Privacy Policy

Your data belongs to you.

This Privacy Policy explains how Doctor's Bench EHR ("we," "us," or "the Platform"), operated by Convo Africa, collects, uses, stores, and protects your personal data and the personal data of your clients. We are committed to the highest standards of data privacy under Kenyan law and international best practice.

Effective Date: 1 March 2026 · Last Reviewed: March 2026 · Version: 1.2 · Jurisdiction: Republic of Kenya

1. Overview & Scope

This Privacy Policy governs the collection, use, processing, storage, and disclosure of personal data by Doctor's Bench EHR ("the Platform"), operated by Convo Africa, a social enterprise registered and operating in Nairobi, Kenya.

This Policy applies to:

  • Practitioners — mental health professionals, counsellors, psychologists, and clinic administrators who register and use the Platform.
  • Clients / Patients — individuals whose personal health data is entered into the Platform by practitioners.
  • Visitors — anyone who accesses the doctorsbench.care website.

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. Practitioners who use the Platform to process client data do so as independent Data Controllers in relation to their clients' data, and are themselves subject to the Kenya Data Protection Act 2019.

Plain-English Summary
We collect the minimum data needed to run the Platform. All data is encrypted and stored in Kenya. We do not sell your data or use it for advertising. You and your clients have full rights over your data under Kenyan law.

2. Legal Framework & Compliance

Doctor's Bench EHR processes personal data in compliance with the following legal frameworks and standards:

  • Kenya Data Protection Act, No. 24 of 2019
  • Kenya Digital Health Act, No. 15 of 2023
  • Data Protection (General) Regulations, 2021
  • Data Protection (Registration) Regulations, 2021
  • EU General Data Protection Regulation (GDPR)
  • HIPAA (Health Insurance Portability & Accountability Act)
  • Kenya Health Act, 2017
  • Constitution of Kenya, Article 31 (Right to Privacy)

Kenya DPA 2019 — Core Principles (Section 25)

In accordance with Section 25 of the Kenya Data Protection Act 2019, we adhere to the following data processing principles for all personal data we handle. (Section 25(h) of the DPA additionally requires that personal data is not transferred outside Kenya without adequate safeguards; see Sections 7 and 11 of this Policy.)

  • Lawfulness, fairness and transparency (DPA s.25(b)): We process data only on valid legal grounds, and we tell all data subjects clearly how their data is used.
  • Purpose limitation (DPA s.25(c)): Data collected for one purpose is not repurposed without a new legal basis and notification to the data subject.
  • Data minimisation (DPA s.25(d)): We collect only the data strictly necessary for the specified purpose. We do not collect data "just in case."
  • Accuracy (DPA s.25(f)): We take reasonable steps to ensure data is accurate and up to date. Data subjects may have inaccurate records corrected within 14 days of request.
  • Storage limitation (DPA s.25(g)): Data is kept in identifiable form only as long as necessary for its stated purpose. See Section 9 (Data Retention) for specific schedules.
  • Integrity and confidentiality (DPA s.41, security safeguards): All data is protected with industry-standard encryption (AES-256) and strict access controls. See Section 8 (Security Measures).
  • Accountability (DPA s.25 places these duties directly on every data controller and data processor): We maintain records of all processing activities and can demonstrate compliance to the Office of the Data Protection Commissioner (ODPC) on request.

GDPR Alignment

While Doctor's Bench EHR primarily serves Kenyan practitioners and clients, the Kenya DPA 2019 is modelled closely on the EU GDPR. We voluntarily align our practices with GDPR standards — including Article 9 requirements for special category health data, the right to erasure, data portability, and Data Protection Impact Assessments (DPIAs) for high-risk processing — to ensure the highest standard of protection for all users.

HIPAA-Informed Design

Although HIPAA is a US federal law, Doctor's Bench EHR is designed to meet the HIPAA Security Rule's administrative safeguards (45 CFR §164.308) and technical safeguards (45 CFR §164.312) as a matter of international best practice. This includes audit controls, automatic logoff and transmission security from §164.312, and the Privacy Rule's "minimum necessary" standard (45 CFR §164.502(b)) applied to every access to client records.

