Operated by: Medpro Essentials Ltd
1. Introduction
Medpro Essentials Ltd (Company Number: 16569098), registered in England and Wales, trading as “Kairo” (“we”, “us”, or “our”), operates the Kairo GP Practice Management System — a multi-tenant Software-as-a-Service platform designed for private GP practices in Zimbabwe. This Privacy Policy explains how we collect, use, store, protect, and share personal data and protected health information when you use our platform.
As a company registered in England and Wales, we comply with UK GDPR and the Data Protection Act 2018. As Kairo delivers services in Zimbabwe, we also comply with the Zimbabwe Data Protection Act. This Policy applies to:
- Healthcare practices and their staff who subscribe to Kairo
- Patients whose data is recorded within the system by a registered practice
- Visitors to our website and any related services
By using Kairo, you confirm that you have read, understood, and agree to this Privacy Policy. If you are a Practice Administrator, you are responsible for ensuring your staff and patients are informed of this Policy.
2. Data Controller Information
Kairo operates as a data processor on behalf of each registered GP practice, which acts as the data controller for its patients' data. For platform-level data, Kairo acts as the data controller.
3. Data We Collect
3.1 Practice & Staff Data
When a practice registers and staff members use Kairo, we collect:
- Full name, email address, phone number
- Role and professional registration numbers (GMC number for GPs, NMC number for Nurses)
- Password (stored as a bcrypt hash — never in plain text)
- Device fingerprint, IP address, and browser user agent for security purposes
- Login timestamps and activity logs
- Digital signature (uploaded by clinicians for prescriptions and clinical notes)
- Working hours and scheduling preferences
3.2 Patient Data
GP practices using Kairo record the following patient information:
- Personal: full name, date of birth, gender, title, preferred language
- Contact: email address, phone number, mobile number, full postal address
- Identification: Patient number, Zimbabwe National ID
- Medical: medical history, diagnoses, allergies, surgical history, chronic conditions
- Clinical notes: SOAP-format consultation notes, examination findings, treatment plans
- Prescriptions: medication names, dosages, frequencies, quantities, pharmacy details
- Documents: lab results, referral letters, discharge summaries, scan reports, ECG results, consent forms, FIT notes
- Billing: invoice history, payment methods, amounts
- Alerts: allergy alerts, safeguarding alerts, medical alerts, communication preferences
- Emergency contact: name, phone number, relationship
- Appointments: appointment history, attendance records, consultation types
3.3 Automatically Collected Data
We automatically collect:
- Device fingerprint for registered device management
- IP addresses for security monitoring and audit logging
- Browser and operating system information
- Session activity and timestamps
4. How We Use Your Data
4.1 Providing Healthcare Services
- Enable GP practices to manage patient records, appointments, and consultations
- Support clinical workflows including prescriptions, referrals, and clinical documentation
- Process billing and invoice management for private practices
- Facilitate automated appointment reminders and confirmations via WhatsApp, SMS (Twilio), and email (SMTP/Nodemailer)
4.2 Platform Security & Operations
- Device registration and approval workflow to prevent unauthorised access
- Role-based access control to ensure staff only access appropriate data
- Audit logging of super admin actions for accountability
- Monitoring platform performance and reliability
4.3 Communications
We send the following communications to patients (on behalf of practices):
- Appointment confirmation and reminder messages via WhatsApp, SMS, and/or email
- Appointment cancellation notices via WhatsApp, SMS, and/or email
- Practice-initiated custom messages using approved templates
WhatsApp and SMS messaging is an optional add-on feature. When enabled, patient phone numbers are transmitted to Twilio (our third-party messaging provider) for the purpose of delivering messages. All messages are logged in our MessageLog system with delivery status tracking.
5. Legal Basis for Processing
Medpro Essentials Ltd is registered in England and Wales and operates under UK GDPR and the Data Protection Act 2018. As Kairo delivers services in Zimbabwe, we also comply with the Zimbabwe Data Protection Act. We process personal data under the following legal bases.
