Privacy Policy

1. Introduction & Scope

Atlas Software Corporation ("Atlas," "we," "us," or "our") respects your privacy and is committed to protecting the personal data you share with us. This Privacy Policy describes how we collect, use, disclose, store, and safeguard your information when you download, register for, or use VaxCPass — our digital health passport application available on the Google Play Store for Android devices, and accessible through our website at https://vaxcpass.com (collectively, the "Service").

VaxCPass enables travellers to securely store vaccination certificates and health records, generate tamper-proof QR codes for verification by border authorities, airlines, and other authorised parties, and receive AI-powered travel health recommendations. The Service operates in 180+ countries and is designed to function offline using zero-knowledge encryption (AES-256), ensuring that your sensitive health data remains under your control at all times.

This Privacy Policy applies to all users of the Service worldwide. Because we operate across multiple jurisdictions, we have designed this policy to comply with — and in many cases exceed — the requirements of applicable data protection laws, including but not limited to:

• The General Data Protection Regulation (EU GDPR, Regulation 2016/679) and the UK GDPR for individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland.
• The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) for California residents.
• The Protection of Personal Information Act (POPIA, 2013) for South African data subjects.
• The Personal Data Protection Act (PDPA) for users in Thailand and Singapore.
• The Kenya Data Protection Act, 2019 and regulations issued thereunder, given our registered office in Nairobi, Kenya.
• Principles aligned with the Health Insurance Portability and Accountability Act (HIPAA), although Atlas Software Corporation is not a HIPAA covered entity.

By downloading or using VaxCPass, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms herein, please do not use the Service. Where this policy uses terms defined in our Terms of Service, those definitions apply.

2. Information We Collect

2.1 Personal Data

We collect personal data that you voluntarily provide when creating an account, setting up your health profile, or communicating with us. This includes:

• Identity data: full legal name (as it appears on your travel documents), date of birth, gender, nationality, and government-issued identification numbers (e.g., passport number or national ID).
• Contact data: email address, phone number, and residential or mailing address.
• Account credentials: username and a hashed/encrypted password. We never store passwords in plaintext.
• Travel data: passport photograph, travel itinerary details, intended destinations, and travel history stored for personalised recommendations.
• Subscription data: selected plan tier (Individual, Family, or Premium), billing information, and renewal preferences.

2.2 Health Data (Special Category Data)

Health data constitutes "special category data" under GDPR Article 9 and "sensitive personal information" under CCPA/CPRA. We collect and process the following health-related information solely to provide the core functionality of VaxCPass:

• Vaccination records: vaccine type, manufacturer, batch/lot number, date(s) of administration, administering facility, and the name of the healthcare professional.
• Health certificates: digital or scanned copies of official vaccination certificates, COVID-19 test results, and other health clearance documents.
• Medical history relevant to travel: declared allergies, chronic conditions, and medications you voluntarily enter for AI-powered travel health recommendations.
• Body metrics: height and weight (optional) used to calculate dosage recommendations where applicable.

Important: Health data is encrypted on-device using AES-256 in a zero-knowledge architecture. Atlas does not have access to the unencrypted contents of your health records. Data is only decrypted locally on your device at the point of use.

2.3 Device Data

We automatically collect certain technical information from your Android device to ensure the proper functioning and security of the Service:

• Device make, model, and Android OS version.
• Unique device identifier (Android advertising ID or a VaxCPass-assigned installation UUID).
• Device locale, language settings, and time zone.
• Screen resolution and hardware capabilities relevant to QR code rendering.
• Secure Enclave and hardware security module (HSM) status for cryptographic operations.
• Battery level and connectivity status (Wi-Fi, cellular, offline).

2.4 Usage Data

We collect anonymised and aggregated usage data to improve the Service, understand user behaviour, and enhance security. This includes:

• Feature usage patterns (e.g., which QR codes are generated, how often offline mode is used).
• Frequency and duration of app sessions.
• Pages viewed and navigation paths within the app.
• Crash reports, performance metrics, and error logs.
• AI recommendation interaction data (e.g., recommendations accepted or dismissed).

