Home » USSD Privacy Policy

Privacy Policy, Callback Service

Last updated: 05/10/2022

Your privacy is important to us. We process your personal data in various contexts if you use the Callback Service to participate in a telemedical consultation via phone. In the process, we respect your right to data protection, your privacy, and your other rights and freedoms.

1 Scope of this privacy poilicy

This privacy policy applies to our callback service which enables users to book a consultation with a health care professional via USSD followed by the actual consultation by phone.

To learn more about on how we process your personal data when you are using our website, please see the separate privacy policy on the use of the website.

The Callback Service is provided exclusively to users in Kenya.

2 Controller’s name and contact details

The controller responsible for the data processing described in this privacy policy is:

Curalie Health Limited
The Promenade Westlands, General Mathenge Road Westlands, P.O BOX 1730,
Westlands, Nairobi, Kenya
e-mail: omron.blauo@curalie.com
Phone: +49 162 62 66 448

Your personal data may also be processed by other data controllers in the course of your use of the Callback Service and complementary services, like payment providers.

Please note that Curalie Health Limited, the payment provider and cooperation partners act in the course of these activities as separate data controllers.. You are welcome to contact Curalie Health Limited on all matters concerning data protection and/or privacy.

3 Data protection officer contact details

The data protection officer can be reached at the above address, Attn.: Data Protection Officer, or at dataprotection@curalie.com.

4 Content, scope and purposes of processing of personal data

There is no contractual or statutory obligation to provide the data described below. However, please note that if you do not do so, we may not be able to provide the Callback Service or we may be able to do so only with limitations.

4.1 Booking process (USSD Service)

The Callback Service is realized through an USSD booking service (“USSD Service”) in a first step. To this end, you can book a phone consultation by entering a specific USSD code in your phone menu. The USSD code consists of numbers, pound signs, and asterisks. It is activated using the dial function. You can then make an appointment with a doctor for a phone consultation and conclude your booking by paying via M-PESA. Afterwards, you will receive a notice that your booking has been successful.

We will process information on the appointment itself as well as your contact details (name and phone number). If this data is not already stored in our systems, it will be collected for the first time within the scope of the booking process and then stored for possible future treatment. Please see Sec. 7 for detailed information about our data storage periods.

4.2 Technical provision of the phone call

The telecommunication service provider is the controller for the technical provision of the phone call.

4.3 Phone consultation

Contents and results of the phone consultation will be documented by the health care professional in a documentation system (“CuraliePro”). Thereby, especially health data will be stored to create a source of information for appropriate and effective medical treatment both, for present and future treatment.

The data storage in Curalie Pro is based on the treatment contract between the data subject and Curalie Health Limited, and required in order to perform this contract.

As Curalie Pro is provided by the German Curalie GmbH as service provider and data processor (see Sec. 5.1), the transfer to Curalie GmbH located in Germany is covered by a data processing agreement between Curalie Health Limited and Curalie GmbH and additionally based on your express consent, which you grant during the USSD Service. Please note that your consent is voluntary. However, if you do not consent, we are not able to provide the Callback Service to you.

You can withdraw your consent at any time without giving reasons, e.g. via email to dataprotection@curalie.com , effective for the future. The processing of your data before the withdrawal remains unaffected by this.

4.4 Data processing for customer support

If you contact us as a customer in case of problems or questions, we process your contact details (e.g., your name, e-mail address orphone number) to be able to respond to your concern.

In this case, your personal data is processed because we have a legitimate interest in supporting our customers in using our products and being able to offer them support and – to the extent that health data is processed to this end – on the basis of the consent granted by the user.

5 Possible recipients of your data

In addition to the other scenarios explicitly described in this privacy policy, your personal data may be disclosed to the following categories of recipients:

5.1 Service Providers as data processors

To provide the functions as described in this privacy policy, we occasionally rely on external services providers, for example to technically provide our services or to host these services. Such data processors may process your personal data only according to our instructions and are bound by a comprehensive data processing agreement.

This might include data processors which are located outside Kenya.

Every data transfer outside Kenya is covered by additional safeguards to ensure that your data is protected. Such safeguards are implemented e.g., through comprehensive technical and organisational measures that are state of the art and taken to cover all data protection risks, which includes – but is not limited to – a comprehensive pseudonymization of personal data, or through contractual obligations that are legally binding to and implemented by every entity concerned with the data transfer and contain enforceable data subject rights as stated in Sec. 6 (so-called “Binding Corporate Rules”).

