Privacy Policy

Last updated: March 2026 · Sirience LTD

1. Introduction

Sirience LTD (“we”, “us”, or “our”) operates the UlCure platform (“the Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We are registered with the Office of the Data Protection Commissioner (ODPC) of Kenya. By using UlCure you agree to the practices described in this policy.

This policy is compliant with the Kenya Data Protection Act (KDPA) 2019 and subsequent regulations issued by the ODPC.

2. Data Controller

Sirience LTD

Registered in Kenya

Email: contact@ulcure.clinic

ODPC Registration: Pending / [Registration number to be inserted upon confirmation]

3. Data We Collect

3.1 Questionnaire Answers

We collect your responses to the 6 symptom questions (duration of pain, frequency, prior treatment, NSAID use, age range, and gender). These answers are used solely to generate your personalised treatment plan. They are stored against an anonymous session identifier — not your name, email address, or phone number.

3.2 Phone Number (Payment Only)

Your Kenyan mobile phone number (07XX or 01XX format) is collected solely to initiate the M-Pesa STK Push payment through the Safaricom Daraja API. After payment is confirmed:

  • Your phone number is irreversibly hashed using SHA-256 and stored only as a hash.
  • The plaintext phone number is never written to our database.
  • The hash is used only to associate your plan with your account on return visits.

3.3 Anonymous Identifiers

We generate a random anonymous UID for each user session. This UID links your questionnaire answers, payment status, and generated plan. It cannot be used to identify you without the phone number hash.

3.4 Payment Transaction Data

We store the M-Pesa transaction reference number, payment amount (KES 50 or KES 149), timestamp, and outcome (success, failed, cancelled). This data is required for our financial records and dispute resolution. No full card numbers or banking credentials are stored — all payment processing is handled by Safaricom Daraja.

3.5 Technical and Usage Data

We collect anonymous analytics data via PostHog, including page views, questionnaire completion rate, and feature usage. This data is aggregated and cannot be linked to an individual user. We do not use third-party advertising trackers.

4. How We Use Your Data

  • To generate and deliver your personalised treatment plan
  • To process and verify your M-Pesa payment
  • To provide subscription services including medication tracking and push notifications (subscribers only)
  • To improve the accuracy and content of our treatment plans
  • To comply with Kenyan legal and financial record-keeping requirements
  • To detect and prevent fraud and abuse

We do not sell, rent, or share your personal data with third parties for marketing purposes.

5. Data Storage and Security

Your data is stored in Google Cloud Firestore (via Firebase) in the europe-west1 region. Google Cloud complies with ISO 27001, SOC 2 Type II, and GDPR. We have contractual data processing agreements in place.

We apply the following technical security measures:

  • SHA-256 hashing of phone numbers before storage
  • HTTPS-only transmission (TLS 1.2+)
  • Firebase Security Rules restricting data access
  • Firestore data partitioned by anonymous UID — no cross-user access
  • Rate limiting on all API endpoints via Upstash Redis to prevent abuse
  • Admin access protected by multi-factor authentication

6. Third-Party Services

UlCure uses the following third-party services. Each link leads to their respective privacy policies:

Service | Purpose | Data Shared
Safaricom Daraja API | M-Pesa payment processing | Phone number, amount
Google Firebase | Database, authentication, push notifications | Anonymous UID, hashed phone, plan data
PostHog | Anonymous analytics | Page views, feature events (no PII)
Sentry | Error monitoring | Error logs (PII scrubbed)
Upstash Redis | Rate limiting | IP addresses (not stored beyond TTL)

7. Data Retention

  • Questionnaire answers: Retained for the lifetime of your account or until you request deletion.
  • Payment records: Retained for 7 years as required by Kenyan tax and financial regulations.
  • Anonymous analytics: Retained for 2 years.
  • Incomplete questionnaire progress: Automatically deleted after 7 days.

8. Your Rights Under KDPA 2019

The Kenya Data Protection Act 2019 grants you the following rights:

  • Right of access: Request a copy of all personal data we hold about you.
  • Right to rectification: Request correction of inaccurate data.
  • Right to erasure: Request deletion of your data. You can initiate this from your profile settings. Note: payment records required by law cannot be deleted within the statutory retention period.
  • Right to object: Object to processing of your data for any purpose beyond delivering the Service.
  • Right to data portability: Request an export of your data in a machine-readable format.

To exercise any of these rights, contact us at contact@ulcure.clinic. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the Office of the Data Protection Commissioner (ODPC) Kenya.

9. Cookies

We use strictly necessary cookies for authentication and session management, and analytics cookies via PostHog. No advertising cookies are set. For full details see our Cookie Policy.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last updated” date at the top of this page. Your continued use of UlCure after any changes constitutes your acceptance of the revised policy.

11. Contact Us

For privacy-related queries contact: contact@ulcure.clinic. For general support see our Contact page.