2.5 Payment Data

To process subscription payments, we rely on trusted third-party payment processors. We do not store full credit card numbers, debit card details, or bank account credentials on our servers. The payment data we may retain includes:

• A tokenised payment method reference provided by our payment processor (e.g., Stripe or Google Play Billing).
• Transaction history (date, amount, currency, plan tier, and payment status).
• Billing address and the last four digits of your payment card for receipt purposes.

3. How We Collect Information

3.1 Directly From You

Most of the data we hold is provided by you directly through the VaxCPass application or website. This includes information you enter during account registration, health profile setup, vaccination record uploads, travel itinerary configuration, and any communications you initiate with our customer support team via email, in-app chat, or phone. We also collect data when you voluntarily complete surveys, provide feedback, or participate in beta testing programmes.

When you upload vaccination certificates or health documents, our system extracts structured data (vaccine type, dates, batch numbers) using optical character recognition (OCR) and AI-powered document parsing. The extracted data is presented to you for review and confirmation before being stored. You may edit or reject the extracted data at any time.

3.2 Automatically

When you use VaxCPass, certain information is collected automatically through our mobile application, servers, and third-party analytics services. This includes device data (as described in Section 2.3), usage data (Section 2.4), and log data such as IP address, browser or app version, access times, and pages or screens interacted with. We also collect anonymised location data (country and city level only, never precise GPS coordinates) to provide country-specific travel health recommendations and compliance information.

3.3 From Third Parties

We may receive information about you from the following third-party sources:

• Google Play Store: your Google account email, app purchase and subscription details, device information, and age verification status as provided through Google Play Billing.
• Payment processors: billing and transaction data necessary to process your subscription payments and issue refunds.
• Identity verification services: if you elect to verify your identity for enhanced features, we may use third-party KYC (Know Your Customer) providers who will share verification results with us.
• Health authorities and immunisation registries: with your explicit consent, VaxCPass may connect to authorised government health portals to retrieve and validate vaccination records. This data is encrypted end-to-end before storage.
• Travel and airline partners: if you link VaxCPass with participating airlines or travel platforms, we may receive itinerary and booking confirmation data to pre-populate your travel health recommendations.

4. How We Use Your Information

We use your personal data only for specific, explicitly stated purposes that are lawful, fair, and transparent, consistent with the principles of purpose limitation (GDPR Article 5(1)(b)) and our contractual obligations to you.

4.1 Core Service Delivery (Contractual Necessity)

The primary purposes for which we process your data are essential to delivering the VaxCPass Service under our Terms of Service:

• Creating, maintaining, and securing your account and health profile.
• Encrypting, storing, and organising your vaccination certificates and health records in your personal digital wallet.
• Generating tamper-proof QR codes and digital health passes for presentation at border crossings, airports, healthcare facilities, and other verification points.
• Providing AI-powered travel health recommendations, including vaccine requirements, malaria prophylaxis guidance, and destination-specific health advisories.
• Enabling offline functionality so that your health passes remain accessible without an internet connection.
• Managing your subscription, processing payments, and sending billing receipts and renewal notifications.

4.2 Legitimate Interests

Where we rely on legitimate interests as a legal basis (GDPR Article 6(1)(f)), we conduct and document a Legitimate Interests Assessment (LIA) to ensure that our processing does not override your rights and freedoms. These purposes include:

• Security and fraud prevention: detecting, investigating, and preventing fraudulent activity, unauthorised access, and abuse of the Service.
• Service improvement: analysing aggregated, anonymised usage data to improve app performance, fix bugs, and develop new features.
• Communication: sending service-related notifications, security alerts, and important updates about changes to the app or your account.
• Compliance: complying with applicable laws, regulations, court orders, and lawful requests from public authorities.

4.3 Consent-Based Processing

For certain processing activities, we obtain your explicit consent before proceeding. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. Consent-based processing includes:

• Receiving optional marketing communications, newsletters, and promotional offers.
• Sharing your health data with third-party travel verification systems (e.g., airline check-in, border control APIs).
• Connecting to government immunisation registries or health authority portals.
• Participating in anonymised research or product improvement programmes.

