This Privacy Notice explains how MedVirtualConnect Limited (“we”, “us”, “our”) collects, uses, shares, and safeguards your personal data, including any data you provide when using our services, submitting consultations for review, or interacting with our platform, website and services. It also informs you of your privacy rights and how the law protects you.
In compliance with the Nigeria Data Protection Act 2023 and other relevant laws in Nigeria, it is our responsibility to bring this notice to your attention.
MedVirtualConnect Limited (RC: 9141694) is the data controller of your personal data. To demonstrate the importance we place on ensuring the protection of your personal data, we are registered as a Data Controller of Major Importance with the Nigeria Data Protection Commission under registration number NDPC/DCP/10980.
If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact our Data Protection Officer at dpo@medvirtualconnect.ng or contact us at info@medvirtualconnect.ng or +234 911 233 0033.
You also have the right to lodge a complaint with the Nigeria Data Protection Commission (info@ndpc.gov.ng, tel: +234 916 061 5551). However, we would sincerely appreciate the opportunity to address your concerns directly before you approach the Commission.
We keep our Privacy Notice under regular review. We will notify you of any changes via email, SMS, or when you next access our mobile application or website. For material changes, the new policy may be displayed on-screen, and you may be required to read and accept the changes to continue use of the platform.
We will ensure that users accessing our services via 2G networks or non-internet-enabled devices are appropriately informed of any updates. In such cases, notifications will primarily be delivered via SMS, containing a clear summary of any material changes and instructions on how to obtain further information.
It is important that the personal data we hold about you is accurate and up to date. Please keep us informed of any changes to your personal data during your relationship with us.
The mobile application and website may include links to third-party websites, plug-ins and applications, including pharmacy websites, hospital and referral facility websites, educational health content, and regulatory body websites. Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our platform, we encourage you to read the Privacy Notice of every website you visit.
We may collect, use, store and transfer different kinds of personal data about you, which we have grouped as follows:
We may also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data is not considered personal data in law, as it does not directly or indirectly reveal your identity. However, if we combine aggregated data with your personal data so that it can identify you, we treat the combined data as personal data.
We process health data, which is classified as sensitive personal data under the Nigeria Data Protection Act 2023. In the future, we may also process biometric data, including fingerprint and facial or retinal data, to enable biometric authentication options and enhance the security of your account. We will notify you in advance before commencing any such processing and will obtain your explicit consent.
We do not collect any other sensitive personal data about you, such as your race, religious or philosophical views, political opinions, trade union membership, or genetic data, nor do we collect information about criminal convictions and offences.
Where we are required to collect personal data by law or under the terms of a contract with you, and you fail to provide such data when requested, we may be unable to perform the contract. In such circumstances, we may need to cancel the relevant service, and we will notify you accordingly.
You may give us your identity data, contact data, health data, and credential data, among others, by filling in forms or by corresponding with us. This includes personal data when you:
As you interact with our platform, we may automatically collect anonymised device information (model, OS version, app version), usage analytics (screens viewed, features used, session duration), and crash reports and performance monitoring (IP address and approximate location).
Real-time consultation sessions collect data such as session authentication status, message delivery status, and connection state for quality assurance. We also make limited use of cookies and similar technologies, as described in Section 6. Certain data may be processed automatically through the use of artificial intelligence; further details are provided in Section 7.
We may receive information about you from publicly available sources, data brokers or aggregators.
We may use the personal information we collect from you for several purposes, including:
We will not process your data without your permission for purposes beyond those disclosed to you. If we intend to process your personal data for an unrelated purpose, we will notify you and explain the legal basis. You retain the right to opt out. However, restricting the use of your data may limit your access to certain features or services.
We will use your personal data as permitted by law, most commonly in the following circumstances:
| Processing Activity | Legal Basis |
|---|---|
| Account registration and management | Contract performance / Consent |
| Tailoring and enhancing user experience | Contract performance / Consent |
| Improving our service offering | Contract performance / Legitimate interest |
| Service delivery, including consultations | Contract performance and consent |
| Health data processing | Consent |
| Emergency location processing (Cell-ID) | Consent + Vital interests |
| Payment processing | Contract performance |
| Provider credential verification | Legitimate interest / Legal obligation (MDCN, PCN, NMCN Acts) |
| Periodic communications | Legitimate interest |
| Marketing communications | Legitimate interest (soft opt-in) or consent |
| Promotions and surveys | Legitimate interest |
| Analytics and platform improvement | Legitimate interest |
| Legal/regulatory compliance | Legal obligation |
| Aggregated or anonymised analytics | Legitimate interest |
| Fraud prevention and security | Legitimate interest |
We may use your personal data to understand your preferences and determine which products, services, or offers may be relevant to you. We may send marketing communications based on our existing business relationship with you and our legitimate interests, provided that such communications relate to similar products or services. Where they do not, or where required by applicable law, we will obtain your express opt-in consent.
