PRIVACY POLICY

BACKGROUND

Spark Clinic understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who visits this website, spark.clinic ("Our Site"), and we will only collect and use personal data in ways that are described in this Privacy Policy and in accordance with applicable laws of Zimbabwe, including the Cyber and Data Protection Act [Chapter 12:07].

Please read this Privacy Policy carefully and ensure that you understand it. By using Our Site, you acknowledge that you have read and understood this Privacy Policy.

Introduction

Spark Clinic is committed to providing the highest level of confidentiality, integrity, and availability of information and related assets by:

  • Protecting them from threats using reasonably practical and appropriate measures.
  • Ensuring continual improvement in business continuity of its services and related operations.
  • Monitoring, regularly reviewing, and continually improving Information Security Management.
  • Ensuring that information security controls are implemented within the framework of applicable Zimbabwean laws, regulations, and other relevant legal or regulatory requirements.

1. Definitions and Interpretation

In this Policy the following terms shall have the following meanings:

Term | Definition
"Account" | Means an account required to access and/or use certain areas and features of Our Site.
"Cookie" | Means a small text file placed on your computer or device by Our Site when you visit certain parts of Our Site and/or when you use certain features of Our Site. Details of the Cookies used by Our Site are set out in Part 16 below.
"Applicable Data Protection Law" | Means the Cyber and Data Protection Act [Chapter 12:07] and any other applicable data protection, cyber security, electronic communications, or related laws and regulations in force in Zimbabwe from time to time.
"Personal Data" | Means any information relating to an identified or identifiable natural person, as understood under applicable law.

2. Information About Us

Our Site is operated by Spark Clinic (Private) Limited, a private limited company registered in Zimbabwe under company number 76726A0312026.

Registered address: Suite C2, 187 Baines Avenue, Corner 9th Street, Harare, Zimbabwe

3. What Does This Policy Cover?

This Privacy Policy applies only to your use of Our Site. Our Site may contain links to other websites. Please note that we have no control over how your data is collected, stored, or used by other websites, and we advise you to check the privacy policies of any such websites before providing any data to them.

4. What Is Personal Data?

Personal data is defined in terms of Zimbabwe’s data protection laws, including the Cyber and Data Protection Act [Chapter 12:07], as any information relating to an identifiable natural person who can be directly or indirectly identified, in particular by reference to an identifier.

In simpler terms, personal data is any information about you that can be used to identify you. This includes obvious details such as your name and contact information, as well as less obvious data such as identification numbers, location data, online identifiers, and, where applicable, health-related information you provide to us.

5. What Are My Rights?

Subject to applicable law in Zimbabwe, you may have the following rights in relation to your personal data, and we will work to uphold them where they apply:

  1. The right to be informed about the collection and use of your personal data.
  2. The right to request access to personal data we hold about you.
  3. The right to request correction of personal data that is inaccurate, incomplete, misleading, or out of date.
  4. The right to object, in certain circumstances, to the processing of your personal data.
  5. The right to request deletion of personal data where its retention is no longer justified, where it is inaccurate or misleading, or where deletion is otherwise required by law.
  6. The right to withdraw your consent where we rely on your consent to process your personal data, subject to legal and operational limitations.
  7. The right not to be subject, in certain circumstances, to a decision based solely on automated processing, including profiling, where such processing significantly affects you.
  8. The right to lodge a complaint with the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) or any other competent authority where you believe your rights have been infringed.

For more information about Our use of your personal data or about exercising your rights, please contact us using the details in Part 17.

It is important that your personal data is kept accurate and up to date. If any of the personal data we hold about you changes, please keep us informed.

If you have any concerns about how we use your personal data, we would welcome the opportunity to address those concerns directly before you escalate the matter to a regulator.

6. What Data Do You Collect and How?

Depending upon your use of Our Site and services, we may collect and hold some or all of the personal and non-personal data set out in the table below. We collect this data only where it is relevant, necessary, and lawful to do so. Please also see Part 16 for more information about Our use of Cookies and similar technologies.

