Trust Center

Privacy Policy

Last updated: June 2026

1. Who We Are and How to Contact Us

1.1 About Crucibel

Crucibel Technology Ltd. ("Crucibel", "we", "us", or "our") is a technology company incorporated under the Companies Act 2015 and registered in the Republic of Kenya. We operate NOVA, a cloud-based Health Information Exchange (HIE) and Health Management Information System (HMIS) platform, delivered as a Software-as-a-Service product to healthcare organisations in Kenya.

Crucibel is registered as both a data controller and a data processor with the Office of the Data Protection Commissioner (ODPC) as required under the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021.

1.2 Our Roles Under the Kenya Data Protection Act 2019

RoleWhen It AppliesWhat It Means
Data ControllerWhen processing personal data of our own staff, job applicants, website visitors, business contacts and NOVA platform users (administrators)Crucibel determines the purpose and means of the processing. This Privacy Policy primarily governs these activities.
Data ProcessorWhen processing patient health data on NOVA on behalf of our client healthcare organisationsCrucibel follows the instructions of the client data controller. Patient health data processing is governed by our Data Processing Agreement and Health Data & Confidentiality Policy, not primarily this Privacy Policy.

1.3 Data Protection Officer

Crucibel has appointed a Data Protection Officer (DPO) who is responsible for overseeing our compliance with Kenyan data protection law and this Privacy Policy. You can contact our DPO for any privacy-related query, request, or concern:

Email:dpo@crucibel.org
Post:Data Protection Officer, Crucibel Technology Ltd., Nyali, Mombasa, Kenya
Subject line:"Privacy Query" or "Data Subject Rights Request"

2. Who This Privacy Policy Applies To

This Privacy Policy governs Crucibel's processing of personal data as a data controller. It applies to the following categories of individuals ("data subjects"):

Data Subject CategoryDescription
NOVA Platform UsersHealthcare professionals, administrators, system administrators and other authorised users who create accounts and log in to the NOVA platform. This Policy governs Crucibel's processing of their account and usage data.
Client Organisation ContactsEmployees, officers and representatives of healthcare organisations that contract with Crucibel for NOVA services — including signatories, procurement contacts and billing contacts.
Crucibel Employees & ContractorsCurrent, former and prospective employees and contractors of Crucibel. A separate HR Data Privacy Notice governs employment-context processing; this Policy covers general internal processing.
Job ApplicantsIndividuals who apply for employment or engagement with Crucibel through any channel.
Website & Marketing ContactsVisitors to www.crucibel.org, individuals who subscribe to Crucibel communications, attend Crucibel events, or interact with Crucibel on social media or professional networks.
Business & Government PartnersRepresentatives of partner organisations, government agencies, development partners, NGOs and research institutions who engage with Crucibel at an organisational level.

Patient Health Data — Important Distinction

Patient health data processed through NOVA belongs to patients receiving care at Crucibel's client healthcare facilities. Crucibel processes that data as a data processor on behalf of the client data controller — not under this Privacy Policy. Patients seeking information about how their health records are handled should contact their healthcare provider directly, or refer to Crucibel's Health Data & Confidentiality Policy.

3. What Personal Data We Collect

We collect and process the following categories of personal data, depending on your relationship with Crucibel:

3.1 NOVA Platform User Data

When you are registered as an Authorised User of NOVA, we collect:

  • Identity data: Full name, job title, professional registration number (where applicable)
  • Contact data: Work email address, work telephone number, health facility name and location
  • Account data: Username, encrypted password, assigned role and access permissions, system administrator designation
  • Usage and access data: Login timestamps, IP addresses, device information, session duration, pages and modules accessed, records viewed or modified, data export events, API calls
  • Security data: MFA device identifiers, failed login attempts, security alert events
  • Training and compliance data: Training completion records, policy acknowledgement timestamps

3.2 Client Organisation Contact Data

When your organisation contracts with Crucibel for NOVA services, we collect:

  • Name, job title and contact details of the organisation's key contacts, signatories and procurement officers
  • Professional email addresses and telephone numbers for service delivery, invoicing and communications
  • Correspondence and communication records (emails, meeting notes, support tickets)
  • Contract execution data, including e-signature records

