HeliosTerms & Conditions

Policy Center

Privacy Policy

Last Modified April 30, 2026

Your privacy

Helios Health Ltd (“Helios”, “we”, “us”) is a medical technology company headquartered in Kampala, Uganda. We build proactive healthcare infrastructure: the Health Plus Card, the Helios Pulse wearable, and the Health Plus clinical platform: for patients, doctors, and healthcare facilities across Africa.

This Privacy Policy applies to all Helios services: helioshealths.com, app-healthplus.com, the Health Plus App, the Health Plus Card, and the Helios Pulse device. It explains exactly what data we collect, why we collect it, how we protect it, and what rights you have over it.

We process your data in compliance with the Uganda Data Protection and Privacy Act (DPPA) 2019. We do not sell your personal data. We do not use your health data for advertising.

What data we collect

Identity & Account Data

  • Full name, date of birth, gender, nationality
  • Email address, phone number, profile photo (optional)
  • Government-issued ID (for identity verification where required by law)
  • Account credentials (passwords stored as irreversible cryptographic hashes)

Health & Medical Data (Special Category)

  • Medical history, chronic conditions, allergies, immunizations, blood type
  • Prescription records, lab results, consultation notes
  • Real-time biometrics from Helios Pulse: ECG, SpO₂, heart rate, blood pressure estimates, body temperature, motion and activity data
  • Emergency medical data stored on your Health Plus Card (accessible offline by NFC/QR scan at partner facilities in emergencies)

Health data is classified as a special category under the DPPA and receives the highest level of protection. We process this data only with your explicit consent or in emergency situations where your vital interests are at risk.

Financial & Transaction Data

  • Health Plus Wallet balance and transaction history
  • Payment method references (full card numbers are never stored: processed by PCI-DSS compliant payment providers)
  • Mobile Money transaction references

Device & Usage Data

  • IP address, browser type, operating system, device identifiers
  • Pages visited, features used, session duration, error logs
  • Cookies and similar technologies (see Our Policies section)

How we use your data

  • Service delivery: Managing your account, Health Plus Card, wallet, appointments, and consultations
  • Health monitoring: Processing Helios Pulse biometric data to generate real-time health insights and clinical alerts
  • Emergency care: Displaying critical health data to authorised healthcare providers in life-threatening situations
  • Payments: Processing wallet top-ups and facility transactions securely
  • Communications: Appointment reminders, health alerts, prescription notifications, support responses
  • Safety & compliance: Fraud detection, unauthorized access prevention, legal obligations
  • Platform improvement: Anonymized, aggregated analytics to improve reliability and features

Legal basis for processing

Processing activityLegal basis
Account creation and service deliveryContract performance
Health data and biometric monitoringExplicit consent
Consultation recordingExplicit consent (both parties)
Emergency health data accessVital interests
Financial transaction processingContract performance
Fraud detection and securityLegitimate interests
Legal and regulatory complianceLegal obligation
Anonymized research and analyticsLegitimate interests / Consent

Research data

Helios operates at the intersection of healthcare delivery and public health research. Understanding population-level health trends: prevalence of hypertension, diabetes onset patterns, care access gaps: helps us improve the platform and contributes to the broader fight against non-communicable diseases in Africa.

Our core research commitment

We do not use individually identifiable health data for research without your explicit, informed consent. Any data contributed to research is de-identified and aggregated to a level where no individual can be identified. You can participate in research or opt out at any time from your account settings, without affecting your access to Helios services.

Types of research data use

  • Anonymized platform analyticsAggregated, de-identified usage data (e.g. feature adoption rates, system performance) used to improve the platform. No individual can be identified. No consent required beyond accepting these terms.
  • De-identified health trend researchAggregate epidemiological data (e.g. hypertension prevalence in a region) shared with academic institutions and public health bodies. Data is stripped of all identifiers before use. Opt-out available in settings.
  • Clinical validation studiesDevice accuracy validation and clinical efficacy studies use de-identified biometric data from consenting users. Explicit consent required before enrollment.
  • AI model improvementAnonymized sensor data from Helios Pulse is used to improve our health monitoring algorithms. You can opt out of contributing to model training in your account settings without losing monitoring functionality.

Your research data rights

  • Withdraw from research participation at any time: retroactive de-identification applied
  • Access information about which research studies your data has contributed to
  • Request a full export of all data associated with your account
  • Object to specific types of data processing for research purposes

Privacy protection

Your health data is among the most sensitive information that exists. Our privacy protection architecture is built on the principle of minimum necessary access: only the people and systems that genuinely need your data to provide your care can access it.

Consent management

You control precisely who can see your medical records. The platform uses a granular consent system: you grant access to specific providers for specific record types for defined time periods. Every grant of access is logged. You can revoke consent at any time.

Standard access

Requires your explicit consent before any doctor or facility can view your records

Emergency access

Break-the-glass access in life-threatening situations: time-limited, fully logged, you are notified within 24 hours

Audit trail

Every record access event is permanently logged with timestamp, accessor identity, and purpose

Consent withdrawal

You can withdraw consent for any provider at any time from your account settings: effective immediately

Data sharing

We share your data only in these circumstances:

  • Authorized providers: Doctors and facilities you have explicitly granted access to through the consent system
  • Service providers: Third-party vendors (cloud hosting, payment processing, SMS delivery) operating under strict data processing agreements that prohibit them from using your data for any purpose other than providing services to Helios
  • Legal requirements: When required by a valid court order or statutory obligation under Ugandan law: we will notify you unless legally prohibited from doing so
  • Business transfers: In the event of a merger or acquisition, you will be notified at least 30 days in advance and may request deletion before any transfer occurs

We never share your data for advertising

Your health data is never sold, rented, or used to build advertising profiles. Full stop.

