Astute Medic - Simplifying Healthcare

Introduction

Astute Medic ("we," "us," "our," or "Astute Medic") is committed to protecting the privacy and security of your personal information, particularly your health information, which we recognize as highly sensitive and deserving of the highest level of protection.

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data when you:

Visit our website at www.astutemedic.com
Use our mobile applications
Register for and use our healthcare management platform ("Platform")
Interact with our services as a patient, healthcare provider, or other user

We understand the sensitive nature of healthcare information and take our responsibility to protect it seriously.

Our Commitment to Compliance

We comply with:

Nigeria Data Protection Regulation (NDPR) 2019 and all guidelines issued by the National Information Technology Development Agency (NITDA)
Health Insurance Portability and Accountability Act (HIPAA) for our operations involving U.S. healthcare providers
Other applicable Nigerian and international privacy and data protection laws

When there is any conflict between different regulatory frameworks, the NDPR takes precedence for all data relating to individuals in Nigeria or Nigerian citizens abroad.

Transparency Commitment

We are committed to:

Being transparent about what data we collect and why
Giving you control over your personal information
Protecting your data with industry-leading security measures
Respecting your privacy rights under Nigerian law
Processing your data lawfully, fairly, and transparently

If you have any questions about this Privacy Policy, please contact our Data Protection Officer using the details in Section 18.0.

Who We Are

Data Controller Information

Company Name: Autem Tec (trading as Astute Medic)
Business Address: Warri, Delta State
Registration Number: BN 3231575
Email: info@autemtec.com
WhatsApp: +234 811 438-7433
Website: www.autemtec.com

Data Controller Status

Astute Medic acts as a Data Controller under the NDPR. This means we determine the purposes for which and the manner in which your personal data is processed.

When providing services to healthcare facilities, we may also act as a Data Administrator (Data Processor) on behalf of healthcare providers who are the primary Data Controllers of patient health records.

Data Protection Officer (DPO)

As required by Article 4.1(2) of the NDPR, we have appointed a Data Protection Officer to oversee our compliance with data protection laws and serve as your primary contact for privacy matters.

Data Protection Officer Details:

Name: Austin Mrakpor
Title: Data Protection Officer
Email: dpo@astutemedic.com
Phone: +234 811 438-7433
Address: Warri, Delta State
Office Hours: Monday - Friday, 9:00 AM - 5:00 PM (WAT)

You may contact our DPO for:

Questions about how we process your personal data
Requests to exercise your data protection rights
Privacy concerns or complaints
Information about our data protection practices
Reporting suspected data breaches

Our DPO is responsible for:

Monitoring our compliance with the NDPR
Advising our organization on data protection obligations
Serving as the point of contact with NITDA
Conducting Data Protection Impact Assessments
Coordinating responses to data subject requests
Overseeing our data protection training program

Scope and Application

Who This Policy Applies To

This Privacy Policy applies to:

Patients who use our Platform to access healthcare services
Healthcare Providers (doctors, nurses, clinicians) who use our Platform
Healthcare Facilities (hospitals, clinics) that subscribe to our services
Website Visitors who browse our website
Administrative Users at healthcare organizations
Any individual whose personal data we process in connection with our services

Geographic Scope

This Privacy Policy applies to the processing of personal data of:

Individuals residing in Nigeria, regardless of nationality
Nigerian citizens residing outside Nigeria
Any person whose data is processed in connection with our Nigerian operations

Does This Policy Apply to You?

If you answer YES to any of the following, this Privacy Policy applies to you:

Do you live in Nigeria?
Are you a Nigerian citizen living abroad?
Do you use our Platform to access or provide healthcare services?
Have you registered an account with Astute Medic?
Do you visit our website or mobile applications?
Have you contacted us for support or information?

Legal Framework

Governing Laws and Regulations

Our data protection practices are governed by:

Primary Legislation:

Nigeria Data Protection Regulation (NDPR) 2019
National Information Technology Development Agency (NITDA) Act 2007
Nigerian Constitution (Right to Privacy)
Freedom of Information Act 2011

Implementation Guidelines:

NDPR Implementation Framework 2019
Guidelines for the Management of Personal Data by Public Institutions and Private Organisations (NITDA)
Nigeria Cloud Computing Policy (where applicable)

International Standards:

Health Insurance Portability and Accountability Act (HIPAA) - for U.S. operations
ISO/IEC 27001:2013 - Information Security Management
ISO/IEC 27018 - Protection of Personally Identifiable Information in Public Clouds

Regulatory Authority

The National Information Technology Development Agency (NITDA) is the supervisory authority responsible for monitoring and enforcing compliance with the NDPR in Nigeria.

NITDA Contact Information:

Website: www.nitda.gov.ng
Email: info@nitda.gov.ng
Address: National Information Technology Development Agency, No. 28 Port Harcourt Crescent, Off Gimbiya Street, Area 11, Garki, Abuja, Nigeria

You have the right to lodge a complaint with NITDA if you believe we have violated your data protection rights (see Section 19.0).

Types of Information We Collect

We collect different types of information depending on how you interact with our Platform. All health-related information is classified as Sensitive Personal Data under the NDPR and receives enhanced protection.

Personal Information

Contact and Identity Information:

Full name (surname, first name, middle name)
Email address
Phone number (mobile and/or landline)
Residential address
Date of birth
Gender
Nationality
National Identification Number (NIN) - only when legally required
Photograph (profile picture)

Account Information:

Username and password (encrypted)
Account preferences and settings
Communication preferences
Security questions and answers

Professional Information (for Healthcare Providers):

Medical license number and issuing authority
Specialty and qualifications
Professional registration details
Employment information
Hospital/clinic affiliations

Protected Health Information (PHI) - Sensitive Personal Data

Under the NDPR, health data is classified as Sensitive Personal Data requiring enhanced consent and security measures.

We may collect and process the following health information:

Patient Demographics:

Patient ID number
Emergency contact information
Insurance information (provider, policy number)
Next of kin details

Medical Information:

Medical history (past illnesses, surgeries, hospitalizations)
Current health conditions and diagnoses
Medications (current and past prescriptions)
Allergies and adverse reactions
Immunization records
Laboratory and diagnostic test results
Vital signs (blood pressure, temperature, heart rate, etc.)
Clinical notes and observations
Treatment plans and care instructions
Surgical and procedural reports
Radiology and imaging reports
Referrals and consultation notes

Lifestyle and Social History:

Smoking, alcohol, and substance use history
Dietary information
Exercise habits
Occupation (when medically relevant)
Social determinants of health

Billing and Claims Information:

Insurance claims data
Payment history
Billing records
Healthcare services received

Special Categories of Health Data:

Genetic information (only with explicit consent)
Mental health records (with enhanced protection)
HIV/AIDS status (with special consent and confidentiality measures)
Sexual and reproductive health information (with enhanced privacy)

Usage and Technical Information

Device Information:

Device type (smartphone, tablet, computer)
Operating system and version
Browser type and version
Device identifiers (IP address, device ID)
Mobile network information
Screen resolution and device capabilities

Usage Data:

Pages visited on our website
Features used on our Platform
Time spent on pages and in the application
Click paths and navigation patterns
Search queries
Timestamps of access
Session duration and frequency
Interaction with features

Log Data:

Access logs (who accessed what and when)
Error logs and crash reports
System performance data
Security logs (login attempts, authentication events)

Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience. See Section 14.0 for detailed information about cookies and how to manage them.

Types of Cookies We Use:

Essential cookies (required for Platform functionality)
Performance cookies (analytics and usage patterns)
Functional cookies (remember your preferences)
Security cookies (fraud prevention, secure access)

Information from Third Parties

We may receive information about you from:

Healthcare Providers: Medical records transferred from your previous healthcare provider (with your consent), referral information from other doctors, lab results from diagnostic centers
Insurance Companies: Insurance verification data, coverage and eligibility information, claims processing information
Payment Processors: Payment confirmation and transaction details, billing information verification
Public Sources: Medical license verification from regulatory bodies, professional registration validation

Important: We only collect information from third parties when we have a lawful basis to do so, and we inform you when we receive such information.

Information You Provide Voluntarily

Communication Records:

Support requests and customer service inquiries
Feedback and survey responses
Messages sent through our Platform
Complaints or concerns raised
Testimonials or reviews (only published with your explicit consent)

Application and Registration Information:

Information provided when creating an account
Information submitted in application forms
Verification documents uploaded

Legal Basis for Processing

Under the NDPR, we must have a lawful basis to process your personal data. We process your information only when one or more of the following legal bases apply:

Consent (Article 2.2(a) NDPR)

We process your data based on your explicit consent when:

You have given us clear, informed, and unambiguous consent
You have actively opted-in to specific processing activities
You have agreed to receive marketing communications
You have consented to share your data with third parties
You have agreed to optional features requiring data processing

Your consent is:

Freely given - without coercion or undue influence
Specific - for defined purposes clearly explained to you
Informed - you understand what you're consenting to
Unambiguous - through a clear affirmative action (not pre-checked boxes)
Withdrawable - you can withdraw consent at any time

You can withdraw your consent at any time by contacting our DPO or using the unsubscribe mechanism in communications. Withdrawal does not affect the lawfulness of processing before withdrawal.

Performance of Contract (Article 2.2(b) NDPR)

We process your data when necessary to:

Create and manage your account
Provide the healthcare services you requested
Process your payments and billing
Fulfill our contractual obligations to you
Enable communication between you and your healthcare provider
Deliver technical support and maintenance

Processing for contract performance is necessary - without this processing, we cannot provide our services to you.

