Trust Center
Last updated: June 2026
Crucibel Technology Ltd. ("Crucibel", "we", "us", or "our") is a technology company incorporated under the Companies Act 2015 and registered in the Republic of Kenya. We operate NOVA, a cloud-based Health Information Exchange (HIE) and Health Management Information System (HMIS) platform, delivered as a Software-as-a-Service product to healthcare organisations in Kenya.
Crucibel is registered as both a data controller and a data processor with the Office of the Data Protection Commissioner (ODPC) as required under the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021.
| Role | When It Applies | What It Means |
|---|---|---|
| Data Controller | When processing personal data of our own staff, job applicants, website visitors, business contacts and NOVA platform users (administrators) | Crucibel determines the purpose and means of the processing. This Privacy Policy primarily governs these activities. |
| Data Processor | When processing patient health data on NOVA on behalf of our client healthcare organisations | Crucibel follows the instructions of the client data controller. Patient health data processing is governed by our Data Processing Agreement and Health Data & Confidentiality Policy, not primarily this Privacy Policy. |
Crucibel has appointed a Data Protection Officer (DPO) who is responsible for overseeing our compliance with Kenyan data protection law and this Privacy Policy. You can contact our DPO for any privacy-related query, request, or concern:
| Email: | dpo@crucibel.org |
| Post: | Data Protection Officer, Crucibel Technology Ltd., Nyali, Mombasa, Kenya |
| Subject line: | "Privacy Query" or "Data Subject Rights Request" |
This Privacy Policy governs Crucibel's processing of personal data as a data controller. It applies to the following categories of individuals ("data subjects"):
| Data Subject Category | Description |
|---|---|
| NOVA Platform Users | Healthcare professionals, administrators, system administrators and other authorised users who create accounts and log in to the NOVA platform. This Policy governs Crucibel's processing of their account and usage data. |
| Client Organisation Contacts | Employees, officers and representatives of healthcare organisations that contract with Crucibel for NOVA services — including signatories, procurement contacts and billing contacts. |
| Crucibel Employees & Contractors | Current, former and prospective employees and contractors of Crucibel. A separate HR Data Privacy Notice governs employment-context processing; this Policy covers general internal processing. |
| Job Applicants | Individuals who apply for employment or engagement with Crucibel through any channel. |
| Website & Marketing Contacts | Visitors to www.crucibel.org, individuals who subscribe to Crucibel communications, attend Crucibel events, or interact with Crucibel on social media or professional networks. |
| Business & Government Partners | Representatives of partner organisations, government agencies, development partners, NGOs and research institutions who engage with Crucibel at an organisational level. |
Patient Health Data — Important Distinction
Patient health data processed through NOVA belongs to patients receiving care at Crucibel's client healthcare facilities. Crucibel processes that data as a data processor on behalf of the client data controller — not under this Privacy Policy. Patients seeking information about how their health records are handled should contact their healthcare provider directly, or refer to Crucibel's Health Data & Confidentiality Policy.
We collect and process the following categories of personal data, depending on your relationship with Crucibel:
When you are registered as an Authorised User of NOVA, we collect:
When your organisation contracts with Crucibel for NOVA services, we collect:
When you apply for a role at Crucibel, we collect:
When you visit www.crucibel.org or interact with Crucibel online, we may collect:
In limited circumstances we may receive personal data about you from third parties, including:
The NOVA platform and Crucibel website use cookies and similar tracking technologies. We use the following types:
| Cookie Type | Purpose | Legal Basis |
|---|---|---|
| Strictly Necessary | Session management, authentication, security, MFA | Legitimate interest and legal obligation — these cannot be disabled as they are essential for platform security |
| Functional | User preferences, language settings, interface personalisation | Consent — you may withdraw consent via your browser settings or the cookie preference centre |
| Analytics | Platform usage statistics, performance monitoring, user experience improvement | Consent — analytics data is aggregated and anonymised wherever possible |
You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may affect your ability to use the NOVA platform or Crucibel website.
