Privacy Policy
Effective date: 10 March 2026
Version: 2.0
Published by: NASIHA DIGITAL HUB
Registered office: Hananasif, Kinondoni Makaburini, Dar es Salaam, United Republic of Tanzania
Personal Data Protection Commission registration: Registration application pending — we have begun the process of registering as a data controller under Section 14 of the Personal Data Protection Act, 2022, and will publish our registration number here as soon as it is issued by the Commission.
This is the Privacy Policy for Naseeha. It explains what personal information we collect about you, what we do with it, who we share it with, how we protect it, how long we keep it, and what you can do if you want to see it, change it, or delete it. We've tried to write it in plain English. If you only have a minute, the short version is this: we collect what we need to run the service, we keep your medical information confidential to the doctors who treat you and to the small group of people inside Naseeha who need access to make the platform work, we don't sell anything to advertisers or data brokers ever, and you can email our Data Protection Officer at dpo@nasihatz.org any time you want to know more, see what we hold about you, correct it, or have it deleted.
If you have time to read the whole thing, the rest of this document explains in detail. We owe you that explanation under the Personal Data Protection Act, 2022 (Act No. 11 of 2022, sometimes called "the PDPA"), and we owe it to you because you trust us with information about your body and your health, which is some of the most sensitive information there is.
1. Who is responsible for your information
The data controller for the personal information processed through Naseeha is:
NASIHA DIGITAL HUB
A limited liability company incorporated in the United Republic of Tanzania
Ada Estate, Kinondoni District, Dar es Salaam
We are currently in the process of registering with the Personal Data Protection Commission as a data controller under Section 14 of the Personal Data Protection Act, 2022. Until our registration number is issued, we operate under the lawful basis of contract performance with you and (for sensitive health data) the Section 30(5)(f) medical-purposes exemption. Our registration number will be published here as soon as it is available.
Whenever this policy says "we", "us", or "our", that's the company we mean. The Personal Data Protection Act calls us a "data controller", which is the legal way of saying we are the entity that decides why your personal information is collected and what happens to it. We take that responsibility seriously, because the PDPA holds us accountable for it under Section 5 of the Act, and because, more practically, you would have every right to be angry with us if we mishandled it.
We have appointed a Data Protection Officer under Section 27(3) of the Personal Data Protection Act. The DPO is the person inside Naseeha who is responsible for making sure we live up to what this policy says, who handles requests from you to access, correct, or delete your data, and who answers questions about how we process information. You can reach the DPO at:
- Email: dpo@nasihatz.org — please put "DPO" in the subject line so it gets routed correctly
- Post: Data Protection Officer, NASEEHA DIGITAL HEALTH LIMITED, Ada Estate, Kinondoni District, Dar es Salaam, United Republic of Tanzania
If you do not get a reply from the DPO within five working days, please follow up — sometimes things get lost in the inbox. We are a small team and we are committed to getting back to you, but we are not perfect at it.
2. The law that applies to this policy
This policy is written to comply with the Personal Data Protection Act, 2022 (Act No. 11 of 2022, Cap. 44 of the Laws of Tanzania), which is the controlling law for how organisations in Tanzania handle personal information. We also pay attention to:
- The Electronic and Postal Communications Act, 2010 (Act No. 3 of 2010), which governs aspects of electronic communications, SMS, and the related infrastructure we use to reach you;
- The Cybercrimes Act, 2015 (Act No. 14 of 2015), which sets out the criminal offences related to unauthorised access, interception, and abuse of computer data — and which gives us a legal basis to take action against people who try to break into accounts;
- The Electronic Transactions Act, 2015 (Cap. 442), which validates the digital signatures, click-through consents, and electronic records we rely on;
- The Medical, Dental and Allied Health Professionals Act, 2017 and the regulations issued under it, which govern the doctors who use the platform and which create certain confidentiality and record-keeping obligations that interact with this policy; and
- The codes of conduct and professional duties imposed on doctors by the Medical Council of Tanganyika.
If you are not in Tanzania and your local data protection law gives you stronger rights than the PDPA, we will respect those rights to the extent we are required to do so. Naseeha is built primarily for users in Tanzania, but we recognise that some users may be temporarily abroad or may have moved.
3. The kinds of information we collect
We collect different categories of information for different reasons. We try to collect as little as possible while still being able to deliver the service safely. The Personal Data Protection Act calls this principle "data minimisation", and it is set out in Section 5(c) of the Act. We follow it because the law says so and because it is good practice — the less we collect, the less there is to lose if something goes wrong.
3.1 Information you give us directly
When you create an account, when you book a consultation, when you talk to a doctor, when you upload a medical document, when you contact our support team, or when you fill in any form inside the app or on our website, you are giving us information directly. This typically includes:
- Your full legal name as it appears on your national ID or passport.
- A phone number you actually use, which we verify by sending you a one-time password by SMS during sign-up. This is also how we contact you for appointment reminders and how we identify you when you log in.
- An email address you can access, used for confirmations, receipts, and occasional important notices.
- Your date of birth, which we use to confirm you are old enough to use the service in your own name and which doctors use as part of clinical assessment (your age affects what is normal and what is concerning, what doses are safe, what conditions are likely).
- Your gender, where you choose to provide it, again because doctors use it as part of clinical assessment.
