Privacy Policy: Brown’s Pharmacy Limited
Effective Date: 20 September, 2025
Who we are: Brown’s Pharmacy Limited (“we”, “us”, “our”) provides retail and e-commerce pharmacy services in Kenya. We are the data controller for personal data processed via our website, mobile experiences, and customer support channels.
1. Scope & What this Policy Covers
Applies to our website, mobile views, contact channels (phone, SMS, WhatsApp/CTWA, email, web chat), and in-store or delivery interactions that link to this policy.
Explains what we collect, why, legal bases for processing, how long we keep it, who we share it with, your rights, and how to contact us.
Covers personal data and sensitive personal data (e.g., health and prescription information) under the Kenya Data Protection Act, 2019 (KDPA) and its Regulations.
2. The Data We Collect (Comprehensive List)
A. Identification & Contact
Full name, alias/preferred name
Phone number(s), WhatsApp number
Email address
Delivery address, landmark, building, estate, postal code
County/sub-county/ward, city/town
National ID/passport number only when legally required (e.g., prescription verification, controlled medicines)
Date of birth (age eligibility for purchases, controlled products)
B. Account & Authentication
Account username, hashed password
Security questions/answers (if used)
Login timestamps, account activity logs
C. Health & Prescription (Sensitive Personal Data)
Prescription documents (images/PDF), prescriber details, dosage, instructions
Product/medicine purchase history (Rx and OTC)
Allergies and contraindications only if you disclose
Notes exchanged with our pharmacists/techs related to your order or care
Previous dispensations needed to ensure safe supply or prevent interactions
D. Order & Transaction
Items ordered, quantities, prices, discounts, promo codes
Preferred products, refill reminders (if opted-in)
Delivery instructions and proof of delivery (name/signature or OTP)
Customer service and refund/cancellation records
E. Payment
Payment method (e.g., M-Pesa, card, bank transfer)
Transaction reference, amount, timestamps
Billing details where applicable
We do not store card numbers, CVV, or M-Pesa PINs
F. Communications & Support
Emails, SMS, WhatsApp/chat messages, call details (time, duration, agent notes)
Survey responses, ratings, reviews, complaints, inquiries
Marketing preferences (email/SMS/WhatsApp opt-ins)
G. Technical & Usage
Device type, browser, OS
IP address, approximate geolocation (from IP or with permission)
Cookies and similar technologies (pixels, local storage)
Pages visited, time on page, clicks, referring/exit pages, search terms
Crash/error logs and performance diagnostics
H. In-Store & Logistics (if applicable)
CCTV footage in our premises (where signage indicates)
Courier/delivery GPS metadata, route completion notes
Photo evidence of delivered package where required
I. Third-Party & Public Sources
Prescriber verification data (where lawful)
Payment providers (payment confirmations)
Delivery partners (status updates)
Data from consented integrations (e.g., your WhatsApp contact card)
Public registers or regulatory sources where necessary (e.g., for compliance)
3. Why We Collect Your Data (Purposes)
Order processing & fulfilment: verify prescriptions, dispense medicines safely, deliver orders, manage refunds/returns where applicable.
Customer support: respond to queries, resolve complaints, after-sales service.
Safety & clinical assurance: check interactions/contraindications, ensure appropriate supply, detect misuse or fraud.
Account management: registration, login, preferences, order history, reminders.
Payments & billing: process and reconcile transactions, prevent fraud.
Service improvement & analytics: measure performance, fix errors, optimize user experience.
Regulatory & legal compliance: KDPA, health regulations, tax, accounting, record-keeping, law-enforcement requests.
Marketing (with consent): send offers, health tips, product updates; personalize content and recommendations.
Security & abuse prevention: protect accounts, systems, and data; detect bots or malicious activity.
4. Legal Bases for Processing (KDPA)
Consent: marketing communications, certain health-data uses beyond core dispensing, cookies where required.
Contract: to provide products/services you request (ordering, delivery, returns).
Legal obligation: tax and accounting records, responding to regulator/law-enforcement, pharmacy/health regulations.
Vital interests: in rare cases to protect life (e.g., urgent safety notifications or recalls).
Legitimate interests: site security, fraud prevention, service improvement, non-intrusive analytics—balanced against your rights and expectations.
