Privacy Policy
Effective Date: 21 June 2026 | Company: M&S Innovation Lab Ltd | Version: 1.0
Summary
MSOptiq+ is a Software-as-a-Service (SaaS) eye clinic management platform operated by M&S Innovation Lab Ltd. This Privacy Policy explains what data we collect, how we use it, how we protect it, and what rights you have. We act as a data processor on behalf of clinics (the data controllers) for patient health records. We take your privacy seriously and comply with applicable Rwandan data protection law and international best practices.
1 Who We Are
MSOptiq+ is a product of M&S Innovation Lab Ltd, a company registered under the laws of the Republic of Rwanda.
References to "MSOptiq+", "we", "us", or "our" in this Policy refer to M&S Innovation Lab Ltd and the MSOptiq+ platform.
2 Scope of This Policy
This Policy applies to:
- Visitors to the MSOptiq+ public website (msoptiq.rw and related domains).
- Clinic administrators, staff members, and other authorised users who access the MSOptiq+ application.
- Any individual whose personal data is entered into the system by a clinic (for example, patients).
This Policy does not apply to third-party websites or services that may be linked from our platform. We encourage you to review the privacy policies of those third parties separately.
Roles Under Data Protection Law
Clinic as Data Controller: The clinic (the entity that subscribes to MSOptiq+) is the data controller for all patient health records and staff data it enters into the system. The clinic determines the purposes and means of processing that personal data.
M&S Innovation Lab Ltd as Data Processor: We process personal data on behalf of the clinic under their instructions and under the terms of our Data Processing Agreement, which forms part of our subscription terms.
3 Information We Collect
3.1 Account and Clinic Information
When a clinic registers for MSOptiq+, we collect:
- Clinic name, address, and contact details
- Administrator name, job title, and email address
- Billing information (processed via secure third-party payment providers)
- Custom branding preferences (logo, colours)
3.2 Staff User Data
For each staff account created on the platform, we store:
- Full name, username, and email address
- Role and assigned permissions
- Login timestamps and activity logs
3.3 Patient Health Records (Processed on Behalf of Clinics)
Clinics may enter the following categories of patient data, which we process as a data processor:
- Full name, date of birth, gender, and contact information
- Medical history, diagnoses, and clinical notes
- Eye examination findings (visual acuity, IOP, refraction data)
- Optical prescriptions and dispensing records
- Insurance details and claim records
- Invoices and payment records
This data constitutes sensitive personal data (health data). It is processed only on the clinic's instructions and is protected by the isolation, encryption, and access control measures described in Section 6.
3.4 Technical and Usage Data
We automatically collect certain technical data when you use the platform:
- IP address and browser type
- Pages visited, features used, and session duration
- Error logs and system performance metrics
- Device type and operating system
This data is used solely for system security, performance monitoring, and service improvement. It is not sold or shared with advertisers.
4 How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To provide, operate, and maintain the MSOptiq+ platform.
- Account Management: To create and manage clinic and staff accounts, authenticate users, and assign permissions.
- Billing: To process subscription payments and issue invoices.
- Support: To respond to technical support requests and troubleshoot issues.
- Security: To detect and prevent fraud, unauthorised access, and abuse of our systems.
- Communication: To send service-related notifications, system updates, and maintenance alerts.
- Improvement: To analyse usage patterns and improve system performance, features, and user experience.
- Legal Compliance: To comply with applicable laws, regulations, and lawful requests from government authorities.
We do not use patient health records for any purpose beyond providing the contracted clinic management services. We do not sell any personal data to third parties under any circumstances.
5 Legal Basis for Processing
We process personal data on the following legal bases:
- Contract Performance: Processing necessary to fulfil our subscription agreement with the clinic.
- Legitimate Interests: Security monitoring, fraud prevention, and service improvement, where these interests are not overridden by the rights of data subjects.
- Legal Obligation: Where processing is required to comply with applicable laws or court orders.
- Consent: Where we have obtained your explicit consent, such as for marketing communications (which you may withdraw at any time).
For patient health data specifically, clinics are responsible for establishing their own lawful basis (typically consent of the patient or necessity for medical care) under applicable law.
6 Data Storage and Security
Multi-Tenant Isolation
Each clinic's data is stored in a logically isolated database. No clinic can access another clinic's data. Administrative access to individual tenant databases is restricted to authorised M&S Innovation Lab Ltd engineers on a need-to-know basis and is fully logged.
Encryption
All data in transit is encrypted using TLS 1.2 or higher. Database backups and sensitive fields at rest are encrypted using industry-standard algorithms.
Access Controls
The platform uses role-based access control (RBAC). Each staff member can only access the modules and data their clinic administrator has permitted. All logins are authenticated with credentials and session tokens that expire automatically.
Infrastructure
MSOptiq+ is hosted on secure server infrastructure. We apply regular security patches, conduct vulnerability assessments, and maintain system backups to ensure continuity and integrity of data.
Incident Response
In the event of a data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify affected clinics without undue delay and within the timeframes required by applicable law. We will cooperate with regulatory authorities as required.
7 Data Sharing and Disclosure
We do not sell, rent, or trade personal data. We may share data in the following limited circumstances:
- Service Providers: Trusted third-party vendors who assist us in operating the platform (e.g., hosting providers, payment processors) under strict confidentiality and data processing agreements.
- Authorised Clinic Staff: Within the platform, data is visible to staff members based on their assigned role and permissions, as configured by the clinic administrator.
- Legal Requirements: If required by law, court order, or a competent government authority, we may disclose data to the extent necessary to comply with such obligation. We will notify the relevant clinic where legally permitted to do so.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, data may be transferred to a successor entity, subject to the same privacy obligations set out in this Policy.
8 Data Retention
We retain personal data for as long as necessary to provide the services and as required by law:
- Active clinic accounts: Data is retained for the duration of the subscription.
- Terminated accounts: Upon termination, clinic data is retained for a period of 90 days to allow for data export, after which it is securely deleted from our systems.
- Billing records: Retained for a minimum of 7 years to comply with Rwandan tax and financial record-keeping requirements.
- Security and audit logs: Retained for a minimum of 12 months.
Clinics may request early deletion of their data by contacting us at info@msilab.rw. Note that deletion of patient health records must comply with the clinic's own legal obligations regarding medical record retention.
9 Your Rights
Depending on your relationship with MSOptiq+ and applicable law, you may have the following rights:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of your personal data where it is no longer necessary for the purposes for which it was collected.
- Right to Restriction: Request that we restrict processing of your data in certain circumstances.
- Right to Data Portability: Receive your data in a structured, commonly used format.
- Right to Object: Object to processing based on legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
For patients: If you are a patient whose data has been entered by a clinic, please contact the clinic directly to exercise your rights, as the clinic is the data controller. The clinic may then request action from us as the data processor.
To exercise your rights as a clinic administrator or staff member, contact us at info@msilab.rw. We will respond within 30 days.
10 Cookies and Tracking
The MSOptiq+ application uses the following types of cookies and local storage:
- Session Cookies: Required for authentication and to maintain your login session. These are essential and cannot be disabled without affecting the functionality of the service.
- CSRF Tokens: Security tokens to protect against cross-site request forgery attacks.
- Preference Storage: Browser local storage may be used to remember your UI preferences (e.g., dark mode, last selected module).
We do not use third-party advertising cookies or tracking pixels on the MSOptiq+ application. The public marketing website may use minimal analytics to understand visitor behaviour in aggregate. No personally identifiable information is included in analytics data.
11 Children's Privacy
MSOptiq+ is a professional business-to-business software platform intended for use by healthcare professionals and clinic staff who are adults. We do not knowingly collect personal data from children under the age of 18 as system users.
Clinics may enter health records for minor patients in the course of providing healthcare services. This data is processed strictly as a data processor under the clinic's instructions and the clinic's own obligations to the patients and their guardians under applicable law.
12 International Data Transfers
MSOptiq+ is primarily operated and hosted within the Republic of Rwanda. If data is transferred to or accessed from outside Rwanda for legitimate operational purposes (such as cloud infrastructure or support staff), we ensure that appropriate safeguards are in place, including contractual data processing agreements with all third-party recipients.
13 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the features of MSOptiq+. When we make material changes, we will:
- Update the "Effective Date" at the top of this page.
- Display an in-app notification to clinic administrators.
- Send an email notification to the registered administrator email address for the clinic.
Continued use of MSOptiq+ after the effective date of a revised Policy constitutes acceptance of the updated terms. If you do not agree with the changes, you may terminate your subscription in accordance with our Terms of Service.
14 Contact Us
For any questions, concerns, or requests relating to this Privacy Policy or the handling of your personal data, please contact us:
M&S Innovation Lab Ltd — Privacy & Data Protection
Email: info@msilab.rw
Phone / WhatsApp: 0798 652 943
Registration Number: 121487676
We are committed to resolving privacy concerns promptly and transparently.