Data Processing Agreement
How we handle and process your data
Last updated: January 2026
Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Nurafya Health Technologies ("Processor," "we," "us") and the user ("Controller," "you") for the processing of personal data.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Health Data" means personal data related to the physical or mental health of an individual, including the provision of health care services.
- "Processing" means any operation performed on personal data, such as collection, recording, storage, use, or disclosure.
2. Scope of Processing
We process personal data solely for the purpose of providing diabetes management services, including:
- Risk assessment and screening
- Nutritional guidance based on food logging
- Medication verification
- Health reminders and notifications
- Service improvement through anonymized analytics
3. Data Categories Processed
Personal Identifiers
- Phone number
- Name (optional)
Health Data
- Age, gender, weight, height
- Blood glucose readings
- Dietary information
- Medication records
- Family health history (for risk assessment)
4. Technical and Organizational Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit and at rest
- Access controls limiting data access to authorized personnel
- Regular security assessments and penetration testing
- Incident response procedures
- Employee training on data protection
5. Sub-Processors
We may engage sub-processors to assist in providing our services. Current sub-processors include:
- Cloud infrastructure providers (data hosting)
- SMS/USSD gateway providers (message delivery)
- Payment processors (subscription management)
All sub-processors are bound by data processing agreements that provide protection equivalent to that of this DPA.
6. International Data Transfers
We primarily store data within Africa. When international transfers are necessary, we ensure appropriate safeguards are in place, including:
- Standard contractual clauses
- Adequacy decisions where applicable
- Encryption during transfer
7. Data Subject Rights
We assist you in responding to requests from data subjects exercising their rights under applicable data protection laws, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to data portability
- Right to withdraw consent
8. Data Breach Notification
In the event of a personal data breach, we will notify you without undue delay and within 72 hours of becoming aware of the breach, where feasible.
9. Data Retention
We retain personal data for as long as necessary to provide our services and comply with legal obligations. Upon account deletion, we delete personal data within 30 days, except where retention is required by law.
10. Contact
For questions about data processing, contact our Data Protection Officer at dpo@nurafya.com.