- A profile photo, if you choose to upload one. This is optional.
- A government-issued identity document in some circumstances — for example, when you are first registering as a doctor on the platform, or when we need to verify your identity to release a wallet refund, or when a regulator asks us to confirm the identity of a specific user. We do not require an ID document for routine patient registration.
- Your health information, which is the whole reason any of this exists. This includes the symptoms you describe to a doctor, the medical history you share, the medications you tell us you are taking, the allergies you have, the lab results and prescriptions you upload, the photos of a rash or wound you send to a doctor for assessment, and the written notes the doctor records during the consultation. We treat this category of information with the highest degree of care that the law and good practice allow.
- Your payment information — specifically, the mobile money phone number you use to pay for a consultation. We do not see, store, or have any access to your mobile money PIN, your bank login, your card number, or any other authentication credential. Those stay with the payment processor.
- Your messages to and from doctors during a consultation, and your messages to and from our support team when you contact us for help.
- Anything else you choose to send us in any communication channel we operate.
3.2 Information we collect automatically
When you use the Naseeha mobile app or website, some information is collected automatically by the technology itself. This includes:
- Device information — the type of device you are using, the operating system version, the app version, the device model, and the device's unique advertising identifier (where the operating system makes it available). We use this to make sure the app works correctly on your device, to identify the source of crashes and errors, and to push you the right type of notifications.
- IP address — your device's IP address when you connect to our servers. We use it for security purposes, including detecting suspicious login patterns, blocking fraudulent traffic, and identifying the rough geographic location of access (city or region, not street address).
- Approximate location, derived from your IP address. We do not collect precise GPS location unless you specifically grant the app permission to access it for a feature that needs it.
- Usage data — what screens you visited, what features you tapped, how long you spent in different parts of the app, what errors you encountered. We use this to find bugs, improve the user experience, and decide what to build next.
- Cookies and similar technologies on the website. The app does not use traditional browser cookies, but the website does, and Section 14 of this policy explains what they do.
- Push notification tokens — a long random string that the operating system generates for your device, which we need in order to deliver push notifications to your device. The token does not identify you personally; it identifies your device's notification channel.
- Crash reports — when something in the app crashes, we collect information about what was happening at the time of the crash. We try to scrub anything personally identifying out of crash reports before they reach our developers, but technical information like memory state and call stacks is unavoidable.
3.3 Information we collect from third parties
In limited circumstances, we receive information about you from third parties. These include:
- Your mobile network operator when you sign in by SMS one-time password — the operator confirms that the SMS was delivered and (for some operators) that the phone number is currently registered to a person at all.
- Your payment provider, when you complete or fail to complete a payment — we receive a confirmation of the transaction status, the amount, the reference number, and (in failure cases) the reason for the failure. We do not receive your payment credentials.
- Doctors on the platform, when they record consultation notes about you. These notes form part of your health information, and they are visible to you in your account.
- Authorities and regulators, where we are required by law to receive and act on information they send us. For example, if a court or the Medical Council of Tanganyika informs us that a doctor's licence has been suspended, we receive that information and act on it.
3.4 Sensitive personal data — special rules apply
Most of what doctors collect from you in a medical consultation is sensitive personal data under Section 3 of the Personal Data Protection Act. Sensitive personal data includes "data concerning health or sex life", "genetic data", "data related to children", and "financial transactions of the individual" — and a lot of what we handle for you falls into one of those categories.
Sensitive personal data is held to a higher standard under the PDPA. Section 30(1) of the Act says that we cannot process sensitive personal data without your prior written consent. We collect that consent at the point you create your account — you tap a checkbox confirming you have read this policy and the Terms of Service and that you agree to us processing your health information for the purpose of providing telemedicine services. We keep a record of when you gave consent and which version of this policy was in force at the time.
There is one practical exception that the PDPA itself recognises and that we rely on every day. Section 30(5)(f) of the Act says that the requirement for prior written consent does not apply where "the processing is necessary for the purposes of medical reasons in the interest of the data subject, and the sensitive personal data concerned is processed under the supervision of a health professional in accordance with the law governing such health care services." In plain English: when a doctor on Naseeha is treating you, they are processing your sensitive data under their professional licence and under the supervision required by the Medical, Dental and Allied Health Professionals Act, 2017. That counts as a separate legal basis for the doctor's processing of your data, and it lives alongside the consent you gave to us at registration.
This is why we are careful about who counts as a doctor on the platform. If a person were to provide medical consultations through Naseeha without a valid licence from the Medical Council of Tanganyika, the Section 30(5)(f) exception would not apply to their handling of your data, and we would all be exposed. We verify every doctor's licence before activating their account, and we re-verify periodically.
4. Why we collect what we collect
The Personal Data Protection Act, in Section 5(b), requires us to collect personal data only for "explicit, specified, and legitimate purposes" and not to use it later for purposes that conflict with those original purposes. So here is the honest, complete list of why we collect and use your information:
- To provide the service. To create your account, to log you in securely, to let you find a doctor, to book a consultation, to deliver the video and chat connection during a consultation, to record the consultation and store the doctor's notes, to send you appointment reminders, to issue a digital prescription where the doctor writes one, to maintain your health record over time, and generally to make Naseeha work the way it is supposed to work. Without your information, none of this is possible.
