GENO Wellness Hub
GENO Wellness logo
GENO Wellness · Privacy policy

GENO Wellness Privacy Policy

Version 2026-06-13.2·Effective 12 June 2026

1. Summary

This Privacy Policy describes how GENO Wellness Ltd. ("GENO", "we", "us") handles your information when you use the GENO Wellness Hub — the website (genoessence.com), customer web app, and the GENO Wellness mobile app (collectively, the "Service"). GENO is incorporated in Kenya and primarily serves the East African Community (EAC).

The Short Version:

  • We collect what we need to run your account, connect you to wellness providers, take payments via mobile money or card, and personalize the experience. We do not collect anything we do not need.
  • We never sell your personal information — including health, wellness, or payment data — to anyone.
  • You can export or delete your data at any time from inside the Service.
  • This policy is governed by the Kenya Data Protection Act, 2019 (Cap 411C). Equivalent rights apply across the EAC.

If you use the GENO Steps app or the GENO Provider app, separate per-app privacy policies apply:

2. Who Is Responsible for Your Data
Data Controller GENO Wellness Ltd. (Kenya)
Registered Office Nairobi, Kenya
Primary Regulator Office of the Data Protection Commissioner (ODPC), Kenya
Email privacy@genoessence.com
Web https://genoessence.com/privacy

3. The Information We Collect

3.1 Information You Give Us Directly

  • Account Details: name, email address, password (stored only in hashed form — see §6), phone number, country, time zone, preferred language.
  • Optional Profile Fields: display name, date of birth or age, gender, wellness goals, short bio, profile photo.
  • Wellness Entries: mood, habits, journal notes — only when you record them inside the Service.
  • Booking Information: which providers you book, the date and service, and any notes you give the provider.
  • Payment Information: the mobile-money account (such as M-Pesa or Airtel Money), card, or other payment method you register, and the transaction history of every booking you make on GENO.
  • Sign-In Identifiers: if you sign in with Google, we receive your Google account email and a stable Google user ID. We do not receive your Google password.

3.2 Operational Information

  • Your appointment, session, and message history with providers
  • Points and badges you earn from wellness challenges
  • The articles and programs you save or complete
  • Your reviews and ratings of providers
  • Delivery records for the notifications, emails, and SMS we have sent you

3.3 Device and Technical Information

  • Device type, operating system, browser version (web), App version (mobile)
  • An IP address and approximate region derived from it
  • A first-party authentication cookie or token that keeps you signed in
  • Anonymized diagnostic logs to help us fix bugs
  • A notification token if you have enabled push on the mobile App

3.4 What We Do Not Collect

  • Precise GPS location
  • Microphone or camera access unless you actively start a session that uses them
  • Your contacts, calendar, SMS, or call logs
  • Behavioural-advertising identifiers — we do not use the IDFA, the Android Advertising ID, or third-party tracking pixels

4. How We Use Your Information

Purpose Lawful Basis (Kenya DPA, s. 30)
Running your account, matching you with providers, processing bookings Performance of our contract with you
Charging your payment method and routing earnings to providers Performance of our contract with you
Personalizing recommendations, programs, and reminders Performance of our contract with you
Sending the reminders, session updates, and account notifications you opted in to Your consent
Detecting and preventing fraud, abuse, or platform-rule violations Our legitimate interest
Investigating bugs and security incidents Our legitimate interest
Sending account emails (security alerts, password resets) Our legitimate interest
Marketing emails about GENO products Your consent (off by default)
Complying with tax, AML, and law-enforcement obligations Legal obligation

5. Sharing Your Information

5.1 With Wellness Providers You Book

When you book a session, the provider sees your display name, photo, the service, the time, and any booking notes you wrote. They do not see your payment details, your other bookings, or your account email unless you choose to share them.

5.2 With Tax and Law-Enforcement Authorities

We may disclose information when required by the Kenya Revenue Authority, the Uganda Revenue Authority, the Tanzania Revenue Authority, the Rwanda Revenue Authority, a valid court order, an ODPC order, or an equivalent order from a competent authority. Where the law permits we will notify you first.