Legal Obligation (Article 2.2(c) NDPR)

We process your data to comply with legal obligations, including:

Nigerian healthcare regulations and reporting requirements
Medical record retention laws
Anti-money laundering and fraud prevention laws
Tax and accounting regulations
Court orders and legal process
Regulatory requests from NITDA or other authorities
Professional licensing and accreditation requirements
Public health reporting obligations

Vital Interests (Article 2.2(d) NDPR)

We may process your data without consent in medical emergencies when:

Processing is necessary to protect your life or physical integrity
You are physically or legally incapable of giving consent
Immediate action is required to prevent serious harm
Emergency medical treatment is being provided

This basis is used only in genuine emergencies and is narrowly construed.

Public Interest (Article 2.2(e) NDPR)

We may process data for public health purposes, including:

Disease surveillance and outbreak response
Public health monitoring and reporting
Healthcare quality and safety improvements
Medical research (when anonymized or with specific consent)

Legitimate Interests

We may process data based on our legitimate interests when:

Preventing fraud and ensuring Platform security
Improving our services and Platform functionality
Conducting internal analytics to enhance user experience
Managing business operations and legal matters
Protecting our legal rights and interests

We balance our legitimate interests against your rights - we only rely on this basis when your interests and rights do not override our legitimate interests.

Processing of Sensitive Personal Data

Health data requires additional justification under the NDPR. We process your health information based on:

Your explicit consent for specific health data processing
Necessary for medical diagnosis and healthcare provision by qualified healthcare professionals
Protection of vital interests in medical emergencies
Public health obligations under Nigerian law
Medical research with appropriate safeguards and ethics approval

We never process your health information for marketing purposes.

How We Use Your Information

Primary Purposes

To Provide Healthcare Services:

Enable consultations between patients and healthcare providers
Maintain electronic health records (EHR)
Facilitate diagnosis, treatment, and care coordination
Schedule appointments and send reminders
Provide telehealth and remote monitoring services
Generate medical reports and prescriptions
Share information among your care team (with your consent)
Coordinate referrals to specialists
Support continuity of care

To Manage Your Account:

Create and maintain your user account
Authenticate your identity and secure access
Process your preferences and settings
Communicate important account updates
Provide customer support and technical assistance
Respond to your inquiries and requests

To Process Payments:

Process billing and payments for services
Generate invoices and receipts
Verify insurance coverage and process claims
Prevent payment fraud
Maintain financial records (as required by law)

To Ensure Platform Security:

Detect and prevent fraudulent activity
Protect against unauthorized access
Monitor for security threats and vulnerabilities
Investigate and respond to security incidents
Enforce our Terms of Service
Comply with legal and regulatory requirements

Secondary Purposes (Requiring Separate Consent)

Service Improvement and Analytics:

Analyze usage patterns to improve Platform functionality
Conduct user experience research
Develop new features and services
Perform quality assurance testing
Generate de-identified aggregate statistics

Marketing and Communications (opt-in only):

Send newsletters and healthcare tips
Notify you about new features or services
Provide personalized recommendations
Conduct customer satisfaction surveys

Medical Research (with specific consent and ethics approval):

Support medical research using de-identified data
Contribute to public health studies
Participate in clinical trials (voluntary, with explicit consent)

Important: We will always seek your separate, explicit consent for secondary purposes. You can refuse consent without affecting your access to our core services.

Automated Decision-Making

We use limited automated processing for:

Appointment scheduling and availability matching
Automated appointment reminders
Basic triage and symptom checking (preliminary only, not diagnostic)
Fraud detection algorithms
System performance optimization

We do NOT use automated decision-making for:

Medical diagnosis or treatment decisions
Determination of healthcare coverage
Any decision that produces legal effects concerning you
Decisions requiring professional medical judgment

You have the right to:

Be informed when automated processing is used
Request human intervention in automated decisions
Challenge automated decisions
Opt-out of automated profiling

Consent

How We Obtain Consent

We obtain your consent through clear, specific, and affirmative actions:

Valid Consent Mechanisms:

Clicking "I agree" or "I consent" after reading clear information
Checking an unchecked box (pre-ticked boxes are NOT valid consent)
Signing a consent form (physically or electronically)
Verbal consent (documented and recorded for medical procedures)
Selecting specific preferences in your account settings

Invalid Consent (we do NOT use):

Pre-ticked boxes or default opt-ins
Silence or inactivity
Consent bundled with terms and conditions
Implied consent through continued use (except cookies - see Section 14.0)
Consent obtained through deception or coercion

What You're Consenting To

When you consent to data processing, we clearly explain:

What data we will collect
Why we need it (specific purposes)
How we will use it
Who will have access to it
How long we will keep it
Your rights regarding this data
How to withdraw your consent

Separate Consent for Different Purposes

We obtain separate consent for:

Processing of sensitive health data
Marketing communications
Sharing data with third parties
Use of data for research
Optional Platform features requiring additional data

You can consent to some purposes and refuse others - this will not affect your access to core services.

Enhanced Consent for Sensitive Health Data

Because health data is Sensitive Personal Data under the NDPR, we require explicit, documented consent that:

Is obtained through a specific, clear statement
Is separate from other consents
Cannot be implied from general consent
Is documented and recorded in your account
Clearly identifies the health data being collected
Specifies the healthcare purpose

Ticking a box is insufficient for health data - we use enhanced consent mechanisms including:

Signed consent forms for medical procedures
Explicit consent statements for each category of health data
Separate consent for each healthcare provider who will access your records
Periodic re-confirmation of consent for ongoing processing

Consent from Parents/Guardians

For minors (individuals under 18 years):

Consent must be obtained from a parent or legal guardian
We verify parental authority before accepting consent
We may require documentation of guardianship
The minor's best interests are our primary consideration
We process the minimum data necessary for healthcare

Consent Records

We maintain comprehensive records of all consents, including:

Who gave consent
When consent was given
How consent was obtained
What was consented to
Version of the Privacy Policy at the time of consent
Any changes or withdrawals of consent

You can request a copy of your consent records by contacting our DPO.

Withdrawing Consent

You have the absolute right to withdraw your consent at any time.

How to Withdraw Consent:

For All Consents: Email our DPO at: dpo@astutemedic.com, Call: [INSERT DPO PHONE NUMBER], Log into your account and update consent preferences, Send written notice to our registered address
For Marketing Communications: Click "Unsubscribe" in any marketing email, Update preferences in your account settings, Reply "STOP" to SMS messages
For Specific Healthcare Providers: Use the access control settings in your account, Submit a request through the Platform, Contact our support team

Effect of Withdrawal:

Processing stops immediately (except where required by law)
Withdrawal does not affect previous processing based on consent
We may retain some data if required by legal obligations
You can re-consent at any time
Core services remain available (where processing is based on other legal grounds)

Processing Time: We process consent withdrawal requests within 72 hours of receipt.

Your Rights as a Data Subject

Under the NDPR, you have comprehensive rights regarding your personal data. We are committed to facilitating the exercise of these rights promptly and free of charge.

Right to Be Informed (Article 3.1(7) NDPR)

You have the right to know:

What personal data we hold about you
Why we collect and process your data
Who has access to your data
How long we keep your data
Your rights regarding your data
How to contact us and NITDA

This Privacy Policy fulfills our obligation to inform you. We also provide specific notices at the point of data collection.

Right to Access (Article 3.1(a) NDPR)

You have the right to:

Request a copy of all personal data we hold about you
Receive the information in an accessible, understandable format
Know the source of your data (where not collected directly from you)
Understand how your data is being processed

How to Request Access:

Submit a Data Access Request to our DPO (Section 18.0)
Verify your identity (for security purposes)
Specify what information you want to access
We will respond within 30 days

We will provide:

A copy of your personal data in electronic format (PDF or Excel)
Information about the purposes of processing
Categories of data being processed
Recipients or categories of recipients
Retention periods
Your rights (including correction, deletion, restriction, objection)
The right to lodge a complaint with NITDA

First Copy is FREE - we do not charge for your first data access request in a 12-month period. Subsequent requests may incur a reasonable administrative fee.

Through Your Account: You can also access much of your data directly by logging into your account settings and viewing your profile, health records, and transaction history.

Right to Rectification (Article 3.1(b) NDPR)

You have the right to:

Correct inaccurate personal data
Complete incomplete data
Update outdated information

How to Request Correction:

Self-Service: Log into your account and update your profile information, contact details, and preferences
Assisted Correction: Contact our support team for assistance with corrections
Medical Record Corrections: Request correction through your healthcare provider or our DPO (medical records may require healthcare provider verification)

Processing Time:

Self-service updates: Immediate
Assisted corrections: Within 7 business days
Medical record corrections: Within 14 days (may require healthcare provider input)

Important: For medical records, we may need to verify corrections with your healthcare provider to ensure medical accuracy. Original records may be retained with annotations showing corrections.

Right to Erasure ("Right to Be Forgotten") (Article 3.1(c) NDPR)

You have the right to request deletion of your personal data when:

The data is no longer necessary for the purpose it was collected
You withdraw consent and there is no other legal basis for processing
You object to processing and there are no overriding legitimate grounds
The data has been unlawfully processed
Deletion is required to comply with a legal obligation

Limitations on Deletion:

We cannot delete your data when:

We are legally required to retain it (e.g., medical record retention laws require us to keep health records for 7 years after last treatment)
Needed to establish, exercise, or defend legal claims
Required for public health purposes
Necessary for archiving purposes in the public interest
The healthcare provider has an overriding legal obligation to retain medical records

How to Request Deletion:

Submit a Data Deletion Request to our DPO
Specify what data you want deleted
We will assess your request within 14 days
If approved, deletion will occur within 30 days
If denied, we will explain the reason

What Happens When We Delete:

Your account will be deactivated
Personal identifiers will be permanently erased
Health records will be de-identified (where retention is legally required)
Backups will be purged according to our backup retention schedule (maximum 90 days)
Third parties who received your data will be notified to delete it

Account Closure: Requesting deletion will close your account. This action is irreversible.

