
Privacy Policy

Last updated: 29 April 2026  ·  Effective: 29 April 2026

Plain English summary: We collect only the health and personal data you give us or that your devices send us. We use it to power your health monitoring and connect you with doctors. We never sell your data. Ever. You can request deletion at any time.

Contents

  1. Who we are
  2. Data we collect
  3. How we use your data
  4. Legal basis for processing
  5. Who we share data with
  6. Data security
  7. Data retention
  8. Your rights
  9. Cookies
  10. Children
  11. Changes to this policy
  12. Contact us

1. Who we are

Medlitics Limited ("Medlitics", "we", "us", or "our") operates the Medlitics platform, accessible at medlitics.com and related subdomains, including app.medlitics.com and doctor.medlitics.com. We are a health technology company incorporated and operating in Nigeria.

For the purposes of the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023, Medlitics is the Data Controller for the personal data you provide through our platform.

Our Data Protection Officer can be contacted at: [email protected]

2. Data we collect

2.1 Data you provide directly

  • Account information: name, email address, phone number, date of birth, gender, city/state
  • Health profile: medical conditions, current medications, allergies, family history, health goals
  • Health records you log manually: blood pressure readings, blood glucose, weight, temperature, symptoms
  • Communications: messages sent to your assigned doctor or our support team
  • Payment information: if you subscribe to a paid plan (processed by our payment partners — we do not store card details)
  • For doctors: medical licence number, specialisation, hospital affiliation, professional biography
  • For organisations: company name, registration number, authorised contact details

2.2 Data collected automatically from devices

  • Health metrics synced from Samsung Health, Google Fit, Fitbit, Apple Health, or other connected wearables (only with your explicit authorisation)
  • Device type, operating system, app version, and unique device identifiers
  • Usage logs: features accessed, session duration, error logs (no health content)
  • IP address and approximate location (city level) for security and fraud prevention

2.3 Data we do NOT collect

  • We do not collect health data from your devices without your explicit, revocable consent
  • We do not track your location in real time or in the background
  • We do not read your messages outside the Medlitics platform
  • We do not collect data from your contacts or social media accounts

3. How we use your data

  • To provide the Medlitics platform — health tracking dashboards, doctor assignment, and alert systems
  • To generate health trend analyses and surface them to you and your assigned doctor
  • To send alerts when your health readings cross defined thresholds
  • To facilitate secure communication between you and your doctor
  • To process subscription payments and maintain your account
  • To verify doctor credentials and maintain the quality of our clinical network
  • To improve platform performance and fix bugs (using anonymised, aggregated usage data only)
  • To send transactional emails (appointment reminders, alert confirmations, account updates)
  • To comply with legal and regulatory obligations

We do not use your personal health data to serve you advertisements. We do not sell, rent, or trade your data to any third party for commercial purposes.

4. Legal basis for processing

Under the NDPA 2023, we process your data under the following bases:

  • Explicit consent — for processing special category health data, device sync authorisations, and optional marketing communications
  • Contract performance — to deliver the service you have signed up for
  • Legitimate interests — for platform security, fraud prevention, and service improvement
  • Legal obligation — where required by Nigerian law or regulatory bodies

You may withdraw consent for health data processing at any time by deleting your account or contacting [email protected]. Withdrawal does not affect the lawfulness of processing before withdrawal.

5. Who we share data with

5.1 Your assigned doctor

Your health records are visible only to the doctor(s) explicitly assigned to your account. No other clinician can access your data without your consent.

5.2 Service providers (data processors)

We share limited data with trusted third-party processors who act only on our instructions and under strict data processing agreements:

  • Cloud infrastructure: encrypted hosting and database services
  • Payment processing: 1app (payment data only; no health data shared)
  • Email delivery: transactional email service providers
  • SMS alerts: telecommunications gateway providers
  • Analytics: anonymised, aggregated usage data only — no personally identifiable or health data

5.3 Insurance partners

If you explicitly opt in to an insurance product via Medlitics, we share only the data required to process your policy — with your documented consent and under a formal data sharing agreement with the insurer.

5.4 Legal requirements

We may disclose data if required by a court order, regulatory authority, or Nigerian law. We will notify you of any such request unless legally prohibited from doing so.

5.5 We never sell your data

Medlitics does not and will never sell personal health data to advertisers, data brokers, or any third party for commercial gain.

6. Data security

  • All health data is encrypted at rest using AES-256 encryption
  • All data in transit is protected using TLS 1.2 or higher (HTTPS everywhere)
  • Access to production systems is restricted by role-based access control and multi-factor authentication
  • We conduct regular security audits and penetration testing
  • In the event of a data breach, we will notify affected users and the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware, as required by law

No system is completely immune to breaches. If you suspect unauthorised access to your account, contact us immediately at [email protected].

7. Data retention

  • Active accounts: data retained for the lifetime of your account plus 12 months after closure
  • Health records: retained for 5 years after your last activity, or longer where required by Nigerian medical record regulations
  • Doctor verification records: retained for 7 years after the end of the doctor's engagement with Medlitics
  • Financial records: retained for 7 years as required by Nigerian tax law
  • You may request earlier deletion of your personal data (see Section 8)

8. Your rights

Under the NDPA 2023, you have the following rights regarding your personal data:

  • Right of access — request a copy of all personal data we hold about you
  • Right to rectification — correct inaccurate or incomplete data
  • Right to erasure — request deletion of your data (subject to legal retention obligations)
  • Right to data portability — receive your health data in a machine-readable format (JSON or CSV)
  • Right to restrict processing — limit how we use your data in certain circumstances
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — at any time for consent-based processing

To exercise any of these rights, email [email protected] with the subject line "Data Rights Request". We will respond within 30 days. You may also lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

9. Cookies

Our website uses strictly necessary cookies for session management and security. We do not use advertising or tracking cookies. For full details, see our Cookie Policy.

10. Children

Medlitics is not intended for use by persons under the age of 18 without parental or guardian consent. If you believe a child has registered on our platform without appropriate consent, please contact [email protected] and we will delete the account promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above and, for material changes, notify you by email at least 14 days before the change takes effect. Continued use of the platform after that date constitutes acceptance of the updated policy.

12. Contact us

For any privacy-related questions, requests, or concerns:

  • Email: [email protected]
  • General enquiries: [email protected]
  • Website: medlitics.com

This Privacy Policy is governed by the laws of the Federal Republic of Nigeria, including the Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Regulation (NDPR) 2019.


© 2026 Medlitics Limited. All rights reserved.
