Date: November 2025


1. INTRODUCTION

Amicus Wellness FLAGs (“Amicus,” “we,” “us,” or “our”) operates a digital health and social-impact platform that connects individuals, families, healthcare providers, community-based organizations (CBOs), NGOs/CSOs, donors, and payers to trusted information, guided Health Journeys, fundraising tools, and secure messaging (the “Services”), delivered through the Amicus Platform (web, WhatsApp or other messaging channels, and integrated partners/providers).

This Privacy Policy explains how we collect, use, share, retain, and protect personal data when you use the Services. Capitalized terms not defined here have the meanings in our Terms of Service.

By using the Services, you acknowledge that you have read, understood, and accepted this Privacy Policy. If you share personal data of others with us (e.g., a dependent or beneficiary), you are responsible for informing them about this Policy and obtaining any required consent.

Note: This Policy does not cover how Payers, Providers, or other partners process your personal data. Please consult their privacy notices for details about their processing.


2. WHAT IS PERSONAL DATA?

“Personal data” means any information relating to an identified or identifiable natural person (a “User”). Examples include: name, contact details, national ID/passport number, location data, biometric identifiers (if used), program/policy numbers, and health information (considered sensitive and processed with extra care). Personal data may also relate to your dependents or beneficiaries (e.g., spouse, children, or other relations) if you add or manage them through the Services.

We may apply pseudonymization (replacing identifiers with pseudonyms) and anonymization (removing identifiers) to reduce privacy risk where exact identity is not needed.


3. AMICUS’ COMMITMENT

We recognize the responsibilities that come with processing personal data—privacy, confidentiality, security, access, and transparency—and we take these seriously. Amicus aligns with the Kenya Data Protection Act (KDPA) and, where relevant, principles from the EU General Data Protection Regulation (GDPR) and other applicable data protection laws (“Data Protection Laws”). We:

  • Process personal data on a lawful basis and for specified purposes;

  • Practice data minimization and implement privacy-by-design and security-by-default;

  • Execute data processing agreements with processors/sub-processors;

  • Conduct risk-based controls and, where required, Data Protection Impact Assessments (DPIAs);

  • Offer clear choices and respect your data subject rights.


4. HOW DO WE PROTECT YOUR DATA?

We use administrative, technical, and organizational safeguards to protect personal data, including encryption-in-transit, access controls, audit logging, role-based permissions, secure key management, least-privilege principles, and segregation of environments. Additional measures:

  • Pseudonymization/anonymization where feasible;

  • Retention limits tied to legal, regulatory, and operational needs;

  • Contractual and policy safeguards for Amicus staff and processors;

  • Vendor due diligence, confidentiality, and security obligations;

  • Incident response procedures and regulatory/beneficiary notifications as required by law.

While we strive to protect information, no system is impenetrable. You also play a role: keep credentials secret, use private networks where possible, and alert us promptly if you suspect unauthorized access.

Unless a different period is stated below, we generally retain personal data for up to seven (7) years or as required by law or contract (e.g., with a Payer), or longer if needed to establish, exercise, or defend legal claims.


5. AMICUS PRODUCTS AND SERVICES

A. Websites and Public Pages

Role. For our websites and public pages, Amicus is the controller of the personal data you provide or that we collect through cookies and similar technologies.

Data and purposes. We process device and usage data (e.g., IP address, device type, approximate location, pages viewed, timestamps, error logs), contact submissions, and job applications to operate, secure, troubleshoot, and improve the sites; respond to inquiries; manage careers; and prevent abuse/fraud.

Legal basis. Legitimate interests (running secure, useful websites), and consent where required (e.g., non-essential cookies).

Cookies.

  • Necessary cookies (essential features, security, session continuity) – cannot be turned off in our systems.

  • Analytics cookies (usage and performance) – you may manage preferences via our cookie banner or browser settings.
    Turning off some cookies may affect site functionality.

Location & retention. Hosting and analytics tools may process data in Kenya, the EEA, or other jurisdictions with appropriate safeguards. Website data is retained only as necessary for these purposes and legal compliance.


B. Payer-Supported Programs (when your benefits are administered by a Payer)

Role. Amicus typically acts as a processor for the Payer (the controller). The Payer’s privacy notice governs; contact them for controller-level requests (unless they appoint us for customer support).