Data Collected | How We Collect the Data
Identity Information (such as name, date of birth, national identification details, and gender where relevant) | Collected when you create an account, complete forms, book an appointment, request services, or otherwise provide information directly to us.
Contact Information (telephone/mobile number, email address, physical address) | Collected when you contact us, register, complete forms, subscribe to updates, or use our services.
Health or Special Category Information (such as symptoms, medical history, prescriptions, laboratory requests, consultation-related information, or other health details you submit) | Collected only where you choose to provide it through consultations, questionnaires, bookings, secure forms, medical service requests, or related interactions with us.
Business Information (job title, business name, business address, regulatory information where relevant) | Collected when you provide it to us directly, for example when engaging with us on behalf of an organisation or service provider.
Payment Information (billing details, payment references, limited payment-related records) | Collected when you make a payment, subscribe to a service, or complete a transaction with us or through our authorised payment providers.
Profile Information (account preferences, previous bookings, service history, communications, feedback) | Collected when you create and use an account, interact with our services, or communicate with us.
Technical Information (IP address, browser type, device type, operating system, approximate location, usage data) | Collected automatically when you browse Our Site through server logs, analytics tools, cookies, and similar technologies.

7. How Do You Use My Personal Data?

We will only use your personal data where we have a lawful basis to do so under applicable law in Zimbabwe. Depending on the circumstances, this may include using your personal data where it is necessary to provide services to you, to comply with legal obligations, for legitimate operational purposes, to protect your vital interests, or where you have given your consent.

We may use your personal data for purposes such as managing your account, processing bookings or service requests, communicating with you, processing payments, maintaining records, improving our services, ensuring security, complying with legal and regulatory obligations, and handling complaints or enquiries.

Third parties whose content appears on Our Site may use third-party Cookies, as detailed in Part 16. Please note that we do not control the activities of such third parties or the data that they collect and use themselves, and we advise you to review their privacy policies.

We will only use your personal data for the purpose or purposes for which it was originally collected unless we reasonably consider that another purpose is compatible with the original purpose or is otherwise permitted or required by law.

If we need to use your personal data for a new purpose that is materially different from the original purpose, we will take appropriate steps to inform you where required and identify the lawful basis for doing so.

In some circumstances, where permitted or required by law, we may process your personal data without your knowledge or consent. This will only be done within the bounds of applicable law and your legal rights.

8. How Long Will You Keep My Personal Data?

We will not keep your personal data for longer than is necessary for the purpose or purposes for which it was collected, unless a longer retention period is required or permitted by law, professional obligations, or legitimate operational needs.

Retention periods may vary depending on the type of data and the reason it was collected. By way of example, we may retain data as follows:

Type of Data | How Long We Keep It
Identity and Contact Information | For as long as your account remains active and for a reasonable period thereafter where required for administration, legal compliance, dispute resolution, or record keeping.
Health or Clinical Information | For as long as reasonably necessary for healthcare provision, record management, legal compliance, and professional or regulatory requirements.
Business and Transaction Information | For as long as necessary for contractual, accounting, audit, tax, and regulatory purposes.
Payment Information | For as long as necessary to process payments, maintain financial records, and meet legal or audit requirements. We do not retain full card details unless lawfully required and securely managed.
Technical Information and Analytics Data | For as long as reasonably necessary for security, performance monitoring, fraud prevention, analytics, and service improvement.

9. How and Where Do You Store or Transfer My Personal Data?

We may store your personal data in Zimbabwe and, where necessary for the provision of our services, with trusted service providers located in other jurisdictions.

Where your personal data is stored or transferred outside Zimbabwe, we will take appropriate steps to ensure that it is protected to a standard that is consistent with applicable law. These steps may include transferring data only where:

  • the recipient is subject to adequate legal or contractual safeguards;
  • the transfer is necessary for the performance of a contract or provision of services to you;
  • you have provided consent where such consent is required; or
  • the transfer is otherwise authorised or required by law.

Security Measures: The security of your personal data is important to us. To protect your data, we take appropriate technical and organisational measures, including:

  • Limiting access to your personal data to employees, agents, contractors, and service providers who have a legitimate need to know and who are subject to duties of confidentiality.
  • Using appropriate access controls, authentication measures, and system monitoring.
  • Applying encryption and secure transmission methods where appropriate.
  • Maintaining procedures for identifying, managing, and responding to data security incidents and breaches, including notifications where legally required.

10. Do You Share My Personal Data?

We will not share your personal data with third parties except where this is necessary, lawful, and proportionate, including in the following circumstances:

  • Business Transfer: If we sell, transfer, or merge parts of Our business or assets, your personal data may be transferred to a third party. Any new owner may continue to use your personal data in substantially the same way(s) that we have used it, as described in this Privacy Policy and as permitted by law.
  • Legal Requirements: We may be legally required to share certain personal data where we are involved in legal proceedings, complying with legal obligations, responding to lawful requests by regulators or public authorities, or enforcing our rights.
  • Group Companies and Professional Advisers: We may share personal data with related companies, auditors, legal advisers, insurers, or other professional advisers where reasonably necessary for administration, compliance, governance, or risk management.
  • Service Providers: We may engage third parties to provide certain products and/or services on our behalf, such as payment providers, hosting providers, pharmacies, diagnostic laboratories, messaging providers, analytics providers, or technical support providers.

If any of your personal data is shared with a third party, we will take reasonable steps to ensure that it is handled safely, securely, and in accordance with applicable law. If any personal data is transferred outside Zimbabwe, we will take suitable steps to ensure that your personal data is treated with an appropriate level of protection.

11. AI Usage Privacy Policy

Introduction

Our commitment to your privacy extends to the use of Artificial Intelligence (AI) technologies in our services. This section outlines how we may incorporate AI, the types of data that may be processed, the purposes for which we may use AI, and the measures we take to help keep your data secure and private. Where applicable, the AI models or providers we may use include Gemini by Google and ChatGPT by OpenAI.

Data Collection and Processing

When you interact with our AI-enabled services, we may collect and process the following types of data:

  1. Personal Information: This includes your name, contact details, and any other information you provide directly.
  2. Health or Service-Related Information: This may include information you provide in relation to health enquiries, appointment bookings, consultations, or service requests, where such processing is lawful and necessary.
  3. Interaction Data: This includes chat logs, prompts, feedback, support requests, and usage patterns generated through your interactions with AI-powered tools.
  4. Technical Data: This includes IP addresses, device information, browser type, session details, and other technical information that helps us operate, secure, and improve our systems.

Purposes of AI Data Processing

We may use AI technologies to enhance and support our services. Specific purposes may include:

  1. Improving Service Quality: Analysing interactions to improve our services, systems, workflows, and user support.
  2. Personalisation: Tailoring content, responses, and user experiences where appropriate.
  3. Automation: Assisting with routine administrative tasks, triage, responses, scheduling, and support functions.
  4. Security and Fraud Prevention: Detecting suspicious activity, reducing abuse, and helping to secure our platform and users.

Data Security and Privacy Measures

We seek to protect your data in our AI processes by implementing measures such as:

  1. Data Minimisation: Using only the data reasonably necessary for the relevant purpose.
  2. Restricted Access: Ensuring that only authorised personnel and approved service providers have access where necessary.
  3. Encryption: Protecting data in transit and, where appropriate, at rest.
  4. Review and Oversight: Periodically reviewing AI-related processes, vendors, and safeguards.

Transparency and Control

We believe in transparency regarding how your data is used in AI-supported systems. Subject to applicable law, you may request information about the personal data we process, request correction of inaccurate data, object to certain processing, request deletion where justified, or withdraw consent where consent is the lawful basis for processing.

AI Usage Disclaimer

Our website may utilise AI-powered features to enhance user experience and provide automated assistance. While we strive to improve the quality of these tools, AI-generated responses, recommendations, and content may not always be entirely accurate, complete, up to date, or suitable for every situation.

By using our AI features, you acknowledge and agree that:

  • AI-generated content is provided for general information and support only and should not be treated as professional, legal, financial, or medical advice.
  • We do not guarantee the accuracy, completeness, or appropriateness of AI-generated responses.
  • Users should independently verify important information before relying on AI-generated content.
  • We are not liable for loss or damage arising solely from reliance on AI-generated content where such reliance would be unreasonable in the circumstances.
  • If you require medical advice or treatment, you should consult an appropriately qualified healthcare professional.

By continuing to use this website and its AI features, you accept these terms and conditions.

Compliance with Legal Standards

Our AI-related practices are intended to comply with applicable data protection and privacy laws in Zimbabwe and any other applicable legal or regulatory requirements.

Changes to This Policy

We may update this AI Usage and Privacy Policy periodically to reflect changes in our practices, technologies, service providers, or legal requirements. Where appropriate, we will update the effective date of this policy and notify users of significant changes.

12. How Can I Control My Personal Data?

In addition to your rights set out in Part 5, when you submit personal data via Our Site, you may be given options to restrict Our use of your personal data. In particular, we aim to give you appropriate controls over Our use of your data for direct marketing purposes, including the ability to opt out of receiving marketing emails from us by using the unsubscribe link provided in such communications or by contacting us directly.

Please note that opting out of marketing communications will not affect service-related or legally required communications that we may still need to send to you.

13. Can I Withhold Information?

You may access certain areas of Our Site without providing any personal data at all. However, to use all features and functions available on Our Site, or to obtain healthcare-related or account-based services, you may be required to submit or allow the collection of certain data.

You may also restrict Our use of Cookies, subject to the functionality of Our Site and your browser settings.

14. How Can I Access My Personal Data?

If you want to know what personal data we hold about you, you may ask us for details of that personal data and, where applicable, request a copy of it. This is commonly known as a data access request.

Requests should be made in writing and sent to the email or postal addresses shown in Part 17. To help us respond efficiently, please provide enough information for us to identify you and understand the scope of your request.

We may request reasonable proof of identity before disclosing personal data. We will respond within a reasonable time and in accordance with applicable law.

We do not normally charge a fee for responding to a legitimate request, but we reserve the right to charge a reasonable administrative fee or refuse a request where it is manifestly unfounded, excessive, repetitive, or otherwise not required by law.

15. Google App Disclosure

Spark Clinic's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

16. How Do You Use Cookies?

Our Site may place and access certain first-party Cookies on your computer or device. First-party Cookies are those placed directly by us and are used only by us. We use Cookies to facilitate and improve your experience of Our Site and to provide and improve our products and services.

By using Our Site, you may also receive certain third-party Cookies on your computer or device. Third-party Cookies are those placed by websites, services, and/or parties other than us. Third-party Cookies may be used on Our Site for analytics, functionality, performance, embedded content, or user experience improvement.

All Cookies used by and on Our Site are used in accordance with applicable law.

Where required, before non-essential Cookies are placed on your computer or device, you will be shown a notice or tool requesting your consent. You may choose to accept or reject non-essential Cookies, but please note that certain features of Our Site may not function fully or as intended if some Cookies are disabled.

Certain features of Our Site depend on Cookies to function. These Cookies may be considered strictly necessary. Your consent may not be required for such Cookies, but it is still important that you are aware of them. You may still block these Cookies through your browser settings, but Our Site may not work properly if you do so.

First-Party Cookies

Name of Cookie | Purpose | Strictly Necessary
Cookies will be detailed here

Third-Party Cookies

Name of Cookie | Provider | Purpose
Cookies will be detailed here

Analytics

Our Site may use analytics services, including Google Analytics or similar tools, to collect and analyse usage information so that we can better understand how Our Site is used and improve our services.

Analytics services may use Cookies or similar technologies to gather the required information. You do not have to allow us to use non-essential analytics Cookies, but enabling them helps us improve Our Site and user experience.

Name of Cookie | First / Third Party | Provider | Purpose
Analytics cookies will be detailed here

In addition to the controls that we provide, you can choose to enable or disable Cookies in your internet browser. Most internet browsers also allow you to decide whether to disable all Cookies or only certain categories such as third-party Cookies.

You can delete Cookies on your computer or device at any time, although doing so may affect functionality and may remove saved settings or preferences.

It is recommended that you keep your browser and operating system up to date and consult your device or browser provider’s guidance if you are unsure how to manage your privacy settings.