We only process your personal data where we have a valid lawful basis under the Kenya Data Protection Act 2019. The table below sets out our processing activities, their purposes and the legal basis for each:
| Processing Activity | Purpose | Lawful Basis (KDPA) |
|---|---|---|
| Creating and managing your NOVA user account | Enabling authorised access to the platform | Performance of a contract (S.30(b)) |
| Authenticating your identity at login (including MFA) | Protecting platform security and preventing unauthorised access | Legitimate interests — security (S.30(e)) |
| Logging all access to patient records and platform actions | Audit trail for compliance, incident investigation and patient data protection | Legal obligation (S.30(f)); legitimate interests (S.30(e)) |
| Assigning and managing roles and access permissions | Enforcing data minimisation and access control obligations | Legal obligation (S.30(f)); performance of contract |
| Recording training completion and policy acknowledgement | Demonstrating compliance with KDPA accountability requirements | Legal obligation (S.30(f)) |
| Monitoring platform usage for security anomalies | Detecting and investigating potential security incidents and policy breaches | Legitimate interests — security (S.30(e)) |
| Sending system notifications, updates and service communications | Keeping users informed about platform changes, maintenance and security alerts | Performance of a contract; legitimate interests (S.30(e)) |
| Processing Activity | Purpose | Lawful Basis (KDPA) |
|---|---|---|
| Contract administration and service delivery | Managing the Service Agreement and delivering NOVA services | Performance of a contract (S.30(b)) |
| Invoicing and financial administration | Issuing invoices, processing payments, maintaining financial records | Performance of a contract; legal obligation (S.30(b),(f)) |
| Technical support and onboarding | Delivering implementation, training and ongoing support | Performance of a contract (S.30(b)) |
| Compliance and regulatory reporting | Meeting KDPA, ODPC and Ministry of Health reporting obligations | Legal obligation (S.30(f)) |
| Business relationship management and communications | Maintaining the client relationship, service reviews, renewal discussions | Legitimate interests (S.30(e)) |
| Processing Activity | Purpose | Lawful Basis (KDPA) |
|---|---|---|
| Reviewing applications and assessing suitability | Evaluating candidates for the applied role | Pre-contractual steps at data subject's request (S.30(b)) |
| Conducting interviews and assessments | Assessing technical and cultural fit | Pre-contractual steps (S.30(b)) |
| Background verification | Verifying qualifications, right to work and professional standing — conducted only where lawful and with applicant consent | Consent (S.30(a)); legal obligation (S.30(f)) |
| Retaining applications for future opportunities | Considering applicants for future suitable roles | Consent (S.30(a)) — we will ask for this separately |
| Processing Activity | Purpose | Lawful Basis (KDPA) |
|---|---|---|
| Website analytics and performance monitoring | Understanding how the website is used and improving user experience | Consent — analytics cookies (S.30(a)) |
| Responding to contact form enquiries | Responding to your question or request | Consent; legitimate interests (S.30(a),(e)) |
| Sending Crucibel newsletters and marketing communications | Keeping you informed about NOVA updates, digital health news and Crucibel events | Consent (S.30(a)) — you may opt out at any time |
| Event registration and management | Organising webinars, conferences and training events | Performance of a contract; consent (S.30(a),(b)) |
Under the Kenya Data Protection Act 2019 (Section 30), personal data may only be processed on a valid legal basis. Crucibel relies on the following bases:
| Legal Basis | When We Rely on It | Your Rights |
|---|---|---|
| Consent (S.30(a)) | Marketing communications; analytics cookies; retaining job applications for future roles; specific secondary uses where no other basis applies | You have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Contact dpo@crucibel.org or use the unsubscribe link in any marketing email. |
| Performance of Contract (S.30(b)) | Providing NOVA platform access; managing user accounts; delivering implementation and support services; processing invoices | If you object to processing on this basis, note that it may not be possible to provide you with the relevant service. |
| Legal Obligation (S.30(f)) | Audit logging (KDPA accountability); ODPC reporting; financial record-keeping; responding to valid court orders and regulatory directions | We must process this data to comply with Kenyan law. You cannot object to processing on this basis. |
| Legitimate Interests (S.30(e)) | Platform security monitoring; fraud prevention; business relationship management; direct marketing to existing clients (B2B); improving NOVA platform features | You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. |
| Healthcare Provision / Vital Interests (S.30(b),(c)) | Processing health data in the context of providing NOVA as a data processor to healthcare clients — see Health Data & Confidentiality Policy for details | Rights exercised through the client healthcare organisation as data controller. |
Crucibel does not sell your personal data. We share it only where necessary for the purposes described in this Policy, with appropriate safeguards in place.
