Privacy Policy

Effective Date: 12 June 2026

At Walax Health (“Walax”, “we”, “us”, or “our”), we are committed to protecting your privacy and handling personal information responsibly and lawfully. This Privacy Policy explains what we collect, how and why we use it, who may access it, how long we keep it, and the choices and rights available to you when you use our website, applications, application programming interfaces, and related services (collectively, the “Platform”).

This Policy should be read together with our Terms and Conditions. It is intended to comply with the Data Protection and Privacy Act, 2019 of Uganda and related regulations, as well as applicable occupational health and safety requirements.

Sensitive data summary: Walax processes health and mental-health information, including workplace screening responses and risk indicators, only with a valid legal basis and the required consents. Company owners never receive your individual screening answers or scores. You can withdraw mental-health processing consent at any time from your profile.

1. Who This Policy Applies To

This Policy applies to:

2. Data Controller and Roles

Walax Health is the data controller for personal information processed to operate the Platform. Where your employer enables a workplace mental-health or OSH program, your employer may act as a data controller or co-controller for certain employment and workplace-health records, and Walax may act as a processor or co-controller depending on program configuration and applicable law. Your organization’s designated Data Protection Officer (DPO) and OSH officer, where appointed, share responsibility for lawful handling of workplace-health data.

3. Information We Collect

Depending on how you use the Platform, we may collect the following categories of information:

CategoryExamples
Account and identity dataName, email address, phone number, hashed password, profile photo, gender, date of birth, account type and role, authentication provider, active status, email-verification status, and current device/session identifiers
Employment and company dataPrimary company, department, employee ID, job title, employment date and type, company membership status and history, and company registration documents (for owners)
Consent and compliance dataConsent text snapshots, consent and withdrawal timestamps, IP address and device/user-agent captured at consent, mental-health access level, and audit-log entries
Fitness and learning dataVideo, conference, and playlist watch progress, watch seconds, last position, completion status, likes, saves, ratings, goals, purposes, fitness level, and recommendations
Booking and commerce dataEvent bookings, doctor appointments, subscriptions, packages, free-trial status, payments, transaction IDs, receipts, service-specific data, and company deduction pricing
Healthcare interaction dataSelected providers, specialties, appointment type, date, time, notes, doctor feedback, and consultation-related records created through the Platform
CME dataParticipant profile (license number, organization, country), event registrations, waitlist position, attendance records and signatures, certificates (numbers, verification codes, credits, CPD points), feedback, downloaded resources, and annual transcripts
Mental health and OSH dataScreening questionnaires and responses, scores and subscale results, risk indicators, recommendations, consent records, referrals, attachments, schedules, incident reports, surveillance plans, risk flags, and related audit events
Messaging dataChat room membership and roles, anonymous group display names, message content, attachments and their metadata, edit/delete metadata, typing status, read receipts, unread counts, and scheduled group-call details
User-generated contentBlog posts, comments, ratings, feedback, and uploaded files such as avatars, documents, and images
Technical and usage dataDevice information, browser type, IP address, log files, cookies, session and access tokens, and analytics about how features are used (including client-side analytics events)
Communications dataSupport and contact-form requests, notifications sent to you, broadcasts, and your responses to surveys or forms

4. Sensitive and Health-Related Information

Some information we process is sensitive because it relates to physical or mental health, wellbeing, or workplace safety. This may include screening answers and scores, risk classifications, high-risk flags, clinical referrals and their status, incident reports, consent history, appointment notes, and related occupational-health records.

We process this information only where permitted by law and where you or your organization have provided the required notices and consents. Before starting any workplace mental-health or OSH screening, you must provide data-processing consent, and additional screening consent may be required for each assessment session. Sensitive data is subject to stricter access controls and is not exposed to company owners.

5. How We Collect Information

We collect information:

6. How We Use Your Information

We use personal information to:

We process personal information on one or more of the following bases:

You may withdraw consent for mental-health data processing from your profile at any time. Withdrawal stops new screenings but does not automatically erase records that must be retained by law or for legitimate workplace-safety purposes, nor does it affect processing carried out before withdrawal.

