Legal & Compliance
Master Privacy Policy
At Ethmoide Inc., we are committed to protecting your privacy and maintaining the confidentiality of your personal information across all our products and services (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use any Service operated by Ethmoide Inc., and describes your rights regarding your data.
We adhere to applicable data protection laws, including the Kenya Data Protection Act 2019, the General Data Protection Regulation (GDPR) where applicable, and other relevant regional privacy regulations. Product-specific regulatory obligations (such as HIPAA for our healthcare products) are addressed in the corresponding Product Supplement.
By accessing or using any of our Services, you acknowledge that you have read and understood this Privacy Policy.
1. Information We Collect
We collect information across all our Services in the following categories:
a. Information You Provide Directly
- Account Information: Name, email address, username, password, phone number, and role or professional credentials when you register for any Service.
- Profile Information: Organisation affiliation, department, preferences, and profile photo.
- Submitted Content: Data, files, records, or materials you upload or submit through any Service. The nature of this content is governed by the applicable Product Supplement.
- Communications: Messages, feedback, support requests, and survey responses you send us.
b. Information Collected Automatically
- Usage Data: Pages visited, features accessed, time spent, actions taken, and session duration across any Service.
- Device & Technical Data: IP address, browser type, operating system, device identifiers, screen resolution, and referring URLs.
- Log Data: Server logs, error reports, and performance metrics.
- Location Data: Approximate location inferred from IP address, or precise location if you grant permission within a specific Service.
c. Information From Third Parties
- Integrated Third-Party Systems: Data received from external systems that our Services integrate with, subject to applicable authorisations and the terms of those integrations.
- Identity Verification Services: Information used to verify your identity or professional credentials.
- Analytics Providers: Aggregated and de-identified usage analytics data.
2. How We Use Your Information
We use the information we collect to:
- Provide and operate our Services, including delivering the core functionality of each product.
- Authenticate and secure your account and prevent unauthorised access.
- Personalise your experience and tailor features to your role and preferences.
- Improve and develop our Services through analysis of aggregated, de-identified usage patterns.
- Communicate with you about updates, new features, security alerts, and support matters.
- Comply with legal obligations, including applicable regulations, audit requirements, and lawful orders.
- Detect and prevent fraud, abuse, or security incidents.
- Conduct research using only de-identified or aggregated data, in accordance with applicable law and ethical guidelines.
We do not sell your personal information to third parties, and we do not use your personal data for advertising purposes on third-party platforms.
3. How We Share Your Information
We may share your information only in the following limited circumstances:
a. Service Providers
We engage trusted third-party vendors (e.g., cloud hosting, analytics, identity verification, payment processors) who process data on our behalf. These parties are contractually bound to handle data securely and only for the purposes we specify. Where applicable, we execute appropriate data processing agreements as required by law.
b. Institutional or Enterprise Access
If you access a Service through your employer or an institution, certain account and usage information may be shared with that institution's administrators as part of the service agreement.
c. Legal Requirements
We may disclose your information if required by applicable law, regulation, legal process, or governmental authority, or when we believe disclosure is necessary to protect the rights, property, or safety of Ethmoide Inc., our users, or the public.
d. Business Transfers
In connection with a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will provide notice if your information becomes subject to a different privacy policy.
e. With Your Consent
We may share your information for any other purpose with your explicit prior consent.
4. Data Retention
We retain personal information for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Retention periods are determined based on:
- The duration of your account and active use of the applicable Service.
- Applicable legal and regulatory obligations (e.g., records laws, tax laws).
- Legitimate business needs, such as resolving disputes and enforcing agreements.
Specific retention periods for regulated data categories (such as healthcare records) are addressed in the applicable Product Supplement. Upon a lawful deletion request and subject to applicable legal obligations, we will securely destroy or de-identify your information.
5. Data Security
We implement a layered security programme across all our Services, including:
- Encryption: All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
- Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and principle of least privilege are enforced.
- Audit Logging: Comprehensive audit trails are maintained for all access to and modifications of sensitive data.
- Vulnerability Management: Regular penetration testing, security assessments, and patch management processes are in place.
- Incident Response: A documented security incident response plan is maintained and tested regularly.
- Employee Training: All staff with access to sensitive data undergo regular privacy and security training.
Despite our efforts, no security system is impenetrable. In the event of a data breach that affects your rights and freedoms, we will notify you and the appropriate regulatory authorities as required by applicable law.
6. Cookies and Tracking Technologies
We use cookies and similar tracking technologies (pixels, local storage, session tokens) to:
- Essential Cookies: Enable core Service functionality, authentication, and security. These cannot be disabled.
- Analytics Cookies: Help us understand usage patterns to improve our Services (e.g., session duration, error rates). These may be disabled.
- Preference Cookies: Remember your settings and UI preferences. These may be disabled, though some features may be affected.
We do not use advertising or third-party behavioural tracking cookies. You can manage cookie preferences through your browser settings. Note that disabling certain cookies may impair the functionality of our Services.
7. Third-Party Links and Services
Our Services may contain links to third-party websites or integrate with external platforms. These third parties have their own privacy policies, and we do not control or assume responsibility for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through our products.
8. Your Privacy Rights
Depending on your location and applicable law, you may have the following rights regarding your personal information:
- Right of Access
- Request a copy of the personal information we hold about you.
