Privacy Policy
Effective Date: 12 June 2026
At Walax Health (“Walax”, “we”, “us”, or “our”), we are committed to protecting your privacy and handling personal information responsibly and lawfully. This Privacy Policy explains what we collect, how and why we use it, who may access it, how long we keep it, and the choices and rights available to you when you use our website, applications, application programming interfaces, and related services (collectively, the “Platform”).
This Policy should be read together with our Terms and Conditions. It is intended to comply with the Data Protection and Privacy Act, 2019 of Uganda and related regulations, as well as applicable occupational health and safety requirements.
- Who This Policy Applies To
- Data Controller and Roles
- Information We Collect
- Sensitive and Health-Related Information
- How We Collect Information
- How We Use Your Information
- Legal Basis and Consent
- Who We Share Information With
- Employer and Company Roles
- Payment Information
- Messaging, Calls, Notifications, and Safety Workflows
- CME, Certificates, and Professional Records
- Cookies, Analytics, and Tracking
- Data Retention
- Security
- Your Rights
- Children’s Privacy
- International and Third-Party Processing
- Data Breach Handling
- Changes to This Policy
- Contact Us
1. Who This Policy Applies To
This Policy applies to:
- Individual users of Walax Health
- Company employees linked to an employer on the Platform
- Company owners and authorized workplace representatives
- Healthcare providers, trainers, speakers, OSH officers, clinical officers, data protection officers, and other authorized administrative users
- CME participants and professionals who register for accredited events
- Visitors who browse public pages, verify certificates, or contact us
2. Data Controller and Roles
Walax Health is the data controller for personal information processed to operate the Platform. Where your employer enables a workplace mental-health or OSH program, your employer may act as a data controller or co-controller for certain employment and workplace-health records, and Walax may act as a processor or co-controller depending on program configuration and applicable law. Your organization’s designated Data Protection Officer (DPO) and OSH officer, where appointed, share responsibility for lawful handling of workplace-health data.
3. Information We Collect
Depending on how you use the Platform, we may collect the following categories of information:
| Category | Examples |
|---|---|
| Account and identity data | Name, email address, phone number, hashed password, profile photo, gender, date of birth, account type and role, authentication provider, active status, email-verification status, and current device/session identifiers |
| Employment and company data | Primary company, department, employee ID, job title, employment date and type, company membership status and history, and company registration documents (for owners) |
| Consent and compliance data | Consent text snapshots, consent and withdrawal timestamps, IP address and device/user-agent captured at consent, mental-health access level, and audit-log entries |
| Fitness and learning data | Video, conference, and playlist watch progress, watch seconds, last position, completion status, likes, saves, ratings, goals, purposes, fitness level, and recommendations |
| Booking and commerce data | Event bookings, doctor appointments, subscriptions, packages, free-trial status, payments, transaction IDs, receipts, service-specific data, and company deduction pricing |
| Healthcare interaction data | Selected providers, specialties, appointment type, date, time, notes, doctor feedback, and consultation-related records created through the Platform |
| CME data | Participant profile (license number, organization, country), event registrations, waitlist position, attendance records and signatures, certificates (numbers, verification codes, credits, CPD points), feedback, downloaded resources, and annual transcripts |
| Mental health and OSH data | Screening questionnaires and responses, scores and subscale results, risk indicators, recommendations, consent records, referrals, attachments, schedules, incident reports, surveillance plans, risk flags, and related audit events |
| Messaging data | Chat room membership and roles, anonymous group display names, message content, attachments and their metadata, edit/delete metadata, typing status, read receipts, unread counts, and scheduled group-call details |
| User-generated content | Blog posts, comments, ratings, feedback, and uploaded files such as avatars, documents, and images |
| Technical and usage data | Device information, browser type, IP address, log files, cookies, session and access tokens, and analytics about how features are used (including client-side analytics events) |
| Communications data | Support and contact-form requests, notifications sent to you, broadcasts, and your responses to surveys or forms |
4. Sensitive and Health-Related Information
Some information we process is sensitive because it relates to physical or mental health, wellbeing, or workplace safety. This may include screening answers and scores, risk classifications, high-risk flags, clinical referrals and their status, incident reports, consent history, appointment notes, and related occupational-health records.