3.3 Job Applicant Data

When you apply for a role at Crucibel, we collect:

  • Identity data: Full name, date of birth, national identification number or passport details
  • Contact data: Email address, telephone number, physical address
  • Professional data: Curriculum vitae (CV), employment history, academic qualifications, professional references
  • Assessment data: Interview notes, test scores, background check results (where applicable and lawful)
  • Right to work data: Verification documents confirming eligibility to work in Kenya

3.4 Website and Marketing Data

When you visit www.crucibel.org or interact with Crucibel online, we may collect:

  • Technical data: IP address, browser type and version, operating system, device type, pages visited, time and date of visit, referring URL
  • Cookie data: Session cookies, analytics cookies (see Section 3.6 on cookies)
  • Contact form data: Name, email address, organisation and the content of any message you submit
  • Marketing preferences: Email subscription status, event registration details, communication preferences

3.5 Data We Collect From Third Parties

In limited circumstances we may receive personal data about you from third parties, including:

  • From client organisations: Contact details of their staff provided during onboarding and contract administration
  • From professional networks (e.g., LinkedIn): Publicly available professional profile information for business development or recruitment purposes
  • From background check providers: Verification results for job applicants, where authorised by Kenyan law and with the applicant's consent
  • From referees: Professional reference information provided during a recruitment process

3.6 Cookies and Tracking

The NOVA platform and Crucibel website use cookies and similar tracking technologies. We use the following types:

Cookie TypePurposeLegal Basis
Strictly NecessarySession management, authentication, security, MFALegitimate interest and legal obligation — these cannot be disabled as they are essential for platform security
FunctionalUser preferences, language settings, interface personalisationConsent — you may withdraw consent via your browser settings or the cookie preference centre
AnalyticsPlatform usage statistics, performance monitoring, user experience improvementConsent — analytics data is aggregated and anonymised wherever possible

You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may affect your ability to use the NOVA platform or Crucibel website.

4. How and Why We Use Your Personal Data

We only process your personal data where we have a valid lawful basis under the Kenya Data Protection Act 2019. The table below sets out our processing activities, their purposes and the legal basis for each:

4.1 NOVA Platform User Data

Processing ActivityPurposeLawful Basis (KDPA)
Creating and managing your NOVA user accountEnabling authorised access to the platformPerformance of a contract (S.30(b))
Authenticating your identity at login (including MFA)Protecting platform security and preventing unauthorised accessLegitimate interests — security (S.30(e))
Logging all access to patient records and platform actionsAudit trail for compliance, incident investigation and patient data protectionLegal obligation (S.30(f)); legitimate interests (S.30(e))
Assigning and managing roles and access permissionsEnforcing data minimisation and access control obligationsLegal obligation (S.30(f)); performance of contract
Recording training completion and policy acknowledgementDemonstrating compliance with KDPA accountability requirementsLegal obligation (S.30(f))
Monitoring platform usage for security anomaliesDetecting and investigating potential security incidents and policy breachesLegitimate interests — security (S.30(e))
Sending system notifications, updates and service communicationsKeeping users informed about platform changes, maintenance and security alertsPerformance of a contract; legitimate interests (S.30(e))

4.2 Client Organisation Contact Data

Processing ActivityPurposeLawful Basis (KDPA)
Contract administration and service deliveryManaging the Service Agreement and delivering NOVA servicesPerformance of a contract (S.30(b))
Invoicing and financial administrationIssuing invoices, processing payments, maintaining financial recordsPerformance of a contract; legal obligation (S.30(b),(f))
Technical support and onboardingDelivering implementation, training and ongoing supportPerformance of a contract (S.30(b))
Compliance and regulatory reportingMeeting KDPA, ODPC and Ministry of Health reporting obligationsLegal obligation (S.30(f))
Business relationship management and communicationsMaintaining the client relationship, service reviews, renewal discussionsLegitimate interests (S.30(e))