- To process payments. To accept payment for a consultation, to credit refunds to your wallet, to allow doctors to withdraw their earnings, to issue receipts, to keep accurate financial records that we can show the Tanzania Revenue Authority if asked, and to investigate disputes about charges. The legal basis for this is the contract between you and us — under Section 5(a) of the PDPA, processing for the performance of a contract you are a party to is lawful.
- To verify identity and prevent fraud. To make sure you are who you say you are, to detect attempts to use Naseeha for identity theft or money laundering, to investigate unusual patterns of behaviour, to lock accounts that have been compromised, and to protect both individual users and the platform as a whole from criminal activity. We have a "legitimate interest" in this under Section 5(a), and so do you — you do not want someone else booking consultations under your name or stealing your wallet balance.
- To comply with legal obligations. To respond to court orders, to cooperate with regulators, to keep records that the law requires us to keep (for example, financial records for the Tanzania Revenue Authority, or medical consultation records that doctors are obliged to retain under their professional duty), and to report serious incidents to the Personal Data Protection Commission as required by Section 27(5) of the PDPA.
- To provide customer support. When you write to us, we read your message, look up your account, check what happened, and reply. This requires us to access your information.
- To improve the platform. We look at how features are being used, what is breaking, where users are getting stuck, and what we should build next. As far as possible, we do this with aggregated data that does not identify individual users, but sometimes we need to look at a specific case in detail to understand what went wrong.
- To send you essential service messages. Appointment reminders, payment confirmations, security notifications, account updates, password reset codes, and notices about changes to this policy or the Terms of Service. These messages are part of the service and you cannot opt out of them while keeping the account active.
- To send you optional messages about new features, occasional health tips, or product updates — but only if you have opted in. You can opt out at any time without affecting any other part of your relationship with us. We do not enrol you in marketing by default.
- To defend ourselves and our doctors in legal disputes. If you bring a complaint against us or against a doctor, or if a third party makes a claim that involves your account, we may need to access and process your information to investigate and respond. We will do this carefully and only to the extent necessary.
We do not use your information for any of the following:
- We do not sell your personal data, your health information, or anything derived from them to advertisers, data brokers, insurers who are not already your insurer, employers, market research firms, or anyone else. We are a healthcare service, not a data business.
- We do not use your medical information to target you with advertising. The app does not contain ads. The website does not run behavioural advertising.
- We do not share your information with the doctor's family, your family, your employer, or anyone else without your explicit consent or a clear legal obligation that overrides confidentiality.
- We do not feed your medical information into general-purpose AI training systems. If we ever introduce AI features that process your information (for example, an AI-assisted symptom checker, or a tool that helps doctors summarise consultation notes), we will tell you about it specifically, we will explain what data the AI sees, and we will give you a meaningful way to opt out — see Section 12 of this policy on automated decisions.
5. The legal basis for everything we do with your information
The Personal Data Protection Act requires us to be able to point to a specific legal basis for every category of processing we carry out. Here is the mapping:
| What we do | Legal basis under the PDPA |
|---|---|
| Creating your account, signing you in, basic platform functions | Performance of the service contract between you and us (PDPA Section 5(a) — lawful processing) |
| Processing your sensitive health data during a consultation | The Section 30(5)(f) medical purposes exemption — processing under the supervision of a registered health professional |
| Processing your sensitive health data outside a consultation (e.g. storing your historical record) | Your prior written consent given at registration (PDPA Section 30(1)) |
| Processing payment information | Performance of the service contract (PDPA Section 5(a)); financial-record-keeping legal obligations under the Tax Administration Act |
| Sending you essential service messages (appointment reminders, OTPs, password resets) | Performance of the service contract |
| Sending you optional marketing messages | Your specific opt-in consent, which you can withdraw at any time (PDPA Section 5(a) and our Section 7 below) |
| Verifying identity and preventing fraud | Our legitimate interest in protecting the integrity of the platform and your interest in not being defrauded |
| Responding to a court order, regulator, or other legal obligation | Compliance with a legal obligation (PDPA Section 25(2)(f)) |
| Defending ourselves or a doctor in a legal claim | Establishment, exercise, or defence of legal claims |
| Improving the platform through analytics | Our legitimate interest in operating and improving the service, balanced against your privacy through aggregation and minimisation |
If you ask us in writing, the DPO will explain in more detail the specific legal basis for any specific use of your data — that's part of what the Section 33 right of access (see Section 9 below) means in practice.
6. Who we share your information with
We share your information with as few people as possible, and only for the reasons set out in this section. We have written contracts with every external organisation that processes data on our behalf, as required by Section 27(4) of the Personal Data Protection Act. Each of those contracts requires the organisation to act only on our instructions, to keep your information confidential, to apply appropriate security measures, to notify us promptly of any incident, and to delete or return the data when our relationship with them ends.
6.1 Doctors on the platform
The most obvious sharing is with the doctor you book a consultation with. The doctor sees:
- Your name, age, gender, and any health information you choose to share with them in the consultation.
- The history of any previous consultations you have had with that same doctor.
- Any medical documents you upload before or during the consultation.
- The chat or call session itself.
A doctor on the platform does not see your consultations with a different doctor unless you specifically authorise the sharing (for example, by explicitly forwarding a previous consultation note to a new doctor for context). We do not share your full medical history across doctors automatically, because we believe that decision belongs to you, not to us.