We process this information only where permitted by law and where you or your organization have provided the required notices and consents. Before starting any workplace mental-health or OSH screening, you must provide data-processing consent, and additional screening consent may be required for each assessment session. Sensitive data is subject to stricter access controls and is not exposed to company owners.
5. How We Collect Information
We collect information:
- Directly from you when you register, complete your profile, give consent, take a screening, book or register for services, message others, upload files, submit content or feedback, or contact us
- From your employer where you join through a company program (for example membership, department, and eligibility information)
- Automatically through your use of the Platform (for example device, log, usage, and analytics data)
- From third parties such as payment providers (transaction status and callbacks) and identity providers where you choose to sign in with them
6. How We Use Your Information
We use personal information to:
- Create and manage your account, sessions, and company memberships
- Deliver fitness content, conferences, events, appointments, CME, subscriptions, and notifications
- Operate workplace OSH and mental-health screening programs for eligible employees, including scoring, risk indicators, recommendations, and referral workflows
- Facilitate private and group communication, including optional video calls and scheduled group calls, with authorized clinicians, psychiatrists, support staff, or peers where appropriate
- Manage CME registration, attendance, certificate issuance and verification, feedback, resources, and transcripts
- Provide company owners with workforce-management tools that do not expose individual screening results
- Support authorized OSH, clinical, and privacy officers with compliance, analytics, audit logs, incident management, surveillance planning, and data-subject and breach handling
- Process payments, apply company deduction pricing, prevent fraud, and enforce Platform policies
- Personalize recommendations and improve features, security, performance, and user experience
- Send service messages, alerts, and (where permitted) relevant updates
- Comply with legal, regulatory, and workplace-safety obligations
7. Legal Basis and Consent
We process personal information on one or more of the following bases:
- Your consent, including data-processing consent and screening consent
- Performance of a contract with you or your employer
- Our legitimate interests in operating, securing, and improving the Platform, where not overridden by your rights
- Compliance with legal obligations, including occupational-health and data-protection requirements in Uganda
- Protection of vital interests in urgent health or safety situations where permitted by law
You may withdraw consent for mental-health data processing from your profile at any time. Withdrawal stops new screenings but does not automatically erase records that must be retained by law or for legitimate workplace-safety purposes, nor does it affect processing carried out before withdrawal.
8. Who We Share Information With
We do not sell your personal information. We may share information only as necessary with:
- Service providers that help us host, secure, message, analyze, or process payments on our behalf, under appropriate confidentiality and security obligations
- Healthcare providers and CME organizers you choose to book, communicate with, or register with through the Platform
- Authorized OSH and clinical personnel who require access to perform workplace-health, referral, or compliance duties
- Your employer’s approved program administrators, only in aggregated, anonymized, or role-limited form, and never your individual screening answers or scores to company owners
- Accrediting and verification users, where a CME certificate is independently verified using its public verification code (which discloses certificate validity and limited event details)
- Regulators, courts, or law enforcement where required by law, court order, or valid regulatory request
- Professional advisers such as lawyers or auditors where reasonably necessary
- A successor entity in connection with a merger, acquisition, or reorganization, subject to this Policy
Third-party payment processors (MTN Mobile Money, Airtel Money), video-call infrastructure (such as Jitsi), email, and analytics tools process data according to their own policies and our contractual safeguards where applicable.
9. Employer and Company Roles
Where your employer participates in a Walax workplace program:
- Your employer may act as a data controller or co-controller for certain employment and workplace-health records, depending on program configuration and applicable law
- Company owners may manage departments, memberships, and program participation, but are not given access to individual employee screening results through the Platform
- Department-level or anonymized risk analytics may be made available only to authorized OSH or compliance roles
- Organization-specific privacy settings, data-retention rules, consent text, designated DPO and OSH officer details, and emergency contacts may apply in addition to this Policy
10. Payment Information
When you pay for services, we and our payment partners process information needed to complete and record the transaction, including the amount, currency, payment method, provider transaction identifiers, status, the service being paid for, and provider callback data. We do not store full card details on our own systems; mobile-money and other payment processing is handled by the relevant provider. We retain transaction records for accounting, fraud-prevention, and legal-compliance purposes.
11. Messaging, Calls, Notifications, and Safety Workflows
If you use chat, group calls, or receive notifications, we store communications and related metadata needed to deliver the service and support safety workflows. Group features may display an anonymized name instead of your real name to other participants, though the system retains the underlying association. Video and audio calls may be handled by a third-party provider. In some cases, elevated screening risk levels may trigger automated outreach to authorized clinical support channels, recommended follow-up actions, or display of emergency contact information where clinically appropriate.
12. CME, Certificates, and Professional Records
For continuing medical education, we process your professional details, registrations, attendance, feedback, and the certificates and transcripts you earn. Certificates contain a unique certificate number and verification code and can be independently verified through the public verification page. When a certificate is verified, the verifier may see that the certificate is valid along with limited associated details (such as the recipient name, event, credits, and dates). We record verification and download events for integrity and audit purposes.
13. Cookies, Analytics, and Tracking
We use cookies, session identifiers, and similar technologies to keep you signed in, remember preferences, secure the Platform, and understand how features are used. We also collect usage and analytics data, which may include client-side events, watch metrics, and content interaction counts (for example views and clicks on offers or blogs). You can manage cookies through your browser settings, though disabling some cookies may affect functionality.
14. Data Retention
We retain information only for as long as necessary for the purposes described in this Policy, unless a longer period is required by law. In general:
- Account and billing records are kept while your account is active and for a reasonable period afterward for legal, accounting, and dispute-resolution purposes
- Workplace mental-health and OSH screening records, and CME records such as certificates, may be retained for up to seven (7) years, or longer where required by occupational-health law, accreditation, or audit obligations
- Consent, audit, and compliance logs may be retained to demonstrate lawful processing and access controls
- Chat, notification, and call records are retained according to operational needs, safety requirements, and legal obligations
- Some records (such as certain content, conferences, or CME materials) may be soft-deleted and retained in our systems before permanent removal
When information is no longer needed, we delete, anonymize, or securely archive it where feasible. Organization-specific retention periods may apply to workplace data.
15. Security
We use administrative, technical, and organizational safeguards designed to protect personal information, including role-based access controls, restricted access to sensitive screening data, audit logging for sensitive areas, hashed passwords, authentication tokens, and secure transmission where supported. No online system is completely secure, so please protect your credentials, sign out of shared devices, and notify us promptly of any suspected unauthorized access.
16. Your Rights
Subject to applicable Ugandan data-protection law, including the Data Protection and Privacy Act, 2019, you may have the right to:
- Request access to personal information we hold about you
- Request correction of inaccurate or incomplete information
- Object to or restrict certain processing activities
- Request deletion where legally permitted
- Export a copy of your personal data in a portable format
- Submit a data-subject request to the Data Protection Officer through your profile or support channels
- Withdraw consent for mental-health processing where consent is the legal basis
- Opt out of non-essential promotional communications
- Lodge a complaint with the Personal Data Protection Office of Uganda
We may need to verify your identity before fulfilling a request and may decline requests that are unlawful, excessive, or that would undermine the rights of others or our legal obligations.
17. Children’s Privacy
Walax Health is intended primarily for adults and supervised workplace use. Children under 18 should use the Platform only with the consent and supervision of a parent or legal guardian. We do not knowingly collect personal information from children without appropriate consent, and we will take reasonable steps to delete such information if we become aware of it.
18. International and Third-Party Processing
Some service providers may process information on servers located outside Uganda. Where this occurs, we take reasonable steps to ensure appropriate safeguards consistent with applicable law, including contractual protections with our processors. Third-party services you choose to use (such as payment, video-call, or identity providers) process information under their own policies.
19. Data Breach Handling
We maintain processes to detect, record, and respond to personal-data breaches. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the relevant regulator and affected individuals as required by law, and we maintain an internal breach register and reporting workflow for compliance purposes.
20. Changes to This Policy
We may update this Privacy Policy from time to time to reflect new features, legal requirements, or operational practices. The effective date at the top of this page will change when updates are published, and we may notify you through the Platform where appropriate. Continued use of the Platform after an update means you accept the revised Policy.
21. Contact Us
For privacy questions, data-subject requests, or concerns about how your information is handled, contact us:
- Email: walaxhealth@gmail.com
- Phone: +256 757 072701 (also available on WhatsApp)
- Address: Muyenga, Kampala, Uganda
If you participate in a workplace mental-health program, you may also contact your employer’s Data Protection Officer or authorized privacy contact where one has been designated for your organization.