5.3 In a Corporate Transaction

If GENO is acquired or restructured, your information may transfer to the acquirer under the same privacy commitments. We will notify you in advance.

6. How We Protect Your Information

We take the security of your personal data seriously and apply technical and organisational measures appropriate to the risk, including:

  • Industry-standard encryption of personal data in transit and at rest
  • Strong, one-way cryptographic hashing of account passwords — we never store, log, or transmit passwords in plain text
  • Restricted, audited access to production systems on a least-privilege basis
  • Regular review of third-party libraries and security advisories
  • A process for receiving and responding to responsible-disclosure reports at security@genoessence.com

No internet service can guarantee perfect security. If we ever discover a personal-data breach that is likely to result in a risk to your rights, we will notify the ODPC and, where required, you, within the timeframe set by section 43 of the Kenya DPA.

7. How Long We Keep Your Information

We keep personal data only as long as we need it, or as long as the law requires.

  • Profile Data is kept while your account is active.
  • Wellness Entries are kept until you delete them or your account.
  • Booking and Transaction Records are kept for the period required by tax law in your country.
  • Messages with Providers are kept while the relationship is active, then deleted on a rolling basis.
  • Diagnostic Logs and Delivery Records are kept for a short period for security and reliability.
  • Backups are overwritten on a rolling schedule after live data is deleted.

When you delete your account we erase your profile, wellness entries, and personal identifiers within a reasonable period. Transaction records that tax law requires us to keep are isolated from the live service.

8. Cross-Border Transfers

Some of the service providers we work with operate from outside the EAC, which means your personal data may be transferred outside Kenya. We only work with providers that contractually commit to data-protection standards equivalent to or better than the Kenya DPA, and we add additional safeguards as required by sections 48–49 of the Kenya DPA and equivalent provisions in Uganda, Tanzania, and Rwanda.

9. Your Rights

Under section 26 of the Kenya Data Protection Act, 2019 you have the right to be informed of, access, correct, delete, object to or restrict the processing of, and receive a copy of your personal data. Equivalent rights apply across the EAC.

You can exercise these rights inside the Service: Settings → Privacy to delete your account, Settings → Notifications to control consent, Settings → Export My Data for a JSON export. Other requests go to privacy@genoessence.com.

If you believe we have mishandled your data you can complain to the ODPC (https://www.odpc.go.ke) or the equivalent authority in your country.

10. Children

The Service is not directed at children under 13. Under section 33 of the Kenya DPA, "child" means anyone under 18. If you are under 18 and resident in Kenya, Uganda, Tanzania, or Rwanda, you may use the Service only with the consent of a parent or guardian, who may at any time request access, rectification, or deletion of your data via privacy@genoessence.com.

11. International Users (Outside the EAC)

If you use the Service from the European Union, the United Kingdom, the United States or another jurisdiction with its own data-protection law, the protections described above are extended to you under your local law (EU GDPR, UK GDPR, CCPA / CPRA or equivalent). We rely on Standard Contractual Clauses for cross-border transfers to the United States and we do not "sell" or "share" your personal information for cross-context behavioural advertising.

12. Cookies and Tracking

The web version of the Service uses only first-party cookies to keep you signed in and remember your preferences. We do not use third-party advertising cookies, behavioural-tracking pixels, or session-recording tools.

13. Changes to This Privacy Policy

We may update this Policy. The "Effective" date is updated whenever a new version is published. For material changes we will show you the new policy inside the Service and ask you to acknowledge it before continuing, and email the address on your account in advance.

14. Contact

GENO Wellness Ltd. Nairobi, Kenya

This privacy policy is published in English. If you read it in another language and notice a discrepancy, the English version prevails.

Effective from the "Last updated" date shown at the top of this page.

GENO Steps privacy policyGENO Provider privacy policyTerms & conditionsContact privacy team