Privacy Policy

Last updated: 27 May 2026

1. Introduction

Virelia Health System ("Virelia", "we", "us", or "our") operates Axon, a cloud-based electronic medical records (EMR) platform for healthcare providers ("the Service").

This Privacy Policy explains how we collect, use, store, process, and protect personal information in connection with the Service.

This policy applies to:

  • Clinic Users — administrators, clinicians, nurses, receptionists, and other authorised personnel accessing Axon on behalf of a registered healthcare provider ("Clinic")
  • Patients — individuals whose medical records are managed by a Clinic using Axon

2. Who We Are

Virelia Health System (Private) Limited
info@virelia.co.zw

For the purposes of this Privacy Policy:

  • A Clinic means a healthcare provider or organisation registered to use the Service.
  • For Patient Data, Virelia generally acts as a data processor on behalf of the Clinic, which acts as the data controller.
  • For Clinic User Data (such as account information, authentication records, billing information, and security logs), Virelia acts as a data controller.

3. Data Protection Officer

Virelia has appointed a person responsible for overseeing data protection and privacy matters relating to the Service.

Clinics are responsible for determining whether they are required to appoint their own data protection officer or equivalent role under applicable laws or professional obligations.

Privacy-related questions or requests may be directed to: info@virelia.co.zw


4. Information We Collect

Clinic User Data

We may collect:

  • Full name, email address, phone number, and professional role
  • Authentication and account-related information
  • Device and browser metadata used for authentication and security purposes
  • Activity and audit logs recording actions performed within the Service
  • Support and communication records

Passwords are securely hashed and managed through our authentication infrastructure and are never visible to us in plain text.

Patient Data (processed on behalf of Clinics)

Clinics may store and manage the following categories of Patient Data through the Service:

  • Personal identifiers (such as name, date of birth, gender, contact details, address, and next of kin)
  • Medical and healthcare information (including diagnoses, prescriptions, consultation notes, encounter history, vital signs, triage records, and treatment information)
  • Appointment and consent records
  • Billing and administrative information entered by the Clinic

Patient Data is processed solely on the Clinic's instructions and for purposes determined by the Clinic.

Automatically Collected Information

We may automatically collect limited technical information such as:

  • Browser type and version
  • Device metadata
  • IP address and access timestamps
  • System logs used for security, troubleshooting, and service reliability

5. How We Use Information

Clinic User Data

We use Clinic User Data to:

  • Provide, maintain, and improve the Service
  • Authenticate users and manage account access
  • Maintain audit trails and security records
  • Respond to support requests
  • Detect, prevent, and investigate fraud, abuse, and security incidents
  • Communicate important service-related notices

Patient Data

Patient Data is processed solely for the purpose of providing the Service to the relevant Clinic.

We do not use Patient Data for advertising or unrelated commercial purposes.

Access to Patient Data by authorised Virelia personnel is limited to operational purposes such as technical support, maintenance, security monitoring, and legal compliance, and is subject to confidentiality obligations.

Clinics are responsible for obtaining any patient consents, notices, or authorisations required under applicable healthcare and data protection laws in connection with their use of the Service.


6. Legal Basis and Applicable Law

We process personal data in accordance with applicable Zimbabwean laws, including the Cyber and Data Protection Act [Chapter 12:07], and apply security and privacy practices aligned with internationally recognised data protection principles where relevant to our infrastructure and operations.

Clinic User Data

Where Virelia acts as data controller, we may process personal data on the basis of:

  • Contractual necessity
  • Legitimate interests (including security, fraud prevention, and service reliability)
  • Compliance with legal obligations
  • Consent, where applicable

Patient Data

Patient Data is processed on behalf of and under the instructions of the relevant Clinic acting as data controller.


7. Data Storage, Security, and Offline Use

Hosting Location

Data is stored on secure cloud infrastructure located primarily in the United Kingdom (London). Certain supporting infrastructure and service providers may process limited data in other jurisdictions where necessary to operate the Service securely and reliably.

Security Measures

We implement reasonable administrative, technical, and organisational safeguards designed to protect personal data, including:

  • Encryption in transit (TLS)
  • Encryption at rest
  • Role-based access controls
  • Audit logging
  • Row-level access controls designed to isolate Clinic data
  • Authentication and session management controls

No system can guarantee absolute security, and Clinics remain responsible for managing authorised access to their accounts and devices.

Offline-first Operation

Axon supports offline-first functionality. Certain information may be temporarily stored locally on a user's device or browser storage to enable continued operation while offline. Such locally stored data remains under the Clinic's control and may sync with our servers once connectivity is restored.

Clinics are responsible for implementing appropriate device-level security controls, including password protection and access management.


8. Cross-border Data Transfers

Because our infrastructure and service providers may operate outside Zimbabwe, personal data (including Patient Data) may be transferred to and processed in the United Kingdom and other jurisdictions where our providers operate.

We implement reasonable contractual, organisational, and technical safeguards designed to protect personal data during such transfers.

For Patient Data, cross-border processing and transfers occur on the Clinic's instructions and as necessary to provide the Service.


9. Data Sharing and Sub-processors

We do not sell personal data.

We may share personal data only in the following circumstances:

  • With trusted infrastructure, hosting, analytics, monitoring, communication, and support providers operating under confidentiality and data processing obligations
  • Where required by law, lawful court order, or competent regulatory authority
  • In connection with a merger, acquisition, restructuring, or sale of assets, subject, where appropriate, to confidentiality protections

Patient Data is logically isolated between Clinics, and Clinics cannot access each other's data.


10. Security Incidents and Breach Notification

A "Security Incident" means a confirmed or reasonably suspected unauthorised access to, disclosure of, loss of, or compromise of personal data or the confidentiality, integrity, or availability of the Service.

Where a Security Incident affects Patient Data:

  • We will notify the affected Clinic without undue delay after becoming aware of the incident
  • We will provide reasonable information and assistance necessary to help the Clinic meet its legal and regulatory obligations

For Clinic User Data where Virelia acts as data controller, we will manage notifications and reporting obligations in accordance with applicable law.


11. Data Retention

Clinics are responsible for determining retention periods applicable to their practice and legal obligations.

Unless otherwise instructed by the Clinic or required by law:

  • Patient Data may be retained for operational, backup, legal, compliance, and continuity purposes
  • Clinic User accounts may be deleted or anonymised within a reasonable period following account closure
  • Audit and security logs may be retained for security, compliance, and operational purposes

Backup copies may persist temporarily after deletion as part of standard disaster recovery processes.


12. Your Rights

Clinic Users

Clinic Users may have rights under applicable law to request access to, correction of, deletion of, or export of their personal data. Requests may be directed to info@virelia.co.zw.

Patients

Patients should direct privacy or medical record requests to the Clinic responsible for their care, as the Clinic acts as data controller for Patient Data.

Virelia will reasonably assist Clinics in responding to such requests where required and upon lawful instruction.


13. Children's Data

Patient Data processed through the Service may include information relating to minors where entered by a Clinic in connection with healthcare services.

Such data is processed solely on the instructions of the relevant Clinic acting as data controller.


14. Cookies

Axon uses essential session and authentication cookies necessary for operation of the Service.

We do not use advertising cookies or third-party behavioural tracking technologies.


15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

Where appropriate, material changes will be communicated through the Service or by other reasonable means.


16. Contact Us

Questions regarding this Privacy Policy or privacy-related requests may be directed to:

Virelia Health System (Private) Limited
info@virelia.co.zw