1. Who We Are
VitalCheck is operated by Mazano Health (Pvt) Ltd, registered in Zimbabwe. We provide biometric health screening services to employers and insurers for occupational wellness monitoring.
Data Protection Officer: dpo@mazano.co.zw
Supervisory Authority: Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ)
2. What Data We Collect
We collect the following categories of personal data:
| Category | Examples |
|---|---|
| Identity | Employee ID, first name |
| Authentication | Hashed date of birth (SHA-256 — never stored in plain text) |
| Health (Special Category) | Heart rate, blood pressure, SpO₂, breathing rate, stress level, HRV, wellness score |
| Occupational | Department, shift pattern, site location, job risk category |
| Technical | Device type, scan quality score, timestamps |
We do not collect facial images, video recordings, GPS location, or browsing history.
3. How We Use Your Data
- Perform biometric health screening and generate wellness scores
- Triage results into risk bands (GREEN / AMBER / RED) for clinical review
- Detect potential comorbidity patterns for early intervention
- Generate anonymized, k-aggregated reports for employers and insurers
- Facilitate clinical follow-up for high-risk findings
- Comply with legal and regulatory obligations
4. Legal Basis for Processing
- Explicit consent (GDPR Art.6(1)(a) + Art.9(2)(a); Zim DPA § 30) — for health data processing
- Contract performance (Art.6(1)(b)) — for employer screening services
- Vital interests (Art.6(1)(d) + Art.9(2)(c)) — for clinical triage escalation
- Legitimate interests (Art.6(1)(f)) — for aggregated workforce analytics
- Legal obligation (Art.6(1)(c)) — for audit trails and regulatory compliance
5. How We Protect Your Data
- AES-256-GCM encryption for sensitive fields at rest
- TLS 1.3 encryption for all data in transit
- JWT session tokens with 1-hour expiry
- Role-based access control (6 role tiers)
- k-anonymity enforcement (cohorts below 5 are suppressed)
- Complete audit trail of all data access
- DOB hashed client-side (SHA-256) before transmission
- Patient data isolation by organization
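The k-aggregated reporting referred to in sections 3 and 5 (cohorts below 5 suppressed), as an added illustration that is not VitalCheck's own code: it counts triage bands per department over constructed sample data and includes the complementary-suppression step needed so a suppressed cell cannot be recovered by subtracting from a published total. The department names, the SCANS sample and the k_aggregate function are assumptions.

```python
from collections import Counter, defaultdict

K = 5  # minimum cohort size stated in the policy; smaller cells are suppressed
BANDS = ("GREEN", "AMBER", "RED")

# Constructed sample of triaged scan results as (department, risk band).
# Not real data; chosen so one department has a small RED cohort and one
# department is too small to report at all.
SCANS = (
    [("Assembly", "GREEN")] * 14 + [("Assembly", "AMBER")] * 6 + [("Assembly", "RED")] * 2
    + [("Logistics", "GREEN")] * 9 + [("Logistics", "AMBER")] * 5
    + [("Security", "GREEN")] * 3 + [("Security", "RED")] * 1
)


def k_aggregate(scans, k=K):
    """Count risk bands per department and suppress small cells.

    Assumed rules (an illustration, not the project's implementation):
    1. A department whose total is below k is dropped entirely.
    2. A band count of 1..k-1 is replaced with None. A zero count is kept,
       since an empty cell describes no individual.
    3. If exactly one band in a row is suppressed while the total is
       published, the smallest remaining cell is suppressed too, so the
       hidden value cannot be recovered by subtraction.
    """
    counts = defaultdict(Counter)
    for dept, band in scans:
        counts[dept][band] += 1
    report = {}
    for dept, bands in counts.items():
        total = sum(bands.values())
        if total < k:
            continue  # rule 1: cohort too small to report
        row = {b: (None if 0 < bands[b] < k else bands[b]) for b in BANDS}  # rule 2
        hidden = [b for b in BANDS if row[b] is None]
        if len(hidden) == 1:  # rule 3: complementary suppression
            published = [b for b in BANDS if row[b] is not None]
            row[min(published, key=lambda b: row[b])] = None
        row["total"] = total
        report[dept] = row
    return report
```

With the sample above, Assembly publishes only GREEN and the total (RED and AMBER are both hidden), Logistics is published in full, and Security is dropped.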
6. Your Rights
Under the Zimbabwe DPA 2021 and GDPR, you have the right to:
| Right | Reference | How to Exercise |
|---|---|---|
| Access your data | Art.15 / § 14 | Dashboard → Download My Data |
| Correct your data | Art.16 / § 15 | Dashboard → Request Correction |
| Delete your data | Art.17 / § 17 | Email dpo@mazano.co.zw |
| Data portability | Art.20 / § 16 | Dashboard → Download My Data (JSON) |
| Withdraw consent | Art.7(3) / § 30 | Email dpo@mazano.co.zw |
| Lodge a complaint | Art.77 / § 23 | Contact POTRAZ |
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Raw scan data | Per organization policy (default: 2 years) |
| Anonymized aggregates | 5 years |
| Audit logs | 7 years |
| Deleted employee records | 90 days (soft delete), then permanently erased |
8. Sub-Processors
| Provider | Purpose | Location |
|---|---|---|
| Binah.ai | Vital signs SDK (processing only) | Israel / EU |
| Resend | Transactional email delivery | United States |
| Database Provider | Data storage | SADC region (preferred) |
| Vercel | Application hosting | United States |
All sub-processors are bound by Data Processing Agreements with Standard Contractual Clauses for international transfers.
9. International Transfers
Some of our sub-processors are located outside Zimbabwe and the SADC region. International transfers are protected by EU Standard Contractual Clauses (SCCs) and equivalent safeguards recognized under the Zimbabwe DPA 2021.
We prioritize SADC-region data residency where technically feasible.
10. Children’s Data
VitalCheck is designed for adult employees in workplace settings. We do not knowingly collect data from individuals under 18 years of age.
11. Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify POTRAZ within 72 hours of becoming aware (Zim DPA § 22 / GDPR Art.33)
- Notify affected individuals without undue delay if the breach is HIGH or CRITICAL severity
- Document all breaches in our incident register regardless of severity
12. Contact Us
Supervisory Authority
Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ)
Block 1, Emerald Park, 30 The Chase (West), Mount Pleasant, Harare