Africa Afya Healthcare

Privacy Policy

Last updated: 22 June 2026

Africa Afya Healthcare Limited ("Africa Afya," "AfyaRad," "we," "us," or "our") operates the website africaafya.co.ke, the AfyaRad teleradiology marketplace, and AfyaRad Community (collectively, the "Services"). This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and the rights you have over it.

AfyaRad consists of two distinct services with different data profiles, and this policy addresses both:

  • AfyaRad Marketplace — a teleradiology platform connecting hospitals and imaging centres ("Facilities") with credentialed, licensed radiologists ("Teleradiologists") for paid, professional reporting of real patient studies.
  • AfyaRad Community — a free educational platform where members read anonymised, de-identified radiology cases, submit their own interpretations, and compare them against the original findings. No real patient data, names, or identifiable images are processed on AfyaRad Community.

Please read the section relevant to how you use our Services. If you interact with both, both sections apply to you.

1. Who We Are

Africa Afya Healthcare Limited is a company incorporated under the laws of Kenya, with its registered office at Karen Flame Business Centre, Dagoretti Road, Nairobi, Kenya. We are the data controller for the personal data described in this policy unless otherwise stated.

2. Information We Collect — AfyaRad Marketplace

2.1 Facility Onboarding and Accounts

When a Facility applies to join AfyaRad, we collect the facility name, physical address, and contact details; the name, email, phone, and WhatsApp number of facility administrators and authorised representatives; facility registration and licensing documentation; the Facility's preferred payment method and associated billing details; and a record of acceptance of the Facility Service Agreement, including the date and IP address of acceptance.

2.2 Teleradiologist Onboarding and Accounts

Our radiologist credentialing process is detailed because the integrity of every report depends on it. We collect:

  • Full legal name, preferred name, date of birth, nationality, national ID or passport number, country of residence, physical address, phone, WhatsApp number, and email
  • Primary medical degree and postgraduate radiology qualification, including institution, country, and year of award; fellowship training and additional certifications
  • Professional registration and practising licence details for each jurisdiction in which the applicant is licensed, including regulatory body, registration number, licence number, and expiry date
  • Current employer, job title, years of experience, average daily study volume, competent modalities, subspecialties, PACS systems used, reporting software, and reporting languages
  • Availability tier, hours per week, preferred time blocks, timezone, and willingness to cover overnight STAT or weekend studies
  • Disclosures relevant to professional standing: whether the applicant's licence has ever been suspended or restricted, whether they have been subject to disciplinary proceedings, any criminal conviction, any declared conflict of interest, and details of professional indemnity insurance where held
  • Identity document, licence certificate, qualification certificate, indemnity insurance certificate, and a photograph, uploaded as part of the application
  • Payment details for monthly payout, which may include M-Pesa number or bank account details depending on the radiologist's location and selected payment method
  • A signed, notarised professional declaration, sworn before a Commissioner for Oaths or Notary Public in the applicant's country of residence, and a record of acceptance of the Teleradiologist Independent Contractor Agreement

We treat bank account numbers and mobile money numbers as confidential within our systems and restrict their visibility to personnel who require access for payment processing.

2.3 Patient and Study Data

  • DICOM imaging studies uploaded by an authorised Facility for the purpose of obtaining a radiology report
  • Associated clinical history, referring-clinician notes, and the report content generated by the reporting Teleradiologist
  • Where feasible, patient identifiers are managed using our internal KHUID convention rather than retaining hospital-issued patient identifiers in full
  • We process this data strictly as a data processor acting on the instructions of the submitting Facility, which remains the data controller for its patients' health information, unless a separate Data Processing Agreement states otherwise

2.4 Payment Information

Payment methods currently available depend on the country in which a Facility or Teleradiologist operates, and are expanding progressively:

  • Kenya — Facilities can pay via M-Pesa direct to our company bank account, bank transfer, or invoice on Net 30 terms; Teleradiologists are paid via M-Pesa or bank transfer (including SWIFT details for cross-border payouts where applicable)
  • Nigeria — we are actively expanding to offer multiple convenient local payment options
  • Other countries — additional local payment methods will be introduced over time; bank transfer remains available in the interim

We do not store full payment card numbers or mobile-money PINs. Bank account and mobile money numbers used for payout are stored securely and access-restricted as described in Section 2.2.