Your data is accessed internally only by Crucibel staff who have a legitimate need for it in the course of their duties — for example, the engineering team for platform support, the finance team for invoicing and the HR team for employment matters. All staff are bound by confidentiality obligations and complete data protection training.
NOVA is hosted on cloud infrastructure provided by our carefully selected cloud service partners. These providers process data on our behalf and are bound by Data Processing Agreements that impose data protection obligations at least equivalent to those under the KDPA. Infrastructure is hosted in Kenya or, where necessary, in jurisdictions subject to Transfer Impact Assessments.
We share system access logs and security telemetry with our security monitoring partners to detect, investigate and respond to security incidents. These providers act as data processors under our instruction and are bound by DPAs.
We use third-party email and SMS service providers to send NOVA system notifications, alerts and marketing communications. These providers process contact information on our behalf under DPAs.
We share data with our legal advisers, auditors and accountants where necessary for legal, financial, or regulatory purposes. These parties are bound by professional confidentiality obligations and, where applicable, DPAs.
We share NOVA user account and access data with the System Administrator of the relevant client organisation to support access management, training compliance monitoring and incident investigation at that organisation.
We share personal data with public authorities only where required by Kenyan law or a valid court order. This includes:
In the event of a merger, acquisition, restructuring, or sale of all or substantially all of Crucibel's business or assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and ensure the acquiring entity is bound by data protection obligations at least equivalent to those in this Policy.
No Sale of Personal Data
Crucibel does not sell, rent, or trade your personal data to any third party for their own commercial purposes. We are not an advertising platform. Our revenue comes from NOVA subscriptions, not from monetising user data.
NOVA is a Kenya-focused platform and we store and process your personal data primarily within Kenya. However, some of our cloud infrastructure providers, security partners and software tools may involve the transfer of personal data to servers located outside Kenya.
Whenever we transfer personal data outside Kenya, we ensure that one of the following safeguards applies:
| Safeguard | How It Protects Your Data |
|---|---|
| Adequacy Decision | Transfer to a country that the ODPC has determined provides an adequate level of data protection equivalent to Kenyan standards. |
| Standard Contractual Clauses (SCCs) | Binding contractual obligations imposed on the recipient requiring them to protect your data to KDPA-equivalent standards. |
| Transfer Impact Assessment (TIA) | Assessment of whether the legal environment in the destination country adequately protects your rights, with additional safeguards implemented where necessary. |
You may request details of the specific safeguards in place for any cross-border transfer by contacting dpo@crucibel.org.
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable Kenyan law. The following retention schedule applies:
| Data Category | Retention Period | Basis for Retention |
|---|---|---|
| NOVA user account data (active) | Duration of account | Performance of contract — access required while the user's role continues |
| NOVA user account data (inactive / offboarded) | 90 days after deactivation, then deleted or anonymised | Limited retention for audit and incident investigation purposes; then minimisation by deletion |
| NOVA platform audit logs and access records | 7 years | KDPA accountability requirements; legal limitation periods under Kenyan law; security investigation purposes |
| Client contract and commercial records | 7 years from contract end | Tax and financial record-keeping obligations under the Income Tax Act and VAT Act |
| Successful job applicant data | Duration of employment, then per HR retention policy | Employment contract; legal obligation |
| Unsuccessful job applicant data | 6 months from decision, then deleted | Legitimate interest in responding to any queries; KDPA data minimisation obligation |
| Retained applicant data (consented) | Up to 12 months from consent, with renewal | Consent — you may withdraw at any time |
| Marketing contact data (subscribed) | Until you unsubscribe or withdraw consent | Consent — opt-out is available in every communication |
| Website analytics data | 13 months rolling (anonymised after 30 days) | Consent; legitimate interests — anonymised after initial period |
| Security incident records | 7 years | Legal obligation; legitimate interests in security improvement and potential legal proceedings |
At the end of each retention period, data is securely deleted or anonymised. We do not retain data longer than necessary. If you would like to know the specific retention period applicable to your data, please contact dpo@crucibel.org.
