Privacy Policy

Last updated 16 May 2026 · Version 1.0

Who we are

This policy applies to Primrose Rehab and Wellness, the operator of this website and the residential treatment facility located at Thindigua, Kiambu Road, Nairobi. We are registered with the National Authority for the Campaign Against Alcohol and Drug Abuse (NACADA) as a treatment provider.

For the purposes of the Data Protection Act 2019 of Kenya, Primrose Rehab and Wellness is the Data Controller for the information described in this policy. We are registered with the Office of the Data Protection Commissioner of Kenya (ODPC).

Our Data Protection Officer can be contacted at dpo@primroserehab.org or by post at the address above.

What this policy covers

This policy explains what information we collect about you, why we collect it, how we use and protect it, who else may see it, and the rights you have over it. It covers data we collect through:

  • This website — including contact forms, enquiry forms, and any analytics we operate
  • Direct contact with us — phone calls, WhatsApp messages, SMS, and email
  • Admission, treatment, and aftercare — including clinical notes, family information, and billing records
  • Visits to our premises — including any visitor sign-in or CCTV footage

If we collect data from you in a context not described here, we will explain at the point of collection what we are doing and why.

The data we collect

The data we hold about you depends on whether you are a website visitor, an enquirer, a current client, a family contact, or a former client. Broadly, we collect:

Category: What it includes

  • Identification & contact: Full name, date of birth, ID or passport number (where required for admission), phone numbers, email, physical address, next-of-kin details.
  • Enquiry information: The details you share when you contact us about admission, for yourself or on behalf of someone else, including a description of the situation you are calling about.
  • Health & clinical data: Medical history, current medication, substance-use history, mental-health history, assessment results, clinical notes from your treatment, discharge plan, and aftercare records. Treated as sensitive data (see Section 5).
  • Family & system data: Information about your family system relevant to family therapy and aftercare, including contact details for family members who participate in the family programme.
  • Financial data: Information needed for billing, such as invoicing details, insurance scheme membership (e.g., SHA), and payment records. We do not store full bank or card numbers; payment processors handle those directly.
  • Website & technical data: IP address, browser type, pages viewed, referring URL, approximate location derived from IP, and any cookies you accept (see Section 11).
  • Premises data: Visitor sign-in records and CCTV footage covering common areas, retained for security purposes.

We collect this data directly from you in most cases. Where it comes from someone else — for example, a referring doctor, a family member making the initial enquiry, or an insurance provider — we tell you when we first interact with you directly.

Why we use your data, and our legal basis

The Data Protection Act requires us to have a lawful reason for processing your personal data. For each thing we do with your data, the legal basis is one or more of the following:

  • Consent — where you have given clear, specific, informed consent for a particular use (e.g., signing up to receive non-essential communications).
  • Contract — where we need the data to enter into or perform a treatment agreement with you.
  • Legal obligation — where the law requires us to process or report (e.g., regulatory reporting to NACADA or the ODPC).
  • Vital interests — where processing is necessary to protect your life or someone else’s, including emergency clinical situations.
  • Legitimate interests — where processing is necessary for a legitimate purpose we have, and your interests, rights and freedoms do not override that purpose (e.g., basic website security logs).

In practical terms, the most common reasons we hold and use your data are: to respond to your enquiry; to assess clinical suitability; to deliver the agreed treatment safely; to coordinate family therapy and aftercare; to bill correctly and to recover insurance entitlements; to meet regulatory and reporting obligations; and to keep the premises and our systems secure.

Sensitive health data — the extra care we take

The Data Protection Act treats data about your physical or mental health, substance use, and related matters as sensitive personal data. We can only process such data under stricter conditions — typically with your explicit consent, or because the processing is necessary for the provision of healthcare, or to protect your vital interests when you cannot consent.

In a treatment context, sensitive health data is the heart of what we hold about you. We commit to:

  • Asking for explicit consent at admission to collect and process the clinical information needed to deliver treatment.
  • Limiting access to clinical files to the staff who need them to deliver your care — therapists, the consulting psychiatrist, nursing, and necessary support staff.
  • Not disclosing clinical content to any third party — including family members — without your specific consent, except where the law requires it or where life is at immediate risk.
  • Treating any disclosure differently from the consent to receive treatment. Consenting to treatment is not the same as consenting to share clinical detail.

Confidentiality between client and family

Family members who are paying for treatment, or who initiated the enquiry, are not automatically entitled to clinical detail about an adult client. Where family members participate in family therapy, the content of those sessions is governed separately under that programme’s confidentiality framework.

Who we share your data with

We do not sell your data. We do share specific categories of data with specific parties, only when there is a clear reason and a lawful basis. These parties fall into the following groups:

  • Our clinical and operations team — internal staff with role-based access to the data they need to do their job. Therapists see clinical notes; finance sees billing records; reception does not see clinical notes.
  • Healthcare partners and referring clinicians — where your care requires it, and where you have consented, we share the minimum data needed to coordinate (e.g., medication list with a post-discharge psychiatrist).
  • The Social Health Authority (SHA) and any other insurer — for verification of cover and processing of claims, limited to what each scheme requires.
  • Regulators and public authorities — including NACADA and the ODPC, where statutory reporting or lawful information requests apply.
  • Law-enforcement and courts — only where we are required to provide data by a valid court order or applicable legal process.
  • Service providers acting on our instructions — including our IT and cloud-hosting providers, secure email and messaging services, accounting and payroll providers. These providers are bound by written contracts to process the data only for the purposes we specify and to keep it secure.
  • In emergencies — emergency services and treating clinicians, where there is an immediate risk to your life or to the life of another person.