4.3 Job Applicant Data

Processing ActivityPurposeLawful Basis (KDPA)
Reviewing applications and assessing suitabilityEvaluating candidates for the applied rolePre-contractual steps at data subject's request (S.30(b))
Conducting interviews and assessmentsAssessing technical and cultural fitPre-contractual steps (S.30(b))
Background verificationVerifying qualifications, right to work and professional standing — conducted only where lawful and with applicant consentConsent (S.30(a)); legal obligation (S.30(f))
Retaining applications for future opportunitiesConsidering applicants for future suitable rolesConsent (S.30(a)) — we will ask for this separately

4.4 Website and Marketing Data

Processing ActivityPurposeLawful Basis (KDPA)
Website analytics and performance monitoringUnderstanding how the website is used and improving user experienceConsent — analytics cookies (S.30(a))
Responding to contact form enquiriesResponding to your question or requestConsent; legitimate interests (S.30(a),(e))
Sending Crucibel newsletters and marketing communicationsKeeping you informed about NOVA updates, digital health news and Crucibel eventsConsent (S.30(a)) — you may opt out at any time
Event registration and managementOrganising webinars, conferences and training eventsPerformance of a contract; consent (S.30(a),(b))

5. Legal Bases for Processing

Under the Kenya Data Protection Act 2019 (Section 30), personal data may only be processed on a valid legal basis. Crucibel relies on the following bases:

Legal BasisWhen We Rely on ItYour Rights
Consent (S.30(a))Marketing communications; analytics cookies; retaining job applications for future roles; specific secondary uses where no other basis appliesYou have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Contact dpo@crucibel.org or use the unsubscribe link in any marketing email.
Performance of Contract (S.30(b))Providing NOVA platform access; managing user accounts; delivering implementation and support services; processing invoicesIf you object to processing on this basis, note that it may not be possible to provide you with the relevant service.
Legal Obligation (S.30(f))Audit logging (KDPA accountability); ODPC reporting; financial record-keeping; responding to valid court orders and regulatory directionsWe must process this data to comply with Kenyan law. You cannot object to processing on this basis.
Legitimate Interests (S.30(e))Platform security monitoring; fraud prevention; business relationship management; direct marketing to existing clients (B2B); improving NOVA platform featuresYou have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Healthcare Provision / Vital Interests (S.30(b),(c))Processing health data in the context of providing NOVA as a data processor to healthcare clients — see Health Data & Confidentiality Policy for detailsRights exercised through the client healthcare organisation as data controller.

6. Who We Share Your Personal Data With

Crucibel does not sell your personal data. We share it only where necessary for the purposes described in this Policy, with appropriate safeguards in place.

6.1 Within Crucibel

Your data is accessed internally only by Crucibel staff who have a legitimate need for it in the course of their duties — for example, the engineering team for platform support, the finance team for invoicing and the HR team for employment matters. All staff are bound by confidentiality obligations and complete data protection training.

6.2 Cloud Infrastructure and Hosting Providers

NOVA is hosted on cloud infrastructure provided by our carefully selected cloud service partners. These providers process data on our behalf and are bound by Data Processing Agreements that impose data protection obligations at least equivalent to those under the KDPA. Infrastructure is hosted in Kenya or, where necessary, in jurisdictions subject to Transfer Impact Assessments.

6.3 Cybersecurity and SIEM Providers

We share system access logs and security telemetry with our security monitoring partners to detect, investigate and respond to security incidents. These providers act as data processors under our instruction and are bound by DPAs.

6.4 Communication and Notification Services

We use third-party email and SMS service providers to send NOVA system notifications, alerts and marketing communications. These providers process contact information on our behalf under DPAs.

6.5 Professional Advisers

We share data with our legal advisers, auditors and accountants where necessary for legal, financial, or regulatory purposes. These parties are bound by professional confidentiality obligations and, where applicable, DPAs.

6.6 Client Healthcare Organisations

We share NOVA user account and access data with the System Administrator of the relevant client organisation to support access management, training compliance monitoring and incident investigation at that organisation.

