This policy explains how TrovinaCare collects, uses, stores, and protects your information when you use our Hospital Management System and EHR platform.
TrovinaCare processes both personal data and sensitive health (medical) data on behalf of hospitals and clinics ("Data Controllers"). If you are a patient, your primary data rights should be exercised directly with your healthcare provider. If you are a healthcare organization, please review our Data Processing Agreement (DPA) which governs our obligations as a Data Processor.
TrovinaCare ("we", "our", or "us") is a cloud-based Hospital Management System (HMS) and Electronic Health Record (EHR) platform operated by TrovinaCare Ltd., a company incorporated and operating across Africa. We are committed to protecting the privacy and security of all personal data processed through our platform.
This Privacy Policy applies to:
By accessing or using TrovinaCare, you agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the platform and contact your healthcare provider or our team at privacy@trovinacare.com.
We collect different categories of information depending on how you interact with TrovinaCare.
When a hospital or clinic registers on TrovinaCare, we collect:
Patient records are entered and managed by your healthcare provider. This data may include:
We process personal data only for lawful purposes. Below is a summary of our uses:
We do not use patient health data for advertising, sell data to third parties, or use data in ways that conflict with the purposes for which it was originally collected.
TrovinaCare does not sell, rent, or trade personal data. We share data only in the following limited circumstances:
We engage carefully vetted third-party vendors to help operate our platform — including cloud hosting providers, SMS gateway partners, payment processors, and analytics tools. All sub-processors are bound by data processing agreements and may only use data to perform services on our behalf.
We may disclose data when required to do so by law, court order, or government authority, including applicable data protection authorities in countries where we operate. We will notify affected organizations where legally permitted to do so.
In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the acquiring entity. We will notify affected users prior to any such transfer and ensure continuity of data protection standards.
Patient data is shared with and managed by your healthcare provider (the Data Controller). TrovinaCare acts solely as a Data Processor in this context and follows the instructions of the healthcare organization that engaged our services.
We take data security seriously and implement industry-standard technical and organizational measures to protect all data processed on our platform.
While we implement robust security measures, no system is completely immune to security risks. In the event of a data breach that poses a risk to your rights, we will notify affected organizations within 72 hours in accordance with applicable data protection laws.
Special Category Data: Health and medical information is classified as "special category data" under most African data protection frameworks (e.g., Nigeria's NDPR, Kenya's Data Protection Act, South Africa's POPIA) and the GDPR. This data receives the highest level of protection under our policies.
TrovinaCare processes patient health data exclusively as a Data Processor, acting on the documented instructions of our healthcare provider clients (Data Controllers). We commit to the following with respect to health data:
Depending on your jurisdiction, you may have the following rights regarding your personal data. These rights apply to data for which TrovinaCare is the Data Controller (such as account holder and website visitor data). For patient health records, rights must be exercised with the healthcare provider.
To exercise any of these rights, please email us at privacy@trovinacare.com with the subject line "Data Rights Request". We will respond within 30 days. We may need to verify your identity before processing your request.
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements.
TrovinaCare primarily stores and processes data within Africa. Where data is transferred outside the country of origin for cloud infrastructure or support purposes, we ensure appropriate safeguards are in place, including:
Healthcare organizations can request a data residency arrangement in their country or region under our Enterprise plan. Please contact privacy@trovinacare.com for details.
The TrovinaCare platform is intended for use by healthcare organizations and their adult staff members. We do not knowingly collect personal data directly from individuals under the age of 18 for account registration purposes.
Pediatric patient records may be created and managed within the platform by healthcare providers. In such cases, the healthcare provider (as Data Controller) is responsible for ensuring appropriate consent is obtained from parents or legal guardians in accordance with local laws and clinical standards.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
Your continued use of TrovinaCare after changes become effective constitutes acceptance of the updated policy.
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Data Protection team: