Privacy Policy
1. Introduction
MedStock Limited ("MedStock", "we", "us", or "our") respects your privacy and is committed to protecting the personal and corporate data you share with us. This Privacy Policy outlines our practices regarding the collection, use, and disclosure of information when you use our B2B pharmaceutical supply chain and financing platform (the "Platform").
We operate in strict compliance with the Data Protection Act of Kenya and are registered with the Office of the Data Protection Commissioner (ODPC).
2. Information We Collect
To provide our services effectively, we collect the following categories of information:
A. Corporate & Identity Data (KYB/KYC)
- Business registration certificates, KRA PINs, and PPB licenses.
- Directors' identity documents, including National IDs or Passports via our integrated partner, Didit.
- Contact information: registered addresses, phone numbers, and official email addresses.
B. Financial & Transaction Data
- Bank account details, mobile money numbers (M-Pesa), and financial standing statements.
- Purchase histories on the MedStock Platform, loan disbursement records, and repayment behaviors.
C. Technical & Usage Data
- IP addresses, browser types, device identifiers, and login timestamps.
- Platform interaction data, feature usage, and navigational logs (collected via secure cookies and internal analytics).
3. How We Use Your Information
We process your data for the following essential business purposes:
- Service Delivery: To create your account, verify your eligibility, and facilitate pharmaceutical trades and inventory financing.
- Risk Assessment: To calculate dynamic credit limits and evaluate the risk of default using internal and external financial models.
- Compliance: To fulfill Anti-Money Laundering (AML) checks and regulatory reporting required by the Central Bank of Kenya (CBK).
- Communication: To send transaction alerts, OTPs, repayment reminders, and customer support responses.
- Platform Improvement: To analyze usage trends, troubleshoot technical issues, and improve our services.
4. Information Sharing & Disclosure
MedStock never sells your data to third parties. Your information is shared only with essential partners under strict confidentiality agreements:
- Identity Verification Partners: We share identity documents with services like Didit for real-time KYC/AML validation.
- Credit Bureaus (CRB): As a licensed Digital Credit Provider, we are mandated to share credit performance data (positive and negative) with registered CRBs in Kenya.
- Wholesale Partners: Retailers' business names and delivery addresses are shared with the specific Wholesalers fulfilling their orders.
- Regulatory Authorities: We may disclose data if required by the CBK, ODPC, PPB, or law enforcement agencies with valid jurisdiction.
5. Credit Scoring and CRB
By accepting financing from MedStock, you explicitly consent to our continuous monitoring of your credit profile. We may retrieve your credit history from licensed Credit Reference Bureaus during the onset of our relationship and periodically thereafter. Late repayments exceeding the 60-day threshold will negatively impact your CRB standing.
6. Your Privacy Rights
Under the Data Protection Act (Kenya), you hold several fundamental rights regarding your data:
- Right to Access: You may request a copy of the personal or corporate data we hold about you.
- Right to Rectification: You may request updates or corrections to inaccurate data via the MedStock Admin Dashboard or by contacting support.
- Right to Erasure: You may request the deletion of your account and related data, subject to local banking regulations governing mandatory financial data retention.
- Right to Object: You may object to the processing of your data for direct marketing purposes.
7. Data Security
We implement enterprise-grade security controls (ISO 27001 aligned) to protect your data. This includes AES-256 encryption for data at rest, TLS 1.3 for data in transit, strict role-based access controls, and recurring third-party penetration testing.
While we strive to use commercially acceptable means to protect your information, no method of transmission over the internet is completely secure.
8. Data Retention
MedStock retains your data only for as long as necessary to provide the services requested, or as mandated by law. Specifically, financial transaction records and CRB reporting history must be retained for a minimum of 7 years under Kenyan financial regulations, even after an account is closed.
9. Contact Us
If you have any questions about this Privacy Policy, your rights, or data handling practices, please contact our Data Protection Officer (DPO):
Data Protection Officer
MedStock Limited
Nairobi Global Centre, 5th Floor, Argwings Kodhek Rd
Email: privacy@medstock.co.ke