6. Third-Party Services
Kairo integrates the following third-party services. Each acts as a data sub-processor:
- Twilio (WhatsApp & SMS): Used to deliver WhatsApp messages and SMS to patients. Patient phone numbers and message content are transmitted to Twilio for delivery. Twilio acts as a data sub-processor under their Data Protection Addendum. Twilio is based in the United States and maintains appropriate safeguards for international data transfers.
- SMTP/Nodemailer (Email): Used to deliver email notifications to patients and practice staff
- DigitalOcean (Hosting): Cloud infrastructure provider hosting the Kairo platform and database
Note: No payment card data is transmitted to third parties. Kairo does not integrate a payment processing gateway. All payment transactions are recorded manually by practice staff.
7. Data Retention
We retain data for the following periods:
- Patient clinical records (consultations, prescriptions, documents): minimum 7 years from last entry, or until patient reaches age 25 (whichever is longer), in accordance with Zimbabwe medical records regulations
- Staff account data: retained for the duration of employment plus 3 years
- Audit logs and activity records: 7 years
- Message logs (WhatsApp/SMS/email): 2 years
- Billing and invoice records: 7 years for financial compliance
- Device registration records: until device is revoked plus 1 year
Practices are responsible for setting appropriate retention policies for their patient data within the platform.
8. Data Security
8.1 Technical Controls
- Password hashing using bcrypt with salt rounds — passwords are never stored in plain text
- Billing PIN hashing using bcrypt for additional financial data protection
- JWT tokens with 7-day expiry for session management
- Three-layer authentication: JWT validation, role-based access control, device approval
- SSL/TLS encryption in transit via Let's Encrypt certificates managed by Nginx
- Device fingerprinting and mandatory approval workflow before system access
- Multi-tenant data isolation: all data scoped by practiceId at the database query level
8.2 Organisational Controls
- Role-based access control with 7 defined roles limiting data access to job requirements
- Super admin activity logging with IP address and timestamp tracking
- Separate Super Admin account model with 2FA support
- Device approval workflow requiring practice administrator authorisation
9. Your Rights
Under the Zimbabwe Data Protection Act and applicable law, you have the right to:
- Access: Request a copy of personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your data (subject to medical records retention obligations)
- Restriction: Request we limit processing of your data
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at support@kairo.clinic or call +263 785 767 099.
Please note: patient data deletion requests may be limited by legal obligations to retain medical records for the required retention period.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to individuals, Kairo will:
- Notify affected practices within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach, data affected, and likely consequences
- Recommend immediate steps practices should take
- Support practices in their obligations to notify patients where required
- Report to the relevant Zimbabwe regulatory authority as required by law
11. International Data Transfers
Patient data is stored on servers located in our hosting region. Where data is transferred outside Zimbabwe (for example, via Twilio's WhatsApp and SMS infrastructure), we ensure appropriate safeguards are in place in accordance with the Zimbabwe Data Protection Act. Twilio processes message data in the United States and maintains compliance with applicable data protection frameworks.
12. Cookies
Kairo uses essential session cookies for authentication purposes only. No tracking, advertising, or analytics cookies are used. Cookies are required for the platform to function correctly and cannot be disabled without preventing login.
13. Children's Data
Kairo processes data relating to child patients (under 18) as part of normal GP practice operations. This data is subject to the same security controls as adult patient data, and practices are responsible for obtaining appropriate parental or guardian consent in accordance with their clinical and legal obligations.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered practices by email and via an in-app notification at least 30 days before material changes take effect. Continued use of Kairo after the effective date constitutes acceptance of the updated Policy.
15. Contact Us
For privacy-related queries, data subject requests, or to report a concern:
- Support: support@kairo.clinic
- Sales & General Enquiries: ashley@kairo.clinic
- Phone: +263 785 767 099
- Website: https://kairo.clinic
- Company: Medpro Essentials Ltd, Registered in England and Wales | Company Number: 16569098