6.7 Government and Regulatory Authorities

We share personal data with public authorities only where required by Kenyan law or a valid court order. This includes:

  • The Office of the Data Protection Commissioner (ODPC) in connection with data protection compliance obligations and breach notifications
  • The Kenya Revenue Authority (KRA) for tax compliance purposes
  • The Kenya Police Service or Directorate of Criminal Investigations (DCI) where required by a valid court order or legal process
  • The Ministry of Health or county health authorities for lawful public health reporting obligations

6.8 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or substantially all of Crucibel's business or assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and ensure the acquiring entity is bound by data protection obligations at least equivalent to those in this Policy.

No Sale of Personal Data

Crucibel does not sell, rent, or trade your personal data to any third party for their own commercial purposes. We are not an advertising platform. Our revenue comes from NOVA subscriptions, not from monetising user data.

7. International and Cross-Border Data Transfers

NOVA is a Kenya-focused platform and we store and process your personal data primarily within Kenya. However, some of our cloud infrastructure providers, security partners and software tools may involve the transfer of personal data to servers located outside Kenya.

Whenever we transfer personal data outside Kenya, we ensure that one of the following safeguards applies:

SafeguardHow It Protects Your Data
Adequacy DecisionTransfer to a country that the ODPC has determined provides an adequate level of data protection equivalent to Kenyan standards.
Standard Contractual Clauses (SCCs)Binding contractual obligations imposed on the recipient requiring them to protect your data to KDPA-equivalent standards.
Transfer Impact Assessment (TIA)Assessment of whether the legal environment in the destination country adequately protects your rights, with additional safeguards implemented where necessary.

You may request details of the specific safeguards in place for any cross-border transfer by contacting dpo@crucibel.org.

8. How Long We Keep Your Personal Data

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable Kenyan law. The following retention schedule applies:

Data CategoryRetention PeriodBasis for Retention
NOVA user account data (active)Duration of accountPerformance of contract — access required while the user's role continues
NOVA user account data (inactive / offboarded)90 days after deactivation, then deleted or anonymisedLimited retention for audit and incident investigation purposes; then minimisation by deletion
NOVA platform audit logs and access records7 yearsKDPA accountability requirements; legal limitation periods under Kenyan law; security investigation purposes
Client contract and commercial records7 years from contract endTax and financial record-keeping obligations under the Income Tax Act and VAT Act
Successful job applicant dataDuration of employment, then per HR retention policyEmployment contract; legal obligation
Unsuccessful job applicant data6 months from decision, then deletedLegitimate interest in responding to any queries; KDPA data minimisation obligation
Retained applicant data (consented)Up to 12 months from consent, with renewalConsent — you may withdraw at any time
Marketing contact data (subscribed)Until you unsubscribe or withdraw consentConsent — opt-out is available in every communication
Website analytics data13 months rolling (anonymised after 30 days)Consent; legitimate interests — anonymised after initial period
Security incident records7 yearsLegal obligation; legitimate interests in security improvement and potential legal proceedings

At the end of each retention period, data is securely deleted or anonymised. We do not retain data longer than necessary. If you would like to know the specific retention period applicable to your data, please contact dpo@crucibel.org.

9. Your Data Protection Rights

Under the Kenya Data Protection Act 2019, you have the following rights in relation to your personal data processed by Crucibel as data controller. These rights apply to your own personal data — not to patient health data processed on behalf of a client healthcare organisation.

