Privacy Policy

Last updated: May 17, 2026

Emergency notice. The Mobile Doctor is not a replacement for emergency services. If your life is in danger, call your local emergency number (in Uganda dial 112 or 999) in addition to using this app.

This Privacy Policy explains how The Mobile Doctor ("we", "us", "our") collects, uses, shares, and protects information about you ("you", "your", "the user") when you use our website, mobile app, and related services (together, the "Service"). By creating an account or using the Service you confirm that you have read this notice and agree to the practices it describes.

1. Who we are

The Service is operated by The Mobile Doctor team based in Kampala, Uganda. We act as the "data controller" for information you provide directly to us. Service providers you connect with through the Service (doctors, nurses, therapists, ambulance operators, clinics, hospitals, pharmacies) are independent professionals or organisations and may process your information as separate data controllers in their own right.

2. Information we collect

2.1 Information you give us

Account details: full name, email address, phone number, password (stored only as a one-way cryptographic hash), profile photo, role (patient, doctor, nurse, therapist, ambulance operator, facility manager).
Provider details (for doctors, nurses, therapists, ambulance and facility accounts): professional title, specialty or practitioner type, licence number, biography, consultation fee, vehicle plate, facility name, opening hours and physical address. This information is used by our team to verify the account and is shown to other users so they can find and choose a provider.
Health-related information you choose to share: the short description you enter when requesting emergency assistance, notes you attach to an appointment booking, and the content of messages you exchange with providers through the in-app chat.
Location: when you use the emergency button, the "nearest provider" search, or the "share my location" feature, we collect the latitude and longitude reported by your device's geolocation. Providers (doctors, ambulance operators) also share their location while they are on duty so we can match you with the closest one.

2.2 Information we collect automatically

Device and connection: IP address, browser type and version, operating system, and the pages you view inside the Service. We use this for security, troubleshooting and analytics in aggregate form.
Session cookies: we set a single first-party session cookie to keep you signed in. We do not use third-party advertising cookies or behavioural ad trackers.
Verification codes (OTPs): when you sign up with a phone number we generate a 6-digit one-time code, send it to you by SMS, and store its short-lived record so we can confirm you entered it correctly.

2.3 Information we receive from others

Where you connect with a provider, that provider may share with us information about your interaction (such as appointment status, dispatch acceptance, or messages). Our admin team may add or verify limited information about places (hospitals, pharmacies, clinics, labs) from public records.

3. How we use your information

We use information for the following purposes:

Delivering the Service: creating and maintaining your account, authenticating you, matching patients to the closest available provider, dispatching emergency requests, displaying nearby facilities on the map, facilitating messages and video / audio calls, and processing your appointment bookings.
Communication: sending SMS verification codes, welcome messages, appointment notifications, and other operational messages. We do not send marketing SMS without your separate consent.
Safety and integrity: verifying provider credentials, detecting and preventing fraud and abuse, enforcing our Terms of Service, and ensuring the Service remains available and secure.
Improvement: understanding how the Service is used (in aggregate) so we can improve features, fix bugs, and design new functionality.
Legal: complying with applicable law, responding to lawful requests by public authorities, and protecting our rights, your safety, or the safety of others.

4. Legal bases (for users in the EU/EEA, UK, and similar regimes)

We rely on the following lawful bases:

Performance of a contract when we provide the Service that you have signed up for.
Your consent for processing your precise location, your health-related descriptions, and special-category data; you may withdraw consent at any time by stopping use of the relevant feature.
Legitimate interests in keeping the Service secure, preventing abuse, and improving the product, balanced against your rights and freedoms.
Vital interests when we share your location with an ambulance unit responding to an emergency request you have made.
Legal obligation where we are required to retain or disclose information by law.

