Last updated: April 2026

This policy explains how ZIOMED ("we", "us") handles your personal information when you visit ziomed.health, place an order, or reach out to us by phone, email or WhatsApp. We process your data under the Kenya Data Protection Act, 2019, and try to keep our use of it proportional and boring: enough to get your order to your door and nothing fancier.

Who is responsible for your data

ZIOMED Pharmacy, based in Nairobi, Kenya, is the data controller for the information described below. If you have a question or a complaint, write to [email protected] and mark the subject line "Data Privacy". We aim to respond within seven working days.

What we collect

We only collect what we actually need. That usually falls into three buckets:

  • Account and order details — your name, phone number, delivery address, email, and the items you order. If you create an account we also keep a hashed version of your password (we cannot read it).
  • Payment information — handled directly by our payment partner Paystack and M-Pesa. We receive a transaction reference and the last four digits of a card, not the full card number or PIN.
  • Usage data — the pages you visit, your device type, the browser you use, approximate location from your IP, and interactions captured by Microsoft Clarity so we can see where people get stuck on the site.

For prescription orders we also collect the uploaded prescription image, the prescriber's name where visible, and any notes you add at checkout. These are treated as sensitive health data and stored separately from the rest of your account.

Why we use it

  • To take and fulfil your order: picking stock, printing a delivery note, calling you if something is out of stock.
  • To meet our obligations under pharmacy and consumer-protection law, including keeping records the Pharmacy and Poisons Board may ask for.
  • To run the site itself — fraud checks, cart recovery, and working out which pages are slow or broken.
  • To send you order updates via SMS, email or WhatsApp. These are transactional and you cannot opt out of them while an order is active.
  • To send occasional marketing if you opted in. You can unsubscribe at any time using the link in the email or by replying STOP to an SMS.

Who we share it with

We do not sell your data. We share limited information with:

  • Paystack and Safaricom (M-Pesa) to process payments.
  • Delivery riders and courier partners — the ones who actually bring the parcel, so they get your name, phone and address and nothing else.
  • Microsoft Clarity and Google for analytics, in anonymised form where possible.
  • Law enforcement or regulators when we have a valid legal request.

How long we keep it

Order records are retained for seven years to satisfy tax and pharmacy record-keeping rules. Account information stays until you ask us to delete it. Analytics logs roll off after 13 months. Prescription images are kept for five years and then purged.

Your rights

Under the Data Protection Act you can ask us to:

  • Show you a copy of the personal data we hold about you.
  • Correct anything that is wrong or out of date.
  • Delete your account and its data, unless we are legally required to keep it (for example, completed orders within the seven-year window).
  • Stop using your data for marketing.
  • Take a complaint to the Office of the Data Protection Commissioner at odpc.go.ke if you are not satisfied with how we responded.

Cookies

The site uses a small number of cookies: one to keep you logged in, one to remember your cart, a CSRF token to block form hijacking, and the Microsoft Clarity tag for heatmaps. You can block them in your browser settings, but logging in and checking out will not work properly without the first three.

Security

Traffic to and from the site runs over HTTPS. Passwords are hashed with bcrypt. Sensitive files (environment variables, the database and admin scripts) sit behind server rules that refuse direct access. We are not going to pretend we are impossible to breach, but we take reasonable steps and we will tell you within 72 hours if anything material does happen.

Children

The site is not intended for children under 18. If you are a parent or guardian and you find that a child has created an account, email us and we will close it and delete the data.

Changes

If we update this policy we will change the "last updated" date at the top. For anything material — new sharing partners, a change in retention period — we will also flag it on the home page for at least two weeks.

Get in touch

Email [email protected] or call +254 768 933871 (Mon–Sat, 8am–7pm).