Doctors are bound by their own professional duty of confidentiality under the Medical, Dental and Allied Health Professionals Act, 2017 and under the codes of the Medical Council of Tanganyika. They can be disciplined or struck off for breaches of that duty. Their handling of your data sits within their professional accountability, in addition to our contractual relationship with them.
6.2 Naseeha staff
A small number of Naseeha employees and contractors have access to user data, strictly limited to the minimum needed for them to do their job. These include:
- Customer support agents, who can see your account details, your booking history, and the metadata of your consultations (when, with whom, what status), so they can help you when you write in. Support agents do not routinely read the content of your consultations, and where they need to (for example, to investigate a complaint about a specific consultation), the access is logged and reviewed.
- Engineers, who maintain the platform and may need to look at production data to diagnose bugs or investigate security incidents. Engineering access to identifiable health data is restricted, audited, and used only when no anonymised alternative would solve the problem.
- The Data Protection Officer, who has access for the specific purpose of handling data subject requests and investigating potential breaches.
- Senior management, in connection with specific incidents, regulatory matters, or oversight responsibilities — never for routine review of user activity.
Everyone with access is bound by a written confidentiality agreement and is subject to the same legal duties as the company itself. We do not allow personal devices to be used to access user data; access happens through controlled work environments with multi-factor authentication.
6.3 Service providers (categorical disclosure)
We use a number of third-party service providers to operate the platform. We have made a deliberate choice in this policy to disclose them by category rather than by individual company name, partly to protect commercially sensitive information about our infrastructure choices and partly because the specific providers may change from time to time as we re-evaluate our stack. Categorical disclosure is permitted by Section 23(2) of the Personal Data Protection Act, which requires us to tell you the "intended recipients of the personal data" without mandating a particular level of granularity.
The categories are:
- Cloud hosting and database providers, who run the servers where Naseeha's data lives. They store the data, they back it up, and they ensure that the service can continue to run if any single component fails. They process all of the data we hold, but they hold it under contractual confidentiality obligations and do not access it except for system administration and security incident response.
- Payment processing providers, who handle the actual movement of money for consultation fees, refunds, and doctor payouts. They receive your phone number, the amount of the transaction, a transaction reference, and (in some cases) the result of identity-related checks required by anti-money-laundering law. They are independently regulated by the Bank of Tanzania.
- Video and audio infrastructure providers, who supply the underlying technology that lets you talk to a doctor in real time. The video and audio streams pass through their infrastructure during the consultation and are encrypted end-to-end during the call itself. The provider does not retain a copy of the call content unless we (or you) specifically ask for the call to be recorded, and we do not enable recording without notice and consent.
- Push notification providers, who deliver the push notifications you see on your device's lock screen. They receive a device-specific notification token (which does not identify you personally) and the content of the notification.
- SMS delivery providers, who deliver the one-time passwords and other text messages we need to send to your phone. They receive your phone number and the message content.
- Email delivery providers, who deliver the receipts, password reset emails, and other transactional emails we send. They receive your email address and the message content.
- Crash reporting and analytics providers, who collect anonymised technical data about how the app is performing and where it is breaking. We configure these providers to scrub personally identifying information from the data they receive, and they do not access the contents of consultations.
- Identity verification providers, where we need to verify a national ID or passport for a specific compliance reason. They receive only the document we send them and the result of the verification check.
If you would like to know the specific named providers in any of these categories, you can email our DPO at dpo@nasihatz.org and we will share the list with you. We do not publish the list on this page, but we do not hide it from data subjects who ask.
Several of these providers are headquartered or operated outside Tanzania, which means that some of your information is transferred internationally. Section 7 below explains what we do about that.
6.4 Authorities and legal disclosures
We share information with government authorities, courts, regulators, and law enforcement agencies in two situations:
- When the law requires us to share it. If a court issues a valid order requiring us to disclose specific information, if a regulator with proper authority demands specific records, or if a statute imposes a reporting obligation on us that we cannot lawfully refuse, we comply. Where the law allows us to challenge the order or to notify you that the disclosure has happened, we will do so.
- When we believe sharing is necessary to prevent imminent serious harm. If we receive credible information that someone is about to be seriously hurt — a clear suicide threat through the platform, evidence that a child is being abused, a credible threat to another user's life — we may share information with the appropriate authorities even without a formal legal order, where doing so is permitted by Section 25(2)(e) of the Personal Data Protection Act ("processing necessary to prevent or lessen a serious and imminent threat to the life or health of the data subject or another person"). We do not do this lightly.
6.5 Business transactions
If we ever sell Naseeha, merge with another company, restructure, transfer assets, or undergo any similar corporate change, your information may be transferred to the acquiring or successor entity as part of the transaction. If that happens:
- The successor entity will be bound by this Privacy Policy until they update it (and any update would itself require notice to you under Section 17 below).
- The successor entity will inherit our obligations under the Personal Data Protection Act and our contractual commitments to you.
- You will be notified of the change in advance where it is reasonably possible to do so, and you will have a reasonable opportunity to delete your account before the transfer takes effect if you would prefer not to have your data go to the successor entity.
We mention this not because we are planning to sell — we are not — but because the Personal Data Protection Act expects us to disclose the possibility, and because we want you to know what would happen if circumstances changed.
