1 Who We Are

MedMarket Pharmacies (“MedMarket”, “we”, “our”) is a licensed pharmacy network operating in Nairobi, Kenya. We operate the website and mobile platform at medmarket.co.ke (the “Service”).

MedMarket is the data controller responsible for your personal information as described in this Privacy Policy. Any questions regarding this policy may be directed to our Data Protection Officer at dpo@medmarket.co.ke.

2 Information We Collect

Information you provide directly:

• Name, email address, phone number, and delivery address when you register or place an order
• Username and password for your account
• Prescription documents and associated medical details when ordering prescription medicines
• Payment information (processed securely by our payment providers — we do not store card numbers)
• Support and chat messages you send to our team
• Product reviews and ratings you submit

Information collected automatically:

• IP address, browser type, operating system, and device identifiers
• Pages visited, time spent, and clickstream data while using the Service
• Location data (city/region level) derived from your IP address
• Cookie and session identifiers (see Section 6)

3 How We Use Your Information

We use your information to:

• Process and fulfil your orders and arrange delivery
• Verify your identity and manage your account
• Communicate order confirmations, delivery updates, and support responses
• Send promotional emails and SMS (only where you have opted in — you may opt out at any time)
• Detect and prevent fraud, abuse, and unauthorised access
• Comply with our legal and regulatory obligations as a licensed pharmacy
• Improve the Service through usage analysis and feedback
• Generate anonymised, aggregated statistics for business insights

4 Medical & Prescription Data

When you upload a prescription or provide health-related information, we treat this as special category (sensitive) personal data requiring a higher standard of protection.

Medical data is:

• Accessible only to our licensed pharmacists for the purpose of dispensing verification
• Never sold or shared with third-party marketers
• Stored with encryption and strict access controls
• Retained for seven (7) years as required by pharmacy regulations in Kenya

5 Data Sharing

We do not sell your personal data. We share your information only with:

• Delivery partners: Your name, phone number, and delivery address are shared with our courier partners solely to complete your delivery
• Payment processors: Transaction data is shared with M-Pesa (Safaricom) and card payment gateways to process payments securely
• Regulatory authorities: We may be required to disclose information to the Pharmacy and Poisons Board (PPB), ODPC, or law enforcement in response to a lawful request
• Service providers: Trusted technology vendors (e.g. hosting, email, analytics) who process data on our behalf under binding data processing agreements

All third parties we share data with are contractually required to protect your data and use it only for the specified purpose.

6 Cookies & Tracking

We use cookies and similar technologies to keep you logged in, remember your cart, and understand how you use the Service. Types of cookies we use:

• Essential cookies: Required for the Service to function (session management, security tokens). Cannot be disabled.
• Preference cookies: Remember your language, location, and display preferences.
• Analytics cookies: Help us understand page performance and user journeys (anonymised). You may opt out.
• Marketing cookies: Used only if you have given explicit consent to receive personalised promotions.

You can manage cookies through your browser settings. Note that disabling essential cookies may prevent you from using key features of the Service.

7 Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

• Account data: retained until you delete your account, then 30 days before purging from all systems
• Order and transaction records: 7 years (Kenya tax and pharmacy regulation requirement)
• Prescription records: 7 years (PPB regulatory requirement)
• Support conversations: 2 years
• Analytics data: 14 months (anonymised)

8 Data Security

We implement industry-standard technical and organisational measures to protect your data, including:

• HTTPS encryption for all data in transit
• Encrypted storage for sensitive data at rest
• Role-based access controls — staff can only access data required for their role
• Regular security audits and vulnerability assessments
• Secure, offsite backups

Despite our best efforts, no system is 100% secure. If you suspect your account has been compromised, contact us immediately at security@medmarket.co.ke.

9 Your Rights

Under the Kenya Data Protection Act 2019, you have the following rights regarding your personal data:

• Right to access: Request a copy of the personal data we hold about you
• Right to rectification: Correct inaccurate or incomplete data
• Right to erasure: Request deletion of your data where it is no longer necessary for the purpose it was collected (subject to regulatory obligations)
• Right to object: Object to processing of your data for direct marketing at any time
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, email us at dpo@medmarket.co.ke with your name, email address, and a description of your request. We will respond within 21 days as required by the DPA 2019.

10 Children’s Privacy

The Service is not directed at children under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal information, please contact us immediately and we will delete it promptly.

11 Third-Party Links

The Service may contain links to third-party websites (e.g. payment portals, partner sites). These sites have their own privacy policies, and MedMarket is not responsible for their practices. We encourage you to review the privacy policy of any third-party site you visit.

12 Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you via email or a prominent notice on the Service at least 14 days before the changes take effect. The “Last updated” date at the top of this page will always reflect the most recent revision.

13 Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or how we handle your data, please contact our Data Protection Officer:

• Email: dpo@medmarket.co.ke
• Postal address: MedMarket Pharmacies, Kimathi Street, Nairobi CBD, P.O. Box 00100, Nairobi, Kenya
• Phone: +254 700 000 000

You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) Kenya at www.odpc.go.ke.