Kenya Digital Health Act 2023

Under the Kenya Digital Health Act No. 15 of 2023 and its draft Health Information Management Regulations, health data controllers must implement security measures consistent with prevailing ICT Authority standards and international best practices. We comply with these obligations through our encryption architecture, breach notification procedures, and Kenya-based data storage.

KMPDC Compliance Notice
Effective 1 January 2025, the Kenya Medical Practitioners and Dentists Council (KMPDC) requires all healthcare facilities to hold a valid Certificate of Data Handler and/or Processor issued by the ODPC. Convo Africa has completed this registration. Practitioners using Doctor's Bench EHR to process client health data should independently ensure their own ODPC certification if required under the KMPDC directive.

3. Data Controller Information

For the purposes of the Kenya Data Protection Act 2019:

Data Controller
Convo Africa — operating at convo.africa and doctorsbench.care. Registered in Nairobi, Kenya. Registered with the Office of the Data Protection Commissioner (ODPC) as a Data Controller and Data Processor.
Data Protection Officer (DPO)
Our designated DPO can be contacted at privacy@doctorsbench.care. The DPO is responsible for overseeing compliance with this Policy and the Kenya DPA 2019, and acts as the primary contact point for the ODPC and for data subject rights requests.

Where a practitioner uses Doctor's Bench EHR to process the personal health data of their clients, the practitioner acts as an independent Data Controller in respect of that client data. Convo Africa acts as a Data Processor on behalf of the practitioner for those records. This relationship is governed by the Data Processing Agreement embedded in our Terms of Service (see the Terms of Service tab).

4. Data We Collect

4a. Practitioner Data

When you register as a practitioner, we collect:

  • Identity data: full name, professional designation, and national ID or passport number (for account verification)
  • Professional credentials: registration number, licensing body (e.g. Kenya Counsellors and Psychologists Association)
  • Contact data: email address, phone number, clinic name and physical address
  • Financial data: M-Pesa number or bank account details for wallet withdrawals (collected and stored via PCI-DSS-compliant payment processors — we do not store full card numbers)
  • Account data: username, password hash (the password itself is never stored), session logs, and account settings

4b. Client / Patient Data (Special Category — Health Data)

Special Category Data
Client health and mental health data constitutes "sensitive personal data" under Section 2 of the Kenya DPA 2019 and "special category data" under GDPR Article 9. This data receives the highest level of protection we apply. It is processed only for the provision of clinical care, stored with AES-256 encryption, and never shared without explicit consent or another lawful basis (see Sections 5 and 10).

Practitioners may enter client data into the Platform. We process this data solely on their instructions as a Data Processor. The categories of client data that may be stored include:

  • Identity: name, date of birth, contact number, gender, next of kin details
  • Health data: presenting concerns, diagnosis, mental health history, medication, risk assessments
  • Session records: session notes (including Smart Notes drafts and approved notes), treatment plans, progress records
  • Consent records: records of client consent to treatment and data processing
  • Financial data: invoices and payment records relating to sessions (not full payment card numbers)

4c. Usage & Technical Data

We automatically collect limited technical data to operate and improve the Platform:

  • IP address, browser type, device type, operating system
  • Pages visited, features used, session duration (for improving the Platform — not used to profile users)
  • Error logs and performance metrics

We do not use advertising cookies, third-party tracking pixels, or sell usage data to any third party.

5. Lawful Basis for Processing

Under Section 30(1) of the Kenya DPA 2019, processing is lawful only with the data subject's consent (s.30(1)(a)) or where it is necessary on one of the grounds listed in s.30(1)(b). We rely on the following bases:

  • Practitioner account data: Contract (s.30(1)(b)). Necessary to perform our subscription contract with you.
  • Practitioner financial data: Contract and legal obligation (s.30(1)(b)). Required to process payments and to comply with tax and financial regulations.
  • Client health records: Consent (s.30(1)(a)) together with the DPA's provisions on sensitive personal data and health data (ss.44–46). Practitioners must obtain explicit consent from clients before entering their health data. Processing is also permitted under s.46 where it is carried out by or under the responsibility of a healthcare provider.
  • Platform usage data: Legitimate interests (s.30(1)(b)). We have a legitimate interest in improving the Platform. This does not override your rights.
  • Legal compliance: Legal obligation (s.30(1)(b)). Some data retention is required by Kenyan law.

