Privacy Policy

1. Introduction

BloodConnect Africa ("we", "our", or "us") operates the BloodLinks.org platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our blood donation platform.

We are committed to protecting your privacy and ensuring the security of your personal and health information. This policy applies to all users of our platform, including blood donors, recipients, healthcare providers, and blood bank administrators.

As a healthcare platform handling Protected Health Information (PHI), we comply with applicable healthcare privacy regulations including HIPAA (Health Insurance Portability and Accountability Act), GDPR (General Data Protection Regulation), and local healthcare data protection laws.

2. HIPAA Compliance

BloodConnect Africa adheres to the requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the HITECH Act. We have implemented comprehensive safeguards to protect your Protected Health Information (PHI).

2.1 Administrative Safeguards

Designated Privacy Officer and Security Officer
Workforce training on privacy and security policies
Risk analysis and management procedures
Sanctions policy for policy violations
Contingency planning for data protection
Regular policy review and updates

2.2 Physical Safeguards

Secure data centers with access controls
Workstation security policies
Device and media controls
Facility access controls and validation

2.3 Technical Safeguards

Unique user identification and authentication
Automatic session termination
AES-256-GCM encryption for PHI at rest
TLS 1.3 encryption for PHI in transit
Comprehensive audit controls and logging
Access controls based on role and minimum necessary standard
Integrity controls to prevent unauthorized alteration
Multi-factor authentication for administrative access

3. Protected Health Information (PHI)

Protected Health Information includes any individually identifiable health information that we create, receive, maintain, or transmit. This includes:

Blood type and Rh factor
Medical history and health screening responses
Donation eligibility status
Test results and health assessments
Donation history and records
Any health-related communications

3.1 Minimum Necessary Standard

We apply the "minimum necessary" standard to all uses and disclosures of PHI. This means we only access, use, or disclose the minimum amount of PHI needed to accomplish the intended purpose.

3.2 PHI Access Controls

Access to PHI is strictly controlled through role-based access control (RBAC). Only authorized personnel with a legitimate need can access your health information, and all access is logged and audited.

4. Information We Collect

4.1 Personal Information

When you create an account, we collect:

Full name and contact information (email, phone number)
Date of birth and gender
Physical address and location data (with your consent)
Government-issued identification (for verification purposes)
Profile photo (optional)

4.2 Health Information (PHI)

To ensure safe blood donation matching, we collect health-related information:

Blood type and Rh factor
Medical history relevant to blood donation eligibility
Current medications and recent vaccinations
Recent travel history (for disease screening)
Previous donation history and any adverse reactions
Screening questionnaire responses

4.3 Technical Information

Device information and browser type
IP address and approximate location
Usage patterns and interaction data
Cookies and similar tracking technologies

5. How We Use Your Information

We use your information to:

Match donors with blood requests using our AI-powered matching algorithm
Verify donation eligibility based on WHO and local health guidelines
Send notifications about donation opportunities, appointments, and emergencies
Improve our services through analytics and machine learning
Ensure platform security and prevent fraud
Comply with legal obligations including healthcare regulations
Communicate with you about your account and our services

5.1 Legal Basis for Processing (GDPR)

Consent: For health data processing and marketing communications
Contract: To provide our blood matching services
Legal obligation: To comply with healthcare regulations
Vital interests: For emergency blood requests
Legitimate interests: For platform security and improvement

5.2 HIPAA Permitted Uses and Disclosures

Under HIPAA, we may use or disclose your PHI without your authorization for:

Treatment: Coordinating blood donations and transfusions
Payment: Processing donations and healthcare billing
Healthcare Operations: Quality improvement and compliance activities
Public Health Activities: Disease prevention and blood supply management
Required by Law: When mandated by federal, state, or local law

7. Business Associate Agreements

In compliance with HIPAA, we require all third-party service providers who may access, create, receive, maintain, or transmit PHI on our behalf to sign a Business Associate Agreement (BAA). These agreements ensure that:

Business associates use appropriate safeguards to protect PHI
They report any security incidents or breaches promptly
They ensure their subcontractors also comply with HIPAA requirements
They return or destroy PHI upon termination of the agreement
They make their practices available for compliance audits

If you are a healthcare provider or organization seeking to integrate with BloodConnect, please contact compliance@bloodlinks.org to request a BAA.

8. Data Security

We implement industry-standard security measures to protect your data:

Encryption: AES-256-GCM encryption for sensitive data at rest (FIPS 140-2 compliant)
Transport Security: TLS 1.3 for all data in transit
Access Control: Role-based access with multi-factor authentication
Audit Logging: Comprehensive logging of all data access with integrity verification
Regular Testing: Security audits and penetration testing
Data Minimization: We only collect data necessary for our services
Incident Response: 24/7 security monitoring and response procedures

9. Breach Notification

In the event of a data breach involving your Protected Health Information, we will:

Notify affected individuals within 60 days of discovery (as required by HIPAA)
Report to the HHS Secretary as required by law
Notify media if the breach affects more than 500 residents of a state
Provide details about what information was involved, steps we are taking, and what you can do to protect yourself
Document the breach and our response in our incident log

For GDPR-covered individuals, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay when the breach is likely to result in high risk to rights and freedoms.

To report a suspected security incident, contact: security@bloodlinks.org

10. Your HIPAA Rights

Under HIPAA, you have the following rights regarding your Protected Health Information:

Right to Access: You may request copies of your PHI. We will provide this within 30 days of your request.
Right to Amend: You may request corrections to your PHI if you believe it is inaccurate or incomplete.
Right to an Accounting of Disclosures: You may request a list of certain disclosures we have made of your PHI.
Right to Request Restrictions: You may request restrictions on certain uses and disclosures of your PHI.
Right to Confidential Communications: You may request that we communicate with you in a specific way or at a specific location.
Right to a Paper Copy: You may request a paper copy of this privacy notice.
Right to File a Complaint: You may file a complaint with us or the U.S. Department of Health and Human Services if you believe your privacy rights have been violated.

To exercise these rights, contact our Privacy Officer at privacy@bloodlinks.org.

11. Your Rights (GDPR)

Under GDPR and applicable data protection laws, you have the following rights:

Right of Access: Request a copy of your personal data we hold
Right to Rectification: Correct inaccurate or incomplete data
Right to Erasure: Request deletion of your data ("right to be forgotten")
Right to Data Portability: Export your data in a machine-readable format
Right to Restrict Processing: Limit how we use your data
Right to Object: Object to certain types of processing
Right to Withdraw Consent: Withdraw consent at any time

To exercise these rights, please contact us at privacy@bloodlinks.org or use the privacy settings in your account dashboard.

12. Data Retention

We retain your data for the following periods:

Account data: Until you request deletion
Medical records and PHI: 7 years (healthcare compliance requirement)
Donation records: 10 years (blood bank regulatory requirement)
Health screening data: 5 years after last donation
Audit logs: 6 years (HIPAA requirement)
Technical logs: 90 days

Note: Some data may be retained longer if required by law or for legitimate business purposes.

13. Cookies and Tracking

We use cookies for:

Essential cookies: Required for platform functionality
Analytics cookies: To understand usage patterns (with consent)
Preference cookies: To remember your settings

You can manage cookie preferences through our cookie consent banner or your browser settings.

14. International Data Transfers

Your data may be processed in countries outside your residence. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by relevant data protection authorities.

15. Children's Privacy

Our platform is not intended for users under 18 years of age (or the minimum blood donation age in your jurisdiction). We do not knowingly collect data from children.

16. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via email or platform notification. Continued use of the Service after changes constitutes acceptance of the updated policy.

17. Contact Us

For privacy-related inquiries or to exercise your data rights:

Privacy Officer: privacy@bloodlinks.org

HIPAA Compliance: compliance@bloodlinks.org

Data Protection Officer: dpo@bloodlinks.org

Security Incidents: security@bloodlinks.org

General Inquiries: support@bloodlinks.org

File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with:

Our Privacy Officer (contact above)
U.S. Department of Health and Human Services, Office for Civil Rights
Your local data protection authority (for GDPR)

We will not retaliate against you for filing a complaint.

1. Introduction

2. HIPAA Compliance

2.1 Administrative Safeguards

Designated Privacy Officer and Security Officer
Workforce training on privacy and security policies
Risk analysis and management procedures
Sanctions policy for policy violations
Contingency planning for data protection
Regular policy review and updates

2.2 Physical Safeguards

Secure data centers with access controls
Workstation security policies
Device and media controls
Facility access controls and validation

2.3 Technical Safeguards

Unique user identification and authentication
Automatic session termination
AES-256-GCM encryption for PHI at rest
TLS 1.3 encryption for PHI in transit
Comprehensive audit controls and logging
Access controls based on role and minimum necessary standard
Integrity controls to prevent unauthorized alteration
Multi-factor authentication for administrative access

3. Protected Health Information (PHI)

Protected Health Information includes any individually identifiable health information that we create, receive, maintain, or transmit. This includes:

Blood type and Rh factor
Medical history and health screening responses
Donation eligibility status
Test results and health assessments
Donation history and records
Any health-related communications

3.1 Minimum Necessary Standard

We apply the "minimum necessary" standard to all uses and disclosures of PHI. This means we only access, use, or disclose the minimum amount of PHI needed to accomplish the intended purpose.

3.2 PHI Access Controls

4. Information We Collect

4.1 Personal Information

When you create an account, we collect:

Full name and contact information (email, phone number)
Date of birth and gender
Physical address and location data (with your consent)
Government-issued identification (for verification purposes)
Profile photo (optional)

4.2 Health Information (PHI)

To ensure safe blood donation matching, we collect health-related information:

Blood type and Rh factor
Medical history relevant to blood donation eligibility
Current medications and recent vaccinations
Recent travel history (for disease screening)
Previous donation history and any adverse reactions
Screening questionnaire responses

4.3 Technical Information

Device information and browser type
IP address and approximate location
Usage patterns and interaction data
Cookies and similar tracking technologies

5. How We Use Your Information

We use your information to:

Match donors with blood requests using our AI-powered matching algorithm
Verify donation eligibility based on WHO and local health guidelines
Send notifications about donation opportunities, appointments, and emergencies
Improve our services through analytics and machine learning
Ensure platform security and prevent fraud
Comply with legal obligations including healthcare regulations
Communicate with you about your account and our services

5.1 Legal Basis for Processing (GDPR)

Consent: For health data processing and marketing communications
Contract: To provide our blood matching services
Legal obligation: To comply with healthcare regulations
Vital interests: For emergency blood requests
Legitimate interests: For platform security and improvement

5.2 HIPAA Permitted Uses and Disclosures

Under HIPAA, we may use or disclose your PHI without your authorization for:

Treatment: Coordinating blood donations and transfusions
Payment: Processing donations and healthcare billing
Healthcare Operations: Quality improvement and compliance activities
Public Health Activities: Disease prevention and blood supply management
Required by Law: When mandated by federal, state, or local law

7. Business Associate Agreements

Business associates use appropriate safeguards to protect PHI
They report any security incidents or breaches promptly
They ensure their subcontractors also comply with HIPAA requirements
They return or destroy PHI upon termination of the agreement
They make their practices available for compliance audits

If you are a healthcare provider or organization seeking to integrate with BloodConnect, please contact compliance@bloodlinks.org to request a BAA.

8. Data Security

We implement industry-standard security measures to protect your data:

Encryption: AES-256-GCM encryption for sensitive data at rest (FIPS 140-2 compliant)
Transport Security: TLS 1.3 for all data in transit
Access Control: Role-based access with multi-factor authentication
Audit Logging: Comprehensive logging of all data access with integrity verification
Regular Testing: Security audits and penetration testing
Data Minimization: We only collect data necessary for our services
Incident Response: 24/7 security monitoring and response procedures

9. Breach Notification

In the event of a data breach involving your Protected Health Information, we will:

Notify affected individuals within 60 days of discovery (as required by HIPAA)
Report to the HHS Secretary as required by law
Notify media if the breach affects more than 500 residents of a state
Provide details about what information was involved, steps we are taking, and what you can do to protect yourself
Document the breach and our response in our incident log

To report a suspected security incident, contact: security@bloodlinks.org

10. Your HIPAA Rights

Under HIPAA, you have the following rights regarding your Protected Health Information:

Right to Access: You may request copies of your PHI. We will provide this within 30 days of your request.
Right to Amend: You may request corrections to your PHI if you believe it is inaccurate or incomplete.
Right to an Accounting of Disclosures: You may request a list of certain disclosures we have made of your PHI.
Right to Request Restrictions: You may request restrictions on certain uses and disclosures of your PHI.
Right to Confidential Communications: You may request that we communicate with you in a specific way or at a specific location.
Right to a Paper Copy: You may request a paper copy of this privacy notice.
Right to File a Complaint: You may file a complaint with us or the U.S. Department of Health and Human Services if you believe your privacy rights have been violated.

