Privacy Policy
Last updated: April 2026
Kenya DPA 2019 Compliant
Full compliance with the Kenya Data Protection Act 2019.
Encryption at Rest
Sensitive patient data is encrypted using industry-standard Fernet encryption.
Full Audit Trail
Every data access is logged and retained for 7 years per regulation.
Data Subject Rights
Patients can request access, correction, or deletion of their data.
1. Introduction
Nexora Africa Ltd ("we", "us", "our") operates the Vitora HMIS platform. This Privacy Policy explains how we collect, use, and protect personal data in compliance with the Kenya Data Protection Act 2019 (DPA).
2. Data We Collect
Through Vitora HMIS, healthcare facilities may process:
- Patient data: Names, date of birth, gender, contact information, national ID, medical records, and clinical encounters.
- Staff data: Names, roles, credentials, shift schedules, and authentication information.
- Facility data: Organization details, department structures, and operational configurations.
- Marketing site data: Name, email, phone number, and facility information submitted through our contact and demo request forms.
3. How We Use Data
Data is processed for the following purposes:
- Providing healthcare management services to registered facilities.
- Compliance with SHA (Social Health Authority) reporting requirements.
- KHIS/DHIS2 mandatory health information reporting.
- Clinical decision support through TibaBot AI.
- Responding to demo requests and enquiries.
4. Data Protection Measures
- Fernet field-level encryption for sensitive identifiers (national ID, phone numbers).
- JWT-based authentication with refresh token rotation.
- Role-based access control with sensitive patient filtering.
- Comprehensive audit logging with 7-year retention.
- Offline-first architecture ensures data remains within facility control.
5. Data Sharing
We do not sell personal data. Data may be shared with SHA and KHIS/DHIS2 as required by Kenyan law. Patient data processed by TibaBot AI remains within the system and is not sent to external servers.
6. Your Rights
Under the Kenya DPA 2019, data subjects have the right to:
- Access their personal data.
- Request correction of inaccurate data.
- Request deletion of their data (subject to legal retention requirements).
- Object to processing of their data.
- Exercise data portability.
7. Contact Us
For privacy-related enquiries, contact our Data Protection Officer at privacy@nexora.africa.