Consent: Where we rely on consent, it is freely given, informed, specific, and unambiguous, consistent with Section 32 of the DPA (conditions of consent) and GDPR Article 7. You may withdraw consent at any time without penalty, though this may affect your ability to use certain features.

6. Purposes of Processing

  • Providing, operating, and improving the Doctor's Bench EHR Platform
  • Enabling practitioners to store, access, and manage clinical records securely
  • Generating Smart Notes drafts from session interactions (see Section 14)
  • Processing payments and managing wallet balances
  • Sending transactional communications (account notifications, appointment reminders, invoices)
  • Monitoring Platform security and preventing fraud or unauthorised access
  • Complying with Kenyan legal and regulatory obligations
  • Responding to data subject rights requests

We do not: sell personal data to third parties, use client health data for advertising or marketing, use data to train AI models without explicit opt-in consent, or share data across unrelated Convo Africa services without a separate legal basis.

7. Data Storage & Location

All data is stored in Kenya
All personal data processed by Doctor's Bench EHR is stored on cloud infrastructure physically located within the Republic of Kenya. This is consistent with Section 50 of the Kenya Data Protection Act 2019, which empowers the Cabinet Secretary to prescribe that certain processing be effected through servers or data centres located in Kenya. We meet this standard by default for all health data.

Our cloud infrastructure is hosted with ISO 27001-certified providers operating Kenyan data centres. All stored data is encrypted at rest using AES-256 encryption. All data in transit is protected using TLS 1.3. Backups are encrypted and stored in geographically separate but still Kenya-based locations.

No personal health data is transferred outside Kenya unless the practitioner specifically exports a client record for a legitimate clinical purpose. Where any processing does occur outside Kenya, we ensure it is subject to adequate data protection safeguards pursuant to Sections 48 and 49 of the DPA, including contractual protections equivalent to those offered under this Policy.

8. Security Measures

We implement a layered security architecture consistent with HIPAA's Technical Safeguards (45 CFR §164.312), ISO/IEC 27001, and the Kenya ICT Authority's Information Security standards:

Layer 1: Encryption at Rest & in Transit
All stored data is encrypted with AES-256. All data in transit is protected with TLS 1.3. Database fields containing health data are individually encrypted at the field level.

Layer 2: Access Controls & Authentication
Role-based access controls (RBAC) ensure practitioners can only access their own client data. Clinic/Team plan accounts support supervisor and admin roles with scoped permissions. All accounts require strong passwords and support two-factor authentication (2FA).

Layer 3: Audit Logging & Monitoring
Every access to patient records, every data export, and every login event is recorded in an immutable audit log. Automated monitoring alerts our security team to unusual access patterns in real time, consistent with HIPAA's Audit Controls standard (45 CFR §164.312(b)).

Layer 4: Secure Development & Infrastructure
Our engineering team follows OWASP secure development guidelines. The Platform is hosted on ISO 27001-certified cloud infrastructure. Regular penetration testing is conducted. All dependencies are monitored for vulnerabilities and patched promptly.

Layer 5: Automatic Session Timeout
Sessions automatically expire after a period of inactivity, consistent with HIPAA's Automatic Logoff standard (45 CFR §164.312(a)(2)(iii)). Users are required to re-authenticate to resume access.

Layer 6: Data Backup & Disaster Recovery
Daily encrypted backups are stored in a separate Kenya-based facility. Our disaster recovery plan targets a Recovery Time Objective (RTO) of under 4 hours and a Recovery Point Objective (RPO) of under 1 hour for critical health data.