To exercise these rights, contact our Privacy Officer at privacy@bloodlinks.org.

11. Your Rights (GDPR)

Under GDPR and applicable data protection laws, you have the following rights:

Right of Access: Request a copy of your personal data we hold
Right to Rectification: Correct inaccurate or incomplete data
Right to Erasure: Request deletion of your data ("right to be forgotten")
Right to Data Portability: Export your data in a machine-readable format
Right to Restrict Processing: Limit how we use your data
Right to Object: Object to certain types of processing
Right to Withdraw Consent: Withdraw consent at any time

To exercise these rights, please contact us at privacy@bloodlinks.org or use the privacy settings in your account dashboard.

12. Data Retention

We retain your data for the following periods:

Account data: Until you request deletion
Medical records and PHI: 7 years (healthcare compliance requirement)
Donation records: 10 years (blood bank regulatory requirement)
Health screening data: 5 years after last donation
Audit logs: 6 years (HIPAA requirement)
Technical logs: 90 days

Note: Some data may be retained longer if required by law or for legitimate business purposes.

13. Cookies and Tracking

We use cookies for:

Essential cookies: Required for platform functionality
Analytics cookies: To understand usage patterns (with consent)
Preference cookies: To remember your settings

You can manage cookie preferences through our cookie consent banner or your browser settings.

14. International Data Transfers

15. Children's Privacy

Our platform is not intended for users under 18 years of age (or the minimum blood donation age in your jurisdiction). We do not knowingly collect data from children.

16. Changes to This Policy

17. Contact Us

For privacy-related inquiries or to exercise your data rights:

Privacy Officer: privacy@bloodlinks.org

HIPAA Compliance: compliance@bloodlinks.org

Data Protection Officer: dpo@bloodlinks.org

Security Incidents: security@bloodlinks.org

General Inquiries: support@bloodlinks.org

File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with:

Our Privacy Officer (contact above)
U.S. Department of Health and Human Services, Office for Civil Rights
Your local data protection authority (for GDPR)

We will not retaliate against you for filing a complaint.

HIPAA Compliance Notice

Quick Navigation

1. Introduction

2. HIPAA Compliance

2.1 Administrative Safeguards

2.2 Physical Safeguards

2.3 Technical Safeguards

3. Protected Health Information (PHI)

3.1 Minimum Necessary Standard

3.2 PHI Access Controls

4. Information We Collect

4.1 Personal Information

4.2 Health Information (PHI)

4.3 Technical Information

5. How We Use Your Information

5.1 Legal Basis for Processing (GDPR)

5.2 HIPAA Permitted Uses and Disclosures

6. Data Sharing and Disclosure

7. Business Associate Agreements

8. Data Security

9. Breach Notification

10. Your HIPAA Rights

11. Your Rights (GDPR)

12. Data Retention

13. Cookies and Tracking

14. International Data Transfers

15. Children's Privacy

16. Changes to This Policy

17. Contact Us

File a Complaint

Privacy Policy

HIPAA Compliance Notice

Quick Navigation

1. Introduction

2. HIPAA Compliance

2.1 Administrative Safeguards

2.2 Physical Safeguards

2.3 Technical Safeguards

3. Protected Health Information (PHI)

3.1 Minimum Necessary Standard

3.2 PHI Access Controls

4. Information We Collect

4.1 Personal Information

4.2 Health Information (PHI)

4.3 Technical Information

5. How We Use Your Information

5.1 Legal Basis for Processing (GDPR)

5.2 HIPAA Permitted Uses and Disclosures

6. Data Sharing and Disclosure

7. Business Associate Agreements

8. Data Security

9. Breach Notification

10. Your HIPAA Rights

11. Your Rights (GDPR)

12. Data Retention

13. Cookies and Tracking

14. International Data Transfers

15. Children's Privacy

16. Changes to This Policy

17. Contact Us

File a Complaint