RightWhat It MeansHow to Exercise It
Right to Be InformedThe right to receive clear, transparent information about how your personal data is used — which is the purpose of this Privacy Policy.This Policy fulfils this right. If you have questions, contact dpo@crucibel.org.
Right of AccessThe right to receive a copy of the personal data we hold about you and information about how we process it.Submit a written request to dpo@crucibel.org. We will respond within 21 days. The first request is free; a fee may be charged for subsequent requests within 12 months.
Right to RectificationThe right to have inaccurate or incomplete personal data corrected without delay.Contact dpo@crucibel.org with the correction required. We will update records within 21 days and notify any third parties to whom the inaccurate data was shared.
Right to ErasureThe right to request deletion of your personal data where it is no longer necessary, you have withdrawn consent, or processing is unlawful.Contact dpo@crucibel.org. Note that we may be required to retain some data for legal obligations. We will explain any limitations on erasure within 21 days.
Right to Data PortabilityThe right to receive your personal data in a structured, machine-readable format and to transmit it to another organisation.Applies to data you provided to us processed on the basis of consent or contract. Submit a request to dpo@crucibel.org.
Right to ObjectThe right to object to processing based on legitimate interests or for direct marketing purposes.For direct marketing: use the unsubscribe link in any email or contact dpo@crucibel.org. For other processing: contact dpo@crucibel.org with the specific processing you object to.
Right to Restrict ProcessingThe right to request that we limit how we use your data, for example while a dispute about accuracy or legitimacy is resolved.Contact dpo@crucibel.org with details of the restriction you are requesting and the grounds.
Right to Withdraw ConsentWhere we process your data on the basis of consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.Use the unsubscribe link (marketing), cookie preference centre (analytics), or contact dpo@crucibel.org.

Response Timeframes

We will acknowledge all data subject rights requests within 5 business days and provide a substantive response within 21 days of receipt. Where a request is complex or we receive multiple requests, we may extend this to 45 days — we will notify you if this is the case and explain why.

9.1 How to Exercise Your Rights

To exercise any of the rights above, please contact our Data Protection Officer:

  • Email: dpo@crucibel.org (preferred — please use the subject line "Data Subject Rights Request")
  • Post: Data Protection Officer, Crucibel Technology Ltd., Nyali, Mombasa, Kenya

We may need to verify your identity before processing your request to protect you and other data subjects. We will not charge a fee for the first request; we reserve the right to charge a reasonable administrative fee for manifestly unfounded or excessive requests.

9.2 Right to Lodge a Complaint

If you are not satisfied with how Crucibel has handled your personal data or responded to your rights request, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC):

  • Website: www.odpc.go.ke
  • Address: Office of the Data Protection Commissioner, Nairobi, Kenya

We would, however, appreciate the opportunity to address your concerns before you contact the ODPC. Please contact our DPO in the first instance.

10. How We Protect Your Personal Data

Crucibel takes the security of your personal data seriously. We implement and maintain technical and organisational security measures appropriate to the nature of the data we process and the risks involved. Our security programme includes:

Control CategoryMeasures Implemented
EncryptionAES-256 encryption for all personal data at rest; TLS 1.3 for all data in transit. Encryption keys managed via Hardware Security Modules (HSMs).
Access ControlMulti-factor authentication mandatory for all staff; role-based access control; principle of least privilege; privileged access management for administrative functions.
Monitoring24/7 Security Information and Event Management (SIEM) monitoring; real-time anomaly detection; immutable audit logging of all data access.
Vulnerability ManagementWeekly automated vulnerability scanning; critical patches applied within 72 hours; annual third-party penetration testing by certified ethical hackers.
Staff TrainingMandatory annual data protection and cybersecurity training for all staff; quarterly phishing simulation exercises; clear desk and screen policy.
Incident ResponseDocumented incident response plan; 72-hour ODPC notification procedure for notifiable breaches; cyber insurance; regular incident response drills.
Business ContinuityDaily automated backups; Recovery Time Objective (RTO) of 4 hours for critical services; Recovery Point Objective (RPO) of 1 hour for platform data; annual DR testing.
Third-Party SecurityAll sub-processors and suppliers are assessed against security standards; ISO 27001 or SOC 2 Type II certification required for cloud providers; DPAs with all processors.

No Absolute Guarantee

While we implement industry-leading security measures, no digital platform can guarantee absolute security against all threats. If you become aware of any security vulnerability or suspicious activity relating to your Crucibel or NOVA account, please report it immediately to security@crucibel.org.