5. Legal Basis for Processing

We process personal data only when we have a lawful basis to do so. The table below summarises the legal bases we rely on for different categories of processing, as required by the GDPR and analogous provisions in other applicable data protection laws:

Under the Kenya Data Protection Act, 2019, we similarly rely on the grounds listed in Section 26, including consent, contractual necessity, legitimate interests, legal obligation, and vital interests. Health data is treated as "sensitive personal data" under Section 31, and we only process it with your explicit consent or as authorised under Sections 32 and 33.

6. Data Sharing & Third Parties

Atlas Software Corporation does not sell your personal data to any third party. We treat your data with the highest level of confidentiality. However, in the limited circumstances described below, we may share your information with carefully vetted third parties who are contractually obligated to protect it.

6.1 Payment Processors

We share the minimum payment data necessary with PCI DSS-compliant payment processors (such as Stripe Payments Europe, Ltd. or Google Commerce Limited) to facilitate subscription billing and payment processing. These processors operate under strict data processing agreements and are prohibited from using your payment data for their own marketing purposes.

6.2 Analytics and Performance Partners

We use privacy-respecting analytics services to understand how users interact with VaxCPass. Any data shared with analytics providers is pseudonymised and aggregated. We do not permit analytics partners to re-identify individual users or to combine VaxCPass data with data from other sources for advertising purposes.

6.3 Cloud Infrastructure Providers

Your encrypted data is stored on secure cloud infrastructure provided by reputable providers that maintain SOC 2 Type II, ISO 27001, and GDPR-compliant data processing certifications. Data stored in the cloud remains encrypted at rest (AES-256) and in transit (TLS 1.3), and the cloud provider has no access to your encryption keys.

6.4 Travel Verification Partners

With your explicit, affirmative consent, VaxCPass may share your verified health pass data (in the form of a signed, tamper-proof digital token) with:

• Airlines and aviation authorities for pre-departure health verification.
• Border control and immigration authorities who scan your QR code for entry clearance.
• Hotels, event venues, and other establishments that require proof of vaccination or health status.
• Partner healthcare providers for vaccination validation.

When data is shared for verification purposes, only the minimum necessary information is transmitted — typically a cryptographic proof of validity, the traveller's name, date of birth, and vaccine status — not the full medical record. You may revoke consent for any specific sharing arrangement at any time through your app settings.

6.5 Government Authorities and Legal Obligations

We may disclose your personal data if required to do so by law, regulation, court order, or binding legal process. This includes responding to lawful requests from law enforcement, regulatory bodies, or public health authorities in any jurisdiction where we operate. Where legally permissible, we will notify you of such disclosures unless doing so would compromise an investigation or violate a legal prohibition.

6.6 Corporate Transactions

In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of such transaction. We will notify you via email and/or a prominent notice within the app before your data becomes subject to a different privacy policy.

7. International Data Transfers

As a global Service operating in 180+ countries with a registered office in Nairobi, Kenya, your data may be transferred to, stored, and processed in jurisdictions outside your country of residence. These transfers are subject to the safeguards described below to ensure your data remains protected in accordance with applicable laws, including GDPR Articles 44-49 and the Kenya Data Protection Act Section 48-50.

7.1 Standard Contractual Clauses (SCCs)

Where data is transferred from the EEA, UK, or other jurisdictions with data transfer restrictions to countries not deemed to have adequate data protection laws, we rely on Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision 2021/914) as the primary transfer mechanism. These SCCs impose binding obligations on data importers to protect your personal data to standards equivalent to the GDPR.

Where appropriate, we supplement SCCs with additional measures, including technical protections (encryption in transit and at rest), organisational measures (access controls, staff training, and audit rights), and, where required, specific transfer impact assessments conducted in accordance with the guidance of the European Data Protection Board (EDPB).

7.2 Adequacy Decisions

Where the European Commission has issued an adequacy decision confirming that a country ensures an adequate level of data protection (e.g., the UK, Japan, South Korea, Canada for commercial organisations, and others), transfers to that country may proceed without additional safeguards. We maintain an up-to-date list of adequacy decisions and ensure our processing activities align with the conditions set out in each decision.

