Privacy Policy — MediSeen HMS

1. Data Controller & Contact

Company	MediSeen Health Systems Limited
RC Number	9352905
TIN	2620199413538
Data Protection Officer	Kalu Ifeanyi Mba
Email	[email protected] 3, Inyima Lane, Ebem, Abia State, Nigeria
Phone	+234 816 516 0797

2. Scope

This Privacy Policy explains how MediSeen Health Systems Limited ("we", "us", "our") collects, processes, stores, and protects personal data through our hospital management system accessible at app.mediseenhms.com ("the Platform"). It applies to all users including patients, healthcare providers, hospital administrators, and staff.

3. Personal Data We Collect

3.1 Patient Data

Category	Examples	Lawful Basis
Identity Data	Full name, date of birth, gender, photograph, national ID number	Performance of contract; Legal obligation
Sensitive Health Data	Medical history, diagnoses, prescriptions, lab results, treatment plans, allergies, vitals	Explicit consent (NDP Act s.30); Vital interests; Medical purposes (NDP Act s.31)
Contact Data	Phone number, email, residential address, next-of-kin details	Performance of contract
Financial/Billing Data	Invoice records, payment history, HMO details, insurance information	Performance of contract; Legal obligation

3.2 Staff Data

Category	Examples	Lawful Basis
Employment Data	Name, role, qualifications, professional licence numbers, contact details	Performance of employment contract; Legal obligation
Access & Activity Logs	Login timestamps, actions performed, IP addresses	Legitimate interest (security & audit)

3.3 Technical Data

Browser type, device information, IP address, cookies, and usage analytics collected automatically when you access the Platform.

4. How We Use Your Data

• Providing and managing healthcare services through the Platform
• Processing billing, invoicing, and payments
• Managing hospital operations, scheduling, and staff administration
• Complying with medical record-keeping regulations
• Ensuring security, preventing fraud, and maintaining audit trails
• Communicating service-related updates and notifications
• Improving the Platform through anonymised analytics

5. Sensitive Personal Data

Health data is classified as sensitive personal data under Section 30 of the Nigeria Data Protection Act 2023. We process health data only where:

• You have given explicit consent;
• Processing is necessary for medical diagnosis, treatment, or care management (NDP Act s.31);
• Processing is necessary to protect your vital interests (e.g., emergencies); or
• Processing is required by law (e.g., mandatory disease reporting).

6. Third-Party Processors & Cross-Border Transfers

Processor	Purpose	Location
DigitalOcean, LLC	Cloud hosting & infrastructure	London, United Kingdom (LON1)
Paystack Payments Limited	Payment processing	Nigeria / International
Flutterwave Technology Solutions Limited	Payment processing	Nigeria / International

Cross-border transfer: Your data is stored on DigitalOcean servers in London, UK. This constitutes a cross-border transfer from Nigeria. We ensure adequate safeguards pursuant to Section 43 of the NDP Act 2023, including:

• The UK has adequate data protection legislation (UK GDPR / Data Protection Act 2018);
• Contractual clauses (Data Processing Agreements) with all processors;
• Technical security measures (encryption in transit and at rest).

7. Data Retention

Data Type	Retention Period	Basis
Patient medical records	10 years from last interaction	Medical record-keeping standards; NDP Act
Financial & billing records	7 years	Tax & financial regulations (FIRS)
Staff employment data	Duration of employment + 2 years	Employment law; legitimate interest
Technical logs	12 months	Security & operational necessity

After the retention period, data is securely deleted or irreversibly anonymised.

8. Your Rights as a Data Subject

Under the NDP Act 2023 and GDPR (where applicable), you have the right to:

• Access — request a copy of your personal data
• Rectification — correct inaccurate or incomplete data
• Erasure — request deletion (subject to legal retention obligations)
• Restriction — limit how we process your data
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interest
• Withdraw consent — at any time, without affecting prior lawful processing

To exercise any right, contact our DPO at [email protected]
3, Inyima Lane, Ebem, Abia State, Nigeria. We will respond within 30 days.

9. Security Measures

• TLS/SSL encryption for all data in transit
• AES-256 encryption for data at rest
• Role-based access controls (RBAC) with audit logging
• Regular security assessments and vulnerability testing
• Multi-factor authentication for administrative access
• Automated backups with encrypted storage
• Staff training on data protection and confidentiality

10. Cookies

The Platform uses cookies for:

Type	Purpose	Duration
Essential	Authentication, session management, security	Session / 24 hours
Functional	User preferences, language settings	Up to 12 months
Analytics	Anonymised usage statistics to improve the Platform	Up to 12 months

We do not use advertising or tracking cookies. You may manage cookie preferences through your browser settings.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the Nigeria Data Protection Commission (NDPC) within 72 hours;
• Inform affected data subjects without undue delay where there is a high risk;
• Document the breach and remedial actions taken.

12. Complaints

If you are dissatisfied with how we handle your data:

1. Contact us first: Email our DPO at [email protected]
   3, Inyima Lane, Ebem, Abia State, Nigeria or call +234 816 516 0797.
2. Lodge a complaint with the NDPC:
   Nigeria Data Protection Commission
   Website: https://ndpc.gov.ng
   Email: [email protected]
3. For EU/UK residents: You may also lodge a complaint with your local supervisory authority.

13. Changes to This Policy

We may update this policy periodically. Material changes will be communicated via the Platform and/or email. The "Effective" date at the top indicates the latest revision. Continued use after changes constitutes acceptance.

14. Governing Law

This Privacy Policy is governed by the laws of the Federal Republic of Nigeria, including the Nigeria Data Protection Act 2023, the NDPA 2019 Implementation Framework, and — for international users — the EU General Data Protection Regulation (GDPR) and UK GDPR where applicable.