheme)

Health and Medical Data

  • Chronic conditions and diagnoses you choose to record
  • Medication schedules, dose confirmations, and adherence history
  • Vitals you log (blood pressure, glucose levels, weight, etc.)
  • Insurance policy details and claims history
  • Hospital visits, cost estimates, and treatment records

WhatsApp and Communication Data

  • Messages exchanged with our WhatsApp bot for medication reminders
  • Dose confirmation responses and adherence tracking data
  • Caregiver alert preferences and escalation settings
  • Your WhatsApp phone number and opt-in status

Device and Technical Information

  • Device type, operating system, and browser information
  • IP address and approximate geolocation
  • App usage patterns and feature interaction data
  • Crash reports and performance diagnostics

Financial Information

  • Wallet balances, transaction history, and deposit records
  • M-Pesa payment details (phone number, transaction IDs)
  • Investment holdings and yield accrual data (Britam MMF)
  • Insurance premium payment history

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Healthcare Management: Tracking your medications, chronic conditions, vitals, and adherence to prescribed treatment plans.
  • Medication Reminders: Sending timely reminders via WhatsApp and in-app notifications to help you stay on track with your medication schedule.
  • Cost Estimation: Providing hospital cost estimates, benchmark pricing data, and SHA coverage calculations to help you plan for medical expenses.
  • Investment Management: Managing your health wallet, processing deposits, tracking Britam MMF investment returns, and providing portfolio insights.
  • Insurance Coordination: Facilitating claims, verifying coverage, and coordinating with your linked insurance provider.
  • Caregiver Support: Sharing relevant health updates with caregivers you have explicitly linked and authorized.
  • Platform Improvement: Analyzing usage patterns to improve our Services, fix issues, and develop new features.
  • Legal Compliance: Meeting regulatory requirements under Kenyan and Ugandan data protection laws, financial regulations, and healthcare standards.

3. WhatsApp Messaging

Our WhatsApp bot provides the following services to users who opt in:

  • Medication Reminders: Scheduled messages reminding you to take your medications at the prescribed times.
  • Dose Tracking: Recording your dose confirmations and maintaining your adherence history and streak data.
  • Caregiver Alerts: Notifying your linked caregivers if you miss doses beyond the configured escalation window (30-minute re-prompt, 60-minute caregiver notification).
  • Health Updates: Sharing vitals summaries, adherence reports, and wellness tips based on your health profile.

Opt-Out at Any Time

You can stop receiving WhatsApp messages at any time by sending STOP to our WhatsApp number. You can also manage your messaging preferences in your account settings. Opting out of WhatsApp messages does not affect your access to other MintCare Services.

4. Data Sharing and Disclosure

We do not sell your personal information. We share your data only in the following limited circumstances:

  • Insurance Partners: We share relevant health and claims data with your linked insurance provider only with your explicit consent and only to the extent necessary to process claims and verify coverage.
  • Caregivers: If you link a caregiver through our CareLink feature, they will receive adherence updates and health alerts that you have authorized. You can revoke caregiver access at any time.
  • Healthcare Providers: When you use our hospital access features, we share verification and coverage information with the treating facility to facilitate your admission and treatment.
  • Financial Partners: Transaction data is shared with our banking partner (Diamond Trust Bank) and investment partner (Britam) solely for processing deposits, withdrawals, and investment transactions.
  • Corporate Employers: If you are enrolled through a corporate health scheme, your employer may receive aggregate (non-identifiable) utilization data. Your individual health records are never shared with your employer.
  • Legal Requirements: We may disclose information when required by law, court order, or governmental authority, or to protect the rights, safety, or property of MintCare, our users, or the public.

5. Data Security

We implement robust technical and organizational measures to protect your data:

  • Encryption at Rest and in Transit: All sensitive data is encrypted using AES-256-GCM. Data in transit is protected with TLS 1.2 or higher.
  • PII Masking: Personally identifiable information is masked in logs, analytics, and internal systems to prevent unauthorized exposure.
  • Field-Level Access Controls: Access to sensitive data fields is restricted based on role-based access control (RBAC) policies. Staff members can only access the minimum data necessary for their function.
  • Secure Authentication: User accounts are protected with PIN-based authentication, encrypted session tokens stored in HttpOnly cookies, and optional biometric authentication on mobile devices.
  • Audit Logging: All access to sensitive data is recorded in an append-only audit log for accountability and incident investigation.
  • Infrastructure Security: Our services are hosted on secured cloud infrastructure with network isolation, IP allowlisting for payment webhooks, and regular security assessments.

6. Your Rights

Under the Kenya Data Protection Act (2019), the Uganda Data Protection and Privacy Act (2019), and applicable regulations, you have the following rights:

  • Right of Access: You may request a copy of the personal data we hold about you. You can view most of your data directly in your account dashboard.
  • Right to Rectification: You may request correction of inaccurate or incomplete personal data. You can update your profile information directly in the app.
  • Right to Erasure: You may request deletion of your personal data, subject to legal retention requirements. Deletion of financial records may be subject to regulatory retention periods.
  • Right to Restrict Processing: You may request that we limit how we use your data in certain circumstances.
  • Right to Data Portability: You may request your health data in a structured, machine-readable format (FHIR-compatible export is available).
  • Right to Object: You may object to processing of your data for certain purposes, including analytics and marketing communications.
  • WhatsApp Opt-Out: You can stop WhatsApp messages at any time by sending STOP or by updating your preferences in Settings.

To exercise any of these rights, contact us at [email protected] or call +254 709 783 000. We will respond to your request within 30 days.

7. Data Retention

We retain your personal data for as long as necessary to provide our Services and fulfill the purposes described in this policy. Specific retention periods include:

  • Account Data: Retained for the duration of your account and for up to 2 years after account closure.
  • Health Records: Retained for up to 7 years after the last recorded activity, in compliance with healthcare record-keeping requirements.
  • Financial Records: Retained for up to 7 years as required by financial regulations and tax laws in Kenya and Uganda.
  • WhatsApp Messages: Conversation data is retained for up to 1 year after your last interaction with the bot. Adherence records derived from messages are retained as part of your health records.
  • Audit Logs: Retained for a minimum of 5 years for security and compliance purposes.
  • Analytics Data: Aggregated, non-identifiable analytics data may be retained indefinitely for platform improvement purposes.

When data is no longer needed, it is securely deleted or anonymized in accordance with our data disposal procedures.

8. Children's Privacy

MintCare Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at [email protected], and we will take steps to delete such information. Dependants under 18 may be added to a family health plan by their parent or legal guardian, who provides consent and manages the child's health data on their behalf.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on our platform with a revised "Last updated" date, and where appropriate, through in-app notifications or email. Your continued use of the Services after such changes constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.

10. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Company: Kenbright Holdings Limited
  • Address: ACK Garden House, 1st Ngong Avenue, Nairobi, Kenya

You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (Kenya) or the Personal Data Protection Office (Uganda) if you believe your data protection rights have been violated.

© 2026 MintCare by Kenbright Holdings. All rights reserved.