7.3 Explicit Consent

In limited circumstances, we may seek your explicit consent for international data transfers, particularly where no other valid transfer mechanism is available. Such consent is informed, specific, and freely given, and you may withdraw it at any time through your app settings or by contacting our Data Protection Officer.

Under the Kenya Data Protection Act, 2019 (Sections 48-50), cross-border data transfers are restricted to countries with comparable data protection frameworks or where adequate safeguards have been established. Atlas Software Corporation ensures that all international transfers from Kenya meet these statutory requirements.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal and regulatory obligations, resolve disputes, enforce our agreements, and maintain legitimate business operations. The specific retention periods for different categories of data are set out below:

Upon account deletion, your health records and personal data are purged from our servers within 30 days. Encrypted data stored locally on your device remains until you uninstall the app or manually delete the app data through your device settings. Backup copies stored in disaster recovery systems are overwritten within 90 days of account deletion.

9. Your Rights

Under the GDPR (Articles 12-23), CCPA/CPRA, Kenya Data Protection Act (Sections 25-38), POPIA, and other applicable data protection laws, you have a comprehensive set of rights over your personal data. We are committed to facilitating the exercise of these rights promptly and without undue burden.

9.1 Right of Access

You have the right to obtain confirmation of whether we process your personal data and, if so, to access a copy of that data along with supplementary information about the processing. You may exercise this right at any time through the "Download My Data" feature in the app settings or by submitting a written request to our Data Protection Officer. We will respond within 30 days (or within the shorter timelines required by applicable law).

9.2 Right to Rectification

You have the right to have any inaccurate or incomplete personal data corrected without undue delay. Most data can be edited directly within the VaxCPass app. If you are unable to make a correction yourself, please contact our support team, and we will assist you. For health data, you may update your vaccination records by uploading corrected certificates or manually editing the extracted data.

9.3 Right to Erasure (Right to Be Forgotten)

You have the right to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, when you object to processing and there is no overriding legitimate ground, or when the data has been unlawfully processed. To delete your account and all associated data, use the "Delete Account" feature in the app or contact us. Please note that certain data may be retained as permitted or required by law (e.g., financial records for tax compliance).

9.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV, or HL7 FHIR for health records) and to transmit that data to another data controller without hindrance. Use the "Export My Data" function in the app settings to download a portable copy of all your stored data, including vaccination records and health certificates.

9.5 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in the following circumstances: (a) you contest the accuracy of the data pending verification; (b) processing is unlawful but you prefer restriction over deletion; (c) we no longer need the data but you require it for legal claims; or (d) you have objected to processing pending verification of legitimate grounds. Restricted data will be stored but not otherwise processed.

9.6 Right to Object

You have the right to object to processing based on legitimate interests (Article 6(1)(f)) or processing for direct marketing purposes at any time. We will cease processing for direct marketing immediately upon receipt of your objection. For processing based on legitimate interests, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

9.7 Right to Withdraw Consent

Where processing is based on your consent (e.g., marketing communications, data sharing with travel verification partners, or connecting to government health registries), you may withdraw consent at any time through the app settings or by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

9.8 Rights Related to Automated Decision-Making

VaxCPass uses AI algorithms to provide travel health recommendations and to verify the authenticity of vaccination certificates. You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. If our AI systems are used in any capacity that could materially affect your ability to travel or access services, we will implement appropriate safeguards, including the right to obtain human intervention, express your point of view, and contest the decision (GDPR Article 22).

How to exercise your rights:You may exercise any of the above rights by navigating to the "Privacy" section within VaxCPass app settings, or by submitting a written request to our Data Protection Officer at the contact details provided in Section 15 below. We will acknowledge your request within 10 business days and respond substantively within 30 days. We will never discriminate against you for exercising your privacy rights.

10. Data Security

The security of your personal and health data is our highest priority. Atlas Software Corporation implements a comprehensive, multi-layered security programme designed to protect your data against unauthorised access, alteration, disclosure, or destruction. Our security measures are aligned with industry best practices and are regularly reviewed through internal audits and independent third-party security assessments.

