Privacy Policy
Last Updated: June 4, 2026
1. Introduction
VitaLink provides a comprehensive healthcare technology platform designed to connect patients, healthcare providers, and public health systems across Africa. Our services include:
- Electronic Medical Records (EMR)
- Health Identity Services
- VitaCard NFC Identity
- Patient Mobile Applications
- Telemedicine Services
- Insurance Integration
- VitaMind AI (Clinical Intelligence)
- VitaLink Sentinel (Disease Surveillance)
- Healthcare Analytics
This Privacy Policy explains how we collect, use, protect, and share your personal and health information in accordance with applicable data protection laws, including the Nigeria Data Protection Act (NDPA), Nigeria Data Protection Regulation (NDPR), and GDPR principles where applicable.
2. Information We Collect
Patient Information
- Full Name
- Date of Birth
- Gender
- Contact Information (phone, email, address)
- Next of Kin details
Medical Information
- Medical diagnoses and conditions
- Current and past medications
- Laboratory test results
- Clinical notes and observations
- Allergies and adverse reactions
- Immunization records
- Vital signs and health metrics
Technical Information
- Device information and type
- Browser information
- IP address
- Login history and timestamps
- Audit logs of system access
- Location data (with consent)
3. How We Use Information
We use your information for the following purposes:
- Patient Care: To enable healthcare providers to access your medical records for diagnosis and treatment
- Healthcare Operations: To manage appointments, referrals, and care coordination
- Appointment Management: To schedule and remind you of medical appointments
- Clinical Decision Support: To provide healthcare professionals with relevant clinical information
- Disease Surveillance: To monitor and track disease patterns for public health purposes (anonymized where required)
- Insurance Administration: To process insurance claims and verify coverage
- Security Monitoring: To detect and prevent unauthorized access or fraudulent activity
- Regulatory Reporting: To comply with legal and regulatory requirements
- Service Improvement: To analyze usage patterns and improve our services
4. Legal Basis for Processing
Our processing of personal data is based on the following legal grounds under the Nigeria Data Protection Act (NDPA) and Nigeria Data Protection Regulation (NDPR):
- Consent: When you explicitly consent to the processing of your data for specific purposes
- Contract: When processing is necessary for the performance of our services under a contract
- Legal Obligation: When required by law for healthcare reporting, public health, or regulatory compliance
- Vital Interests: When necessary to protect your life or in emergency medical situations
- Public Task: When processing is necessary for public health surveillance and disease control
- Legitimate Interests: For fraud prevention, security, and service improvement, where these interests are not overridden by your own interests
For international users, we also comply with GDPR principles where applicable, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, and accountability.
5. Data Sharing
VitaLink never sells personal health information. We only share your data in the following circumstances:
- Authorized Healthcare Providers: Doctors, nurses, and other medical professionals involved in your care
- Patient-Approved Parties: Individuals or organizations you have explicitly authorized to access your information
- Insurance Providers: To process claims and verify coverage when you have authorized insurance integration
- Government Authorities: When required by law, court order, or regulatory investigation
- Public Health Agencies: For disease surveillance and public health monitoring (anonymized or aggregated where possible)
- Emergency Access: When emergency medical personnel need access to critical health information
- Service Providers: With trusted third-party service providers who assist in operating our platform, under strict confidentiality agreements
6. VitaCard Privacy
The VitaCard NFC card is designed for secure, offline identity verification and emergency access. Important privacy features:
- VitaCard NFC cards do not contain complete medical records
- Cards only store secure identifiers that link to encrypted records on VitaLink servers
- Emergency access information is stored on the card only if you have explicitly enabled this feature
- Full medical records remain encrypted on VitaLink servers and are not stored on the physical card
- Card readers require proper authentication to access any information
- Lost or stolen cards can be immediately deactivated through your account or by contacting support
7. Emergency Access
VitaLink provides emergency access functionality to allow medical personnel to obtain critical health information in life-threatening situations when you cannot provide consent.
Emergency Access Workflow
- Emergency personnel can access limited critical information (blood type, allergies, major conditions) using your VitaCard or through emergency access protocols
- All emergency access events are logged with timestamp, location, and requesting personnel
- Patients can review their complete emergency access history at any time
- You may choose to enable or disable emergency access features in your account settings
- You can specify what information is visible during emergency access
Emergency access is strictly limited to situations where immediate medical attention is required and you are unable to provide consent.