How long we keep your data

We keep personal data only for as long as we need it for the purposes set out in this policy, or for as long as the law requires. The retention periods below are our defaults; specific data may be kept longer where a legal or clinical reason applies, and we will explain that if it affects you.

Data type: Retention period

  • Enquiry data (where you did not become a client): Up to 12 months from last contact, then deleted unless you have asked us to keep your details on file.
  • Clinical records (adult clients): A minimum of 7 years from the date of last treatment, in line with healthcare records-retention standards in Kenya.
  • Clinical records (clients who were minors at the time of treatment): Until the client’s 25th birthday, or 7 years from the date of last treatment, whichever is later.
  • Financial & tax records: At least 7 years, in line with tax-law requirements.
  • CCTV footage: 30 days, except where an incident requires longer retention.
  • Website analytics: 26 months for aggregated analytics; shorter for any identifiable session data.

International transfers

Some of our service providers — including email, document storage, and website hosting — operate from servers located outside Kenya. Where personal data is transferred outside Kenya, we ensure the transfer meets the conditions set out in Sections 48 and 49 of the Data Protection Act, including by relying on adequacy findings, contractual safeguards, or your explicit consent where required.

We do not transfer sensitive clinical data outside Kenya for any purpose other than the operation of the secure cloud services that store our records. If you would like a list of the specific service providers we use and the countries they operate from, please email our DPO.

Your rights under the Data Protection Act

The Data Protection Act gives you specific rights over the data we hold about you. These rights are not absolute — some are conditional, and some can be limited by law (for example, where retention of clinical records is required) — but we commit to respecting and responding to them in line with the Act.

  • Right to be informed: To know what data we hold, why, and with whom we share it, which is what this policy is for.
  • Right of access: To request a copy of the personal data we hold about you, and information about how we are using it.
  • Right to rectification: To have inaccurate or incomplete data about you corrected or completed.
  • Right to erasure: To have your data deleted, where the legal basis for keeping it no longer applies and no overriding requirement exists.
  • Right to restrict processing: To pause our use of your data while a dispute about it is being resolved.
  • Right to data portability: To receive a copy of certain data in a structured, commonly used, machine-readable format.
  • Right to object: To object to processing based on legitimate interests, or to direct-marketing communications.
  • Right to withdraw consent: Where we rely on your consent, to withdraw it at any time without affecting earlier processing.

To exercise any of these rights, please email our DPO at dpo@primroserehab.org. We will respond within 30 days. We may need to verify your identity before we act on the request.

How we keep your data secure

We apply reasonable technical and organisational measures to protect personal data against loss, misuse, unauthorised access, and unlawful disclosure. These include:

  • Role-based access to clinical and administrative systems, with the principle that staff see only what they need to.
  • Encryption of data in transit (HTTPS) and at rest in our cloud systems where the provider supports it.
  • Multi-factor authentication for staff access to systems holding clinical or financial data.
  • Locked, controlled-access physical filing for any paper records.
  • Written confidentiality undertakings from all staff and contractors.
  • Regular review of who has access to what, and revocation of access when staff leave.

No system is perfectly secure. If a breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ODPC within 72 hours of becoming aware and will notify you directly where the risk is high.

Cookies and website tracking

This website uses a small number of cookies to function and to help us understand how visitors use the site. We group cookies as follows:

  • Strictly necessary — required for the website to work (e.g., load balancing, cookie-preference memory). These cannot be turned off without breaking the site.
  • Analytics — help us understand which pages are useful and where the site needs improvement. These are only set if you accept them.

You can manage your cookie preferences from the banner shown on your first visit, or at any time by clearing this site’s cookies in your browser. We do not use cookies to track health-related browsing or to build advertising profiles.

Children and minors

Our primary admission programme is for adults. Where we admit a minor — defined under Kenyan law as a person under 18 — we apply additional safeguards: parental or guardian consent for admission and processing of clinical data, age-appropriate explanation of the treatment, and longer record-retention as set out in Section 7.

This website is not directed at children. We do not knowingly collect personal data from anyone under 13 through this site. If you believe we have, contact our DPO and we will delete it.

Complaints

If you are unhappy with how we have handled your personal data, please tell us first. The fastest route is to email our DPO at dpo@primroserehab.org. We will acknowledge within 7 days and aim to resolve within 30.

If you remain unsatisfied, you have the right to lodge a complaint directly with the supervisory authority in Kenya:

Office of the Data Protection Commissioner (ODPC), Kenya

Britam Tower, Hospital Road, Upper Hill, Nairobi.

Website: www.odpc.go.ke · Email: info@odpc.go.ke

You may lodge a complaint with the ODPC directly. You do not need to have raised the matter with us first, although we would prefer to have the chance.

Changes to this policy

We may update this policy from time to time to reflect changes in our practice, in the law, or in the services we offer. When we do, we will change the version number and “last updated” date at the top of this page. For substantive changes that affect how we handle existing client data, we will notify affected clients directly where it is reasonable to do so.

The current version supersedes any prior version. Previous versions are kept on file and are available on request.

Contact us

For anything related to this policy or to your data, please use one of the following:

Visit our contact page for a map and our full office hours.