Right to Data Portability (Article 3.1(d) NDPR)

You have the right to:

Receive your personal data in a structured, commonly used, machine-readable format
Transmit your data to another service provider without hindrance
Request direct transfer to another controller (where technically feasible)

How to Request Data Portability:

Submit a Data Portability Request to our DPO
Specify the format you prefer (CSV, JSON, PDF, HL7 FHIR for health data)
We will provide your data within 30 days

What We Provide:

Your account information
Your health records in standard medical format (HL7 FHIR)
Usage history and preferences
Communication records

Destination Options:

Download to your device
Direct transfer to another healthcare platform (where supported)
Provision to your healthcare provider

This Service is FREE.

Right to Object (Article 3.1(e) NDPR)

You have the right to object to:

Processing based on legitimate interests
Processing for direct marketing purposes
Automated decision-making and profiling

How to Object:

Marketing: Click "Unsubscribe" or update preferences
Other Processing: Contact our DPO with your objection and reasons

Effect of Objection:

Marketing: We will stop immediately, no questions asked
Other Processing: We will assess and stop unless we demonstrate compelling legitimate grounds that override your interests

Right to Restrict Processing (Article 3.1(f) NDPR)

You have the right to request restriction (pausing) of processing when:

You contest the accuracy of the data (while we verify)
Processing is unlawful but you don't want deletion
We no longer need the data, but you need it for legal claims
You have objected to processing (while we verify grounds)

During Restriction:

We can only store your data
Processing requires your consent or is for legal claims
We will inform you before lifting restriction

How to Request Restriction: Contact our DPO specifying:

What data should be restricted
Reason for restriction
Duration (if temporary)

Right to Be Notified

You have the right to be notified when:

We make corrections to your data
We delete your data
We restrict processing of your data
There is a data breach affecting your data (see Section 16.0)

We will notify:

You directly within specified timeframes
Third parties who received your data (where feasible)

Right to Lodge a Complaint (Article 3.1(g) NDPR)

You have the right to lodge a complaint with NITDA if you believe:

We have violated your data protection rights
We have not responded adequately to your requests
We are processing your data unlawfully
We have failed to protect your data

How to Complain to NITDA:

Website: www.nitda.gov.ng
Email: info@nitda.gov.ng
Phone: [NITDA CONTACT NUMBER]
Address: National Information Technology Development Agency, No. 28 Port Harcourt Crescent, Off Gimbiya Street, Area 11, Garki, Abuja, Nigeria

You can also complain to us first - we encourage you to contact our DPO so we can attempt to resolve your concern before you escalate to NITDA.

Right to Compensation

You have the right to compensation if:

You suffer damage due to our violation of the NDPR
You incur financial loss due to our data breach
You experience distress due to our mishandling of your data

Claims can be pursued through:

NITDA's Administrative Redress Panel
Nigerian courts
Alternative dispute resolution mechanisms

How We Respond to Rights Requests

Our Commitment:

Free Service: Exercising your rights is free (except manifestly unfounded or excessive requests)
Fast Response: We respond within 72 hours to acknowledge receipt, with full response within 30 days (may be extended to 90 days for complex requests with notification)
Clear Communication: We explain our response in plain language
Identity Verification: We may request identification to protect your privacy
No Retaliation: Exercising your rights will not affect your service quality

Right	Acknowledgment	Full Response
Access	72 hours	30 days
Rectification	72 hours	7-14 days
Erasure	72 hours	30 days
Data Portability	72 hours	30 days
Restriction	72 hours	14 days
Objection	Immediate (marketing)	14 days (other)
Complaint	72 hours	30 days

Data Security

Our Security Commitment

We implement comprehensive technical, administrative, and physical security measures to protect your personal data against:

Unauthorized access or disclosure
Accidental loss or destruction
Theft, cyberattacks, or viral attacks
Manipulation or alteration
Damage from natural disasters

We comply with:

NDPR Security Requirements (Article 2.6)
ISO/IEC 27001:2013 Information Security Management System
HIPAA Security Rule
Nigerian Cybersecurity Standards

Technical Security Measures

Encryption:

End-to-End Encryption for data in transit (TLS 1.3)
At-Rest Encryption using AES-256 for stored data
Database Encryption for all health records
Encrypted Backups with secure key management
Encrypted Communications for all data exchanges

Access Controls:

Role-Based Access Control (RBAC) - users only access data necessary for their role
Multi-Factor Authentication (MFA) for healthcare providers and administrators
Strong Password Requirements (minimum 12 characters, complexity requirements)
Session Management with automatic timeout
Principle of Least Privilege - minimum necessary access
Access Logging - all data access is logged and monitored

Network Security:

Firewalls protecting all network boundaries
Intrusion Detection and Prevention Systems (IDS/IPS)
DDoS Protection to prevent service disruption
Network Segmentation isolating sensitive data
VPN Requirements for remote access
Regular Penetration Testing by independent security firms

Application Security:

Secure Coding Practices following OWASP guidelines
Regular Security Patching within 48 hours of critical vulnerabilities
Input Validation to prevent injection attacks
Anti-Malware Protection on all systems
Security Code Reviews before deployment
Vulnerability Scanning (weekly automated scans)

Data Protection:

Data Anonymization for analytics and research
Data Pseudonymization where appropriate
Secure Data Disposal using certified destruction methods
Backup Encryption with geographically distributed backups
Backup Testing (monthly restoration tests)

Administrative Security Measures

Policies and Procedures:

Comprehensive Information Security Policy
Data Protection and Privacy Policy (this document)
Incident Response Plan
Business Continuity and Disaster Recovery Plan
Acceptable Use Policy
Email and Communications Security Policy
Vendor Management Policy

Personnel Security:

Background Checks for all employees with data access
Confidentiality Agreements signed by all staff
Security Training - mandatory upon hiring and annually thereafter
NDPR Training - all staff trained on data protection requirements
Role-Specific Training for personnel handling health data
Access Revocation - immediate upon termination

Vendor Management:

Due Diligence on all vendors processing data
NDPR-Compliant Contracts with all processors
Security Assessments of third-party services
Ongoing Monitoring of vendor compliance

Governance:

Data Protection Officer oversight
Information Security Committee
Regular Management Reviews
Compliance Audits (quarterly internal, annual external)

Security Monitoring and Incident Response

Continuous Monitoring:

24/7 Security Operations Center (SOC)
Real-time threat detection and alerting
Automated anomaly detection
Log aggregation and analysis (SIEM)
User behavior analytics

Incident Response:

Dedicated Incident Response Team
15-minute response time for critical incidents
Forensic investigation capabilities
Incident documentation and reporting
Post-incident review and improvement

Regular Security Assessments

We conduct:

Internal Audits: Quarterly
External Security Audits: Annually by certified auditors
Penetration Testing: Semi-annually
Vulnerability Assessments: Monthly
Risk Assessments: Annually or when significant changes occur
Data Protection Impact Assessments (DPIA): For new processing activities

Your Security Responsibilities

While we implement robust security, you also play a crucial role:

Please:

Keep your password confidential and secure
Use a strong, unique password for your account
Enable multi-factor authentication if available
Log out after using shared or public devices
Keep your contact information updated
Report suspicious activity immediately
Be cautious of phishing attempts
Do not share your account credentials

Report Security Concerns:

Email: security@astutemedic.com
Phone: +234 811 438 7433
Available: 24/7 for critical security issues

Security Limitations

Important Notice:

While we implement industry-leading security measures, no system is 100% secure. We cannot guarantee absolute security against all threats. Internet transmission carries inherent risks.

We commit to:

Using best-practice security measures
Continuously improving our security posture
Responding promptly to security incidents
Being transparent about security limitations
Notifying you of any breach affecting your data (see Section 16.0)

By using our Platform, you acknowledge:

You understand the inherent risks of internet transmission
You accept that absolute security cannot be guaranteed
You will take reasonable precautions with your account

Data Retention

Retention Principles

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

Our retention policy is based on:

Purpose Limitation: Data is kept only while needed for its stated purpose
Legal Requirements: Compliance with Nigerian record retention laws
Minimization: We periodically review and delete unnecessary data
Security: Retained data receives ongoing protection

Retention Periods by Data Category

Data Category	Retention Period	Legal Basis
Medical Records (PHI)	7 years after last treatment or consultation	Nigerian medical record retention laws; professional medical standards
Minor's Medical Records	7 years after reaching age 18, or 7 years after last treatment (whichever is longer)	Protection of minors; medical practice standards
Account Information	Duration of active account + 2 years after account closure	Contract performance; legitimate interests
Billing and Payment Records	7 years after transaction	Tax and accounting laws (Federal Inland Revenue Service requirements)
Insurance Claims Data	7 years after claim closure	Insurance regulations; legal claims
Audit Logs and Access Records	3 years	Security and compliance requirements
Marketing Consent Records	Until consent withdrawn + 2 years	NDPR compliance; proof of consent
CCTV Footage (if applicable)	90 days unless needed for investigation	Security; legitimate interests
Cookies	See Section 14.0	Varies by cookie type
Anonymized Research Data	Indefinitely	Cannot be linked back to individuals
Customer Service Records	3 years after last contact	Service improvement; complaint resolution