Under the Kenya Data Protection Act 2019, you have the following rights in relation to your personal data processed by Crucibel as data controller. These rights apply to your own personal data — not to patient health data processed on behalf of a client healthcare organisation.
| Right | What It Means | How to Exercise It |
|---|---|---|
| Right to Be Informed | The right to receive clear, transparent information about how your personal data is used — which is the purpose of this Privacy Policy. | This Policy fulfils this right. If you have questions, contact dpo@crucibel.org. |
| Right of Access | The right to receive a copy of the personal data we hold about you and information about how we process it. | Submit a written request to dpo@crucibel.org. We will respond within 21 days. The first request is free; a fee may be charged for subsequent requests within 12 months. |
| Right to Rectification | The right to have inaccurate or incomplete personal data corrected without delay. | Contact dpo@crucibel.org with the correction required. We will update records within 21 days and notify any third parties to whom the inaccurate data was shared. |
| Right to Erasure | The right to request deletion of your personal data where it is no longer necessary, you have withdrawn consent, or processing is unlawful. | Contact dpo@crucibel.org. Note that we may be required to retain some data for legal obligations. We will explain any limitations on erasure within 21 days. |
| Right to Data Portability | The right to receive your personal data in a structured, machine-readable format and to transmit it to another organisation. | Applies to data you provided to us processed on the basis of consent or contract. Submit a request to dpo@crucibel.org. |
| Right to Object | The right to object to processing based on legitimate interests or for direct marketing purposes. | For direct marketing: use the unsubscribe link in any email or contact dpo@crucibel.org. For other processing: contact dpo@crucibel.org with the specific processing you object to. |
| Right to Restrict Processing | The right to request that we limit how we use your data, for example while a dispute about accuracy or legitimacy is resolved. | Contact dpo@crucibel.org with details of the restriction you are requesting and the grounds. |
| Right to Withdraw Consent | Where we process your data on the basis of consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing. | Use the unsubscribe link (marketing), cookie preference centre (analytics), or contact dpo@crucibel.org. |
Response Timeframes
We will acknowledge all data subject rights requests within 5 business days and provide a substantive response within 21 days of receipt. Where a request is complex or we receive multiple requests, we may extend this to 45 days — we will notify you if this is the case and explain why.
To exercise any of the rights above, please contact our Data Protection Officer:
We may need to verify your identity before processing your request to protect you and other data subjects. We will not charge a fee for the first request; we reserve the right to charge a reasonable administrative fee for manifestly unfounded or excessive requests.
If you are not satisfied with how Crucibel has handled your personal data or responded to your rights request, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC):
We would, however, appreciate the opportunity to address your concerns before you contact the ODPC. Please contact our DPO in the first instance.
