Privacy notice
How RxWell handles your data
Plain-language summary of what we collect and what we don't. Written to comply with the Kenya Data Protection Act 2019 and GDPR principles. Last updated 2026-05-12.
What we collect
- Identity: your work email, your name, the branch you belong to, and your stable pseudonym (e.g. "Pharmacist 04"). Stored in a separate database from your responses, encrypted at rest.
- Check-in answers: the option you selected for each weekly question, and the derived dimension scores. Stored against your pseudonym only — never against your name or email.
- Anonymous support requests: when you opt in to ask for a manager check-in, we record the request against your pseudonym so we can show your manager that "someone on the team" wants follow-up.
- Sign-in audit: when a magic-link email is sent and consumed, we log the event for security.
What we do with it
- We use your email only to send your weekly magic-link sign-in and the optional Thursday reminder. We never share it.
- We use your pseudonymous answers to compute team-level averages for your manager. Aggregates are only ever shown for groups of five or more responses — below that, the manager sees "Insufficient data".
- We do not sell or license your data to third parties.
- We may share fully anonymised, aggregate-only research data with academic or policy partners, but only with prior written consent from the pilot organisation.
How we keep it safe
- All traffic is encrypted in transit (TLS).
- Your identity data and your response data live in two separate database files with different access boundaries.
- Every access to identity data is recorded in an audit log.
- Database backups are encrypted and rotated.
Your rights
Under the Kenya Data Protection Act 2019, you can:
- Access a copy of your data.
- Correct anything that's wrong.
- Delete your account and all linked identity data. (Past anonymous response rows remain part of your team's aggregates, so deleting your account doesn't break historical reporting.)
- Object to specific processing.
- Lodge a complaint with the Office of the Data Protection Commissioner in Kenya.
How to exercise these rights
Email hello@rxwell.co.ke with your request. We'll respond within seven calendar days.
Retention
We keep your identity data while your account is active. We keep pseudonymous response data for as long as the pilot organisation contracts with us — typically a rolling 24 months — so we can show trend lines that are actually useful.
Changes to this notice
If we make material changes we'll notify you in-app before the change takes effect. Minor wording changes will be reflected in the "Last updated" date at the top.