6.6 What we do not share
To make absolutely clear what we do not do:
- We do not sell, rent, lease, or otherwise commercially provide your personal information to any third party for that third party's own marketing, profiling, or business purposes.
- We do not share your medical history with insurers, employers, landlords, or any other party who might use the information against you, unless you specifically and freely authorise it in writing for a specific purpose.
- We do not publish your name, your photo, your medical information, or your reviews on any public-facing surface in a way that could identify you to people who do not already know you, unless you have asked us to do so.
- We do not feed your data into machine learning models operated by third parties for those third parties' general training purposes.
7. Where your information goes — international transfers
The Personal Data Protection Act, in Sections 31 and 32, imposes specific rules on transferring personal data outside Tanzania. At the time this policy is published, the Personal Data Protection Commission has not published a list of countries that it considers to provide an "adequate level of protection" for personal data, so for legal purposes we treat every transfer outside Tanzania as a transfer to a non-adequate country governed by Section 32 of the Act.
Some of the service providers in the categories listed in Section 6.3 above are located outside Tanzania, including in countries in Europe, North America, Africa (other than Tanzania), and Asia. When we use a provider that is located outside Tanzania, your information will be transferred to that country to the extent necessary for the provider to do its job. The information is held under the same contractual confidentiality obligations whether it is in Tanzania or elsewhere, but we recognise that the laws of other countries may differ from Tanzanian law in ways that matter to you.
The legal basis we rely on for these transfers is Section 32(4)(b) of the Personal Data Protection Act, which permits a transfer to a non-adequate country where "the transfer is necessary for the performance of a contract between the data subject and the data controller". By creating an account and using Naseeha, you are entering into a contract with us, and the transfers we make are necessary for us to perform our side of that contract. Without them, we could not run the platform, process your payments, deliver video calls, or contact you with appointment reminders.
In addition to this contractual basis, we rely on your explicit consent, which you give when you tick the box accepting these terms and this policy at registration — Section 32(4)(a) of the Act recognises consent as an additional independent ground for cross-border transfer.
We have done a written internal assessment, as required by Section 31(3) of the Act, of the necessity and proportionality of each cross-border transfer we make. The assessment is held by the DPO and is available for inspection by the Personal Data Protection Commission on request.
If you are not comfortable with your information being transferred outside Tanzania, your remedy is to stop using Naseeha and delete your account under Section 14 of the Terms of Service. We are not in a position to offer a Tanzania-only version of the service today. If that ever changes — for example, if a Tanzanian provider becomes available for every category of infrastructure we need — we will update this policy and inform you.
8. How long we keep your information
The Personal Data Protection Act, in Section 5(e), tells us to store personal data "for no longer than is necessary for the purposes for which the personal data is processed." We try to honour that. Different categories of data are kept for different periods, and the specific periods depend on the type of data, the legal obligations attached to it, and our legitimate need to retain it.
Here is what we keep, and for how long:
- Account information (name, contact details, registration metadata) — for as long as your account is active, plus up to 12 months after you delete your account, so we can prevent the same identifiers being immediately reused for fraud.
- Health records and consultation notes — for up to seven (7) years after the date of the consultation or the closure of your account, whichever is later. This period reflects the professional record-keeping obligations that apply to doctors as licensed healthcare providers under Tanzanian medical law, and it gives us enough time to defend against medical claims that may arise long after the consultation took place.
- Chat messages with doctors — for the same seven-year period as the consultation notes, because chat messages are part of the consultation record.
- Chat messages with our support team — for up to three (3) years, so we can investigate complaints, train our team, and demonstrate that we handled support requests properly.
- Payment records and transaction history — for at least five (5) years, as required by the Tax Administration Act, 2015 and related financial-record-keeping legislation. We may keep them longer if a specific transaction is the subject of a dispute or investigation.
- Identity verification data (where collected) — for as long as the regulatory purpose that required us to collect it remains active, and not longer.
- Login and security logs (IP addresses, device IDs, login times) — for up to one (1) year for routine security purposes, or longer where the logs are part of an active investigation.
- Crash reports and technical analytics — typically retained for 90 days in identifiable form, and then aggregated or deleted.
- Marketing preferences — for as long as your account is active, or until you opt out, whichever is sooner. If you opt out, we keep a record of the fact that you opted out (without the rest of your marketing data) so that we do not accidentally send you marketing again.
- Audit logs of administrative actions inside Naseeha — for as long as we are likely to need them to demonstrate compliance, typically several years.
After the retention period for a category ends, we either delete the data or anonymise it so that it can no longer be linked back to you. Anonymised data is no longer personal data under the PDPA, and we may keep it indefinitely for statistical, research, and improvement purposes.
There are a few situations where we may keep data beyond the standard retention period:
- If the data is the subject of a legal hold — for example, an active dispute, investigation, or regulatory inquiry — we keep it until the hold is lifted.
- If we are required by a specific law to keep it longer.
- If the data is needed to defend a claim that has been brought or is reasonably likely to be brought.
9. Your rights as a data subject
The Personal Data Protection Act gives you a set of specific rights over your personal information. These rights are mandatory under the Act and we cannot waive them or limit them in our contract with you. The rest of this section explains each right and how to exercise it.