10.1 Encryption & Zero-Knowledge Architecture

All health data stored in VaxCPass is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys), the same encryption standard used by governments and financial institutions worldwide. We employ a zero-knowledge architecture, meaning that Atlas Software Corporation does not possess or have access to your encryption keys. Your keys are generated and stored exclusively within the secure enclave of your Android device (using hardware-backed keystore technology). This ensures that even in the event of a server breach, your health data remains unreadable.

10.2 Secure Enclaves & Hardware Security

VaxCPass leverages your device's Secure Enclave(or equivalent Trusted Execution Environment) to perform all cryptographic operations in an isolated, tamper-resistant hardware environment. This means encryption, decryption, and digital signature operations never expose your private keys to the main operating system or to Atlas's servers. QR codes generated for verification are cryptographically signed using your device's secure enclave, making them tamper-proof and independently verifiable by scanning parties.

10.3 Additional Security Measures

• Transport Layer Security (TLS 1.3): all data transmitted between the VaxCPass app and our servers is encrypted using TLS 1.3 with strong cipher suites.
• Encryption at rest: all server-side data stores are encrypted at rest using AES-256 with keys managed through a hardware security module (HSM).
• Access controls: role-based access control (RBAC) with the principle of least privilege ensures that only authorised personnel can access production systems, and all access is logged and audited.
• Biometric authentication: the app supports fingerprint and face recognition to prevent unauthorised access to your health data on your device.
• Vulnerability management: we conduct regular penetration testing, dependency scanning, and bug bounty programmes to identify and remediate vulnerabilities proactively.
• Incident response: a documented incident response plan ensures rapid detection, containment, and notification in the event of a data breach, in compliance with GDPR Article 33 and 34 (72-hour notification to supervisory authorities and affected individuals where required).

Under the Kenya Data Protection Act, 2019 (Sections 41-43), Atlas maintains appropriate technical and organisational measures to ensure the security of personal data and notifies the Data Protection Commissioner and affected data subjects without undue delay in the event of a breach likely to result in a risk to rights and freedoms.

11. Children's Privacy

VaxCPass is a general-audience health travel tool. However, we recognise that minors may use the Service, particularly within Family subscription plans where a parent or guardian manages accounts on behalf of family members. We are committed to protecting the privacy of children and comply with all applicable laws governing the collection and processing of children's data.

11.1 Age Thresholds

• European Economic Area (EEA) & UK: We do not knowingly collect personal data from children under 16 years of age (or the lower age of digital consent applicable in specific member states, as low as 13) without verifiable parental or guardian consent (GDPR Article 8).
• United States (COPPA): We do not knowingly collect personal information from children under 13 years of agewithout verifiable parental consent, in compliance with the Children's Online Privacy Protection Act.
• Kenya: Under the Kenya Data Protection Act, 2019 (Section 55), we obtain verifiable consent from a parent or guardian before processing personal data of a child under18 years of age.
• Other jurisdictions: We comply with the minimum age requirements established by local law in each country where the Service is available.

11.2 Parental & Guardian Controls

Within a Family subscription plan, the designated primary account holder (parent or guardian) may create and manage sub-profiles for minor family members. The primary account holder has full control over the health data stored in minor sub-profiles, including the ability to view, edit, export, or delete such data. VaxCPass does not target children with advertising or allow children to independently make in-app purchases.

If we become aware that we have inadvertently collected personal data from a child below the applicable age threshold without parental consent, we will take immediate steps to delete that data from our servers. If you believe that a child has provided us with personal information in violation of this policy, please contact us at the details provided in Section 15.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights with respect to your personal information. This section supplements Section 9 by detailing those rights specific to California law.

12.1 Right to Know and Access

You have the right to request that we disclose the categories and specific pieces of personal information we have collected, used, disclosed, and sold about you in the preceding 12 months, along with the categories of sources from which the information was collected, the business purposes for collecting and using the information, and the categories of third parties with whom the information was shared. You may submit a verifiable consumer request through the app or by contacting us. We will respond within 45 days (extendable by an additional 45 days with notice).

12.2 Right to Delete

You have the right to request the deletion of your personal information that we have collected, subject to certain exceptions permitted by law (e.g., information needed to complete a transaction, comply with a legal obligation, detect security errors, or enable solely internal uses). Once we receive and verify your deletion request, we will direct our service providers to delete your personal information from their records, unless an exception applies.