8. Who We Share Information With

We do not sell your personal information. We may share information only as necessary with:

Third-party payment processors (MTN Mobile Money, Airtel Money), video-call infrastructure (such as Jitsi), email, and analytics tools process data according to their own policies and our contractual safeguards where applicable.

9. Employer and Company Roles

Where your employer participates in a Walax workplace program:

10. Payment Information

When you pay for services, we and our payment partners process information needed to complete and record the transaction, including the amount, currency, payment method, provider transaction identifiers, status, the service being paid for, and provider callback data. We do not store full card details on our own systems; mobile-money and other payment processing is handled by the relevant provider. We retain transaction records for accounting, fraud-prevention, and legal-compliance purposes.

11. Messaging, Calls, Notifications, and Safety Workflows

If you use chat, group calls, or receive notifications, we store communications and related metadata needed to deliver the service and support safety workflows. Group features may display an anonymized name instead of your real name to other participants, though the system retains the underlying association. Video and audio calls may be handled by a third-party provider. In some cases, elevated screening risk levels may trigger automated outreach to authorized clinical support channels, recommended follow-up actions, or display of emergency contact information where clinically appropriate.

12. CME, Certificates, and Professional Records

For continuing medical education, we process your professional details, registrations, attendance, feedback, and the certificates and transcripts you earn. Certificates contain a unique certificate number and verification code and can be independently verified through the public verification page. When a certificate is verified, the verifier may see that the certificate is valid along with limited associated details (such as the recipient name, event, credits, and dates). We record verification and download events for integrity and audit purposes.

13. Cookies, Analytics, and Tracking

We use cookies, session identifiers, and similar technologies to keep you signed in, remember preferences, secure the Platform, and understand how features are used. We also collect usage and analytics data, which may include client-side events, watch metrics, and content interaction counts (for example views and clicks on offers or blogs). You can manage cookies through your browser settings, though disabling some cookies may affect functionality.

14. Data Retention

We retain information only for as long as necessary for the purposes described in this Policy, unless a longer period is required by law. In general:

When information is no longer needed, we delete, anonymize, or securely archive it where feasible. Organization-specific retention periods may apply to workplace data.

15. Security

We use administrative, technical, and organizational safeguards designed to protect personal information, including role-based access controls, restricted access to sensitive screening data, audit logging for sensitive areas, hashed passwords, authentication tokens, and secure transmission where supported. No online system is completely secure, so please protect your credentials, sign out of shared devices, and notify us promptly of any suspected unauthorized access.

16. Your Rights

Subject to applicable Ugandan data-protection law, including the Data Protection and Privacy Act, 2019, you may have the right to:

We may need to verify your identity before fulfilling a request and may decline requests that are unlawful, excessive, or that would undermine the rights of others or our legal obligations.

17. Children’s Privacy

Walax Health is intended primarily for adults and supervised workplace use. Children under 18 should use the Platform only with the consent and supervision of a parent or legal guardian. We do not knowingly collect personal information from children without appropriate consent, and we will take reasonable steps to delete such information if we become aware of it.

18. International and Third-Party Processing

Some service providers may process information on servers located outside Uganda. Where this occurs, we take reasonable steps to ensure appropriate safeguards consistent with applicable law, including contractual protections with our processors. Third-party services you choose to use (such as payment, video-call, or identity providers) process information under their own policies.

19. Data Breach Handling

We maintain processes to detect, record, and respond to personal-data breaches. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the relevant regulator and affected individuals as required by law, and we maintain an internal breach register and reporting workflow for compliance purposes.

20. Changes to This Policy

We may update this Privacy Policy from time to time to reflect new features, legal requirements, or operational practices. The effective date at the top of this page will change when updates are published, and we may notify you through the Platform where appropriate. Continued use of the Platform after an update means you accept the revised Policy.

21. Contact Us

For privacy questions, data-subject requests, or concerns about how your information is handled, contact us:

If you participate in a workplace mental-health program, you may also contact your employer’s Data Protection Officer or authorized privacy contact where one has been designated for your organization.