Marketing communications may be sent via SMS, email, or push notifications.
We do not engage in third-party marketing. Should this position change, we will obtain your express opt-in consent before sharing your personal data with any third party for marketing purposes.
You may ask us to stop sending you marketing messages at any time by following the opt-out link in any marketing communication, or by contacting dpo@medvirtualconnect.ng or info@medvirtualconnect.ng or +234 911 233 0033. Opting out will not affect personal data provided in connection with service transactions.
We provide you with granular control over how and when you receive communications. You can independently select or disable each communication channel (SMS, push notifications, email) and each type of notification (appointment reminders, prescription alerts, service updates, marketing).
You can update your preferences through the notification settings within the application, unsubscribe links in our communications, or by contacting us at info@medvirtualconnect.ng.
Certain service-related communications (appointment reminders, prescription alerts, security notifications) are necessary for service delivery and are not considered marketing. However, where technically possible, you may still control the channel through which they are delivered.
Our mobile application does not use browser cookies, but relies on secure local storage for session management and user preferences. On our web-based platforms, including the Progressive Web App and Provider Console, only essential cookies are used to maintain authenticated sessions, enable secure login, and remember basic user settings. We do not use cookies for advertising, behavioural tracking, or marketing purposes.
We use artificial intelligence (AI) to help deliver our services in the following ways: symptom triage and clinical decision support, translation of consultation communications, and the generation of clinical documentation such as consultation summaries and patient instructions.
To protect your privacy, patient identifiers such as your name, phone number, address, and identity documents are not transmitted to the AI API provided by Anthropic (our AI service provider), and the data sent cannot be used to re-identify you. We also ensure that API logs containing prompts and responses are retained by Anthropic for no longer than seven days.
We operate an internal governance mechanism called the Knowledge Evolution Engine (KEE). This is not a machine-learning system used to train AI models. It operates entirely within our own infrastructure and uses only de-identified case summaries. Any changes made through the KEE to our authorised rules, structured symptom categories, or clinical knowledge prompts are subject to human review by our clinical review panel before adoption. Our commercial terms with Anthropic prohibit machine learning on API data during the period in which it is stored.
As a user, you may exercise your rights in relation to the use of AI tools in your care, including: the right to access AI-generated outputs relating to your consultation history; the right to rectification of any factual inaccuracies in your consultation records; the right to object to the use of AI tools in your care (in which case your consultation may continue without AI assistance, at the discretion of the healthcare provider and where clinically appropriate); and the right to data portability of your consultation history, including relevant AI-related records.
Certain disclosures may be required by law, vital interest, or public interest:
All mandatory disclosures are fully documented, with the specific legal basis clearly identified, and limited to the minimum information necessary. Individuals will be notified either before or after such disclosures occur, unless notification is expressly prohibited by law.
We may share personal data with the following categories of third parties:
We may share your personal data with certain third parties in Nigeria. We enter into appropriate data processing agreements and carry out vendor security assessments before engagement and periodically thereafter. Where disclosure is required by law, such sharing may occur without a data processing agreement.
Some third parties are based outside Nigeria. When we transfer your personal data outside Nigeria, we ensure it is afforded a similar degree of protection by implementing Standard Contractual Clauses (SCCs) and appropriate data processing agreements. Where required, we conduct Data Transfer Impact Assessments (DTIAs). All personal data transferred outside Nigeria is encrypted in transit and at rest.
| Processor | Country | Services | Certifications |
|---|---|---|---|
| Africa’s Talking (AWS EU) | European Union (Ireland) | USSD, SMS, Voice/IVR | ISO 27001, SOC 2 Type II |
| Vultr | United Kingdom | Cloud infrastructure | — |
| Google/Firebase | United States | Analytics, crash reporting | ISO 27001, SOC 2 |
| Anthropic | United States | AI/LLM (CDS + Translation) | SOC 2 Type II |
| Cloudflare | United States | DNS, CDN, SSL | ISO 27001, SOC 2 |
| Railway | United States | Backup cloud deployment | SOC 2 |
Please contact us at dpo@medvirtualconnect.ng for more information on the specific transfer mechanisms used.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
Access to patient data is strictly restricted to complaint resolution, dispute investigation, and situations where it is legally required. All access is subject to full audit logging and role-based access controls. No administrator is permitted to modify or delete medical records.
