What This Means for You
When you use Jasmine Pharmacy, you share personal and health information with us. We take that responsibility seriously.
This policy explains exactly what information we collect, why we collect it, how we protect it, who we may share it with, and what rights you have over it.
We collect only what we need to provide you with safe, specialist chronic-care pharmacy services.
- We do not sell your data.
- We do not use your health information for advertising without your explicit consent.
We are governed by Kenyan law, specifically the Kenya Data Protection Act 2019 and the Pharmacy and Poisons Act Cap. 244, among other statutes listed below.
If anything in this policy is unclear, please contact us directly. Our contact details are provided at the end of this policy.
1. Who We Are and Why This Policy Exists
Jasmine Pharmacy is a specialist chronic-care pharmacy registered and licensed in Kenya. We operate under the oversight of the Pharmacy and Poisons Board (PPB).
We process your personal data in accordance with the Kenya Data Protection Act 2019, and we are actively taking all necessary steps to maintain full regulatory compliance, including statutory registration with the Office of the Data Protection Commissioner (ODPC) as required by law.
This policy applies to every patient, caregiver, guardian, and website visitor who interacts with us in person, by telephone, via our website, or through any digital channel we operate.
We process your personal data where required or permitted under Kenyan law, where necessary for the safe dispensing of chronic-care medication, and because you have chosen to use our healthcare services.
2. The Legal Framework We Operate Under
All data processing described in this policy is governed exclusively by Kenyan law. The primary statutes are:
- Kenya Data Protection Act 2019
- Data Protection (General) Regulations 2021
- Data Protection (Registration of Data Controllers and Processors) Regulations 2021
- Pharmacy and Poisons Act Cap. 244
- Health Act 2017
- Consumer Protection Act 2012
- Computer Misuse and Cybercrimes Act 2018
3. What Personal Data We Collect
We collect personal data in the following categories: general personal data and sensitive personal data.
General Personal Data
This includes your full name, date of birth, gender, national identification number or passport number, physical address, telephone number, email address, and emergency contact details.
Username and Account Credentials
We maintain authentication credentials necessary to provide secure access to your account. Passwords are stored in encrypted or otherwise protected form and are not accessible in plain text.
Sensitive Personal Data
Under Section 2 of the Kenya Data Protection Act 2019, the following categories are classified as sensitive personal data and are protected through appropriate technical and organisational measures commensurate with their sensitivity.
- Prescription information, including the name, dosage, frequency, and prescribing clinician details for every medication dispensed to you
- Medical history and diagnosis information shared with us to enable safe dispensing
- Information about chronic conditions, allergies, and adverse drug reactions
- Any other health or medical data you provide to us
Prescription data is sensitive personal data. We treat it as such at every stage of collection, storage, processing, and disposal.
Payment Data
We collect basic transaction information to initiate your orders. Payment transactions are securely handled by DPO Pay, our designated payment gateway.
Jasmine Pharmacy does not capture, view, or store full payment card details or bank credentials on our own systems. Your patient record history and your health data are stored in separate, access-controlled environments completely isolated from the payment flow.
DPO Pay operates as an independent data controller for the processing, security, and verification of your financial data. For details on how DPO Pay handles your payment information, please refer to the DPO Pay Privacy Policy directly.
Website and Digital Data
When you visit https://pharmacy.jdmc.co.ke, we collect standard technical data including your IP address, browser type, device type, and pages visited. We use this data to maintain website security, diagnose technical issues, prevent fraud, and improve website performance. The lawful basis for this processing is legitimate interests, as described further in Section 4.
4. Why We Collect Your Data and the Legal Basis for Doing So
We collect and process your personal data only for specific, lawful purposes. For each purpose, we identify the legal basis under the Kenya Data Protection Act 2019.
We do not use legitimate interests as a basis for processing special category health data where stricter legal bases are required. Where we rely on consent, we will clearly identify it as optional and separate from any legal or clinical requirement.
Managing Your Online Account
Legal basis: Contract and legitimate interests.
We process your personal data to create, maintain, and secure your online account and to authenticate your access to our website and services. Where we rely on legitimate interests, we ensure that such interests are not overridden by your fundamental rights and freedoms, and we conduct a balancing assessment to confirm this.
Dispensing Your Prescribed Medication
Legal basis: Legal obligation (compliance with the Pharmacy and Poisons Act Cap. 244) and contract (fulfilling your service request).
No medication will be dispensed without a valid and verified prescription.
Processing Your Prescription Data as Sensitive Personal Data
Legal basis: Provision of healthcare services, legal obligation, and explicit consent.
We process sensitive personal data where this is necessary for the provision of healthcare services and compliance with legal obligations. In limited cases, we may rely on your explicit consent for specific optional processing activities. Legal obligation arises from the Pharmacy and Poisons Act Cap. 244 and the Health Act 2017.