5.2 Law enforcement agencies and injured third parties; further government agencies

If necessary to investigate an unlawful or abusive use of the service or for purposes of asserting rights, personal data may be forwarded to law enforcement agencies and, where applicable, to injured third parties. However, this takes place only if and when there are concrete indications of unlawful or abusive behavior. Disclosure may also occur if this serves to enforce terms of use or other agreements. Our legitimate interest in data processing in this case lies in ensuring the proper functioning of our services and, where applicable, establishing, exercising, or defending against legal claims.

We may also be legally obligated to provide information in response to inquiries from certain public bodies,  including law enforcement agencies, government agencies that impose fines for regulatory offenses, and fiscal authorities.

5.3 Affiliates / corporate transformations

As our business evolves, the structure of our company may transform by changing our legal form or establishing, acquiring, or selling subsidiaries or parts or elements of our company. In the case of transactions like these, we may disclose your data together with the part of the company that is being transferred. Each time we disclose personal data to third parties within the scope described above, we ensure that this takes place in compliance with applicable data protection and privacy laws.

6 Your rights as a data subject

As a data subject whose personal data are being processed, you have the following rights in particular:

  • Right of access to information: You have the right to access information on the personal data concerning you.
  • Right of rectification: You have the right to have inaccurate personal data concerning you rectified or incomplete personal data concerning you completed.
  • Right of erasure: You can also obtain from us the erasure of your personal data if there is no further legal basis for its processing, for example if your data are no longer required for the purposes for which they were collected or otherwise processed.
  • Right to restriction of processing: You have the right to obtain from us the restriction of processing of your personal data; in such a case, the data will be blocked from any and all processing. This right applies in particular if there is any dispute between us concerning the accuracy of the personal data.
  • Withdrawal of consent: You have the right to withdraw your consent at any time – for example via the contact channels mentioned in Sec. 2 above – with effect for the future. Should you wish to exercise this right, please note that the lawfulness of data processing that has already occurred before such withdrawal is not affected.
  • Right to data portability: Where we process your personal data to perform a contract with you or on the basis of your consent, you also have the right to receive your personal data in a structured, commonly used and machine-readable format to the extent that you have provided the data to us.
  • Right to object: Furthermore, you can object to the processing of data for reasons arising from your particular situation. However, this applies only in cases in which we process data to fulfill a legitimate interest of Curalie Health Limited or a third party. If you can present that there is such a reason and we cannot assert any compelling legitimate interest in continuing the processing, we will no longer process these data for the purpose in question.

If you wish to assert any of your rights as a data subject with regard to personal data processed under our responsibility as a controller or have any questions regarding data protection and/or privacy within our organization, you can contact us using the contact channels mentioned in Sec. 2 above. After your inquiry has been answered conclusively, we will erase your inquiry three years after the end of the relevant calendar year.

In the event that you wish to assert your rights as a data subject toward third-party providers or cooperation partners, you can contact these entities at any time to do so. For means of contacting your healthcare institution, please see the healthcare institution’s data protection and privacy information.

Finally, you have the right to lodge a complaint with a data protection supervisory authority concerning our processing of personal data. The supervisory authority with jurisdiction over Curalie Health Limited is: Office of the Data Protection Commissioner, P.O Box 30920-00100, G.P.O Nairobi, e-mail: info@odpc.go.ke, phone: +254 796 954 269 (Safaricom), +254 752 896 867 (Airtel), +254 778 048 164 (Telkom).

7 Duration of storage of data

Unless otherwise described in this privacy policy, we erase personal data in principle when the purpose for storage thereof no longer applies. There may be an ongoing purpose, in particular, if the data is still needed in order to provide contractual services or to be able to review and abide by or defend against legal claims. Subject to statutory or contractual obligations of retention, we erase data processed on the basis of consent in principle as soon as you withdraw consent. We check at regular intervals whether the purpose of storage has ceased to apply or retention remains necessary.

In the case of statutory retention obligations, which may apply for a period of up to 30 years in the case of health data, such data will not be erased until after the relevant retention period has elapsed. In this case, we archive these data sets and restrict any further processing.

7. Updates

We reserve the right to adjust the content of this privacy policy at any time. This typically occurs when the services used are further developed or adjusted.