9.1 The right of access (Section 33 of the PDPA)
You have the right to ask us whether we hold any personal data about you, and if we do, to receive a description of what we hold, what purposes we use it for, and which categories of recipients have access to it. You also have the right to a copy of the data itself in a reasonable format. If we use any solely automated decision-making in a way that significantly affects you, you have the right to be told about the logic involved.
To exercise this right, write to the DPO at dpo@nasihatz.org and explain what you are asking for. We will respond within thirty (30) days of receiving a complete request. If your request is complex or we need to verify your identity in more detail, we may extend the response time by up to thirty more days, in which case we will tell you why before the original thirty-day period ends.
There is no charge for a routine access request. If your requests become excessive or manifestly unfounded — for example, repeated identical requests every few days — we may charge a reasonable administrative fee or refuse to act on the request, but we will explain why.
9.2 The right to correction (Section 29 of the PDPA)
If any of the personal data we hold about you is inaccurate, incomplete, or misleading, you have the right to ask us to correct it. You can correct most basic profile information yourself through the app's settings. For corrections to information you cannot edit yourself — for example, the content of a doctor's consultation notes, where the correction is medically significant — write to the DPO at dpo@nasihatz.org, explain what is wrong, and tell us what it should say. The DPO will investigate and either make the correction or explain why we cannot.
For consultation notes specifically, we generally do not change a doctor's clinical record, because the integrity of the medical record is itself a professional obligation. Instead, we may add a correction note or annotation that becomes part of the record. The doctor may need to be involved.
9.3 The right to erasure (Section 38 of the PDPA)
You have the right to ask us to delete your personal data. The simplest way to exercise this right is to delete your account through Settings → Account → Delete Account in the app, or by going to https://nasihatz.org/account-deletion on the web. Both options trigger the same six-day grace period and the same deletion process described in Section 14 of our Terms of Service.
For more selective deletion — for example, asking us to delete a specific consultation record without deleting your whole account — write to the DPO. We will respect your request to the extent possible, but please be aware that some categories of data cannot be deleted before the end of their retention period for legal reasons (see Section 8 above on retention).
9.4 The right to object to processing (Sections 34 and 35 of the PDPA)
You have the right to object to certain kinds of processing:
- Marketing: Section 35 gives you an absolute right to opt out of direct marketing. You can opt out through the app's notification settings, by clicking the unsubscribe link in any marketing email, or by writing to the DPO. We will stop using your data for marketing immediately when you opt out.
- Processing likely to cause damage: Section 34 gives you the right to require us to suspend or stop processing that is causing or likely to cause "substantial damage or substantial distress" to you. If you exercise this right, write to the DPO and explain what processing you are objecting to and why. We will consider the request within thirty days. We may refuse if the processing is necessary for the contract between us, for compliance with a legal obligation, or for the establishment or defence of legal claims, but we will explain our reasoning if we refuse.
9.5 The right to restrict or block processing
In some circumstances — for example, while we are investigating a correction request, or while a dispute is being resolved — you can ask us to restrict the processing of your data so that we hold it but do not actively use it. Write to the DPO if you want to exercise this right.
9.6 The right to data portability
You have the right to ask us for an export of the personal data you have provided to us in a structured, commonly used, machine-readable format, so that you can take it to another service if you wish. We will provide the export within thirty days of a request to the DPO. The export covers data you provided directly — your profile, your uploaded documents, your messages — and may not cover data that was generated about you, such as fraud-detection scores or aggregated analytics.
9.7 The right not to be subject to solely automated decision-making (Section 36 of the PDPA)
You have the right not to be subject to a decision that has a significant effect on you and that is based solely on automated processing of your data. At the time this policy is published, Naseeha does not make any solely automated decisions that significantly affect users. If we ever introduce features that do — for example, an automated risk score that affects whether you can withdraw from your wallet, or an AI triage tool that decides which consultations to prioritise — we will update this section, we will tell you specifically how the automation works, and we will give you a clear way to ask for a human review.
Section 12 of this policy goes into more detail about our current and future use of automation and AI.
9.8 The right to compensation (Section 37 of the PDPA)
If we (or a doctor on the platform) violate the Personal Data Protection Act in a way that causes you damage, you have the right to claim compensation under Section 37 of the Act. "Damage" under the Act includes financial loss and damage that does not involve financial loss, such as distress. You can pursue a compensation claim through the dispute resolution process in Section 15 of our Terms of Service, or directly with the courts.
9.9 The right to withdraw consent
Where we are processing your data based on your consent, you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing that happened before you withdrew. To withdraw the consent you gave at registration to the processing of your sensitive health data, write to the DPO at dpo@nasihatz.org. We will stop processing your sensitive data for any purpose that depends on consent (as opposed to one of the other legal bases listed in Section 5 of this policy), and we will explain the practical consequences before you finalise the withdrawal — typically, the consequence is that the account becomes unusable, because the service depends on processing the data.
9.10 The right to complain to the Personal Data Protection Commission (Section 39 of the PDPA)
If you believe we have mishandled your personal data and you are not satisfied with how we have responded to your concerns, you have the right to complain directly to the Personal Data Protection Commission. The Commission's contact details are published on https://www.pdpc.go.tz. You do not have to come to us first before complaining to the Commission, but we would appreciate it if you did, because we generally prefer to fix problems ourselves rather than be told to fix them by a regulator.