9. Data Retention

We retain personal data only for as long as is necessary for its stated purpose or as required by Kenyan law, consistent with Section 25(e) of the DPA 2019:

  • Client health records: 7 years from last session, unless an erasure request can lawfully be honoured earlier (see Section 12). Basis: Kenya Health Act 2017 minimum retention; practitioner clinical obligation.
  • Session notes: 7 years from date of session. Basis: clinical best practice; Kenyan professional standards.
  • Practitioner account data: duration of subscription plus 2 years after account closure. Basis: contractual and legal compliance requirements.
  • Financial / billing records: 7 years. Basis: Kenya Revenue Authority requirements.
  • Audit logs: 3 years. Basis: security monitoring and breach investigation capability.
  • Smart Notes drafts (unapproved): 72 hours, then automatically deleted. Basis: data minimisation; unapproved AI drafts are temporary.
  • Website visitor logs: 90 days. Basis: security monitoring.

When data reaches the end of its retention period, it is securely deleted using methods that prevent reconstruction, consistent with ISO 27001 media sanitisation standards.

10. Data Sharing & Disclosure

We do not sell, rent, or trade personal data. We share personal data only in the following limited circumstances:

  • Your instruction: Practitioners may share client records with co-therapists, supervisors, or referral clinicians using the Platform's built-in team sharing feature. This sharing is authorised by the practitioner and subject to their own duty of care.
  • Service providers: We engage a small number of third-party processors (cloud hosting, payment processing, SMS delivery) under strict data processing agreements that prohibit them from using the data for any other purpose.
  • Legal obligation: We disclose data where required by Kenyan law, court order, or a directive from the ODPC or other lawful authority.
  • Protection of life: Where disclosure is necessary to prevent serious harm to a person's life, consistent with the vital-interests ground in Section 30(1)(b) of the DPA.
  • Business transfer: If Convo Africa undergoes a merger or acquisition, data may be transferred to the successor entity, subject to equivalent privacy protections and advance notice to users.

All third-party processors are required to: (a) process data only on our documented instructions, (b) maintain appropriate technical and organisational security measures, (c) not engage sub-processors without our prior consent, and (d) assist us in meeting data subject rights obligations. See our Sub-Processor List for current service providers.

11. Cross-Border Transfers

Section 25(h) and Sections 48 and 49 of the Kenya DPA 2019 prohibit the transfer of personal data outside Kenya unless adequate safeguards are in place or the data subject has consented. Our default position is to store and process all data within Kenya. In the limited cases where a sub-processor (such as an international SMS gateway) processes data outside Kenya, we ensure that at least one of the following holds:

  • The recipient country provides an adequate level of data protection, or
  • We have entered into Standard Contractual Clauses (SCCs) or equivalent contractual protections, or
  • The data subject has given explicit informed consent for the transfer

Health (clinical) data is never transferred outside Kenya under any circumstances, except where a practitioner exports a specific client record for a legitimate clinical referral purpose, with the client's consent on file.

12. Your Rights

Under the Kenya Data Protection Act 2019 (Sections 26–34) and aligned with GDPR Chapter III, you have the following rights in relation to your personal data. We respond to all valid requests within 30 days (or 14 days for correction requests under Section 27(3) of the DPA).

Right to Access
DPA s.26 · GDPR Art.15

You may request a copy of all personal data we hold about you and information about how it is processed.

Right to Rectification
DPA s.27 · GDPR Art.16

You may request correction of inaccurate or incomplete data. We will action corrections within 14 days of a valid request.

Right to Erasure
DPA s.34 · GDPR Art.17

You may request deletion of your personal data. We will comply unless retention is required by law (e.g. clinical records under the Kenya Health Act).

Right to Data Portability
DPA s.33 · GDPR Art.20

You may request your data in a structured, machine-readable format (JSON) to transfer to another service provider; a human-readable PDF copy is also available on request.

Right to Object & Restrict
DPA s.32 · GDPR Art.18–21

You may object to processing based on legitimate interests, or request restriction of processing while a complaint is investigated.