- Right to Rectification
- Request correction of inaccurate or incomplete personal information.
- Right to Erasure
- Request deletion of your personal information, subject to legal and contractual obligations.
- Right to Restriction of Processing
- Request that we limit how we use your information in certain circumstances.
- Right to Data Portability
- Receive your personal data in a structured, machine-readable format where technically feasible.
- Right to Object
- Object to processing of your information for certain purposes, including direct marketing.
- Right to Withdraw Consent
- Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us as described in Section 13. We will respond within the timeframe required by applicable law (typically 30 days). We may need to verify your identity before fulfilling your request.
If you are located in the European Economic Area (EEA) and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local Data Protection Authority (DPA). If you are located in Kenya, you may contact the Office of the Data Protection Commissioner (ODPC).
9. Children's Privacy
Our Services are not directed at individuals under the age of 18, and we do not knowingly collect personal information directly from minors. Certain products (such as our healthcare platform) may process data involving minors in the context of clinical care delivery — see the applicable Product Supplement for how such data is handled. If you believe we have inadvertently collected personal information from a minor in violation of applicable law, please contact us immediately.
10. International Data Transfers
Ethmoide Inc. operates globally. If you are accessing our Services from outside the country where our servers are located, your information may be transferred across international borders. When transferring personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on appropriate legal mechanisms including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions by the relevant data protection authority.
- Other legally recognised transfer mechanisms as applicable.
We take appropriate steps to ensure that recipients of your personal data afford an adequate level of protection consistent with this Privacy Policy.
11. Products and Services Covered by This Policy
This Privacy Policy applies to the following products and services operated by Ethmoide Inc. Each product is named explicitly so that users can identify which privacy terms govern their use. Products marked with a supplement have additional privacy provisions published at the link provided.
Ethmoide Healthcare Platform
Clinical decision support, diagnostic tools, and healthcare workflow automation at ethmoide.com. This product collects and processes Protected Health Information (PHI). See the Healthcare Platform Privacy Supplement for full HIPAA and PHI handling details.
Theatre Lists — Ethmoide Surgicore
Surgical theatre scheduling, booking, and management dashboard for hospitals and surgical teams. Processes patient scheduling data and PHI. Subject to the Healthcare Platform Privacy Supplement.
PhotoSurgeon
Mobile application for structured surgical photography documentation and theatre list generation. Collects photographic and clinical data. Subject to the Healthcare Platform Privacy Supplement.
Utafiti — Research Platform
Kenyan scientific literature and research discovery platform at utafiti.ethmoide.com. Collects account registration data and search usage data. Governed by this Master Privacy Policy only.
Ethmoide Social Scheduler
Social media scheduling and management tool for healthcare professionals and organisations, available at postiz.server.ethmoide.com. This product:
- Collects account credentials, connected social media account tokens, scheduled post content, and usage analytics.
- Connects to third-party social media platform APIs (including TikTok, Instagram, X/Twitter, LinkedIn, and others) to publish content on your behalf. Data shared with those platforms is subject to their own privacy policies.
- Stores OAuth tokens for connected social accounts, which are encrypted at rest and used only to perform scheduled actions you authorise.
- Does not access, read, or store your social media followers' personal data beyond what the platform API returns for publishing confirmation.
Governed by this Master Privacy Policy. No healthcare-specific supplement applies to this product.
Surgeons.co.ke
Kenya Surgical Discovery Platform at surgeons.co.ke and camps.surgeons.co.ke. Collects surgeon profile data (with consent), search queries, and camp registration information. Governed by this Master Privacy Policy.
Ethmoide Supplies
Medical and surgical supplies marketplace at supplies.ethmoide.com. Collects account, order, and payment data. Governed by this Master Privacy Policy.
Ethmoide Branding
Healthcare branding and creative services at branding.ethmoide.com. Collects enquiry and project information. Governed by this Master Privacy Policy.
Cleft Lip Simulator
Web-based surgical planning tool for cleft lip rotation and repair. May process de-identified patient image data. Subject to the Healthcare Platform Privacy Supplement.
KNH Theatre List Automation
Automated theatre list tool for Kenyatta National Hospital. Processes scheduling and clinical data. Subject to the Healthcare Platform Privacy Supplement.
AI vs Researcher
Blog and content platform at aivsresearcher.com. Collects comment and subscriber data. Governed by this Master Privacy Policy.
CC Version Guard
Desktop version control utility distributed by Ethmoide Inc. May collect anonymised crash and usage telemetry. Governed by this Master Privacy Policy.
The full current list of all Ethmoide Inc. products, along with any applicable supplements and the distinction between Ethmoide-operated products and agency-built client sites, is maintained on the Legal Hub.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the “Last Updated” date at the top of this page.
- Notify you via email (to the address associated with your account) or via a prominent notice within the relevant Service.
- Where required by law, obtain your renewed consent.
Your continued use of our Services following the effective date of any changes constitutes your acknowledgement of the updated Privacy Policy. We encourage you to review this policy periodically.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Office:
Ethmoide Inc. — Privacy OfficeEmail: privacy@ethmoide.comPostal Address: Hospital Rd, Upper Hill, Nairobi, KenyaWe aim to acknowledge all privacy-related enquiries within 5 business days and resolve them within 30 days, or within the timeframe required by applicable law.