Verifying Prescriptions
Legal basis: Legal obligation and legitimate interests.
Where necessary to confirm a prescription's authenticity, dosage accuracy, legal validity, or patient safety, we will verify the prescription directly with the prescribing clinician, the healthcare facility from which it was issued, or another authorised healthcare provider. We share only the minimum information required for the purpose of that verification.
Managing Your Patient Record
Legal basis: Legal obligation and legitimate interests.
We maintain a complete and accurate patient record to ensure continuity of care and to prevent dispensing errors.
Processing Your Payment
Legal basis: Contract.
Payment processing is necessary to complete the transaction you request.
Communicating with You About Your Medication and Orders
Legal basis: Contract and legitimate interests.
We contact you to confirm prescriptions, notify you of delivery status, and inform you of matters directly related to your care.
Website Security, Technical Monitoring, and Fraud Prevention
Legal basis: Legitimate interests.
We process technical and operational data to maintain the security of our website and systems, diagnose and resolve technical issues, detect and prevent fraudulent activity, monitor for suspicious transactions or abuse, and improve the performance of our digital services. We balance these interests against your rights and will not use this data for purposes beyond those stated.
Complying with Regulatory and Legal Requirements
Legal basis: Legal obligation.
We may be required to share data with the PPB, the Kenya Revenue Authority, a court of law, or another authority acting under Kenyan law. When we do so, we share only what is required and inform you where lawful to do so.
Marketing and Service Updates (Optional)
Legal basis: Explicit consent only.
We will not use your personal data or health information for marketing, promotional, or advertising purposes unless you have given us your explicit, written consent.
You may withdraw your consent to marketing at any time by:
- Emailing privacy@jdmc.co.ke
- Using the unsubscribe link or mechanism included in any marketing communication we send to you
- Writing to us at our physical address below.
We will action your withdrawal promptly. Withdrawal of consent does not affect the lawfulness of any processing we carried out before you withdrew your consent.
5. How We Collect Your Data
We collect your data directly from you when you register as a patient, create an account, submit a prescription, place a delivery order, contact us by telephone or email, or visit our website.
We may also receive data from your prescribing clinician or from a caregiver or guardian acting on your behalf, where you have authorised that arrangement. We may also receive information from healthcare facilities, laboratories, insurers, delivery partners, or other persons authorised by you or otherwise permitted by law.
- We do not purchase personal data from third parties.
- We do not source data from data brokers.
6. How We Use Your Data
We use your data to:
- Create and maintain your online account
- Verify your identity and confirm your registration
- Authenticate your identity when you access our website and services
- Receive, review, and verify your prescription with the prescribing clinician, healthcare facility, or authorised healthcare provider where required
- Process your payment through DPO Pay
- Dispense your prescribed medication safely and accurately
- Arrange, manage, and track the delivery of your medication within the service areas operated by Jasmine Pharmacy
- Communicate with you regarding your account, prescriptions, orders, deliveries, and service-related notifications
- Respond to your queries and complaints
- Maintain your patient record and medication history
- Comply with the requirements of the PPB, including record-keeping obligations
- Monitor and maintain the security of our systems and detect fraudulent or suspicious activity
- Improve our services using anonymised or aggregated data that does not identify you
7. Who We Share Your Data With
We share your personal data only in the circumstances described below. We do not sell, rent, or trade your personal data or health information.
Your Prescribing Clinician or Healthcare Provider
Where necessary to verify a prescription, confirm its authenticity or legal validity, clarify dosage, or ensure patient safety, we will contact your prescribing clinician, the healthcare facility from which the prescription was issued, or another authorised healthcare provider. We share only the minimum information required.
DPO Pay
Your payment data is handled directly by DPO Pay, our designated payment gateway. DPO Pay acts as an independent data controller regarding the authorization, processing, and security of your transactions.
This independent controller status arises because DPO Pay autonomously determines the operational means and compliance parameters required to safely execute payments under financial regulations—including Central Bank of Kenya directives and PCI-DSS compliance standards. Their processing is strictly governed by the DPO Pay Privacy Policy, and they maintain their own independent liability and compliance under the Kenya Data Protection Act 2019.
Delivery Partners
To facilitate delivery, we share your name, delivery address, and contact telephone number with our delivery partners. We share only the information necessary to complete the delivery. Delivery services are available only within the service areas designated by Jasmine Pharmacy from time to time.
Technology Service Providers
We use trusted technology, hosting, communication, cloud, software, payment, analytics, security, and infrastructure service providers to operate our systems and deliver our services.
Our technology ecosystem may include cloud hosting providers, communication platforms, software vendors, email service providers, SMS gateways, analytics providers, cybersecurity vendors, and other infrastructure providers used to support the operation of our systems and services. Some features available within our technology platforms may permit the use of additional tools or integrations.