11. Personal Data Breach Notification

In the event of a personal data breach that is likely to affect your rights or cause you harm, Crucibel will:

  • Notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware, in accordance with Section 43 of the Kenya Data Protection Act 2019
  • Notify affected individuals without undue delay where the breach is likely to result in high risk to their rights and freedoms — for example, where there is a risk of identity theft, financial loss, discrimination, or harm to reputation
  • Provide you with a clear description of: the nature of the breach; the categories and approximate number of data subjects affected; the likely consequences; and the measures taken or proposed to address it
  • Maintain a breach register and cooperate fully with any ODPC investigation

If you believe your personal data has been involved in a breach, please contact dpo@crucibel.org immediately.

12. Children's Privacy

Crucibel's website and NOVA platform are not directed at children (persons under 18 years of age) as end users. We do not knowingly collect personal data directly from children through our website or marketing activities.

Patient health data of children is processed through NOVA as part of healthcare delivery by our client organisations. This processing is governed by the Health Data & Confidentiality Policy and is subject to the Children Act 2022 and applicable clinical consent guidelines. Client healthcare organisations are responsible for obtaining appropriate parental or guardian consent for processing children's health data.

If you believe we have inadvertently collected personal data from a child without appropriate consent, please contact dpo@crucibel.org and we will take prompt steps to delete it.

13. Marketing and Commercial Communications

13.1 What We Send

With your consent, we may send you:

  • NOVA product updates, feature announcements and release notes
  • Digital health insights, research and thought leadership from Crucibel
  • Invitations to Crucibel webinars, training events and conferences
  • Information about new NOVA modules or services that may be relevant to your work

We do not serve third-party advertising and we do not share your data with advertisers. Crucibel products and communications are ad-free.

13.2 Opting Out

You can opt out of marketing communications at any time by:

  • Clicking the "unsubscribe" link at the bottom of any marketing email
  • Contacting us at dpo@crucibel.org with the subject line "Marketing Opt-Out"

Opting out of marketing will not affect receipt of service-related communications (e.g., NOVA maintenance notifications, security alerts, or communications necessary to deliver the NOVA service to your organisation).

14. Third-Party Links and External Services

The Crucibel website and the NOVA platform may contain links to third-party websites, resources, or services — for example, links to the ODPC, Ministry of Health, DHIS2, or partner organisations. This Privacy Policy applies only to Crucibel's own processing of personal data.

Crucibel is not responsible for the privacy practices or content of third-party websites or services. We encourage you to read the privacy policies of any third-party services you access via links from our website or platform before providing them with any personal data.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in Kenyan data protection law, ODPC guidance, our business operations, or the NOVA platform.

When we make material changes, we will:

  • Update the "Last Revised" date at the top of this document
  • Notify NOVA platform users via an in-platform notification or email to the address associated with their account
  • Post the updated Policy on www.crucibel.org

We encourage you to review this Policy periodically. Your continued use of NOVA or Crucibel's website after a change has been notified constitutes acceptance of the updated Policy.

15.1 Version History

VersionDateAuthorSummary of Changes
1.01 July 2025Data Protection OfficerInitial version — Privacy Policy established for NOVA Kenya market launch

16. Contact Information and Regulatory Oversight

16.1 Crucibel Data Protection Officer

For all privacy queries, data subject rights requests and data protection concerns, please contact:

Role:Data Protection Officer, Crucibel Technology Ltd.
Email:dpo@crucibel.org
Response time:Acknowledgement within 5 business days; substantive response within 21 days
Post:Data Protection Officer, Crucibel Technology Ltd., Nyali, Mombasa, Kenya

16.2 Key Crucibel Contacts

FunctionContactEmail
Data Protection / PrivacyData Protection Officerdpo@crucibel.org
Security Incidents & BreachesSecurity Operations Teamsecurity@crucibel.org
Legal & ContractualLegal Teamlegal@crucibel.org
General EnquiriesCrucibelinfo@crucibel.org
NOVA SupportSupport Teamsupport@crucibel.org

16.3 Regulatory Authority

The supervisory authority for data protection in Kenya is the Office of the Data Protection Commissioner (ODPC). You have the right to lodge a complaint with the ODPC at any time if you believe we have not handled your personal data lawfully:

Authority:Office of the Data Protection Commissioner (ODPC)
Website:www.odpc.go.ke
Location:Nairobi, Kenya