Curis Data Policy
This Data Policy explains how Citrus Labs Limited collects, uses, stores, shares, and protects data through the Curis platform, specifically for Receptionist and Clinic Assistant account holders. All users are required to strictly adhere to this policy in accordance with Kenya's Data Protection Act (2019).
1. Introduction
a. About Curis
Curis is a digital platform built to streamline healthcare facility operations. It supports administrative users like receptionists and clinic assistants in managing appointments, patient interactions, and payment processes.
b. Policy Scope
This policy applies to all data accessed or entered through the Receptionist and Clinic Assistant interfaces on Curis.
c. Definitions of Terms
- "User": Authorized receptionist or clinic assistant using the Curis platform.
- "Data Subject": A patient whose personal or medical information is handled on Curis.
- "DPO": Data Protection Officer at Citrus Labs Limited.
2. Data Collection
Curis collects the following categories of data through the receptionist and clinic assistant interfaces:
a. Patient Data
- Personal Details: Full names, phone number, date of birth, gender, and ID number.
- Medical Notes: Basic triage information, symptoms, and non-diagnostic remarks.
- Notification Preferences: SMS/email consent and preferred contact method.
b. Appointment Data
- Booking Times: Appointment dates, times, and clinician schedules.
- Visit Reasons: Stated reason for visit and department referred to.
c. Staff Notes
Notes made by reception or clinic assistants during interactions with patients.
d. Payment Information
- MPesa Logs: Transaction codes, reference numbers, payment amounts.
- Invoice Records: Service items, consultation fees, and transaction status.
3. How We Use Data
All collected data is used solely for operational and service purposes:
- Patient Support: Ensure patients are registered, scheduled, and attended to accurately.
- Schedule Management: Coordinate clinician availability and optimize appointment flow.
- Billing Support: Generate invoices, log payments, and issue receipts.
- Communications: Send appointment reminders via SMS and email.
a. SMS Notifications
Used to send reminders, confirmations, or payment alerts.
b. Email Notices
Used for formal communication including appointment summaries and invoices.
c. Third-Party Sharing
Only shared with licensed third-party processors like SMS gateways or payment providers—under strict NDAs and compliance with the Data Protection Act.
4. Data Security
a. How Data is Stored
All data is encrypted and stored securely on cloud infrastructure within Kenya or in approved jurisdictions as per Kenya's Data Localization requirements.
b. Access Controls
Data access is governed by role-based permissions. Receptionists and clinic assistants are restricted to front-desk functionalities only.
i. Role-Based Permissions
Receptionists and assistants cannot view diagnostic reports or clinical records beyond their scope.
ii. Login Security
Two-factor authentication (2FA) is required for all Curis users. Session timeouts are enforced after periods of inactivity.
c. Breach Protocol
In the event of a data breach, affected facilities and the Office of the Data Protection Commissioner (ODPC) will be notified within 72 hours, as required by law.
5. Data Access Rights
Patients have full rights under Kenya's Data Protection Act:
- Right to Access: Patients can request to view data captured through Curis.
- Right to Rectification: Inaccuracies must be corrected upon patient request.
- Right to Restriction: Patients can request limited use or temporary suspension of their data processing.
Users must honor these rights when such requests are routed through the clinic's Data Protection Officer.
6. Compliance & Standards
a. Local Data Laws
Curis complies fully with:
- The Data Protection Act, 2019
- The Health Act, 2017
- KMPDC Guidelines for Electronic Health Records (2025 update)
b. Clinic-Level Audits
Regular audits may be conducted to verify data handling compliance by Curis users. Non-compliance may lead to termination of access and possible legal consequences.
7. Contact Information
For data-related queries or privacy concerns, contact:
- Email: legal@citruslabs.co.ke
- Phone: +254 112 400 000
- Mailing Address: P.O. Box 23983 - 00100, Nairobi, Kenya
- DPO Contact: data@citruslabs.co.ke
By continuing to use Curis, you confirm that you have read and understood this Data Policy and agree to adhere to it fully.