Where these providers process personal data on our behalf, they act as data processors and are subject to appropriate contractual, confidentiality, security, and data protection obligations consistent with the Kenya Data Protection Act 2019. They may process personal data only in accordance with our documented instructions, are required to implement appropriate security measures, and are required to support us in meeting our data protection obligations.
We review provider arrangements periodically to help ensure ongoing compliance with applicable legal and security requirements.
Regulatory Authorities
We will share your data with the Pharmacy and Poisons Board, the Office of the Data Protection Commissioner, a court of law, or any other Kenyan authority when we are legally required to do so. We will inform you of any such disclosure where Kenyan law permits us to do so.
Professional Advisors
Our legal counsel, auditors, and compliance advisors may access your data where strictly necessary for the provision of professional services. These parties are bound by confidentiality obligations.
Cross-Border Data Transfers
Whenever any of our service providers or processors transfer data outside Kenya, we will ensure that an adequate level of protection is in place before the transfer occurs. We achieve this through appropriate contractual, technical, and organisational safeguards—such as standard contractual clauses or transfer risk assessments as required or recognised under the Data Protection (General) Regulations 2021.
If Kenyan law requires a specific transfer risk assessment or equivalent safeguard before a transfer may lawfully proceed, we will conduct and document that assessment prior to the transfer. Your rights under Kenyan law remain fully intact.
8. How Long We Keep Your Data
We keep your data for the periods set out below. We do not retain data beyond these periods unless Kenyan law requires it.
Adult Patients (18 years and over)
We retain your prescription records and patient data for a minimum of seven (7) years from the date of your last interaction with us.
Minor Patients (under 18 years)
We retain prescription records and patient data until the minor reaches the age of twenty-five (25), or for five (5) years from the date of the last interaction, whichever period is longer.
Payment Records
We retain transaction records in accordance with the requirements of the Kenya Revenue Authority and applicable tax law, for a minimum of five (5) years.
Website and Technical Data
We retain technical and analytical data from our website for no longer than twelve (12) months, unless a specific legal or security reason requires longer retention.
At the end of the applicable retention period, we will securely delete or anonymise your data.
9. Minor Patients
If you are registering a patient who is under eighteen (18) years of age, the following applies:
- A parent or legal guardian must provide explicit written consent before the minor is registered and before any prescription is dispensed.
- The parent or legal guardian may exercise all data subject rights listed in this policy on the minor's behalf. Where appropriate and having regard to the age and maturity of the minor, we may seek the minor's views concerning the exercise of their privacy rights.
- We retain minor patient data until the minor reaches age twenty-five (25) or for five (5) years after the last interaction, whichever is longer.
10. Your Data Subject Rights
Under the Kenya Data Protection Act 2019, you have eight rights in relation to your personal data. These rights apply to all patients, including parents and guardians acting on behalf of minor patients.
- Right to be Informed: You have the right to know what personal data we hold about you, why we hold it, and how we use it. This policy fulfils that obligation.
- Right of Access: You have the right to request a copy of the personal data we hold about you.
- Right to Rectification: You have the right to ask us to correct any personal data that is inaccurate or incomplete.
- Right to Erasure: You have the right to ask us to delete your personal data. We will honour this request unless we are required to retain the data under Kenyan law, including the minimum retention periods described in Section 8.
- Right to Restrict Processing: You have the right to ask us to stop using your data in certain ways, while we investigate a dispute or consider your objection.
- Right to Data Portability: You have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format, and to have it transferred to another data controller to the extent required by applicable law and where technically feasible. Depending on the nature of your request, the data may be provided in formats such as CSV, PDF, or another appropriate electronic format.
- Right to Object: You have the right to object to our processing of your personal data where we rely on legitimate interests as the legal basis. You have an absolute right to object to the use of your data for direct marketing purposes.
- Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to a decision made solely on the basis of automated processing, including profiling, that produces a legal or similarly significant effect on you. We do not use automated decision-making in connection with the dispensing of your medication.
How to Exercise Your Rights
Submit your request in writing to our designated privacy contact at privacy@jdmc.co.ke, or by post to our physical address below. Include:
- Your full name
- Your registered contact number
- A copy of your national ID or passport
- A clear description of the right you wish to exercise
We may request additional information to verify your identity before acting on a request in order to protect your privacy and prevent unauthorised disclosure.
We will respond within fourteen (14) days of receiving your request. If your request is complex or involves a large volume of data, we may extend this period by a further fourteen (14) days. We will notify you in writing before extending the deadline and explain the reason for the extension.
Fees for Rights Requests
We do not ordinarily charge a fee for responding to requests made under this Section.
However, where a request is manifestly unfounded, excessive, repetitive, or otherwise permitted by applicable law, we may charge a reasonable administrative fee or decline to act on the request. Where a fee is applicable, we will inform you of the amount and the reasons for it before proceeding.