We limit access to your personal data to those employees, agents, and third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
Where a breach is likely to result in a high risk to your fundamental rights and freedoms, we will notify you without undue delay. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission within 72 hours.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from its unauthorised use or disclosure, the purposes for which it is processed, and the applicable legal requirements.
| Data Type | Retention Period |
|---|---|
| Medical records / consultation records | 10 years (regulatory compliance) |
| Prescriptions | 10 years |
| AI-generated clinical documents | 10 years (as part of medical records) |
| Financial transactions | 7 years (tax/audit requirements) |
| Account data (non-medical) | Duration of account + 2 years |
| Technical/analytics data | 2 years |
| Marketing consent records | Duration of consent + 3 years |
| Audit logs (PHI access) | 10 years (regulatory compliance) |
| Other personal data | Anonymised or securely deleted within 30 days of deactivation |
Users will be informed of retention periods at the point of account deactivation and offered the option to download their data before deletion.
Under the Nigeria Data Protection Act 2023, you have the following rights:
To exercise any of these rights, please contact our Data Protection Officer at dpo@medvirtualconnect.ng or contact us at info@medvirtualconnect.ng or +234 911 233 0033. You do not have to pay to access your personal data. However, we may charge a reasonable fee if your request is unfounded, repetitive, or excessive. For regulatory complaints, contact the Nigeria Data Protection Commission at info@ndpc.gov.ng, tel: +234 916 061 5551.
We may need to request specific information from you to confirm your identity. We will typically respond within 30 days. For high-priority requests involving a medical emergency, we may respond within 7 days. Complex or multiple requests may take longer, and we will notify you of the progress.
Your data protection rights are not absolute and may be subject to certain lawful limitations. For example, we may not comply with a request for erasure where processing is necessary to meet a legal obligation, safeguard freedom of expression, or for the establishment, exercise, or defence of legal claims. Your right to object may be overridden where we demonstrate compelling legitimate grounds. Your right not to be subject to automated decision-making may not apply where such processing is authorised by law, necessary for a contract, or based on your consent. Any restriction of your rights will be applied proportionately and in accordance with applicable law.
We may share anonymised and aggregated data with third parties for legitimate public interest purposes, including public health research such as disease surveillance, health trend analysis, healthcare access studies, and initiatives aimed at improving outcomes in underserved communities. All such data is processed in a manner that ensures no individual can be identified. We do not sell personal data under any circumstances.
We do not knowingly collect personally identifiable information from children except where necessary to create and manage a dependent profile under a parent or legal guardian account.
Dependent profiles follow a defined lifecycle. The parent or legal guardian creates the profile, may access the dependent’s health records and consultation history, may initiate consultations on their behalf, and may exercise data subject rights in respect of the dependent profile. When the dependent reaches 18, they may request account independence and exercise all data subject rights in their own capacity, including data portability. Upon such transition, the parent or legal guardian’s access to the dependent’s records will be revoked.
The platform implements age verification at registration, which may include submission of government-issued identification documents and verification of date of birth. If you are aware of any concern regarding children’s data, please contact us at info@medvirtualconnect.ng or +234 911 233 0033.
We use Firebase Analytics to collect anonymised and aggregated usage data to help us improve platform performance and user experience. This data does not identify individual users and is used solely for internal analytics. You can opt out of having your activity made available to Google Analytics by installing the opt-out browser add-on. For more information on the privacy practices of Google, please visit the Google Privacy and Terms web page.
This Privacy Notice is intended to comply with the Nigeria Data Protection Act 2023 and the GAID 2025. Data protection law is subject to change. We reserve the right to update this notice in response to new legislation or regulatory guidance. Where changes materially affect your rights or our obligations, we will notify you using the channels provided under Section 1.5.
We keep this Privacy Notice under regular review, as outlined in Section 1.5. We will update the notice where there are significant changes to our data processing practices, including the introduction of new processors or new purposes, as well as in response to regulatory changes or updated guidance. At a minimum, the Privacy Notice is reviewed annually.
© 2026 MedVirtualConnect Limited. All rights reserved.