Data and purposes.

  • Registration & account data (e.g., name, date of birth, gender, contacts, IDs, membership numbers, organization, staff ID, location, address, tax ID) to create/manage your Amicus Account and meet KYC/AML obligations.

  • Biometrics (if required by the Payer) for identification and fraud prevention, collected by a Provider using approved devices.

  • Treatment and health data (e.g., claims, invoices, items billed, diagnoses, medical notes, history, referrals, authorizations, visited providers, benefits/limits) to enable access to services, claims adjudication, and program administration.

Legal basis. Performance of contract with/for the Payer and you; legal obligations (e.g., AML/KYC); legitimate interests (platform security/fraud prevention).

Retention. As instructed by the Payer and as required for legal compliance.


C. Amicus-Branded Programs (including Health Journeys and donor-funded benefits)

Role. Amicus is a controller (and in some cases, a joint controller with a participating Payer/partner).

Data and purposes.

  • Registration & account data (name, DOB, gender, contact, national ID/passport/birth certificate, tax ID, dependent details) for account creation, eligibility checks, and KYC/AML.

  • Biometrics (if explicitly required and lawful) for identification/fraud prevention.

  • Treatment and health data provided by you or Providers to enable triage, guided journeys, referrals, and coordination.

  • Engagement data (journey steps, messages, uploads) to personalize your experience, track progress, and improve the Services.

  • Marketing/communications (product updates, surveys, satisfaction) where permitted; you can opt out at any time.

Legal basis. Performance of contract; consent (where required, e.g., certain health data uses, marketing); legitimate interests (service improvement, security, fraud prevention); legal obligations.

Retention. Typically up to 7 years, or as required by law/contract.


D. Distribution of Programs and Fundraising Campaigns

Role. Amicus distributes programs and facilitates Fundraising Campaigns for named beneficiaries. Depending on context, Amicus may act as controller, joint controller, or processor (e.g., for licensed insurance intermediaries or Payers).

Data and purposes.

  • KYC/contact (identity, contacts, IDs, dependent info) to distribute programs, enroll participants, manage Campaigns, and meet AML/KYC obligations.

  • Program/benefit details (plan type, limits, dependents) and payment info (mobile money, card, bank details) to process purchases/donations.

  • Campaign data (beneficiary profile, case description, budget, updates) for transparency, fraud prevention, and donor reporting.

  • Marketing where permitted (opt-out available).

Legal basis. Contract performance; legal obligations (AML/KYC); legitimate interests (preventing fraud, ensuring donor trust); consent where required.

Retention. Up to 7 years or as required by law/contract (e.g., financial/tax records).


E. Program Facilitation / Claims Coordination (including pre-authorization support)

Role.

  • For Payer-supported programs: Amicus is usually a processor.

  • For Amicus-branded programs: Amicus is a controller (sometimes joint controller).

Data and purposes.

  • KYC/contact, financial/claim data, visited provider, service charges, and medical information required to assess eligibility, appropriateness, fraud risk, and to coordinate care/payments.

Legal basis. Contract performance; legal obligations; legitimate interests (network integrity, fraud prevention).

Retention. As required by program terms and applicable law.


F. Loans and Payments Facilitation

Role. Amicus may facilitate payments or loans through licensed payment providers and lenders. Amicus is generally a controller alongside the financial partner (each for its own processing). See the partner’s privacy notice for their processing.

Data and purposes.

  • KYC (full name, national ID, contact, address),

  • Financial/payment data (amounts, accounts, mobile money, repayments),
    to process payments, disbursements, reconciliations, risk checks, and regulatory reporting.

Legal basis. Contract performance; legal obligations (AML/KYC, financial reporting); legitimate interests (fraud prevention, security).

Retention. Up to 7 years or as required by finance/tax/AML laws.


G. General Platform & Operational Processing (including AI-assisted features)

Role. Amicus is the controller for platform operations and improvement.

Data and purposes.

  • Access & support. Username (email/phone), platform identifiers, authentication logs, tickets, and correspondence for user support.

  • Monitoring & security. Pseudonymized usage analytics, IP/address, device details, cookies/SDK signals to diagnose issues, improve performance, and protect against abuse/fraud.