Medical Record Retention Details

Minimum 7-Year Retention Required For:

Clinical notes and consultation records
Diagnostic reports (lab results, imaging, etc.)
Treatment plans and prescriptions
Surgical and procedural reports
Immunization records
Referral letters and specialist reports

Extended Retention May Apply For:

Pediatric records (until patient is 25)
Mental health records (10 years)
Obstetric records (25 years)
Oncology records (10 years)
Records subject to ongoing legal proceedings (until resolved + 2 years)
Records with research or public health significance

Account Closure and Deletion

Upon Account Closure:

You Request Closure:

Account is deactivated immediately
Personal identifiers are removed within 30 days
Medical records are retained per legal requirements (7 years minimum)
Health data is de-identified to disconnect from you while retaining it for legal compliance
Backup copies purged within 90 days

We Close Your Account (inactivity):

After 24 months of inactivity, we send reminder emails
After 30 months of inactivity with no response, account is deactivated
Data retention periods commence from deactivation date

Healthcare Provider Accounts:

Cannot be fully deleted while associated patient records exist
Account is deactivated and de-identified
Provider information retained with medical records per legal requirements

Legal Hold

We may extend retention when:

Subject to litigation, investigation, or regulatory inquiry
Required by court order or legal process
Necessary to establish, exercise, or defend legal claims
Required by law enforcement or regulatory authorities

Legal hold overrides standard retention periods until the legal matter is resolved.

Data Deletion Methods

Secure Deletion Procedures:

Electronic Data:

Cryptographic erasure (encryption keys destroyed)
Multi-pass overwriting (DoD 5220.22-M standard)
Secure database record deletion with referential integrity cleanup
Backup purging according to backup retention schedule

Physical Media:

Hard drives: Physical destruction or degaussing
Documents: Cross-cut shredding
Certified destruction with certificate of destruction

Third-Party Data:

Notification to third parties to delete data
Verification of deletion where possible

Retention Schedule Review

We review our retention schedule:

Annually to ensure compliance with current laws
When laws or regulations change
Following significant changes to our business operations
After recommendations from Data Protection Impact Assessments

Access to Retained Data

During the retention period:

You can access your data (see Section 9.2)
You can request corrections (see Section 9.3)
You can object to processing (see Section 9.6)

After the retention period:

Data is permanently deleted and cannot be recovered
We cannot provide copies or access to deleted data
Medical records are archived in de-identified format per legal requirements

Backup Retention

Backup Policy:

Daily incremental backups retained for 30 days
Monthly full backups retained for 90 days
Annual backups retained for 1 year (health data only)
Deleted data persists in backups until backup expiration
Backups are encrypted and secured with same standards as live data

Backup Restoration:

Used only for disaster recovery or system restoration
Not used to circumvent deletion requests
Subject to same access controls as primary data

Sharing Your Information

General Principle

We do not sell your personal data to anyone, ever.

We only share your information when:

You have given explicit consent
Necessary to provide our services
Required by law
Necessary to protect vital interests

All data sharing complies with NDPR Article 2.7 and Implementation Framework Section 14.

Healthcare Providers

Shared With: Licensed healthcare providers you have chosen to consult

Data Shared:

Your medical history and health records
Current symptoms and health concerns
Lab results and diagnostic reports
Medication and allergy information
Insurance and payment information

Purpose: Enable your healthcare providers to deliver proper medical care

Legal Basis: Necessary for healthcare delivery; your explicit consent

Your Control: You can control which providers access your health records through access settings in your account

Healthcare Facilities

Shared With: Hospitals, clinics, diagnostic centers where you receive care

Data Shared:

Patient demographics
Appointment information
Medical records relevant to your visit
Insurance and billing information

Purpose: Coordinate care and facilitate services

Legal Basis: Necessary for healthcare delivery; contract performance

Third-Party Service Providers (Data Processors)

We engage third-party companies to perform services on our behalf. These processors act only on our instructions and are bound by NDPR-compliant Data Processing Agreements.

Current Third-Party Processors

Category	Third Party	Location	Data Shared	Purpose
Cloud Hosting	[INSERT PROVIDER]	[INSERT LOCATION]	All platform data	Infrastructure and data storage
Payment Processing	[INSERT PROVIDER]	[INSERT LOCATION]	Billing information, payment details	Process payments securely
Email Services	[INSERT PROVIDER]	[INSERT LOCATION]	Email addresses, communication content	Send transactional and marketing emails
SMS/WhatsApp	[INSERT PROVIDER]	[INSERT LOCATION]	Phone numbers, message content	Send appointment reminders and notifications
Analytics	[INSERT PROVIDER]	[INSERT LOCATION]	Usage data (de-identified where possible)	Platform improvement and analytics
Customer Support	[INSERT PROVIDER]	[INSERT LOCATION]	Support tickets, communication records	Provide customer support
Security Services	[INSERT PROVIDER]	[INSERT LOCATION]	Log data, security events	Security monitoring and threat detection

Note: This list is current as of the "Last Updated" date of this policy. We will update this section when we add or change processors.

Processor Obligations

All our data processors must:

Process data only according to our documented instructions
Maintain confidentiality
Implement appropriate security measures
Engage sub-processors only with our approval
Assist with data subject rights requests
Assist with data breach notifications
Delete or return data upon termination of services
Comply with NDPR requirements
Submit to audits and inspections

Insurance Companies

Shared With: Your health insurance provider (when you authorize)

Data Shared:

Services received and diagnoses
Treatment details for claims processing
Provider information
Dates and costs of services

Purpose: Process insurance claims and verify coverage

Legal Basis: Your explicit consent; contract performance

Your Control: You authorize each specific insurance claim submission

Legal and Regulatory Authorities

Shared With: Government agencies, regulators, law enforcement

Data Shared: Minimum necessary to comply with legal requirements

Circumstances:

Court orders or subpoenas
Legal obligations under Nigerian law
Public health reporting requirements
Regulatory investigations
Law enforcement requests with proper legal authority
Protection of national security (with appropriate authorization)

Legal Basis: Legal obligation; public interest

Notice: We will notify you of legal requests for your data unless prohibited by law or court order

Public Health Authorities

Shared With: Nigerian public health agencies (e.g., NCDC, FMOH)

Data Shared: De-identified or aggregate health data for:

Disease surveillance
Outbreak investigation and response
Public health monitoring
Healthcare quality reporting

Legal Basis: Public health obligations; legal requirement

Protection: We share only the minimum necessary information, preferring de-identified data where possible

Research Institutions

Shared With: Approved medical research organizations

Data Shared: De-identified or anonymized health data

Requirements:

Your explicit, separate consent (opt-in only)
Ethics committee approval
Institutional Review Board (IRB) review
Data use agreement ensuring NDPR compliance
Prohibition on re-identification
You can withdraw consent at any time

Purpose: Advance medical knowledge and improve healthcare

We NEVER share identifiable health data for research without your explicit consent.

Business Transfers

In the event of:

Merger or acquisition
Sale of assets
Corporate restructuring
Bankruptcy proceedings

Your data may be transferred to:

The successor entity
Potential purchasers (under strict confidentiality)

Protections:

You will be notified before the transfer
The successor entity must honor this Privacy Policy
You can request data deletion before transfer (subject to legal limitations)
NDPR compliance is maintained

Emergency Situations

We may share your data without consent when:

Your life or physical integrity is at immediate risk
You are incapacitated and unable to consent
Emergency medical treatment is required
Delay in obtaining consent would cause serious harm

Shared With: Emergency healthcare providers, emergency services

Legal Basis: Protection of vital interests (Article 2.2(d) NDPR)

Limitation: Only essential health information is shared

Your Designated Representatives

Shared With: Individuals you have explicitly authorized

Examples:

Next of kin or emergency contacts (for emergency notifications only)
Legal representatives or guardians
Family members authorized to access your account
Healthcare proxies or medical power of attorney

How to Authorize: Update your account settings or submit a written authorization to our DPO

Your Control: You can add or remove authorized representatives at any time

Data Sharing Notifications

We will inform you:

At the point of data collection who will receive your data
Before sharing your data for new purposes
Of material changes to our sharing practices
When required by law (unless prohibited)

You have the right to:

Know who has received your data
Receive a list of third-party recipients (upon request)
Object to specific data sharing (see Section 9.6)
Withdraw consent for optional sharing

Cross-Border Data Transfers

Our Data Localization Commitment

Primary Data Storage: All personal data of Nigerian users is primarily stored in Nigeria on servers located within Nigerian territory.

Nigerian Data Center:

Location: [INSERT SPECIFIC NIGERIAN DATA CENTER LOCATION]
Certifications: [INSERT CERTIFICATIONS]
Security: Tier III/IV facility with 24/7 security

This ensures your data is subject to Nigerian law and NDPR protections.

