Privacy notice
MY DOCTOR TZ — how we handle personal and health-related information.
Last updated: 24 April 2026
This notice explains how we handle personal and health-related information. It is written to reflect common expectations under the Tanzania Personal Data Protection Act No. 11 of 2022 (PDPA) and guidance from the Personal Data Protection Commission (PDPC), and internationally recognised practices aligned with the HIPAA Privacy and Security Rules where those frameworks apply to similar processing. It is not a substitute for legal advice to your organisation; obtain independent counsel for compliance decisions.
1. Who we are
MY DOCTOR TZ (“we”, “us”, “the platform”) operates this website and related digital services for health education, community programmes, and care coordination features offered to registered users (including clients, clinicians, and administrators).
2. Scope of this notice
This notice applies to information collected through this platform, including account data, contact details, optional profile and health-related fields you choose to submit, service requests, authentication logs, and technical metadata (such as IP address and device type) needed to secure the service.
3. Categories of data
- Identity & contact: name, email, phone, address or region, identifiers you supply.
- Health & care coordination (special category / sensitive): symptoms, conditions, medications, allergies, emergency contacts, and similar fields you enter in your client profile or requests.
- Account & security: role, activation status, two-factor artefacts, audit events necessary for fraud prevention and accountability.
- Technical: cookies or local storage used for theme preference and session continuity; server logs for security monitoring.
4. Purposes and lawful bases (PDPA-aligned)
We process data to: provide and improve the platform; authenticate users; coordinate requested services with authorised staff; comply with law; detect abuse; and communicate service-related messages. Where the PDPA requires a lawful basis, we rely on performance of a contract, consent (where you tick specific boxes), vital interests where applicable in emergencies, and legitimate interests (such as network security) balanced against your rights.
5. HIPAA-aligned safeguards (where applicable)
For health information handled on behalf of users or partner organisations, we aim to apply administrative, physical, and technical safeguards comparable to those described in HIPAA’s Security Rule: access controls, encryption in transit where supported by your environment, least-privilege access for workforce roles, integrity controls, and auditability. If MY DOCTOR TZ processes protected health information (PHI) as a business associate of a HIPAA covered entity, additional written arrangements (e.g. a Business Associate Agreement) may be required — contact us before enabling integrations that involve US PHI.
6. Sharing and recipients
We do not sell your personal data. We share information only with: (a) authorised personnel and clinicians involved in your care pathway; (b) infrastructure providers (e.g. hosting, email) under appropriate contracts and confidentiality obligations; (c) regulators or law enforcement when legally required. Cross-border transfers, if any, are made with safeguards consistent with PDPA requirements (such as adequacy assessments or standard contractual clauses as applicable).
7. Retention
We retain data for as long as your account is active and as needed to meet legal, regulatory, or professional obligations (including clinical recordkeeping rules that may apply to partners). When retention ends, we delete or irreversibly anonymise data where feasible.
8. Your rights (Tanzania PDPA & general)
Subject to applicable law, you may have the right to: access, rectify, erase or restrict processing, object to certain processing, withdraw consent where processing was consent-based, and lodge a complaint with the PDPC or another competent authority. To exercise rights, contact us using the details on the Contact page. We may need to verify your identity before responding.
9. Security & breaches
We implement measures designed to protect confidentiality, integrity, and availability. In the event of a personal data breach likely to affect your rights, we will notify regulators and, where required, affected individuals without undue delay, in line with PDPA expectations and good practice.
10. Children
Services are not directed at children without appropriate guardian involvement. Where local law requires parental consent for minors, that consent must be obtained by the responsible adult.
11. Changes
We may update this notice to reflect legal, technical, or operational changes. Material changes will be highlighted in-product (for example at login or profile) and the “Last updated” date revised. Continued use after notice may, where permitted, constitute acknowledgment.
12. Contact
For privacy questions or requests, use the contact details published on our Contact page, marking the subject “Data protection”.