11. How We Protect Your Data
We apply technical and organisational measures to protect your personal data against unauthorised access, disclosure, loss, alteration, or destruction. These measures include:
- Encryption of data in transit and at rest
- Access controls limiting data access to authorised personnel only
- Separation of your financial data and your health data in distinct, access-controlled environments
- Secure, audited physical storage of paper prescription records
- Staff training on data protection obligations under the Kenya Data Protection Act 2019
- Regular review of our security practices and systems
Patients are responsible for maintaining the confidentiality of their account credentials and should notify Jasmine Pharmacy immediately if they believe their account has been accessed without authorisation.
No method of data storage or transmission is entirely without risk. Where a personal data breach occurs, we will assess and handle it in accordance with the Kenya Data Protection Act 2019 and its regulations. If the breach is reportable under applicable law, we will notify the Office of the Data Protection Commissioner and affected individuals within the prescribed legal timelines. We will document all breaches and take prompt steps to contain and remediate any incident.
12. Patient Confidentiality
All pharmacists, pharmacy technicians, healthcare professionals, employees, contractors, advisors, and service providers who access patient information in the course of their work are bound by professional, contractual, or legal confidentiality obligations. These individuals and organisations may only access your personal data where it is necessary to perform their specific duties. Access privileges are role-based and are periodically reviewed and revoked when no longer required.
Confidentiality obligations apply during employment or engagement and continue after any relationship with Jasmine Pharmacy ends.
13. Automated Security, Fraud Detection, and Cybersecurity Monitoring
We use automated and manual processes to protect patients, healthcare providers, Jasmine Pharmacy, and the integrity of our pharmacy services. These activities include:
- Cybersecurity monitoring of our systems and digital infrastructure
- Detection and prevention of fraud, abuse, and unauthorised access
- Prescription fraud screening to identify and prevent unlawful dispensing
- Suspicious transaction detection in connection with payment processing
- Abuse prevention measures across our digital and operational services
Where these activities involve processing your personal data, the lawful basis is legitimate interests. We balance those interests against your rights and will not use data collected through these processes for any purpose other than security, fraud prevention, and the protection of patients and pharmacy services.
These processes do not constitute automated decision-making for the purpose of dispensing medication. No medication dispensing decision is made solely by automated means.
14. Cookies and Website Use
Our website uses cookies and similar technologies to support website functionality, maintain security, remember user preferences, and, where applicable, collect analytics information.
Some cookies are essential to the operation of the website, while others may require your consent before being placed on your device.
For detailed information about the cookies and similar technologies we use, including the categories of cookies deployed, the purposes for which they are used, the legal basis for their use, retention periods, and how you can manage your preferences, please refer to our Cookie Policy available on our website.
You may adjust your cookie preferences through our cookie consent mechanism or through your browser settings, subject to the limitations described in the Cookie Policy.
Please note: Website content is provided for general informational purposes only and does not constitute medical advice, diagnosis, treatment, or a substitute for consultation with a qualified healthcare professional. For clinical guidance, consult your treating clinician.
15. Changes to This Policy
We regularly review and may update this policy from time to time. When we make material changes, we will post the updated policy on our website. Where appropriate, we may also notify registered patients by email, SMS, or other reasonable means. The effective date at the top of this document will always reflect the most current version.
16. Contact Us
For any question, concern, or request relating to your personal data or this policy, contact our designated privacy contact using the details below.
Data Protection Contact
Email: privacy@jdmc.co.ke
All privacy rights requests, data protection complaints, and data protection enquiries should be directed to this address. We will acknowledge your communication promptly and respond within the timelines set out in Section 10.
Jasmine Pharmacy: General Enquiries
Phone: 0115524193
Postal Address: P.O. Box 34657-00100, Nairobi
17. Complaints
If you believe we have not handled your personal data properly, or if you have a concern about our pharmacy practice, you have the right to complain to the relevant authority.
We encourage you to contact us first at privacy@jdmc.co.ke. We will make every effort to resolve your concern promptly and fairly. Lodging a complaint with Jasmine Pharmacy does not affect your right to complain directly to the Office of the Data Protection Commissioner or any other competent authority.
Data Protection Matters
Office of the Data Protection Commissioner (ODPC)
- P.O. Box 41079-00100, Nairobi
- Website: odpc.go.ke
- Email: complaints@odpc.go.ke
- Telephone: +254 20 221 1033
Pharmacy Practice Matters
Pharmacy and Poisons Board (PPB)
- P.O. Box 27663-00506, Nairobi
- Website: ppb.go.ke
- Email: info@ppb.go.ke
- Telephone: +254 20 272 6310
Consumer Protection Matters
Competition Authority of Kenya (CAK)
- P.O. Box 36265-00200, Nairobi
- Website: cak.go.ke
- Telephone: +254 20 264 6000