When We Transfer Data Abroad

Despite our primary Nigerian storage, we may transfer data internationally in the following limited circumstances:

Necessary Transfers:

Cloud Infrastructure Redundancy: For backup and disaster recovery purposes
Third-Party Services: When using international service providers (e.g., payment processors)
Healthcare Provider Request: When you consult with a healthcare provider located outside Nigeria
Emergency Medical Care: When you receive emergency treatment abroad
Research Collaboration: When you consent to participate in international medical research

NDPR Requirements for Cross-Border Transfers (Article 2.11-2.12)

Under the NDPR, we can only transfer your data to foreign countries when:

Option 1: Adequate Data Protection Laws The destination country has data protection laws that NITDA considers adequate. Currently recognized countries include:

All European Union member states (GDPR)
United Kingdom (UK GDPR)
[INSERT OTHER COUNTRIES FROM NDPR WHITE LIST]

Option 2: Appropriate Safeguards When the destination country lacks adequate laws, we implement:

Standard Contractual Clauses (SCCs) approved by NITDA
Binding Corporate Rules
Data Processing Agreements with NDPR-compliant terms
Additional technical safeguards (encryption, pseudonymization)

Option 3: Explicit Consent We obtain your explicit, informed consent after informing you of:

The destination country
The risks of transfer to a country without adequate protection
The safeguards we have implemented
Your right to withdraw consent

Option 4: Necessary for Specific Purposes Transfers necessary for:

Your medical treatment (e.g., medical evacuation abroad)
Legal claims establishment, exercise, or defense
Protection of vital interests when you cannot consent

Current International Transfers

Service Provider	Country	Data Transferred	Safeguard	Your Consent Required?
[INSERT CLOUD PROVIDER]	[COUNTRY]	Encrypted backups only	SCCs + Encryption	No (legitimate interest - backup)
[INSERT PAYMENT PROCESSOR]	[COUNTRY]	Payment information	Adequate laws (GDPR)	No (necessary for contract)
[INSERT EMAIL PROVIDER]	[COUNTRY]	Email communications	SCCs + Encryption	Yes (for marketing emails)

This list is current as of [INSERT DATE]. We update this section when international transfers change.

Supervision by NITDA and Attorney General

For transfers to countries without adequate protection:

We have submitted our cross-border transfer mechanisms to NITDA for approval
Where required, transfers are supervised by the Attorney General of the Federation
We maintain documentation of all international transfers
We report significant transfers to NITDA in our annual audit

NITDA Approval Reference: [INSERT REFERENCE NUMBER IF APPLICABLE]

Your Rights Regarding International Transfers

You have the right to:

Know where your data is stored and processed
Know which countries receive your data
Be informed of the risks of cross-border transfers
Receive information about safeguards in place
Withdraw consent for transfers based on consent
Object to transfers based on legitimate interests
Request that your data remain in Nigeria (where feasible)

How to Exercise These Rights: Contact our DPO (Section 18.0)

Risks of International Transfers

We inform you that international data transfers may carry risks:

Foreign governments may have access to data (e.g., U.S. CLOUD Act, surveillance laws)
Different legal protections may apply
Enforcement of your rights may be more difficult
Data breach notification requirements may differ
Legal recourse may be limited

We mitigate these risks through:

Contractual protections requiring NDPR compliance
Technical safeguards (encryption, pseudonymization)
Due diligence on international partners
Regular audits and compliance monitoring
Choosing processors in jurisdictions with adequate laws where possible

EU-Nigeria Data Transfers

For users in the EU or Nigeria with ties to the EU:

We comply with both GDPR and NDPR when transferring data between the EU and Nigeria. We use:

Standard Contractual Clauses (EU Commission approved)
Supplementary measures as recommended by the European Data Protection Board
Data Processing Agreements compliant with both frameworks

Data Sovereignty

Nigerian Government Data: For data owned or commissioned by Nigerian government entities, we comply with data sovereignty requirements:

Storage exclusively in Nigeria
Processing exclusively in Nigeria
No cross-border transfers without explicit government authorization
Enhanced security controls

Notification of Changes

We will notify you:

30 days in advance of material changes to our international transfer practices
Via email and prominent website notice
With opportunity to object or withdraw consent before changes take effect

How to Restrict International Transfers

If you do not want your data transferred internationally:

Contact our DPO to request Nigeria-only data processing
We will assess feasibility - some services may not be available without international processors
We will implement restrictions where technically feasible
You may need to accept limitations on certain Platform features

We commit to maximizing data localization wherever possible.

Cookies and Tracking Technologies

What Are Cookies?

Cookies are small text files stored on your device when you visit our website or use our Platform. They help us recognize you, remember your preferences, and improve your experience.

Similar technologies we use:

Web beacons/pixels: Small graphics that track page views and email opens
Local storage: Browser-based storage for preferences
Session storage: Temporary storage cleared when you close your browser
Device fingerprinting: Collecting device characteristics for fraud prevention

NDPR Requirements for Cookies (Implementation Framework Section 8.4)

Under the NDPR:

Consent required: For non-essential cookies
Clear information: You must understand what cookies do
Easy opt-out: You can reject or delete cookies at any time
Continued use consent: Your continued use of our website after seeing the cookie notice constitutes consent for non-essential cookies

We obtain consent through:

Cookie banner on first visit
Clear information about each cookie type
Accept/Reject options
Cookie settings management tool

Types of Cookies We Use

Essential Cookies (No Consent Required)

Purpose: Enable core Platform functionality

Examples:

Authentication cookies (keep you logged in)
Security cookies (protect against fraud, CSRF attacks)
Load balancing cookies (distribute traffic)
Session management cookies (remember your current session)

Retention: Session or up to 30 days

Can You Opt Out? No - these are strictly necessary for the Platform to function. Blocking them will prevent you from using our services.

Performance Cookies (Consent Required)

Purpose: Analyze Platform usage to improve performance

Examples:

Page load time tracking
Error logging
Feature usage analytics
Traffic source tracking

Information Collected:

Pages visited
Time on site
Browser type
Device type
Referring website

Third Parties: Google Analytics [ADD OTHERS IF APPLICABLE]

Retention: Up to 2 years

Can You Opt Out? Yes - manage in cookie settings

Functional Cookies (Consent Required)

Purpose: Remember your preferences and enhance functionality

Examples:

Language preference
Region/location settings
Display preferences (theme, text size)
"Remember me" functionality
Recently viewed items

Retention: Up to 1 year

Can You Opt Out? Yes - but some features may not work as expected

Marketing Cookies (Explicit Consent Required)

Purpose: Deliver targeted advertisements and measure campaign effectiveness

Examples:

Ad targeting based on interests
Frequency capping (limiting ad repetition)
Campaign performance measurement
Cross-site tracking for retargeting

Third Parties: [INSERT ADVERTISING PARTNERS IF APPLICABLE]

Retention: Up to 2 years

Can You Opt Out? Yes - we do not use marketing cookies unless you explicitly opt-in

Important: We currently do not use marketing cookies. If we introduce them in the future, we will:

Notify you prominently
Request explicit opt-in consent
Provide detailed information about advertising partners
Offer easy opt-out mechanisms

Cookie Details Table

Cookie Name	Type	Purpose	Provider	Duration	Consent Required
session_id	Essential	Session management	Astute Medic	Session	No
csrf_token	Essential	Security (CSRF protection)	Astute Medic	Session	No
auth_token	Essential	Authentication	Astute Medic	30 days	No
_ga	Performance	Google Analytics	Google	2 years	Yes
_gid	Performance	Google Analytics	Google	24 hours	Yes
user_preferences	Functional	Remember settings	Astute Medic	1 year	Yes

Updated Cookie List: Available at [INSERT COOKIE POLICY URL]

Managing Your Cookie Preferences

Cookie Settings Tool

You can manage cookies through our Cookie Settings:

Visit [INSERT COOKIE SETTINGS URL] or click the cookie icon in the footer
Select your preferences for each cookie category
Save your choices
Your preferences are stored and respected on future visits

Browser Settings

You can also control cookies through your browser:

Chrome:

Settings → Privacy and Security → Cookies and other site data
Choose your preferred option
Manage exceptions for specific sites

Safari:

Preferences → Privacy → Manage Website Data
Remove cookies or block all cookies

Firefox:

Options → Privacy & Security → Cookies and Site Data
Clear data or manage permissions

Edge:

Settings → Cookies and site permissions
Manage and delete cookies

Mobile Browsers: Check your browser's help section for instructions

Note: Blocking all cookies may prevent you from using certain features of our Platform.

Third-Party Opt-Out Tools

Google Analytics Opt-Out: Install the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout
Industry Opt-Out Programs:

Network Advertising Initiative: www.networkadvertising.org/choices
Digital Advertising Alliance: www.aboutads.info/choices
European Interactive Digital Advertising Alliance: www.youronlinechoices.eu

Do Not Track (DNT)

Our current position: We do not currently respond to DNT signals because there is no industry-wide standard for compliance.

What is DNT? A browser setting that requests websites not to track your browsing activity.

Why we don't respond yet: There is no agreed interpretation of what DNT means or how websites should respond.

Alternative: Use our Cookie Settings tool (Section 14.5.1) for granular control over tracking.

Mobile App Tracking

Our mobile applications may use:

Device identifiers: For authentication and security
Analytics SDKs: To measure app performance
Push notification tokens: To send notifications you've requested
Crash reporting: To identify and fix bugs

Mobile Opt-Out:

iOS: Settings → Privacy → Tracking → Disable "Allow Apps to Request to Track"
Android: Settings → Google → Ads → Opt out of Ads Personalization
App Permissions: You can manage app permissions in your device settings.

