Curis Doctor Data Policy

About Curis Platform

Curis is a digital healthcare platform by Citrus Labs Limited that connects healthcare professionals with patients across Kenya.

Scope of Policy

This Data Policy governs the collection, use, and protection of data related to Doctors (Specialists) using the Curis platform.

Key Definitions

• Doctor: A licensed healthcare specialist using the Curis platform.
• Patient: A registered user receiving medical services.
• Platform: The Curis web and mobile applications.

Doctor Profile Data

• Professional Profile: Full name, specialization, clinic/hospital affiliations.
• License & Certification Info: Medical license number, issuing authority, certification scans.
• Schedule & Availability: Availability for appointments, off-days, and consultation slots.

Patient Data

Collected during consultations:

• Personal Information: Names, ID numbers, gender, date of birth.
• Medical History: Diagnoses, allergies, past treatments.
• Contact Information: Phone number, email.
• Prescriptions & Treatment Records: Issued prescriptions and treatment plans.

Appointment Data

• Booking Details: Date/time, reason for visit.
• Consultation Notes: Visit summaries, diagnosis.
• Follow-Up Instructions: Next steps, referral notes.

Payment & Billing Data

• M-Pesa Integration: Confirmation codes and transaction logs.
• Invoices & Receipts: Generated documents for patient reference.
• Transaction History: Full payment history linked to services.

Service Delivery

• Patient Management: Organizing and managing your patient interactions.
• Electronic Health Records: Access and update patient health records.
• Billing: Invoice generation and transaction tracking.

Platform Personalization

Customizing doctor dashboards based on usage and preferences.

Analytics & Reporting

Generating anonymized statistics to improve platform efficiency.

Communications

• Email Notifications: Appointment confirmations, updates.
• SMS Reminders: Upcoming consultations.
• Third-Party Sharing: Limited data sharing with:
  • Diagnostic Labs (test requests/results)
  • Partner Pharmacies (prescriptions)
  • Legal Authorities (upon valid court orders)

Data Storage Methods

Data is stored securely on encrypted cloud servers within data centers that meet international compliance.

Access Controls

• Role-Based Access: Only authorized users can access relevant data.
• Authentication Methods: Passwords and Two-Factor Authentication (2FA).
• Activity Monitoring: Logs of account access and activities.

Data Encryption

Data is encrypted in transit (TLS) and at rest (AES-256).

Retention Policy

• Active User Data: Retained indefinitely for ongoing services.
• Inactive User Data: Retained for 7 years, then deleted.
• Data Deletion Process: Users may request deletion after deactivation.

Breach Protocol

We will notify affected users and the Office of the Data Protection Commissioner (ODPC) within 72 hours of any data breach.

Right to Access

Doctors may request a copy of the data Curis holds about them.

• Request Process: Email legal@citruslabs.co.ke with verification.
• Response Time Frame: Within 14 business days.

Right to Rectification

Request correction of inaccurate profile or credential data.

Right to Deletion

Request account and data deletion, subject to legal record-keeping requirements.

Right to Restrict Processing

You may request temporary suspension of data usage.

Right to Data Portability

You may request your profile and appointment records in a portable digital format.

Local Data Laws

We comply with Kenya's Data Protection Act, 2019 and all applicable 2025 regulations.

Certifications

Our platform infrastructure is hosted on certified data centers.

Compliance Audits

Regular internal and third-party audits ensure compliance.