Your rights

Access

Request a full copy of all personal data we hold about you

Correction

Request correction of any inaccurate or incomplete data

Deletion

Request deletion of your account and personal data (subject to legal retention requirements for medical records)

Portability

Receive your data in a structured, machine-readable format (JSON / PDF)

Object

Object to processing based on legitimate interests

Restrict

Request restriction of processing in specific circumstances

Withdraw consent

Withdraw consent for health data processing at any time without penalty

Complain

Lodge a complaint with the Uganda Personal Data Protection Office (PDPO)

To exercise any of these rights, email centraloffice@helioshealths.com. We respond within 30 days.

Security standards

Medical data demands medical-grade security. Our infrastructure is designed from the ground up to protect biometric data, clinical records, and financial transactions against unauthorized access, breaches, and misuse.

Encryption at rest and in transit

All health and personal data is encrypted at rest using AES-256. All data in transit is protected by TLS 1.3. Database fields containing biometric data use field-level encryption with keys managed by a dedicated secrets management system.

Role-based access control (RBAC)

Access to patient data is strictly role-based. Patients, doctors, facility staff, community health workers, and administrators each have precisely scoped permissions. No role has broader access than required for its function. Privilege escalation requires multi-factor approval.

Full audit logging

Every data access event: read, write, export, emergency access: is recorded with a timestamp, user identity, IP address, and declared purpose. Audit logs are tamper-evident and retained for a minimum of 7 years.

Multi-factor authentication (MFA)

MFA is required for all healthcare provider accounts and strongly encouraged for patient accounts. Administrative access to production systems requires hardware security keys.

Offline-first device security (Helios Pulse)

Biometric data stored on Helios Pulse is encrypted on-device. NFC communication uses ISO/IEC 14443 with secure element authentication. Data synced to the cloud is transmitted over an encrypted BLE channel and re-encrypted at ingestion.

Infrastructure and penetration testing

Our infrastructure undergoes regular security assessments and third-party penetration testing. Critical vulnerabilities are remediated within 24 hours. Our security posture is reviewed quarterly.

Breach response

In the event of a confirmed data breach affecting personal or health data, we will notify affected users and the Uganda PDPO within 72 hours of discovery, in compliance with the DPPA 2019.

Our policies

Data retention

Data typeRetention periodBasis
Account & identity dataDuration of account + 30 days after deletionContract performance
Medical recordsMinimum 7 years from last clinical eventUganda Health Records Regulations
Prescription records7 yearsPharmacy & Drugs Act (Uganda)
Transaction records7 yearsFinancial compliance (Uganda)
Audit logs7 yearsDPPA 2019 compliance
Helios Pulse biometric data2 years rolling (configurable by patient)Consent
Anonymized research dataIndefiniteLegitimate interests
AI chat logs (public widget)90 days (not linked to account)Legitimate interests

Cookies policy

We use cookies and similar technologies to operate our websites. You manage your preferences through the cookie banner shown on first visit. Your choices are stored in your browser and respected on return visits.

Required

Strictly necessary

Session management, authentication, security tokens. Required for the website to function. Cannot be disabled.

Optional

Functional

Remember your language preference, region, and UI settings across sessions.

Optional

Performance

Anonymized analytics (page views, error rates, load times) to understand platform usage. No individual tracking.

Optional

Targeting

Used only with your explicit consent to show relevant content. We do not use targeting cookies for third-party advertising networks.

Children's privacy

Our Services are not directed at children under 13. We do not knowingly collect personal data from children under 13. Users between 13 and 17 require documented parental or guardian consent to create an account. If you believe a child has provided us with personal data without appropriate consent, contact centraloffice@helioshealths.com and we will delete the data promptly.

International data transfers

Patient health and biometric data is primarily stored and processed within Uganda. Where operational requirements involve processing in other jurisdictions (e.g. cloud infrastructure providers), we ensure appropriate safeguards are in place including standard contractual clauses and data processing agreements. We do not transfer personal health data to jurisdictions without adequate data protection frameworks without explicit consent.

Changes to this policy

We will notify you of material changes to this policy by email and through a prominent notice on our websites at least 14 days before the changes take effect. The “Last Modified” date at the top of this page reflects the most recent revision. Continued use of our Services after changes take effect constitutes acceptance of the revised policy.

Contact us

For any privacy-related questions, data subject requests, or concerns about how Helios handles your personal data, contact us through the channels below. We respond to all privacy requests within 30 days.

Privacy & Legal

Helios Health Ltd

Kampala, Uganda

centraloffice@helioshealths.com

Platform Support

For account-specific issues, lost card, data export requests, or consent management help.

support@app-healthplus.com

Uganda Personal Data Protection Office (PDPO)

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the Uganda PDPO, the national supervisory authority for data protection. Visit pdpo.go.ug for contact details.

We use cookies to provide core website functionality and to analyze site usage, enable social media features and provide tailored content and ads. You can review, modify or withdraw your consent at any time. Read our Privacy Policy.

We use cookies to provide core website functionality and to analyze site usage, enable social media features and provide tailored content and ads. You can review, modify or withdraw your consent at any time. Read our Privacy Policy.