Legal

Privacy Policy

Version 1.0 • June 2026

This policy applies to the XeraCore website and programme activities and may be supplemented by local privacy notices and participant information sheets during field deployments.

1. Introduction

PROTUS ("we", "our", or "us") operates the XeraCore digital health platform and research programme. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you interact with our platform, website, and services.

We are committed to protecting your privacy and ensuring the security of your personal and health information in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), Ghana's Data Protection Act (Act 843), Burkina Faso's Law No. 001-2021/AN, Zimbabwe's Cyber and Data Protection Act and other relevant national legislation.

2. Information We Collect

2.1 Health Information

When you receive healthcare services through XeraCore, we collect:

  • Clinical assessment data and diagnostic information
  • Health history and clinical information
  • Biometric data (where applicable and with explicit consent)
  • Treatment and prescription records

2.2 Personal Identifiers

We assign each beneficiary a universally unique identifier (UUID) that serves as a pseudonymised identifier for your health record. Personal identifying information is separated from clinical data at the point of capture.

2.3 Location Data

Approximate service location data may be captured at service delivery points to support geospatial health intelligence and identify healthcare access gaps. This data is pseudonymised and used for public health planning purposes.

2.4 Website Usage Data

When you visit our website, we may collect standard web analytics data including IP addresses, browser type, and pages visited to improve our services.

3. How We Use Your Information

We use collected information for the following purposes:

  • Healthcare Delivery: To provide clinical services, maintain continuity of care, and facilitate medical referrals
  • Research: To generate pseudonymised datasets for public health research, epidemiological studies, and healthcare planning
  • Platform Improvement: To enhance XeraCore's functionality, accessibility, and effectiveness
  • Compliance: To meet legal and regulatory obligations
  • Communication: To provide health summaries, digital health passports, and service updates

4. Pseudonymisation and Data Protection

XeraCore employs privacy-by-design principles:

  • Automatic Pseudonymisation: Personal identifiers are separated from clinical data at the point of capture
  • Offline-First Architecture: Data is captured and stored locally on secure devices, minimising cloud exposure
  • Encryption: All data is encrypted both in transit and at rest
  • Access Controls: Strict role-based access controls limit who can view identifiable information
  • Audit Trails: Every data access event is logged with user ID, timestamp, and purpose

5. Data Sharing and Disclosure

5.1 Joint Data Governance

All data collected through XeraCore is jointly owned by PROTUS and the partnering organisation under a strict bilateral framework. Neither party can utilise data unilaterally, and all research applications require mutual consent.

5.2 Research Partnerships

Pseudonymised data may be shared with approved research partners and academic institutions for public health research. All such sharing is governed by data sharing agreements and ethical review board approval.

5.3 Legal Requirements

We may disclose information where required by law, court order, or governmental regulation.

6. Your Rights

Under applicable data protection laws, you have the following rights:

  • Right to Access: Request copies of your personal and health information
  • Right to Rectification: Request correction of inaccurate or incomplete information
  • Right to Erasure: Request deletion of your data (subject to legal and clinical obligations)
  • Right to Restrict Processing: Request limitation on how we use your data
  • Right to Data Portability: Receive your data in a portable digital format
  • Right to Object: Object to certain types of data processing
  • Right to Withdraw Consent: Withdraw consent for data processing where consent is the legal basis

To exercise any of these rights, please contact us using the details in Section 10.

7. Data Retention

We retain health information for as long as necessary to:

  • Provide continuity of care and maintain longitudinal health records
  • Comply with legal and regulatory requirements
  • Support ongoing research projects (in pseudonymised form)

Retention periods comply with national healthcare record-keeping requirements and may vary by jurisdiction.

8. International Data Transfers

XeraCore's offline-first architecture ensures that clinical data is stored locally within the country of collection. Data is not routinely transferred internationally. Where international transfers are necessary for research collaboration, appropriate safeguards including data sharing agreements and adequacy assessments are implemented.

9. Children's Privacy

XeraCore provides healthcare services to individuals of all ages. When collecting health information from children, we obtain consent from parents or legal guardians in accordance with applicable laws.

10. Contact Information

For questions about this Privacy Policy or to exercise your data protection rights, please contact:

Data Protection Officer
PROTUS
Email: privacy@xeracore.com

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated policy on our website with a revised "Last updated" date.

12. Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data protection rights have been violated.