Crucibel takes the security of your personal data seriously. We implement and maintain technical and organisational security measures appropriate to the nature of the data we process and the risks involved. Our security programme includes:
| Control Category | Measures Implemented |
|---|---|
| Encryption | AES-256 encryption for all personal data at rest; TLS 1.3 for all data in transit. Encryption keys managed via Hardware Security Modules (HSMs). |
| Access Control | Multi-factor authentication mandatory for all staff; role-based access control; principle of least privilege; privileged access management for administrative functions. |
| Monitoring | 24/7 Security Information and Event Management (SIEM) monitoring; real-time anomaly detection; immutable audit logging of all data access. |
| Vulnerability Management | Weekly automated vulnerability scanning; critical patches applied within 72 hours; annual third-party penetration testing by certified ethical hackers. |
| Staff Training | Mandatory annual data protection and cybersecurity training for all staff; quarterly phishing simulation exercises; clear desk and screen policy. |
| Incident Response | Documented incident response plan; 72-hour ODPC notification procedure for notifiable breaches; cyber insurance; regular incident response drills. |
| Business Continuity | Daily automated backups; Recovery Time Objective (RTO) of 4 hours for critical services; Recovery Point Objective (RPO) of 1 hour for platform data; annual DR testing. |
| Third-Party Security | All sub-processors and suppliers are assessed against security standards; ISO 27001 or SOC 2 Type II certification required for cloud providers; DPAs with all processors. |
No Absolute Guarantee
While we implement industry-leading security measures, no digital platform can guarantee absolute security against all threats. If you become aware of any security vulnerability or suspicious activity relating to your Crucibel or NOVA account, please report it immediately to security@crucibel.org.
In the event of a personal data breach that is likely to affect your rights or cause you harm, Crucibel will:
If you believe your personal data has been involved in a breach, please contact dpo@crucibel.org immediately.
Crucibel's website and NOVA platform are not directed at children (persons under 18 years of age) as end users. We do not knowingly collect personal data directly from children through our website or marketing activities.
Patient health data of children is processed through NOVA as part of healthcare delivery by our client organisations. This processing is governed by the Health Data & Confidentiality Policy and is subject to the Children Act 2022 and applicable clinical consent guidelines. Client healthcare organisations are responsible for obtaining appropriate parental or guardian consent for processing children's health data.
If you believe we have inadvertently collected personal data from a child without appropriate consent, please contact dpo@crucibel.org and we will take prompt steps to delete it.
With your consent, we may send you:
We do not serve third-party advertising and we do not share your data with advertisers. Crucibel products and communications are ad-free.
You can opt out of marketing communications at any time by:
Opting out of marketing will not affect receipt of service-related communications (e.g., NOVA maintenance notifications, security alerts, or communications necessary to deliver the NOVA service to your organisation).
The Crucibel website and the NOVA platform may contain links to third-party websites, resources, or services — for example, links to the ODPC, Ministry of Health, DHIS2, or partner organisations. This Privacy Policy applies only to Crucibel's own processing of personal data.
Crucibel is not responsible for the privacy practices or content of third-party websites or services. We encourage you to read the privacy policies of any third-party services you access via links from our website or platform before providing them with any personal data.
We may update this Privacy Policy from time to time to reflect changes in Kenyan data protection law, ODPC guidance, our business operations, or the NOVA platform.
When we make material changes, we will:
We encourage you to review this Policy periodically. Your continued use of NOVA or Crucibel's website after a change has been notified constitutes acceptance of the updated Policy.
| Version | Date | Author | Summary of Changes |
|---|---|---|---|
| 1.0 | 1 July 2025 | Data Protection Officer | Initial version — Privacy Policy established for NOVA Kenya market launch |
For all privacy queries, data subject rights requests and data protection concerns, please contact:
| Role: | Data Protection Officer, Crucibel Technology Ltd. |
| Email: | dpo@crucibel.org |
| Response time: | Acknowledgement within 5 business days; substantive response within 21 days |
| Post: | Data Protection Officer, Crucibel Technology Ltd., Nyali, Mombasa, Kenya |
| Function | Contact | |
|---|---|---|
| Data Protection / Privacy | Data Protection Officer | dpo@crucibel.org |
| Security Incidents & Breaches | Security Operations Team | security@crucibel.org |
| Legal & Contractual | Legal Team | legal@crucibel.org |
| General Enquiries | Crucibel | info@crucibel.org |
| NOVA Support | Support Team | support@crucibel.org |
The supervisory authority for data protection in Kenya is the Office of the Data Protection Commissioner (ODPC). You have the right to lodge a complaint with the ODPC at any time if you believe we have not handled your personal data lawfully:
| Authority: | Office of the Data Protection Commissioner (ODPC) |
| Website: | www.odpc.go.ke |
| Location: | Nairobi, Kenya |