
NDPR & NDPA Compliance

Last updated: 29 April 2026  ·  Our commitment to Nigerian data protection law

Medlitics handles personal health data — one of the most sensitive categories of information. We take our legal obligations under Nigerian data protection law seriously and have built compliance into the foundation of our platform, not as an afterthought.

This page explains how we comply with the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023, and what this means for you as a user.

Our compliance commitments at a glance

  • Lawful basis for processing (✓ Compliant): We process personal data only under explicit consent, contract performance, or legitimate interests — documented and auditable.
  • Data minimisation (✓ Compliant): We collect only the data strictly necessary to deliver the Service. We do not harvest data speculatively.
  • AES-256 encryption (✓ Compliant): All health data is encrypted at rest and in transit. No health data is ever stored in plaintext.
  • Data subject rights (✓ Compliant): Users can access, correct, export, or delete their data at any time. We respond to requests within 30 days.
  • 72-hour breach notification (✓ Compliant): In the event of a breach, we notify the NDPC and affected users within 72 hours as required by law.
  • Data Processing Agreements (✓ Compliant): All third-party processors operate under formal DPAs. We are accountable for their handling of your data.

What NDPR/NDPA means for health data

Health data is classified as a "special category" of personal data under Nigerian law, requiring a higher standard of protection. Specifically, we may only process your health data if:

  • You have given explicit, informed, and freely given consent (which you can withdraw at any time)
  • Processing is necessary for the provision of healthcare services (i.e., connecting you with your doctor)
  • Processing is required for reasons of substantial public interest, under appropriate safeguards

At no stage do we process your health data for advertising, profiling for non-health purposes, or sale to third parties. These uses are prohibited by law and by our own internal policy.

Data Protection Officer

Medlitics has appointed a Data Protection Officer (DPO) responsible for overseeing our compliance programme. Our DPO can be contacted at:

  • Email: privacy@medlitics.com
  • Subject line: "DPO Enquiry"

Cross-border data transfers

We store all primary health data within Nigeria or in jurisdictions with equivalent data protection standards. Where data is processed outside Nigeria (for example, by a cloud infrastructure provider), we ensure:

  • A formal Data Transfer Agreement is in place
  • The receiving country or entity offers equivalent protections under the NDPA 2023
  • No health data is transferred to countries without adequate data protection frameworks

Your rights under Nigerian law

The NDPA 2023 gives you the following rights, all exercisable at no cost:

  • Right to be informed — we tell you clearly what data we collect and why
  • Right of access — request a full copy of your data within 30 days
  • Right to rectification — correct errors in your personal data
  • Right to erasure — request deletion, subject to legal retention periods
  • Right to data portability — export your health data in JSON or CSV format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — at any time, for consent-based processing

To exercise any right, email privacy@medlitics.com with "Data Rights Request" in the subject line.

Complaints

If you are unsatisfied with our handling of your data, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC):

  • Website: ndpc.gov.ng
  • Email: info@ndpc.gov.ng

We encourage you to contact us first at privacy@medlitics.com — most concerns can be resolved quickly and directly.

This compliance statement reflects our obligations under the Nigeria Data Protection Regulation (NDPR) 2019, the Nigeria Data Protection Act (NDPA) 2023, and related NDPC guidelines. We review and update our compliance posture at least annually.


© 2026 Medlitics Limited. All rights reserved.

info@medlitics.com