Email Tracking

We use tracking pixels in emails to:

Measure email open rates
Track link clicks
Improve email content and timing
Personalize future communications

Information Collected:

Whether you opened the email
When you opened it
Which links you clicked
Your device and email client

Opt-Out:

All marketing emails: Click "Unsubscribe" in any marketing email
Email tracking only: Configure your email client to block remote images
Transactional emails: Cannot opt-out (necessary for service delivery), but we limit tracking

Social Media Plugins

We may use social media plugins:

Facebook Like/Share buttons
Twitter/X sharing
LinkedIn sharing
WhatsApp sharing

These plugins may:

Set cookies from the social media platform
Track your browsing across sites
Collect your IP address and pages visited

Your control:

Log out of social media platforms when not using them
Use browser extensions to block social media trackers
Adjust privacy settings on social media platforms

We do not have access to data collected by social media platforms through their plugins.

Changes to Cookie Practices

We will notify you of material changes:

Update this section of the Privacy Policy
Display prominent notice on our website
Request renewed consent if required
Provide 30 days' notice before implementing changes

Contact About Cookies

Questions about our cookie practices?

Contact our DPO:

Email: dpo@astutemedic.com
Phone: [INSERT DPO PHONE]

Children's Privacy

Our Commitment to Protecting Minors

We are committed to protecting the privacy of children and recognize that minors (individuals under 18 years of age) require special protection under Nigerian law.

Age of Majority in Nigeria: 18 years

Parental/Guardian Consent Required

We do not knowingly collect personal data from children under 18 without parental or legal guardian consent.

For minors to use our Platform:

A parent or legal guardian must create the account
The parent/guardian must provide consent for data processing
The parent/guardian controls access and privacy settings
Medical treatment requires parental/guardian involvement per Nigerian law

Verification of Parental Authority

We verify parental authority through:

Requiring parent/guardian to create account with their own verified identity
Requesting documentation of guardianship when necessary (e.g., court orders, birth certificates)
Telephone or video verification for sensitive matters
Healthcare provider verification for medical accounts

We may request:

Guardian's identification documents
Proof of relationship to the child
Court-appointed guardianship documents (where applicable)

Information We Collect About Minors

With parental/guardian consent, we collect:

Profile Information:

Child's name and date of birth
Contact information (parent/guardian)
Relationship to parent/guardian
Emergency contacts

Health Information:

Medical history
Vaccination records
Growth and development data
Current health conditions
Medications and allergies
Healthcare provider notes

Note: All health information about minors is classified as Sensitive Personal Data requiring enhanced protection.

How We Use Minor's Information

We use children's data only for:

Providing healthcare services
Maintaining medical records
Communicating with parents/guardians about the child's health
Appointment scheduling and reminders
Billing and insurance (parent/guardian account)
Legal compliance (e.g., vaccination reporting)

We do NOT:

Use minors' data for marketing
Share minors' data with third parties (except healthcare providers and as required by law)
Use minors' data for behavioral advertising
Build profiles of minors for commercial purposes
Allow minors to post public content

Parental Rights

Parents and legal guardians have enhanced rights:

All Standard Data Subject Rights (Section 9.0):

Access their child's data
Correct inaccurate information
Request deletion (subject to medical record retention requirements)
Object to processing
Restrict processing
Data portability

Additional Parental Rights:

Withdraw consent at any time
Refuse consent for optional processing
Control who has access to the child's health records
Receive notifications about the child's account activity
Close the child's account

How to Exercise: Contact our DPO with verification of parental authority

Adolescent Privacy

For adolescents (ages 13-17):

We recognize that adolescents have evolving capacity for privacy and autonomy:

Healthcare Provider Consultations: Depending on maturity and healthcare laws, adolescents may have some privacy in consultations
Sensitive Health Matters: For matters like reproductive health or mental health, Nigerian law may allow adolescents some confidentiality - we follow medical ethics guidelines and applicable law
Parent/Guardian Oversight: Parents/guardians retain ultimate control over account and can access information
Transition to Adult Account: At age 18, the account can be transitioned to the individual's control

We balance:

Parental rights and responsibilities
Adolescent privacy and autonomy
Legal requirements
Medical ethics and best practices

Extended Retention for Minors

Medical records for minors are retained:

7 years after the child reaches age 18, OR
7 years after last treatment
Whichever is longer

This extended retention:

Protects the child's access to their medical history as an adult
Complies with pediatric record retention best practices
Ensures continuity of care into adulthood

Special Protection Measures

Enhanced security for minors' data:

Additional access controls
Mandatory parental notifications for significant account changes
Extra scrutiny of third-party access
Prohibition on marketing use
Age-verification mechanisms
Parental dashboard with full transparency
Automatic privacy-protective defaults

Educational Resources

We provide resources for parents/guardians:

Guide to managing your child's health account
Privacy and safety tips for minors online
Understanding your child's health data rights
How to talk to children about health privacy

Available at: [INSERT RESOURCE URL]

Transition to Adult Account

When a minor turns 18:

We notify the parent/guardian and the individual
The individual can assume control of their account
Parental access is removed (unless the individual authorizes continued access)
The individual must review and consent to the Privacy Policy
Account settings are reviewed and updated
Retention periods adjust to adult schedule

The individual can:

Request full account control immediately upon turning 18
Request deletion of data collected while a minor (subject to legal retention)
Authorize parents/guardians as designated representatives

If We Learn Data Was Collected Improperly

If we discover we collected data from a child without proper parental consent:

We immediately suspend processing of that data
We notify the parent/guardian within 72 hours
We request proper consent
If consent is not provided within 14 days, we delete the data
We investigate how the improper collection occurred
We implement measures to prevent recurrence

Reporting Concerns

If you believe:

A child is using our Platform without proper parental consent
We have improperly collected a child's data
There are safety concerns regarding a minor's account

Please contact us immediately:

Email: children-privacy@astutemedic.com
Phone: [INSERT CHILD SAFETY HOTLINE]
DPO: dpo@astutemedic.com

Data Breach Notification

Our Breach Response Commitment

We take data security seriously and have implemented comprehensive measures to prevent breaches. However, we recognize that no system is completely immune to security incidents.

Our commitment:

Detect breaches quickly through 24/7 monitoring
Respond immediately to contain and remediate
Investigate thoroughly to understand cause and impact
Notify affected individuals and authorities promptly
Prevent recurrence through corrective actions

What Constitutes a Data Breach

A data breach is:

Unauthorized access to personal data
Accidental or unlawful destruction of data
Loss of data
Unauthorized alteration of data
Unauthorized disclosure of data
Any compromise of data confidentiality, integrity, or availability

Examples:

Hacker access to our systems
Ransomware attack
Lost or stolen devices containing data
Unauthorized employee access
Accidental email to wrong recipient
Third-party processor breach
Physical document theft

NDPR Breach Notification Requirements

Under NDPR Article 4.1(8) and Implementation Framework Section 12:

To NITDA (Mandatory):

Timeline: Within 72 hours of becoming aware of the breach
Method: Through NITDA's official breach notification portal or email

To Affected Individuals:

Timeline: Without undue delay when breach poses high risk to rights and freedoms
Method: Direct communication (email, SMS, phone, letter)

Information Reported to NITDA

Our breach notification to NITDA includes:

Description of the breach:

Nature of the breach (unauthorized access, loss, etc.)
Circumstances of the breach
How the breach was discovered

Date and time information:

When the breach occurred (or estimated timeframe)
When we became aware of the breach
Duration of the breach

Personal data involved:

Categories of data affected (contact info, health data, financial data)
Examples of specific data elements compromised
Volume of data affected
Sensitivity classification

Risk assessment:

Potential consequences for data subjects
Likelihood of harm occurring
Severity of potential harm (financial loss, identity theft, privacy violation, discrimination, etc.)
Vulnerability of affected individuals

Number of individuals affected:

Exact number if known
Estimated range if exact number unavailable
Breakdown by category (patients, providers, staff)

Steps taken to reduce risk:

Immediate containment actions
Investigation measures
Evidence preservation
Communication with affected parties
Law enforcement involvement (if applicable)
Remedial measures planned:
Security improvements to prevent recurrence
Timeline for implementation
Additional safeguards being deployed

Contact information:

DPO name and contact details
Incident response team contact
How individuals can contact us with concerns

Information Provided to Affected Individuals

If we determine the breach poses high risk to you, we will inform you directly, including:

Clear description of the breach in plain language:

What happened
When it happened
What data was affected

What data was involved:

Specific types of your data that were compromised
Whether the data was encrypted or protected

Likely consequences:

Potential risks you may face
Examples of how the breach could affect you
Realistic assessment of harm likelihood

Steps we have taken:

How we contained the breach
What we're doing to prevent recurrence
Investigation status

Steps you should take:

Specific recommendations to protect yourself
Whether to change passwords
Whether to monitor accounts
How to detect fraud or identity theft
Free services we're offering (e.g., credit monitoring)

How to contact us:

Dedicated breach response hotline
Email address for questions
DPO contact information
Hours of availability

Your rights:

Right to file complaint with NITDA
Right to seek compensation
How to exercise your rights

Support resources:

Identity theft assistance
Credit monitoring services (if applicable)
Counseling services (for sensitive breaches)

Notification Methods

How we will contact you:

Primary Method:

Email to your registered email address
SMS to your registered phone number
In-app notification when you next log in

Secondary Methods (if primary fails):

Phone call from our breach response team
Written letter to your registered address

Public Notice (only if individual notification is impossible or disproportionately difficult):

Prominent notice on our website
Newspaper advertisement in major Nigerian publications
Social media announcements
Press release to media

We will use at least TWO methods to ensure you receive the notification.