3. Information We Collect — AfyaRad Community

3.1 Account Information

  • Username, email address, and password (stored as a salted hash, never in plain text)
  • Optional full name, country, and short biography, shown on your public profile if provided
  • Subspecialty interests, selected at signup and editable at any time
  • IP address at signup and login, retained for fraud-prevention and abuse-detection purposes only

3.2 Activity Data

  • Cases you interpret, your written impressions, agreement level versus the original report, and self-reported confidence score
  • Cases you bookmark, react to, or flag
  • Aggregate accuracy statistics, derived from your interpretation history, used to power your own profile page
  • Streak data (consecutive days of activity)

3.3 What We Do Not Collect on AfyaRad Community

We do not collect or store real patient names, hospital names, dates of birth, or any other directly identifying patient information in connection with community cases. You see only the age, sex, and clinical history relevant to learning — nothing else. Cases sourced externally are drawn only from properly licensed, already-published academic case reports under permissive open licences, or from real network Teleradiologists' own cases where the patient identity has been fully removed prior to posting. AfyaRad Community membership is free; no credentials, payment details, or identification documents are required to join.

4. How We Use Your Information

We use the information described above to operate, maintain, and improve the Services; verify Teleradiologist credentials and match them to studies; generate and deliver radiology reports; process facility billing and Teleradiologist payouts; personalise the AfyaRad Community feed and learning experience; detect and prevent fraud, abuse, and policy violations; communicate with you about your account and security; comply with applicable law; and produce de-identified, aggregated analytics that do not identify any individual. We do not sell personal data to third parties, and we do not use AfyaRad Community member data to train commercial AI products without separate, explicit notice and consent.

5. Legal Basis for Processing

Where applicable data protection law requires a legal basis, we rely on consent, performance of a contract (including the Facility Service Agreement and Teleradiologist Independent Contractor Agreement), legitimate interest, or legal obligation, depending on the specific processing activity.

6. Data Sharing and Disclosure

We do not sell your personal data. We share information only with the submitting Facility and assigned Teleradiologist as necessary to deliver a report; with service providers acting on our behalf (hosting, payments, email delivery) under confidentiality obligations; with professional or regulatory bodies where required to verify credentials or comply with a lawful request; in connection with a business transfer; or where required by law. We never share AfyaRad Community member data with case-source institutions, nor do we publicly display a member's email address, full name (unless voluntarily added to their profile), or IP address.

7. Third-Party Services

  • Google OAuth — for optional sign-in on AfyaRad Community
  • M-Pesa and banking partners — to process Kenyan facility billing and Teleradiologist payouts; further local payment partners are being onboarded for Nigeria and other countries over time
  • Email delivery providers — for verification emails and notifications
  • Cloud infrastructure providers — to host our servers, databases, and file storage

8. International Data Transfers

Our servers are located outside Kenya in some cases. Where personal data is transferred internationally, we take steps to ensure an equivalent level of protection is maintained, consistent with the Kenya Data Protection Act, 2019.

9. Data Retention

Facility and patient study data is retained for as long as necessary to provide the reporting service and to meet applicable medical-record retention requirements under Kenyan law. Teleradiologist credentialing data, including the signed professional declaration, is retained for the duration of the active relationship and a reasonable period afterward to meet audit and regulatory requirements. AfyaRad Community account data is retained while your account is active; if you delete your account, your personal data is deleted or anonymised within a reasonable period, except where retention is required for fraud prevention or legal compliance.

10. Data Security

All DICOM files and reports are encrypted in transit and at rest. We apply role-based access controls, secure password hashing, full audit trails of study access and report actions, and regular review of account activity for signs of abuse. Identity documents, licence certificates, indemnity certificates, and bank or mobile-money details submitted during onboarding are access-restricted to personnel who require them to perform credentialing or payment functions. No system can guarantee absolute security.

11. Your Rights

Subject to the Kenya Data Protection Act, 2019, you have the right to access, correct, delete, restrict, object to processing of, and export your personal data, and to withdraw consent at any time. Contact us using the details in Section 15 to exercise these rights.

12. Children's Privacy

Our Services are not directed at children. AfyaRad Marketplace is restricted to verified healthcare professionals and authorised facility representatives. AfyaRad Community requires members to confirm they meet the minimum age permitted under applicable law in their jurisdiction at signup.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page with a revised "Last updated" date and take reasonable steps to notify affected users of material changes.

14. Kenya Data Protection Act, 2019

This Privacy Policy is intended to comply with the Kenya Data Protection Act, 2019, and its implementing regulations. We have not yet obtained formal Data Processor certification from the Office of the Data Protection Commissioner of Kenya; we are actively pursuing this certification. For further detail on our compliance approach, including data subject request procedures and breach notification, see our Data Protection Compliance page.

15. Contact Us

Africa Afya Healthcare Limited
Karen Flame Business Centre, Dagoretti Road
Nairobi, Kenya

Email: info@africaafya.co.ke
Phone: +254 799 657 949