Privacy Policy

Good Health 360 is a healthcare administration software platform used by clinics, service providers, and authorised staff to manage operational workflows such as appointments, patients, encounters, billing, claims, statements, communications, and email. For privacy enquiries, contact support@goodhealth.co.bw.

This policy is written for the current Good Health 360 operational deployment. It is a strong working draft and should be reviewed by legal and healthcare compliance advisers before broad external launch.

We collect account and tenant administration data such as names, email addresses, roles, permissions, clinic or service-provider profile details, login/session metadata, support requests, and configuration settings.

Where the tenant uses clinical or billing features, the platform may process patient, appointment, encounter, prescription, certificate, claim, invoice, medical-aid, statement, remittance, payment, and reconciliation records entered by authorised users or imported from configured systems.

For email features, we process mailbox connection details, selected mailbox metadata, message content that users create or send through Good Health 360, message delivery status, attachments selected by users, and logs required to operate and troubleshoot the email module.

Good Health 360 uses Google OAuth so users can connect a Google account without typing a Gmail password into the application. The first production version requests only the minimum Google access needed for the approved workflow.

The current Google scopes are:

• https://www.googleapis.com/auth/gmail.send
• https://www.googleapis.com/auth/userinfo.email
• https://www.googleapis.com/auth/userinfo.profile

Gmail data is used only to provide the email functionality requested by the user or tenant, such as sending email from a connected Google account. We do not sell Gmail data, use Gmail data for advertising, or use Gmail data to build advertising profiles. We do not allow humans to read Gmail content except where necessary to provide support, investigate abuse or security issues, comply with law, or act with tenant authorisation.

Our use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We use information to authenticate users, enforce tenant access controls, provide healthcare administration workflows, send and receive authorised communications, maintain audit trails, troubleshoot errors, protect the platform, and comply with legal or contractual obligations.

We do not use patient, medical-aid, claim, Gmail, or tenant operational data for unrelated marketing or advertising.

Portal credentials, mailbox passwords, OAuth access tokens, and OAuth refresh tokens are handled server-side and are not displayed to tenant users. Sensitive mailbox secrets are stored encrypted at rest using application-managed encryption. Access is tenant-scoped and role-controlled.

We use practical safeguards such as HTTPS, secure session handling, server-side OAuth callbacks, CSRF state validation, access controls, audit logging, and operational monitoring. No security control is perfect, but we design the platform to reduce avoidable risk and limit access to authorised users.

We may share limited information with service providers required to operate the platform, such as hosting, database, email, storage, monitoring, and support providers. These providers may process data only for authorised operational purposes.

We may also disclose information where required by law, to protect users or patients, to investigate security incidents, or with tenant instruction.

Records are retained for as long as needed for tenant operational, audit, financial, healthcare administration, legal, and contractual requirements. Tenants may request deletion or export of appropriate records by contacting support.

Users can disconnect a Google mailbox from within Good Health 360. Users can also revoke Good Health 360 access from their Google Account security settings. After disconnection or revocation, the application will stop using the revoked credentials.

Good Health 360 is designed for a Botswana healthcare administration context. We aim to handle personal data consistently with applicable Botswana data protection obligations and practical healthcare confidentiality expectations, including purpose limitation, access control, data minimisation, security safeguards, and appropriate handling of data subject requests.

Depending on the context and applicable law, authorised users, patients, or tenants may request access, correction, deletion, restriction, or information about how their data is processed. Requests should be sent to support@goodhealth.co.bw.

If we become aware of a security incident affecting personal information, we will investigate and notify affected tenants or relevant parties where required and appropriate.