Timeline for Individual Notification

High-risk breaches:

Within 72 hours of confirming the breach poses high risk
Simultaneously with NITDA notification when possible
No later than 96 hours after becoming aware of the breach

Lower-risk breaches:

We are not required to notify individuals
However, we may choose to notify as a courtesy and to maintain trust
Timeline: Within 14 days if we decide to notify

Our Incident Response Process

Phase 1: Detection (Ongoing)

24/7 security monitoring and alerting
Anomaly detection systems
Employee reporting channels
Third-party notifications
User reports

Phase 2: Containment (Immediate - within minutes to hours)

Isolate affected systems
Preserve evidence
Stop ongoing breach
Prevent expansion
Activate incident response team

Phase 3: Assessment (Within 24 hours)

Determine scope and impact
Identify data affected
Count affected individuals
Assess risk level
Classify breach severity

Phase 4: Notification (Within 72 hours)

Report to NITDA
Notify affected individuals (if high risk)
Notify third parties (processors, partners)
Internal stakeholder notification

Phase 5: Investigation (Ongoing - weeks to months)

Forensic analysis
Root cause identification
Documentation of timeline and events
Identification of vulnerabilities
Collaboration with authorities if needed

Phase 6: Remediation (Days to months)

Patch vulnerabilities
Implement corrective actions
Strengthen security controls
Update policies and procedures
Staff training

Phase 7: Post-Incident Review (Within 30 days)

Lessons learned analysis
Effectiveness of response
Improvements needed
Report to management and board
Update breach response plan

Types of Breaches and Likely Notifications

Breach Type	Risk Level	NITDA Notification	Individual Notification
Encrypted health data lost (encryption key secure)	Low	Yes (72 hours)	Likely no
Unencrypted contact information	Medium	Yes (72 hours)	Yes (if high risk determined)
Unencrypted health records	High	Yes (72 hours)	Yes (immediately)
Financial data compromised	High	Yes (72 hours)	Yes (immediately)
Login credentials exposed	Medium-High	Yes (72 hours)	Yes
De-identified research data	Low	Yes (72 hours)	No
Single patient record accessed by unauthorized employee	Medium	Yes (72 hours)	Yes

Third-Party Breaches

If a third-party processor experiences a breach:

They must notify us within 24 hours (per our Data Processing Agreement)
We assess the breach as if it were our own
We notify NITDA within 72 hours of learning of the breach
We notify affected individuals if high risk
We investigate the processor's breach response
We may terminate the processor relationship

Your Role in Breach Prevention and Response

Help us protect your data:

Preventive Measures:

Use strong, unique passwords
Enable multi-factor authentication
Don't share your account credentials
Log out from shared devices
Keep your contact information updated
Be cautious of phishing attempts

If you suspect your account was compromised:

Change your password immediately
Contact us: security@astutemedic.com or [INSERT SECURITY HOTLINE]
Review your account activity for unauthorized access
Enable additional security features
Monitor your account for unusual activity

Report suspicious activity:

Unexpected password reset emails
Login alerts from unfamiliar locations
Unauthorized changes to your account
Unusual data access patterns
Suspicious communications claiming to be from us

Breach Compensation and Support

If a breach occurs due to our negligence:

You may be entitled to:

Compensation for proven damages
Reimbursement of costs incurred (e.g., credit monitoring, identity theft resolution)
Free credit monitoring services
Identity theft resolution assistance
Legal support

How to claim:

Document all damages and costs
Submit claim to: claims@astutemedic.com
Provide supporting evidence
We will review within 30 days
If disputed, you can pursue through NITDA's Administrative Redress Panel or courts

We maintain cyber insurance to cover breach-related liabilities.

Learning from Breaches

Continuous improvement:

Every breach (or near-miss) generates a lessons-learned report
Root cause analysis identifies systemic issues
Security measures are enhanced based on findings
Staff training is updated
Policies and procedures are revised
Technology improvements are implemented

Transparency:

We publish annual security reports (anonymized)
We share learnings with the healthcare community
We participate in information sharing initiatives

Breach Statistics

We maintain records of:

All data breaches (reported and unreported)
Security incidents that didn't result in breaches
Trends and patterns
Response effectiveness metrics

You can request:

General breach statistics (anonymized)
Our breach response track record
Lessons learned from past incidents

Contact: dpo@astutemedic.com

Changes to This Policy

Our Right to Update

We reserve the right to update this Privacy Policy to reflect:

Changes in our data processing practices
New features or services
Changes in applicable laws or regulations
Technological advancements
Feedback from users and regulators
Best practice developments

All changes will comply with NDPR requirements.

Material vs. Non-Material Changes

Material Changes (significantly affect your rights or how we process data):

Changes to purposes of processing
New categories of data collected
Changes to data sharing practices
New international data transfers
Reduced retention periods requiring data deletion
Changes to your rights
New uses of sensitive personal data

Non-Material Changes (clarifications, minor updates):

Formatting and organization improvements
Correction of typos or grammatical errors
Updated contact information
Addition of examples or clarifications
Changes required to maintain legal compliance without affecting practices

How We Notify You of Changes

For Material Changes:

30 Days Advance Notice via:

Email to your registered email address
Prominent banner on our website and Platform
In-app notification when you next log in
SMS for critical changes (if you've opted in)

The notice will include:

Summary of changes
Why we're making the changes
How the changes affect you
Effective date of changes
Link to updated Privacy Policy with changes highlighted
Your options (continue using service, opt-out, request deletion)

Your Choices:

Accept: Continue using our services under the new policy
Opt-Out: Object to specific changes (where possible)
Delete Account: Request account deletion before effective date

For Non-Material Changes:

We update the "Last Updated" date at the top of this policy
Changes take effect immediately upon posting
We may send a courtesy notification email
No action required from you

Consent for Material Changes

When required by NDPR:

If changes require new consent (e.g., new sensitive data processing)
We will seek your explicit, affirmative consent
Services continue under old terms until you consent
You can refuse consent without penalty (may limit access to new features)
We will not process data under new terms without consent

How we obtain consent:

Clear consent request in email notification
Consent dialog when you next log in
Option to review changes before consenting
Cannot use service without consenting (for changes requiring consent)

Version Control

We maintain:

All previous versions of this Privacy Policy
Archive available upon request
Clear version numbering and dating
Change log describing each update

Current Version: 2.0 (NDPR Compliant)

Previous Version: 1.0 (HIPAA-focused)

Version Archive: Available at [INSERT URL]

Right to Object to Changes

You can object to changes by:

Contacting our DPO within 30 days of notification
Explaining your objection
We will assess and respond within 14 days
If we cannot accommodate your objection:
We explain why
We offer alternatives (if available)
You can request account deletion

Automatic Review Schedule

We review this Privacy Policy:

Annually as part of our compliance program
Quarterly for regulatory changes
Upon significant business changes (new services, acquisitions, etc.)
After security incidents or breaches
Following regulatory guidance or enforcement actions

Next Scheduled Review: [INSERT DATE]

Staying Informed

To stay updated on privacy changes:

Subscribe to our privacy newsletter
Follow us on [INSERT SOCIAL MEDIA]
Enable email notifications in account settings
Bookmark our Privacy Center: [INSERT URL]
Visit this page periodically

Feedback on Changes

We welcome your feedback:

Email: privacy-feedback@astutemedic.com
Submit through our website contact form
Participate in user surveys about privacy
Join our privacy advisory panel (if interested)

Your input helps us:

Make policies clearer
Address user concerns
Balance privacy with functionality
Maintain trust and transparency

Contact Us

Data Protection Officer (Primary Contact)

For all privacy and data protection matters:

Name: [INSERT DPO NAME]
Title: Data Protection Officer
Email: dpo@astutemedic.com
Phone: [INSERT DPO DIRECT LINE]
WhatsApp: [INSERT DPO WHATSAPP]
Address:

Data Protection Officer
Astute Medic / Autem Tec
[INSERT NIGERIAN BUSINESS ADDRESS]

Office Hours: Monday - Friday, 9:00 AM - 5:00 PM (WAT)
Emergency Line: [INSERT 24/7 EMERGENCY NUMBER] (for security breaches only)

Response Time: We acknowledge all inquiries within 72 hours and provide substantive response within 14 days.

Other Contacts

General Privacy Inquiries:

Email: privacy@astutemedic.com
Phone: +1 (808) 319-5242
WhatsApp: +1 (808) 319-5242

Security Incidents:

Email: security@astutemedic.com
Emergency Hotline: [INSERT SECURITY HOTLINE - 24/7]

Data Subject Rights Requests:

Email: rights@astutemedic.com
Portal: [INSERT ONLINE RIGHTS REQUEST PORTAL]

Customer Support:

Email: support@astutemedic.com
Phone: [INSERT SUPPORT NUMBER]
Live Chat: Available on website during business hours

Breach Notifications:

Email: breach-response@astutemedic.com
Hotline: [INSERT BREACH HOTLINE - 24/7]

Children's Privacy Concerns:

Email: children-privacy@astutemedic.com
Phone: [INSERT CHILD SAFETY HOTLINE]

Corporate Information

Legal Entity:

Company Name: Autem Tec
Trading As: Astute Medic
CAC Registration Number: [INSERT RC NUMBER]
Registered Address: [INSERT REGISTERED ADDRESS]

Correspondence Address:

Astute Medic
[INSERT CORRESPONDENCE ADDRESS]
[INSERT CITY, STATE]
Nigeria

Website: www.astutemedic.com
Business Email: info@astutemedic.com

How to Submit Requests

Email Requests:

Use the appropriate email address from Section 18.2
Include your full name and registered email/phone
Clearly state your request
Provide necessary verification information
Attach supporting documents if applicable

Written Requests:

Address to the DPO at our registered address
Include all relevant details
Sign the request
Provide copy of identification (for verification)