10. How we keep your information secure
We are required by Section 27 of the Personal Data Protection Act to apply "appropriate security safeguards" to your personal data. The standard depends on the state of technology, the cost of implementing the safeguards, the nature of the data, and the risks involved. Health data warrants a higher standard than, say, an email newsletter list, and we treat it accordingly.
The specific measures we apply include the following. We are deliberately not publishing the full set of technical details, both because some of them would be useful to attackers and because they evolve over time, but the high-level picture is honest:
- Encryption in transit: All communication between the Naseeha app or website and our servers is encrypted using TLS (Transport Layer Security) version 1.2 or higher. This protects data while it is moving across the network.
- Encryption at rest: Our databases and file storage encrypt data at rest, using encryption keys held under controlled access. If somebody were to physically obtain a backup copy of our database, they would have a file full of unreadable bytes rather than usable data.
- Access controls: Access to user data inside Naseeha is restricted on a need-to-know basis. Most employees have no access to user data at all. Those who do (described in Section 6.2 above) authenticate with multi-factor authentication and their access is logged.
- Authentication and account security: We require strong passwords for new accounts, we send one-time passwords by SMS for login from new devices, we throttle failed login attempts to prevent brute-force attacks, and we monitor for anomalous login patterns.
- Network security: Our backend services sit behind firewalls and rate limiters, and we have web application firewall protection at the edge.
- Webhook signature verification: Incoming webhook callbacks from payment processors are verified using cryptographic signatures, so we do not accept faked payment confirmations.
- Patching and updates: We update our software dependencies and our underlying systems regularly to address known security vulnerabilities.
- Backup and disaster recovery: We back up the production database on a regular schedule and test the restore process so that we can recover from a hardware failure or a serious incident.
- Vendor due diligence: We choose our third-party processors with security in mind, and we contractually require them to meet appropriate security standards.
We do not claim to have any of the following, because they would either be untrue or would imply a level of certainty no honest engineer can promise:
- We do not claim that the platform is "100% secure" or "unhackable". No system is.
- We do not claim end-to-end encryption for all communications. The video and audio of a consultation are encrypted end-to-end by our underlying infrastructure provider during the call. Chat messages and stored health records are encrypted in transit and at rest, but they are not end-to-end encrypted in the strict cryptographic sense, because we and the doctors need to be able to read them to deliver the service.
- We do not claim continuous monitoring by a 24/7 security operations centre. We have monitoring in place during business hours and on-call coverage outside business hours, but we are a small team and we are honest about the limits of what we can staff.
If a security incident affects your personal data and the incident is likely to result in any meaningful risk to you, we will notify you and (where Section 27(5) of the PDPA requires) we will notify the Personal Data Protection Commission "without undue delay" — in practice, as soon as we have enough information to make the notification meaningful and accurate. We will tell you what happened, what kind of data was involved, what steps we are taking to contain and remedy it, and what (if anything) we recommend you do.
11. Cookies and similar technologies on the website
Our website at https://nasihatz.org uses cookies and similar technologies for the following limited purposes:
- Strictly necessary cookies: To make the site work — remembering whether you have dismissed a banner, holding session state, etc. These cannot be turned off without breaking the site, and they do not require your consent because they are essential.
- Preferences: Remembering your language choice or theme preference.
- Anonymous analytics: Counting how many people visit the site and which pages they look at, in aggregate, so we can understand what works and what doesn't. We have configured our analytics provider to anonymise IP addresses where possible and not to track individuals across sessions.
We do not use:
- Behavioural advertising cookies.
- Cross-site tracking pixels.
- Third-party advertising networks.
- Cookies that build a profile of you across different websites for marketing purposes.
The Naseeha mobile app does not use traditional browser cookies. It uses the device's local storage and secure storage to remember your login session and your preferences, in the way that is normal for native mobile apps.
12. Children's data and parental consent
Naseeha is not designed for children under 18 to use independently, and we do not knowingly process the personal data of a person under 18 without the consent required by the Personal Data Protection Act. Section 30(4) of the Act, which we have already mentioned several times, requires that consent for the processing of sensitive personal data of a person who is a "minor, a person of unsound mind, or any other person unable to consent" be obtained from a "parent, guardian, heir, attorney, or any other person recognised by law to be acting on behalf of the person whose consent is to be sought".
In practice, this means:
- A parent or legal guardian who registers an account on behalf of a minor takes on the responsibility for that account, and grants consent for the processing of the minor's health information at registration.
- The parent or guardian must use their own real identity when registering, and must be the person who controls the login credentials.
- Where the child being treated is younger than 13, we expect the parent or guardian to be present during the consultation. The doctor may decline to provide care if the parent is not present.
- If we discover that a person under 18 has registered without parental or guardian consent, we will close the account and delete the data, except where retention is required by law.
If you are a parent or guardian and you believe that your child has registered without your knowledge, please write to the DPO at dpo@nasihatz.org immediately so we can take action.
13. Automated decision-making and AI
At the time this policy is published, Naseeha does not make any decisions that have a significant effect on you and that are based solely on automated processing. The decisions that matter to your care — diagnoses, prescriptions, referrals, treatment plans — are made by the doctor, in their professional judgement, after a real human consultation. The decisions that affect your account — refunds, suspensions, terminations — are reviewed by a human member of our team.
