UkuqalaLegal & Compliance

Privacy Policy

How we collect, use, and protect your personal and health data

Effective 1 May 2026Version 1.0

This Policy applies to all users in Cameroon, across African Union member states, and EU/EEA users. Where jurisdictional requirements conflict, the stricter standard applies.

1

Introduction and Identity of the Data Controller

Ukuqala Health Technologies (“Ukuqala”, “we”, “us”, or “our”) operates a telemedicine and clinical decision-support platform. We provide digital health services connecting licensed physicians with patients across Africa, with primary operations in Cameroon.

This Privacy Policy describes how we collect, process, store, share, and protect personal data — including sensitive health data — in connection with the Platform. It applies to all users: physicians, patients, clinic administrators, and visitors.

Data Controller

Ukuqala Health Technologies — Republic of Cameroon

[email protected]
2

Scope and Territorial Applicability

This Policy applies to users across the following jurisdictions:

  • Cameroon: Law No. 2024/017 (Personal Data Protection) · Law No. 2010/012 (Cybersecurity)
  • African Union member states: Malabo Convention (entered into force 8 June 2023)
  • Nigeria: Nigeria Data Protection Act (NDPA) 2023
  • South Africa: Protection of Personal Information Act (POPIA) 2021
  • Kenya: Data Protection Act 2019
  • Ghana: Data Protection Act 2012
  • Senegal / Côte d'Ivoire: National data protection legislation
  • EU / EEA users: GDPR (EU) 2016/679 · ePrivacy Directive 2002/58/EC
3

Data We Collect

Identity & Contact Data

  • Full legal name, professional title, medical license number
  • National ID (for physician verification)
  • Email address, phone number, physical address
  • Profile photograph

Authentication Data

  • Encrypted password credentials
  • OTP logs via SMS (Africa's Talking)
  • Two-factor authentication event logs
  • Session tokens (never stored in plaintext)

Physician Credential Data

  • Medical degree and specialty certificates
  • ONMC / national medical council registration
  • Hospital/clinic affiliation letters
  • Annual practice certificates, CME records

Health & Clinical Data (Patients)

  • Blood group, allergies, chronic conditions
  • Vital signs (BP, HR, temp, O₂ saturation, glucose, BMI)
  • SOAP clinical notes, ICD-10 diagnoses
  • Prescriptions, referrals, medical certificates
  • AI symptom intake records, RSE risk scores

Financial & Transaction Data

  • Consultation fee payment records
  • Mobile money transaction references (MTN, Orange)
  • Invoice and receipt data
  • No full payment card numbers are stored

Technical & Usage Data

  • IP addresses, browser type, device identifiers
  • Pages visited, features used, session duration
  • Error logs and crash reports
4

Legal Basis for Processing

We process personal data only when we have a lawful basis:

Data CategoryLegal Basis
Account registration and identityContract performance
Health and clinical dataExplicit consent + health care provision necessity
Physician credential verificationLegal obligation + legitimate interest
Payment processingContract performance
Platform security, fraud preventionLegitimate interest
AI-assisted clinical featuresExplicit consent + health care provision
Analytics and platform improvementLegitimate interest (anonymised only)
Regulatory reporting (notifiable diseases)Legal obligation (MINSANTE, WHO IHR)

For sensitive health data, we rely on explicit written or digital consent combined with the necessity for health care provision, as required under Cameroon Law 2024/017, GDPR Article 9, and equivalent African data protection statutes.

5

How We Use Your Data

For Patients:

  • Enabling telemedicine consultations with verified physicians
  • Maintaining your longitudinal medical record
  • Generating prescriptions, referrals, and medical certificates
  • Sending appointment reminders and health alerts
  • Enabling AI-assisted symptom intake and risk stratification
  • Facilitating QR-based record sharing with authorised providers

For Physicians:

  • Verifying credentials against national medical council registries
  • Enabling clinical documentation (notes, prescriptions, referrals)
  • Facilitating doctor-to-doctor case collaboration
  • Providing AI-powered clinical decision support
  • Processing consultation fee payments
  • Supporting MINSANTE regulatory compliance
6

Data Sharing and Third-Party Processors

We do not sell personal data. We share data only under strict contractual data protection obligations:

RecipientPurposeData Shared
Agora RTCVideo consultation infrastructureSession metadata only
Mistral AIClinical AI suggestionsAnonymised symptom data; no patient identifiers
Africa's TalkingSMS-based OTP and alertsPhone number, OTP token
MTN Mobile Money / Orange MoneyPayment processingTransaction amount, phone number, reference ID
SupabaseDatabase hosting and authenticationEncrypted patient records
ONMC (Cameroon)Physician license verificationLicense number and name
MINSANTE / WHOMandatory disease reportingAnonymised/aggregated epidemiological data only
7

Data Retention

Data CategoryRetention PeriodLegal Basis
Medical records and clinical data10 years from last consultationLaw 2010/012; professional standards
Communications metadata (SMS, calls)10 yearsLaw 2010/012 Art. 41
Financial / payment records7 yearsTax and audit obligations
Physician verification documentsAccount duration + 5 yearsRegulatory compliance
Inactive account data3 years after last activityLegitimate interest
AI interaction logs2 years (anonymised after 6 months)Platform safety
Technical / server logs12 monthsSecurity and fraud prevention
8

Your Data Rights

RightDescriptionHow to Exercise
AccessObtain a copy of all personal data we holdEmail [email protected]
RectificationCorrect inaccurate or incomplete dataAccount settings or email request
ErasureRequest deletion (subject to retention obligations)Written request to [email protected]
PortabilityReceive data in machine-readable formatWritten request; 30-day delivery
RestrictionLimit processing while a dispute is resolvedWritten request
Withdraw ConsentWithdraw consent at any timeAccount settings or email
ComplaintLodge a complaint with supervisory authoritySee Section 14 of full policy

All requests are responded to within 30 days. We may require identity verification before fulfilling requests.

9

Security Measures

Encryption at rest

AES-256 for all stored health data

Encryption in transit

TLS 1.3 for all transmissions

Authentication

Mandatory 2FA for all physician accounts

Access controls

Role-based access (RBAC)

Audit logging

Immutable trails on all record access

Penetration testing

Regular third-party security assessments

10

Data Breach Notification

In the event of a personal data breach, we will notify affected individuals within 72 hours of becoming aware, and we will notify the relevant data protection authority as required by applicable law.

To report a suspected security incident: [email protected]

11

Supervisory Authorities and Complaints

Cameroon

Autorité de Protection des Données à Caractère Personnel (under Law 2024/017)

Nigeria

Nigeria Data Protection Commission (NDPC)

South Africa

Information Regulator — inforegulator.org.za

Kenya

Office of the Data Protection Commissioner (ODPC)

Ghana

Data Protection Commission (DPC)

Senegal

Commission de Protection des Données Personnelles (CDP)

EU / EEA users

Competent supervisory authority in your EU member state

We encourage you to contact [email protected] first — we are committed to resolving concerns directly.

This policy was prepared in accordance with Cameroon Law No. 2024/017, Law No. 2010/012, the African Union Malabo Convention, GDPR (EU) 2016/679, and applicable national data protection statutes across African jurisdictions. Effective 1 May 2026 · Version 1.0