5. When we share information

We share the minimum information necessary, and only in these circumstances:

With service providers you connect with. When you book a doctor or send an emergency request, the matched provider sees your name, phone number, profile photo, the relevant location, and any description or notes you have attached. This sharing is intrinsic to the Service and cannot be opted out of for the specific interaction.
With our infrastructure partners (processors who act on our instructions):
- SMS gateway (UGSMS Uganda) - receives phone numbers and message content to deliver OTPs and operational SMS.
- Jitsi Meet (8x8 Inc., or self-hosted) - powers in-app audio and video calls between you and your provider. Call participation data transits Jitsi servers.
- OpenStreetMap / CARTO / Nominatim / OSRM - supply map tiles, geocoding (address lookup) and driving routes. Your coordinates are sent to these services when their feature is used.
- Hosting and database providers - store the application's data so the Service can run.
With your admin / facility manager. If you sign up as a member of a healthcare facility, the facility administrator may see your account.
Where law requires. We may disclose information when compelled by a valid court order, regulator, or law enforcement request; or to defend ourselves in legal proceedings.
Business transfers. If we merge with, are acquired by, or sell assets to another entity, information may transfer with the business. We will notify you and honour the protections of this Policy.

We do not sell your personal information. We do not share it for third-party advertising.

6. International transfers

Some of our processors (notably Jitsi, OpenStreetMap services, and certain hosting providers) operate servers outside Uganda. Where this involves transferring your information across borders, we rely on the recipient's published privacy programme, appropriate contractual protections, and applicable derogations (for example performance of a contract you have requested).

7. How long we keep your information

Account data is kept for as long as your account is active and for a reasonable period afterwards to defend legal claims or comply with law.
Messages and appointment history are kept while the account is active so you can refer back to them.
Emergency request records are kept for at least one year for safety, audit and incident-review purposes.
Location records ("last known location") are continuously overwritten; we do not keep a historical trail of every coordinate.
Verification codes (OTPs) expire after ten minutes and are deleted on a rolling basis.
Server logs with IP addresses are kept for up to 90 days.

Where retention is mandated by Ugandan or other applicable law (for example tax, accounting, or medical records legislation), those longer periods apply.

8. How we protect your information

Passwords are stored as one-way bcrypt-style hashes - we never see your clear-text password.
All database queries use parameter binding, and the application protects against cross-site request forgery, cross-site scripting, click-jacking, and content-type sniffing.
Production traffic is served over HTTPS. We strongly recommend you do not use the Service over unencrypted public Wi-Fi.
Uploaded files (such as profile photos) are stored outside the application directory and re-encoded by our server, which strips embedded metadata and prevents script execution.
Administrative access to the production environment is limited to a small number of authorised people.

No service can be 100% secure. If we ever experience a breach affecting your personal information, we will notify you and the relevant regulator as required by law.

9. Your rights

Subject to applicable law (including Uganda's Data Protection and Privacy Act, 2019 and, where relevant, the EU/UK GDPR), you have the right to:

Access a copy of the personal data we hold about you.
Correct inaccurate or incomplete information - most of this can be done directly from your profile page.
Delete your account and the personal data attached to it, except where we are required to keep certain records (for example unresolved emergency incidents or financial records).
Object to or restrict certain processing.
Receive your data in a portable, machine-readable format.
Withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Lodge a complaint with a supervisory authority - in Uganda, the Personal Data Protection Office at the National Information Technology Authority - Uganda (NITA-U); in the EU/EEA, your national data protection authority.

To exercise any of these rights, contact us using the details in section 14. We will respond within thirty (30) days.

10. Children

The Service is not directed at children under thirteen (13). If you are between 13 and the age of legal majority in your jurisdiction, you may only use the Service with the consent and supervision of a parent or legal guardian. If we discover that we have collected information from a child below 13 without the required parental consent, we will delete it.

11. Cookies and similar technologies

We use a single first-party session cookie (typically named PHPSESSID) to keep you signed in. We do not use advertising cookies, third-party tracking pixels, or social-media tracking. Modern browsers let you clear cookies or block them entirely; doing so may prevent the Service from working.

12. Links to other services

The Service may link to third-party websites that are not under our control. We are not responsible for the privacy practices of those sites; please review their own notices.

13. Changes to this Policy

We may update this Policy from time to time. When we do, we will revise the "Last updated" date at the top. For material changes we will give you reasonable advance notice by email or in-app message. Continuing to use the Service after the change takes effect means you accept the updated Policy.

14. Contact us

Questions, requests, or complaints about this Policy can reach us at:

Email: privacy@themobiledoctor.com
Phone: +256 782 926 197 or +256 754 714 999
Postal: The Mobile Doctor, Kampala, Uganda (full address available on request).

For other questions, see the contact page.

This Policy is provided to inform you of our current data practices. It is not legal advice. Where local law gives you stronger rights than those described here, those local rights apply.