We do use automation in the background for things that are not "significant decisions" in the legal sense:
- Detecting suspicious login patterns and triggering additional verification.
- Routing customer support messages to the right team based on keywords.
- Sending appointment reminders.
- Calculating wallet balances and applying refunds.
- Recommending doctors based on their availability and the type of consultation you are looking for.
If we ever introduce features that involve automated decisions of the kind covered by Section 36 of the Personal Data Protection Act — for example, an automated screening tool that decides whether your symptoms warrant a same-day consultation, or an AI summarisation tool that helps doctors generate notes from consultations — we will:
- Update this policy to describe the feature, the data it uses, and how it makes its decisions.
- Notify you in the app before the feature affects you.
- Give you a meaningful right to opt out and to have a human review any decision that affects you.
- Make sure the underlying logic is documented, tested, and aligned with the doctor's professional duties.
We treat the introduction of AI into healthcare with caution. AI can be useful, but it can also be wrong in ways that matter, and we would rather move slowly and get it right than ship something flashy that hurts people.
14. Security incidents and breach notification
The Personal Data Protection Act, in Section 27(5), requires us to notify the Personal Data Protection Commission "without any undue delay" of any security breach affecting personal data being processed by or on our behalf.
If a security incident affects your personal data and is likely to result in any meaningful risk to you, we will:
- Investigate the incident promptly to understand what happened, what data was affected, and what we need to do about it.
- Take immediate steps to contain the incident and prevent it from spreading.
- Notify the Personal Data Protection Commission within the timeframe required by the Act (in practice, we treat 72 hours from confirmation of a notifiable incident as the practical ceiling).
- Notify you directly if your data was affected and the risk to you is meaningful, by email and (for serious incidents) by SMS or in-app notice.
- Tell you what data was involved, what we believe happened, what we are doing about it, what (if anything) we recommend you do, and how to contact us with questions.
- Cooperate fully with the Commission and with any investigation.
Some incidents are not "breaches" in the legal sense — for example, an attempted but unsuccessful intrusion, or a near-miss caught by our monitoring before any data was actually exposed. We log and learn from those internally, but we do not always notify users about them, because doing so for every near-miss would generate noise that obscures the real signal.
15. How to contact us about this policy
For anything in this policy:
Data Protection Officer
NASIHA DIGITAL HUB
Email: dpo@nasihatz.org (please put "DPO" in the subject line)
Post: Ada Estate, Kinondoni District, Dar es Salaam, United Republic of Tanzania
For everything else:
General support: support@nasihatz.org
Phone: +255 655 178 217 (business hours, East Africa Time)
Website: https://nasihatz.org
16. Personal Data Protection Commission
If you are not satisfied with how we have handled your personal data, you have the right to lodge a complaint with the Personal Data Protection Commission of the United Republic of Tanzania. The Commission can be reached through its website at https://www.pdpc.go.tz. You can complain to the Commission whether or not you have first complained to us.
We would prefer that you give us a chance to fix the problem first — most data protection issues are easier to resolve directly than through a regulator — but the right to complain to the Commission is yours and we are not allowed to require you to use any particular complaints process before exercising it.
17. Changes to this policy
We may update this Privacy Policy from time to time. The reasons we update it include:
- Changes in the law (for example, when the Personal Data Protection Commission issues new regulations under the Act).
- Changes in our service (for example, when we add a new feature that requires processing different categories of data, or when we change the categories of service providers we work with).
- Changes in our internal practices or in our security and privacy program.
- Clarifications we make in response to questions from users or regulators.
When we update the policy, we will:
- Post the new version at https://nasihatz.org/privacy-policy with a new effective date and version number.
- Update the version that the mobile app fetches from our backend.
- Show you a notice inside the app the next time you open it, summarising what changed.
- For changes that materially affect your rights or our obligations to you — for example, a new category of data we collect, a new category of recipient we share with, or a new purpose of processing — email you at the address on your account at least thirty (30) days before the new version takes effect.
- For minor changes (typos, clarifications, contact detail updates), the change takes effect on the date shown at the top of the new version with no advance notice.
We keep previous versions of this policy and can provide a copy on request through the DPO if you want to see what was in effect at a particular time.
18. Final notes
This Privacy Policy is published in English. We may provide translations into Swahili or other languages for the convenience of users, but in case of any conflict, the English version prevails.
This Privacy Policy forms part of the agreement between you and NASEEHA DIGITAL HEALTH LIMITED under our Terms of Service. Where there is any inconsistency between this Privacy Policy and the Terms of Service on a matter of data protection or personal information handling, this Privacy Policy prevails for that matter, because it is drafted to be consistent with the Personal Data Protection Act, 2022. On all other matters, the Terms of Service prevail.
If you have read this far, thank you. Personal data and health information are not abstract topics for us — they are the trust you place in us when you tell a doctor on Naseeha what is wrong, when you let us hold the record of that consultation, and when you come back to us the next time. We try to be worthy of that trust. If we ever fall short, please tell us, and please give us a chance to make it right.
This Privacy Policy is published by NASIHA DIGITAL HUB, a company incorporated under the laws of the United Republic of Tanzania. Version 2.0, effective 10 March 2026.