  • AI-assisted features. We use machine-learning models for language support, intent detection, triage prompts, quality monitoring, and analytics. We strive to minimize personal data in training where feasible and apply safeguards.

  • Automated decision-making. Certain features may use automated scoring or routing (e.g., suspected fraud or unsafe content). You can request human review of decisions that produce legal or similarly significant effects.

  • Marketing & surveys. With consent where required; you may opt out at any time.

  • Call recordings. For quality and training, where permitted by law and with any required notices/consent.

Cookies/SDKs.

  • Necessary (security, session, SSO, stability) – essential to function.

  • Analytics (usage/performance) – configurable via cookie banner where available.

Legal basis. Legitimate interests (operate, secure, and improve Services); consent where required; legal obligations.

Retention. Up to 7 years or as necessary for the purposes above and compliance.

Children’s data. Where Services involve children (e.g., as dependents), we collect/process data with consent of a parent/guardian and in line with applicable laws.

Vital interests & safety. In limited circumstances (e.g., credible threats of serious harm), we may process/share data to protect life or physical integrity, consistent with law.

Emergency disclaimer. Amicus is not an emergency service. For emergencies in Kenya, call 999 or 112.


6. WHERE DO WE PROCESS DATA?

We aim to host and process data in-country or within the EEA where feasible. Otherwise, data may be processed in other jurisdictions with appropriate safeguards (e.g., contractual clauses, risk assessments, and technical protections). Some support activities may occur from operational offices outside your country. You may contact us for current hosting and processor locations.


7. WHO DO WE SHARE DATA WITH?

We share personal data only as necessary and lawful:

  • Payers and Providers participating in your Program or care;

  • Payment processors, mobile money operators, and licensed lenders to complete transactions;

  • CBOs/NGOs/CSOs and program partners involved in your selected Program or Campaign;

  • Vendors/processors (cloud hosting, analytics, communications, security, support) under contract and bound to our instructions;

  • Regulators, courts, or law enforcement where required by law;

  • Other third parties with your consent or as permitted/required by law.

We may share aggregated/anonymized insights that do not identify individuals.


8. YOUR RIGHTS

Where Amicus is the controller, you (or your authorized representative) may exercise these rights under Data Protection Laws:

  • Access. Request a copy/summary of personal data we hold about you.

  • Rectification. Correct incomplete or inaccurate data.

  • Erasure. Request deletion in certain cases (e.g., no longer needed, unlawful processing).

  • Restriction. Ask us to limit processing in specific circumstances.

  • Portability. Receive certain data in a structured, commonly used, machine-readable format.

  • Object/opt-out. Object to processing based on legitimate interests and opt out of direct marketing at any time.

  • Withdraw consent. Where processing relies on consent, you may withdraw it; this does not affect prior lawful processing.

  • Human review. Request human intervention and to contest decisions with legal or similarly significant effects made solely by automated means.

Important: If a Payer (or your organization) is the controller, please contact them directly for rights requests (unless they have appointed Amicus to handle requests).

We will respond within statutory timelines. We may take steps to verify your identity and, where appropriate, ask you to clarify your request. Some data must be retained to meet legal or contractual obligations.


9. CONTACT AND COMPLAINTS

Amicus Contact:

  • Entity Name: Amicus Wellness FLAGs

  • Address: P. O. Box 4059 - 00200 Nairobi

  • Email (privacy): help[at]amicus.co.ke

  • Telephone: +254 795 797 328

  • Website: https://www.amicus.co.ke

  • Data Protection Officer: [Contact Us]

If you have questions, concerns, or complaints about our data processing or your rights, please contact us using the details above. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (Kenya). We appreciate the opportunity to address your concerns first.


10. UPDATES TO THIS POLICY

We may update this Privacy Policy to reflect changes in our Services, legal requirements, or best practices. Material changes may be shown in-app at next sign-in, via messaging, or email. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.


QUICK SUMMARY OF ROLES (for clarity)

  • Payer-Supported Programs: Amicus = processor; Payer = controller.

  • Amicus-Branded Programs & Health Journeys: Amicus = controller (sometimes joint controller with a Payer/partner).

  • Payments/Loans: Amicus and financial partners = separate controllers for their respective processing.

  • Platform Operations/Analytics/Security/AI: Amicus = controller.


End of Privacy Policy