Right to Lodge a Complaint
DPA s.56 · GDPR Art.77

You have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at odpc.go.ke.

To exercise any of these rights, contact our DPO at privacy@doctorsbench.care with your name, account email, and a description of your request. We may need to verify your identity before processing a request.

13. Children's Data

Under Section 33 of the Kenya DPA 2019 and Article 260 of the Constitution of Kenya, a child is a person under 18 years of age. Where practitioners use the Platform to manage records for clients under 18:

  • Practitioners must ensure that appropriate parental or guardian consent has been obtained before entering a child's data into the Platform.
  • The Platform applies the same or greater security measures to children's records as to adult records.
  • Children's health data is treated as sensitive personal data and never shared without explicit legal authority.

The Platform is not a consumer-facing service and is not directed at children directly. Children do not register as practitioners or interact with the Platform without a practitioner intermediary.

14. Smart Notes & AI Processing

Human oversight — always
Smart Notes are always a draft. No AI-generated note is ever saved to a client record without the practitioner's explicit review and approval. This is a non-negotiable design principle, not a default setting. It is consistent with Section 35 of the Kenya DPA 2019, which gives data subjects the right not to be subject to a decision based solely on automated processing.

Smart Notes processes the content of practitioner-entered session information to generate a draft clinical note. The following principles govern this processing:

  • No autonomous decisions: Smart Notes is an assistive tool. It does not make clinical decisions, diagnoses, or recommendations. All clinical judgement remains entirely with the practitioner.
  • Draft only: All Smart Notes output is a draft that requires practitioner approval. Unapproved drafts are automatically deleted after 72 hours.
  • No training on client data: Client health data entered into Doctor's Bench EHR is not used to train, fine-tune, or improve AI models — except with explicit, separately-obtained opt-in consent from both the practitioner and the client.
  • Encryption during processing: Session data passed to the Smart Notes engine is encrypted in transit and processed in isolated, access-controlled environments. It is not retained by the AI processing layer after the draft is generated.
  • Right to opt out: Practitioners may disable Smart Notes at any time from their account settings without affecting any other platform functionality.

15. Data Breach Response

In the event of a personal data breach, we follow a structured incident response procedure consistent with Section 43 of the Kenya DPA 2019 and GDPR Article 33:

  1. Contain: Immediately isolate and contain the breach to prevent further data loss or exposure.
  2. Assess: Determine the nature, scope, and likely consequences of the breach within 24 hours.
  3. Notify the ODPC: Where the breach presents a real risk of harm to data subjects (the Section 43 threshold), we notify the ODPC within 72 hours of becoming aware of the breach, as required by the DPA and GDPR Article 33.
  4. Notify affected controllers and users: Where we hold client records as Data Processor on behalf of a practitioner, we notify that practitioner (the Data Controller) within 48 hours of becoming aware of the breach, as Section 43 of the DPA requires of processors. Where the breach poses a high risk to individuals, we notify affected practitioners and, where appropriate, advise them to notify their affected clients, without undue delay.
  5. Remediate: Address the root cause, implement additional controls, and document the incident in our breach register.

All security incidents and breach investigations are documented in an immutable incident log maintained by our DPO.

16. Data Protection Officer

We have designated a Data Protection Officer (DPO) as required under Section 24 of the Kenya DPA 2019. The DPO's responsibilities include advising on compliance with the DPA, monitoring internal data protection activities, acting as the first point of contact for data subjects, and liaising with the ODPC.

Contact our DPO
privacy@doctorsbench.care
Doctor's Bench EHR · Convo Africa, Nairobi, Kenya

17. Changes to This Policy

We review this Privacy Policy at least annually or whenever there are significant changes to the Platform or applicable law. Material changes will be communicated to registered practitioners by email at least 30 days before they take effect. Continued use of the Platform after the effective date constitutes acceptance of the revised Policy. Prior versions of this Policy are available on request from our DPO.

18. Contact Us

For all privacy-related queries, data subject rights requests, or concerns, contact: