Effective Date: March 26, 2026
ClinicOS Limited (“ClinicOS,” “we,” “us,” or “our”) is a Digital Health Technology company committed to protecting the privacy and security of the data entrusted to us. This Privacy Policy describes how we collect, use, store, and protect personal and sensitive health information in compliance with the Nigeria Data Protection Act (NDPA) 2023 and other applicable Nigerian healthcare regulations.
By using the ClinicOS platform, you acknowledge that you have read and understood the practices described in this policy.
1. DEFINITIONS
- “Personal Data” means any information relating to an identified or identifiable natural person (e.g., name, phone number).
- “Sensitive Personal Data” refers to data relating to a person’s health, medical condition, genetic data, or biometric data, which requires a higher level of protection under the NDPA.
- “Data Controller” refers to the healthcare facility or clinic that determines why and how data is processed.
- “Data Processor” refers to ClinicOS Limited, which processes data on behalf of the Data Controller.
- “Data Subject” means the individual (patient or staff) whose data is being processed.
2. THE SCOPE OF OUR ROLE
ClinicOS Limited primarily acts as a Data Processor. We provide the infrastructure (the Platform) that allows clinics (the Data Controllers) to manage their records. While we provide the security and architecture, the individual clinic remains responsible for obtaining patient consent and ensuring the clinical accuracy of the data entered.
3. INFORMATION WE COLLECT
We collect and process information necessary to provide a high-performance clinic management experience:
A. Clinic & Staff Information
- Identity Data: Names, professional titles, and registration numbers of healthcare providers and staff.
- Contact Data: Business email addresses, phone numbers, and clinic addresses.
- Authentication Data: Usernames and encrypted passwords for platform access.
B. Patient Information (Sensitive Health Data)
- Demographic Data: Names, ages, gender, and contact details of patients.
- Medical Records: Clinical notes, diagnoses, treatment plans, immunization records, and medical histories.
- Prescription Data: Medication history and pharmacy dispensing records.
- Financial Data: Billing records, payment history, and National Health Insurance Authority (NHIA) or private HMO insurance details.
C. Technical & Usage Data
- Metadata: Timestamps of entries and modifications (Audit Trails).
- Device Data: Information about the mobile devices used to access the platform to ensure security and authorized access.
4. PURPOSES OF DATA PROCESSING
We process data for the following specific purposes:
- Clinical Continuity: To enable healthcare providers to access patient medical histories at the point of care.
- Operational Efficiency: To manage appointment scheduling, patient check-ins, and queue management.
- Revenue Management: To automate billing, invoice generation, and HMO claim preparation.
- Resource Intelligence: To track pharmacy inventory and provide stock alerts.
- Regulatory Compliance: To maintain audit trails and meet medical record-keeping standards in Nigeria.
5. LAWFUL BASIS FOR PROCESSING
Under the NDPA 2023, we process data based on:
- Contractual Necessity: Processing is required to perform the services agreed upon with the clinic.
- Legal Obligation: To comply with health regulations and insurance standards set by the NHIA.
- Consent: Explicit consent obtained from patients by the clinic at the point of registration.
- Vital Interests: Processing necessary to protect the life or health of a patient in emergency situations.
6. DATA SECURITY AND ARCHITECTURE
We employ a Resilient Mobile-Native Architecture to ensure that sensitive health data is protected from unauthorized access or environmental loss.
- Encryption: All data is encrypted using industry-standard protocols (AES-256) both at rest on our servers and in transit across networks.
- Proprietary Synchronization: Our system utilizes a proprietary synchronization engine that maintains data integrity during connectivity fluctuations, ensuring no records are lost during the reconciliation process.
- Access Control: We implement role-based access control (RBAC), ensuring that pharmacy staff cannot view clinical notes and front desk staff cannot view sensitive diagnostic data unless authorized.
- Cloud Resilience: Data is backed up across secure, high-availability cloud servers to prevent data loss due to physical disasters at the clinic site.
7. DATA SHARING AND DISCLOSURE
ClinicOS does not sell, rent, or trade personal or health data to third parties for marketing purposes. Data is only shared under the following conditions:
- HMO/Insurance Providers: To facilitate the processing of medical claims and reimbursements as directed by the clinic.
- Legal Requirements: If required by a court of law, the Nigeria Data Protection Commission (NDPC), or other authorized regulatory bodies.
- Service Providers: We may use trusted third-party cloud infrastructure providers who are equally bound by strict confidentiality and NDPA-compliant data processing agreements.
8. DATA SUBJECT RIGHTS
Under the NDPA 2023, patients and staff (Data Subjects) have the following rights, which can be exercised through the clinic:
- Right to Access: The right to request a copy of the personal data being processed.
- Right to Rectification: The right to correct inaccurate or incomplete medical or personal information.
- Right to Erasure: The right to request the deletion of data (subject to medical record retention laws).
- Right to Object: The right to object to specific processing activities.
- Right to Data Portability: The right to receive data in a structured, machine-readable format.
- Right to Withdraw Consent: The right to withdraw consent for processing at any time.
9. DATA RETENTION
We retain medical records for as long as necessary to fulfill the purposes outlined in this policy or as required by Nigerian medical laws and the Federal Ministry of Health guidelines. Upon termination of a clinic’s subscription, data is returned to the Data Controller and subsequently deleted from our active servers following a standard transition period.
10. INTERNATIONAL DATA TRANSFERS
Where data is stored on cloud servers located outside of Nigeria, ClinicOS ensures that the destination country has adequate data protection laws or that appropriate safeguards (such as Standard Contractual Clauses) are in place to meet NDPA 2023 requirements.
11. CONTACT AND COMPLIANCE
ClinicOS Limited has appointed a Data Protection Lead to oversee our privacy practices.
ClinicOS Limited
Attn: Data Protection Department
Email: contact@clinicoslimited.com
Phone: +234 805 633 3336
RC: 8031294
If you believe your data has been handled improperly, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).
12. AMENDMENTS
We may update this Privacy Policy to reflect changes in our technology or Nigerian law. We will notify clinics of any material changes via email or through an in-app notification.