5. Special Category: Health & Prescription Data
Treated as sensitive personal data; processed strictly for dispensing, safety checks, and compliance.
Access restricted to authorized staff (e.g., pharmacist, pharmacy technologist, senior support under supervision).
Not used for advertising of prescription-only medicines to the public.
Shared only on a need-to-know basis (e.g., with a delivery partner for handover, with regulators when legally required).
6. Cookies & Similar Technologies
Essential cookies: order basket, login/session security.
Performance/analytics: page usage, load times (aggregated).
Functional: preferences (language, location, saved addresses).
Marketing (with consent): remarketing pixels, campaign attribution.
Options: manage in our cookie banner/settings, or via browser settings. Disabling essential cookies may break core features (cart, checkout).
7. How We Share Your Data
Payment processors/gateways: to complete transactions (e.g., M-Pesa providers, card processors); we do not store sensitive card/PIN data.
Delivery & logistics partners: for pickup, routing, and proof of delivery.
Healthcare professionals (internal/contracted): pharmacists for verification/dispensing and safety checks.
IT & security vendors: hosting, cloud storage, email/SMS, analytics, fraud prevention.
Regulators & law enforcement: when required by Kenyan law or valid legal request.
Corporate transactions: if we undergo a merger, acquisition, or asset sale, subject to confidentiality and continuity of protection.
We do not sell personal data.
8. International Data Transfers
Some processors may be located outside Kenya.
We use appropriate safeguards (contractual protections, technical controls, restricted access) to protect cross-border transfers as required by KDPA and applicable regulations.
Where feasible, we prioritize regional hosting or data minimization/anonymization.
9. Data Retention
Keep personal data only as long as necessary for the purposes above and to meet legal, regulatory, tax, accounting, and audit requirements.
Examples (indicative; subject to legal change):
1. Order, invoice, and tax records: retained for the period required by Kenyan tax and accounting laws.
2. Prescription/dispensing records: retained as required by pharmacy/health regulations.
3. Customer support logs: retained for a period necessary to defend or resolve claims.
When no longer needed, data is securely deleted, anonymized, or archived per our retention policy.
10. Security Measures
Role-based access; least-privilege permissions; staff confidentiality obligations.
Encryption in transit (HTTPS/TLS); encryption at rest where applicable.
Network and application firewalls, anti-malware, vulnerability management.
Strong password hashing, MFA for admin/staff where feasible.
Regular backups, disaster recovery planning.
Vendor due diligence and data processing agreements.
11. Your Rights (Kenya Data Protection Act)
Access: request a copy of your personal data we hold.
Correction/Rectification: fix inaccurate or incomplete data.
Deletion/Erasure: request deletion where no longer necessary or where consent is withdrawn (subject to legal retention).
Objection/Restriction: object to or limit processing in certain cases (e.g., marketing).
Portability: receive data you provided in a structured, commonly used format where technically feasible.
Withdraw consent: at any time for processing based on consent (e.g., marketing).
Complain: to the Office of the Data Protection Commissioner (ODPC) if you believe your rights are infringed.
We will respond to requests within applicable statutory timelines.
12. Children & Minors
Our services are intended for adults (18+).
For minors, a parent/guardian or legally authorized representative should place orders and provide any required consent.
We do not knowingly collect personal data from children without appropriate authorization.
13. Accuracy & Your Responsibilities
Provide accurate, current information (e.g., prescription details, allergies).
Update your account details and delivery address when they change.
Use strong, unique passwords and keep credentials confidential.
Immediately report suspected account compromise or unauthorized activity.
14. Third-Party Links
Our site may link to third-party websites or services.
We are not responsible for their privacy practices. Review their policies before providing personal data.
15. Automated Decision-Making & Profiling
We do not make decisions producing legal or similarly significant effects solely by automated means.
We may use limited profiling (e.g., recommend OTC products or reminders) based on your purchase history with your consent where required.
16. Marketing Preferences
We send marketing communications (email/SMS/WhatsApp/CTWA) only with your consent or as otherwise permitted by law.
You can opt out at any time via the link or instructions in the message, or by contacting us.
17. Changes to this Policy
We may update this Privacy Policy to reflect legal, technical, or business changes.
We will post the new version with a new “Effective Date”.
Where changes are material, we will take appropriate steps to notify you (e.g., banner, email).