12.3 Right to Opt-Out of Sale or Sharing

Atlas Software Corporation does NOT sell your personal information.We have not sold, and will not sell, your personal data to third parties for monetary or other valuable consideration. Accordingly, the right to opt-out of the sale of personal information under CCPA Section 1798.120 is not applicable. Additionally, we do not "share" personal information for cross-context behavioural advertising. If this practice ever changes, we will provide a clear and conspicuous "Do Not Sell or Share My Personal Information" link on our website homepage and within the app.

12.4 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights. This means we will not deny you goods or services, charge different prices or rates, provide a different level of quality, or suggest that you may receive a different price or rate based on your exercise of privacy rights. However, we may offer financial incentives (e.g., discounts on Premium subscriptions) related to the collection, sale, or deletion of personal information. Any such incentives will be reasonably related to the value of your data and will be presented in clear terms.

12.5 Right to Limit Use of Sensitive Personal Information

Under CPRA, you have the right to direct us to limit our use and disclosure of your sensitive personal information (which includes health data) to only those uses necessary to perform our services, provide goods, or as otherwise permitted by law. To exercise this right, submit a request through the app settings or contact us. We will acknowledge your request within 10 business days and comply without discrimination.

12.6 Authorised Agent

You may designate an authorised agent to submit verifiable consumer requests on your behalf. The agent must provide a signed power of attorney or a signed written declaration authorising them to act on your behalf, and we may verify the request directly with you before taking action.

13. Cookies & Tracking Technologies

Our website at https://vaxcpass.com may use cookies, web beacons, pixels, and similar tracking technologies to enhance your browsing experience, analyse website traffic, and understand how visitors interact with our content. The VaxCPass mobile application itself does not use browser cookies but may use analogous local storage technologies for session management, preferences, and caching.

We use the following categories of cookies on our website:

• Strictly necessary cookies: required for basic website functionality such as session management and security. These cannot be disabled.
• Analytics cookies: help us understand how visitors interact with our website by collecting anonymised, aggregated data. These are set only with your consent.
• Functional cookies: remember your preferences (e.g., language, region) to provide a more personalised experience. These are set only with your consent.
• Marketing cookies: used to track visitors across websites to display relevant advertisements. We do not use marketing or advertising cookies on our website without your explicit consent.

For a complete, detailed description of the cookies we use, their purposes, third-party cookies, and instructions on how to manage your cookie preferences, please refer to our Cookie Policy. You can manage cookie consent through the cookie consent banner displayed on your first visit to our website, or by adjusting your browser settings.

14. Changes to This Policy

Atlas Software Corporation reserves the right to update or modify this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or other operational factors. We are committed to keeping this policy accurate, current, and transparent.

When we make material changes to this Privacy Policy, we will notify you through one or more of the following channels:

• An in-app notification displayed prominently the next time you launch VaxCPass after the updated policy takes effect.
• An email notification sent to the email address associated with your account, summarising the key changes and providing a link to the revised policy.
• A prominent noticeon the "Last updated" date displayed at the top of this page and within the app's Privacy settings.
• A post on our website or blog announcing significant privacy-related updates.

For non-material changes (e.g., corrections, clarifications, or updates to contact information), we may update the policy without advance notice, but the "Last updated" date will always reflect the most recent revision.

Your continued use of VaxCPass after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms. If you disagree with any changes, you may terminate your account and request deletion of your data as described in Section 9.3. We encourage you to review this policy periodically to stay informed about how we protect your information.

15. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or the exercise of your privacy rights, we encourage you to contact us. We are committed to responding to all inquiries promptly and transparently.

You may also contact us to lodge a complaint or request with respect to our processing of your personal data. If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g., the Office of the Data Protection Commissioner in Kenya, the Information Commissioner's Office (ICO) in the UK, or the relevant data protection authority in your EEA member state).

This Privacy Policy is effective as of June 15, 2025, and applies to all users of VaxCPass worldwide. We encourage you to bookmark this page and review it periodically for any updates.