Phone Requests:

Call during business hours
Have your account information ready
We may ask security questions to verify identity
Follow up with written confirmation will be sent

Online Portal:

Log into your account
Navigate to Privacy Center
Use the appropriate request form
Upload any necessary documents
Track request status online

What to Include in Your Request

To help us process your request quickly, please include:

Your Information:

Full name
Email address used for your account
Phone number
Account username (if applicable)
Date of birth (for verification)

Type of Request:

Clearly state what you're requesting (access, deletion, correction, etc.)
Reference the specific right you're exercising
Specify the data involved

Verification:

We may request additional information to verify your identity
For sensitive requests, we may require photo ID
For minor's data, proof of parental authority

Preferred Response Method:

Email, phone, mail, or online portal
Preferred data format (for access requests)

Urgency:

Standard processing or urgent request
Reason if urgent

Language

We communicate in:

English (primary language)
Pidgin English (available upon request)
Hausa, Yoruba, Igbo (translation available for major communications)

Translation services:

Request translation when submitting inquiry
We will respond in your preferred language (where feasible)
Complex legal matters may require English for accuracy

Accessibility

We are committed to accessible communication:

Large print versions of this policy available upon request
Audio version available
Alternative formats for visually impaired users
Assistance available for those with disabilities

Request accessible formats:

Email: accessibility@astutemedic.com
Phone: [INSERT ACCESSIBILITY SUPPORT LINE]

Complaint Process

If you're not satisfied with our response:

Internal Escalation:

Request escalation to Senior Management
Email: escalations@astutemedic.com
We will review within 7 days

Complaint to NITDA:

See Section 19.0 for NITDA contact information
You can complain to NITDA at any time, even before contacting us

Business Hours and Response Times

Contact Type	Business Hours	Response Time
DPO Email	Mon-Fri 9AM-5PM WAT	72 hours acknowledgment, 14 days full response
Security Hotline	24/7	Immediate for emergencies
Customer Support	Mon-Fri 8AM-6PM WAT	24 hours
Phone Inquiries	Mon-Fri 9AM-5PM WAT	During call or 24 hours callback
Written Mail	Mon-Fri 9AM-5PM WAT	7-14 days
Rights Requests	Mon-Fri 9AM-5PM WAT	30 days (may extend to 90 days)

Public Holidays: We observe Nigerian public holidays. Emergency security issues are handled 24/7 regardless of holidays.

Regulatory Authority

NITDA as Supervisory Authority

The National Information Technology Development Agency (NITDA) is the regulatory authority responsible for data protection in Nigeria under the NDPR.

NITDA's Role:

Enforce compliance with the NDPR
Investigate data protection complaints
Conduct audits and inspections
Issue compliance orders
Impose administrative sanctions
Provide guidance and regulations
Approve cross-border data transfers
Maintain registry of Data Protection Compliance Organizations (DPCOs)

Your Right to Lodge a Complaint with NITDA

Under Article 3.1(g) of the NDPR, you have the right to file a complaint with NITDA if you believe:

We have violated your data protection rights
We are processing your data unlawfully
We have not adequately responded to your requests
We have failed to protect your data
We have breached NDPR requirements

You can complain to NITDA even if:

You have not contacted us first (though we encourage direct contact)
We have responded to you (if you're unsatisfied with our response)
The matter is ongoing

Filing a complaint with NITDA is free.

How to Contact NITDA

National Information Technology Development Agency (NITDA)

Main Office:

National Information Technology Development Agency
No. 28 Port Harcourt Crescent
Off Gimbiya Street, Area 11
Garki, Abuja
Federal Capital Territory
Nigeria

Contact Information:

Website: www.nitda.gov.ng
Email: info@nitda.gov.ng
Data Protection Email: [INSERT SPECIFIC DPO EMAIL IF AVAILABLE]
Phone: [INSERT NITDA PHONE NUMBER]
Complaint Portal: [INSERT NITDA COMPLAINT PORTAL URL IF AVAILABLE]
Office Hours: Monday - Friday, 8:00 AM - 4:00 PM (WAT)

How to File a Complaint with NITDA

Steps to file a complaint:

Prepare Your Complaint:

Write down the facts (what happened, when, who was involved)
Gather supporting evidence (emails, screenshots, documents)
Identify which NDPR provisions were violated
Explain how you were harmed
State what resolution you seek

Submit Your Complaint:

Online: Through NITDA's complaint portal (if available)
Email: Send to info@nitda.gov.ng
Mail: Send to NITDA's registered address
In Person: Visit NITDA's office in Abuja

Include in Your Complaint:

Your full name and contact information
Name of organization (Astute Medic / Autem Tec)
Detailed description of the issue
Dates and timeline of events
Supporting documentation
Previous attempts to resolve (if any)
Desired outcome

NITDA's Investigation:

NITDA will acknowledge your complaint
They may request additional information
NITDA may investigate us
NITDA may request our response
You may be asked to participate in the investigation

Possible Outcomes:

NITDA may issue compliance orders
NITDA may impose administrative sanctions
NITDA may refer to Administrative Redress Panel
NITDA may facilitate mediation
NITDA may dismiss complaint if unfounded

Administrative Redress Panel

NITDA has established an Administrative Redress Panel (ARP) to resolve data protection disputes.

ARP Composition:

Accomplished IT professionals
Public administrators
Legal practitioners

How ARP Works:

NITDA may refer your complaint to the ARP
ARP conducts hearings (primarily in writing)
ARP issues decisions and remedies
ARP can award compensation for violations
ARP decisions can be appealed to Nigerian courts

Our Commitment to Regulatory Cooperation

We commit to:

Fully cooperate with NITDA investigations
Provide requested information promptly
Implement NITDA's compliance orders
Respect NITDA's authority
Participate in good faith in resolution processes
Learn from regulatory feedback

We maintain:

Open communication channel with NITDA
Annual audit reports submitted to NITDA
Registration with NITDA (if required based on data volume)
Compliance with all NITDA guidelines and regulations

Other Relevant Authorities

Depending on the nature of your concern, you may also contact:

For Healthcare-Specific Complaints:

Federal Ministry of Health
State Ministries of Health
Medical and Dental Council of Nigeria (MDCN)
Nigerian Medical Association (NMA)

For Consumer Protection:

Federal Competition and Consumer Protection Commission (FCCPC)
Website: www.fccpc.gov.ng

For Financial Transactions:

Central Bank of Nigeria (CBN) (for payment issues)
Securities and Exchange Commission (SEC) (for investment-related data)

For Criminal Matters:

Nigerian Police Force (NPF)
Economic and Financial Crimes Commission (EFCC)
Nigerian Cybercrime Advisory Council

For Legal Action:

Nigerian Courts (you can file civil lawsuits for data protection violations)
Legal Aid Council (for legal assistance)

International Cooperation

For cross-border data protection issues:

If you're in the EU and have concerns: You can also contact your national Data Protection Authority. EU DPAs can cooperate with NITDA on cross-border cases.
African Regional Cooperation: NITDA participates in African data protection networks, regional cooperation on cross-border data flows, shared best practices and enforcement.

Quick Navigation

Need Help?

Introduction

Our Commitment to Compliance

Transparency Commitment

Who We Are

Data Controller Information

Data Controller Status

Data Protection Officer (DPO)

Scope and Application

Who This Policy Applies To

Geographic Scope

Does This Policy Apply to You?

Legal Framework

Governing Laws and Regulations

Regulatory Authority

Types of Information We Collect

Personal Information

Protected Health Information (PHI) - Sensitive Personal Data

Usage and Technical Information

Cookies and Tracking Technologies

Information from Third Parties

Information You Provide Voluntarily

Legal Basis for Processing

Consent (Article 2.2(a) NDPR)

Performance of Contract (Article 2.2(b) NDPR)

Legal Obligation (Article 2.2(c) NDPR)

Vital Interests (Article 2.2(d) NDPR)

Public Interest (Article 2.2(e) NDPR)

Legitimate Interests

Processing of Sensitive Personal Data

How We Use Your Information

Primary Purposes

Secondary Purposes (Requiring Separate Consent)

Automated Decision-Making

Consent

How We Obtain Consent

What You're Consenting To

Separate Consent for Different Purposes

Enhanced Consent for Sensitive Health Data

Consent from Parents/Guardians

Consent Records

Withdrawing Consent

Your Rights as a Data Subject

Right to Be Informed (Article 3.1(7) NDPR)

Right to Access (Article 3.1(a) NDPR)

Right to Rectification (Article 3.1(b) NDPR)

Right to Erasure ("Right to Be Forgotten") (Article 3.1(c) NDPR)

Right to Data Portability (Article 3.1(d) NDPR)

Right to Object (Article 3.1(e) NDPR)

Right to Restrict Processing (Article 3.1(f) NDPR)

Right to Be Notified

Right to Lodge a Complaint (Article 3.1(g) NDPR)

Right to Compensation

How We Respond to Rights Requests

Data Security

Our Security Commitment

Technical Security Measures

Administrative Security Measures

Security Monitoring and Incident Response

Regular Security Assessments

Your Security Responsibilities

Security Limitations

Data Retention

Retention Principles

Retention Periods by Data Category

Medical Record Retention Details

Account Closure and Deletion

Legal Hold

Data Deletion Methods

Retention Schedule Review

Access to Retained Data

Backup Retention

Sharing Your Information

General Principle

Healthcare Providers

Healthcare Facilities

Third-Party Service Providers (Data Processors)

Current Third-Party Processors

Processor Obligations