8. AI Services (VitaMind)
VitaMind AI provides clinical decision support to assist healthcare professionals. Important considerations:
- AI assists healthcare professionals – it does not replace licensed medical practitioners
- AI recommendations are informational and must be reviewed by qualified healthcare personnel
- Clinical decisions remain the responsibility of healthcare professionals
- VitaLink is not liable for clinical decisions made solely based on AI outputs without professional review
- AI processing may involve analyzing anonymized data to improve accuracy and performance
- AI interactions are logged for audit and quality improvement purposes
9. Disease Surveillance (VitaLink Sentinel)
VitaLink Sentinel is our disease surveillance and public health monitoring system. Privacy protections include:
- Sentinel uses anonymized and aggregated data for disease tracking and public health monitoring
- Sentinel is used for outbreak detection, trend analysis, and early warning systems
- No personally identifiable information is disclosed without explicit authorization or legal requirement
- Data shared with public health agencies follows strict de-identification protocols
- Surveillance data is used solely for public health purposes and research
10. Security Measures
VitaLink implements industry-standard security measures to protect your health information:
- Encryption at Rest: All data is encrypted using AES-256 encryption when stored
- Encryption in Transit: All data transfers use TLS 1.3 encryption
- Multi-Factor Authentication (MFA): Required for all healthcare provider accounts
- Role-Based Access Control (RBAC): Strict access controls based on user roles and permissions
- Comprehensive Audit Logs: All access, modifications, and downloads are logged
- Secure Backups: Regular encrypted backups with disaster recovery capabilities
- Continuous Monitoring: 24/7 security monitoring and intrusion detection
- Penetration Testing: Regular security assessments by independent third parties
- Employee Training: All staff undergo security and privacy training
11. User Rights
Under the NDPA, NDPR, and applicable data protection laws, you have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Correction: Request correction of inaccurate or incomplete data
- Right to Deletion: Request deletion of your data where legally permissible
- Right to Portability: Request transfer of your data to another service
- Right to Withdraw Consent: Withdraw consent where processing is based on consent
- Right to Restrict Processing: Request restriction of processing in certain circumstances
- Right to Object: Object to processing based on legitimate interests
- Right to Lodge a Complaint: File a complaint with the Nigeria Data Protection Commission or relevant authority
To exercise these rights, contact us at privacy@vitalink.health. Some rights may be limited by legal requirements, particularly for medical records that must be retained for healthcare purposes.
12. Data Retention
We retain your data in accordance with legal and healthcare requirements:
- Medical Records: Retained according to healthcare regulatory requirements (typically a minimum of 10-20 years, or longer for certain conditions)
- Account Data: Retained while your account is active and for a reasonable period after closure
- Audit Logs: Retained for security and compliance purposes (typically 7 years)
- Marketing Data: Retained only while you have not opted out of marketing communications
Data is securely deleted or anonymized when retention periods expire, unless longer retention is required by law.
13. Children's Privacy
VitaLink services may be used by minors with parental or guardian consent. For children under 18:
- We require parental or guardian consent for creating accounts and processing personal data
- Parents and guardians have the right to access, review, and request deletion of their child's data
- We limit data collection from children to what is necessary for healthcare services
- We do not knowingly market to children or collect data for commercial purposes from minors
14. International Transfers
VitaLink primarily stores and processes data within Nigeria. However, we may transfer data internationally in the following circumstances:
- When you access services while traveling abroad
- When using cloud services with international data centers (with appropriate safeguards)
- When required for emergency medical care outside Nigeria
- When sharing with international health organizations for public health purposes (anonymized where required)
All international transfers comply with NDPA requirements and include appropriate safeguards such as Standard Contractual Clauses or adequacy decisions where applicable.
15. Breach Notification
In the event of a data security breach that poses a risk to your rights and freedoms:
- We will notify you within 72 hours of becoming aware of the breach, as required by the NDPA
- Notification will include the nature of the breach, categories of data affected, and recommended actions
- We will also notify the Nigeria Data Protection Commission as required by law
- We will take immediate steps to contain the breach and mitigate any harm
16. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or your personal data:
Email: privacy@vitalink.africa
Address: Lagos, Nigeria
We will respond to your inquiry within 30 days as required by the NDPA.
By continuing to use VitaLink, you acknowledge and accept this Privacy Policy.