17. How Do I Contact You?

To contact us about anything to do with your personal data and data protection, including to make a data access request, please use the following details for the attention of our Data Protection Contact:

Email: info@spark.clinic

Postal Address: Spark Clinic (Private) Limited, Suite C2, 187 Baines Avenue, Corner 9th Street, Harare, Zimbabwe

18. Changes to this Privacy Policy

We may change this Privacy Policy from time to time. This may be necessary, for example, if the law changes or if we change Our business, systems, or services in a way that affects personal data protection.

Any changes will be posted on Our Site and will take effect from the date of publication unless otherwise stated. We recommend that you check this page regularly to keep up to date. This Privacy Policy was last updated on 09 April 2026.

INFORMATION SECURITY POLICY

Introduction

Spark Clinic is committed to providing the highest level of confidentiality, integrity, and availability of information and related assets by:

  • Protecting them from threats using reasonably practical and appropriate measures.
  • Ensuring continual improvement in business continuity of its services and related operations.
  • Monitoring, regularly reviewing, and continually improving Information Security Management.
  • Ensuring that its Information Security Management System (ISMS) is implemented in line with applicable Zimbabwean laws, regulations, contractual obligations, and recognised security standards where appropriate.

Purpose

It is vital to Spark Clinic's reputation, operations, and financial well-being that company information assets are protected through controls that ensure confidentiality, integrity, and availability.

The intention of Spark Clinic's IT policies, standards, and procedures is to support this Information Security Policy and to establish procedural, technical, and physical safeguards used to protect sensitive information.

This Information Security Policy applies to all information that Spark Clinic stores, processes, or transmits for business, legal, statutory, regulatory, or operational purposes.

Scope

This policy applies to Spark Clinic, its employees, contractors, third-party service providers, and any other individuals who access company information or systems.

Roles & Responsibilities

  • The CEO is the authorising official for assessments of Spark Clinic information systems.
  • Senior Management is responsible for:
    • Providing vision and leadership for implementing information security.
    • Aligning IT and security with business operations.
    • Participating in governance processes.
    • Maintaining an appropriate security structure.
    • Reviewing and updating the security policy regularly.

Compliance, Enforcement, and Sanctions

Compliance reviews or audits may be carried out periodically by authorised personnel. Violations of this policy may result in disciplinary or contractual action, up to and including termination, subject to applicable law.

Policy

Spark Clinic governance documentation will seek to align with recognised information security standards, including ISO 27001 where appropriate, and will address purpose, scope, roles, responsibilities, and compliance.

Policies and procedures will be maintained by responsible stakeholders and reviewed annually or upon significant organisational, legal, technological, or operational change.

Network (Web App spark.clinic) Security

  • Password-based authentication
  • Multi-level system access and controlled concurrent login sessions
  • Strong registration and password update rules
  • Auto-lock for inactive sessions
  • Logging of events and application processes
  • Access-controlled database and shared storage
  • Restricted privileges for business users
  • Role-based privilege assignments

Data Security

  • Implementation of security measures to protect Spark Clinic data
  • Least privilege access principles
  • Database protection from common threats
  • User activity monitoring through appropriate log reviews
  • Auditing of access, authentication, and security events
  • Regular data backups stored securely
  • Measures to preserve data consistency and integrity

System (Hardware) Security

  • Defined access controls for system resources
  • Auditing of user access
  • Firewall and traffic protection controls
  • Minimisation of unnecessary services and applications
  • Compile-time and run-time defences where appropriate
  • Code protection and separation of duties
  • Limited permissions for third-party services
  • Layered authentication security
  • Defined privileges across system architecture

Review of the Policies for Information Security

This policy will be reviewed annually or as needed based on organisational, legal, technological, or environmental changes. Reviews will assess improvements and may be documented in risk and management review records.

Information Security Objectives

Objective 1: Existing Services

Spark Clinic will continue delivering services within a secure environment by maintaining robust IT infrastructure through suitable internal controls, trusted service providers, and secure hardware and cloud solutions.

Measurement:

  • Periodic audits or reviews
  • Annual review meetings

Objective 2: Development

Risk assessments will be conducted periodically to minimise or eliminate information security risks. These objectives may be tracked through internal risk management processes and measured across functions to align with organisational goals.