Privacy Policy

Last updated: April 5, 2026

1. Introduction

NesChade Global Ltd (“we”, “us”, or “Cliniqa”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, share, and protect information obtained through the Cliniqa mobile application, the Cliniqa Lab Portal (lab.cliniqa.cloud), and our website (cliniqa.cloud) (collectively, the “Services”).

This policy is drafted in compliance with the Nigeria Data Protection Act 2023 (NDPA), the regulations and directives issued by the Nigeria Data Protection Commission (NDPC), and the General Application and Implementation Directive (GAID). Where applicable, it also reflects principles from the EU General Data Protection Regulation (GDPR) and the US Health Insurance Portability and Accountability Act (HIPAA) as best practices for health data.

2. Data Controller

The data controller responsible for your personal data is:

NesChade Global Ltd

Lagos, Nigeria

Email: support@cliniqa.cloud

Data Protection Officer: support@cliniqa.cloud

3. Key Definitions

  • Personal Data — any information relating to an identified or identifiable individual, as defined in Section 65 of the NDPA 2023.
  • Sensitive Personal Data — data revealing health conditions, genetic data, biometric data, or data concerning a person's physical or mental health. Lab results, health profiles, medical conditions, medications, and allergies fall under this category and receive enhanced protection under the NDPA.
  • Data Subject — you, the individual whose personal data is being processed.
  • Processing — any operation performed on personal data, including collection, storage, use, sharing, and deletion.

4. Personal Data We Collect

4.1 Information You Provide Directly

  • Account registration: First name, last name, email address, phone number, password (stored as a BCrypt hash, never in plain text).
  • Health profile: Date of birth, gender, blood group, medical conditions, current medications, allergies, profile photo.
  • Lab results: Photographs or PDF uploads of laboratory reports, including all biomarker names, values, units, and reference ranges extracted via OCR.
  • Feedback and support: Ratings, written feedback, and support requests.

4.2 Information Generated by Our Services

  • AI interpretations: Machine-generated analysis of your lab results, including severity flags, treatment suggestions, and trend data.
  • Health trends: Derived longitudinal data showing how your biomarkers change over time.
  • Usage data: App feature usage, session duration, and device information (OS version, device model) for service improvement.

4.3 Information from Third Parties

  • Lab-pushed results: If your medical laboratory uses the Cliniqa Lab Portal, they may push your lab results directly to your account.
  • Payment processors: Subscription payment status from Google Play Billing or Apple StoreKit. We do not receive or store your full payment card details.

5. Lawful Basis for Processing

Under the NDPA 2023, we process your personal data on the following lawful bases:

Purpose | Lawful Basis (NDPA)
Account creation and authentication | Performance of a contract (your use of the Service)
Processing lab results and generating AI interpretations | Explicit consent — you actively upload or photograph each lab result
Storing health profile, conditions, medications, allergies | Explicit consent — sensitive personal data requires your affirmative consent per NDPA
Treatment and lifestyle suggestions | Explicit consent
Health trend tracking | Explicit consent and legitimate interest (providing the core service)
Subscription billing | Performance of a contract
Push notifications | Consent (you can disable at any time)
Service improvement and analytics | Legitimate interest (aggregated, non-identifiable data only)
Legal compliance and dispute resolution | Legal obligation

6. Special Protection for Health Data

Your lab results, health profile, medical conditions, medications, and allergies constitute sensitive personal data under the NDPA 2023. We apply the following enhanced safeguards:

  • Explicit consent required: We only process your health data after you provide clear, affirmative consent. You can withdraw this consent at any time.
  • Encryption at rest and in transit: All health data is encrypted using AES-256 at rest and TLS 1.3 in transit.
  • Access controls: Health data is accessible only to you and to authorized system processes (OCR engine, AI interpretation engine). Human access is restricted to authorized support personnel under strict data access agreements.
  • Data minimization: We only extract and store the specific biomarker data needed for interpretation. Raw uploaded images are processed and the original files are stored in encrypted object storage with access logging.
  • No sale of health data: We will never sell, rent, or trade your health data to any third party, for any purpose, under any circumstances.

7. Automated Decision-Making and AI Processing

Cliniqa uses artificial intelligence to interpret your lab results. Under the NDPA 2023, you have the right to be informed about automated decision-making:

  • What the AI does: Analyses extracted biomarker values against clinical reference ranges, generates plain-language explanations, identifies abnormal values, and suggests treatment options.
  • What the AI does NOT do: It does not make medical diagnoses. It does not prescribe medication. All AI-generated content carries a medical disclaimer and is for educational and informational purposes only.
  • Your right to object: You may challenge or request human review of any AI-generated interpretation by contacting us at support@cliniqa.cloud.
  • Third-party AI providers: AI processing is performed using Anthropic (Claude API) as the primary provider and OpenAI (GPT-4) as a fallback. Data sent to these providers is limited to the extracted lab values (not your name, email, or other identifying information). Both providers have data processing agreements that prohibit training on our data.

8. Who We Share Your Data With

We share personal data only when necessary and with appropriate safeguards:

  • AI providers (Anthropic, OpenAI): De-identified lab values only, for generating interpretations. No PII is shared.
  • Cloud infrastructure (AWS/GCP): Encrypted data storage and computing. Data resides in secure, SOC 2-compliant facilities.
  • Google Cloud Vision: Lab result images for OCR text extraction. Images are processed and not retained by Google.
  • Payment processors: Google Play / Apple App Store for subscription management. We do not store card details.
  • Your medical laboratory: Only if you registered through a lab partner, and only the data necessary for result delivery.
  • Law enforcement: Only when required by a valid court order or legal obligation under Nigerian law.

We do not share your data with advertisers, data brokers, insurance companies, employers, or any other commercial third party.

9. Data Retention

  • Account data: Retained for as long as your account is active. Upon account deletion, personal data is anonymized within 30 days.
  • Health data (lab results, interpretations, trends): Retained for as long as your account is active, to enable health trend tracking. Deleted or anonymized within 30 days of account deletion.
  • Uploaded lab result images: Stored in encrypted object storage. Deleted within 30 days of account deletion.
  • Usage analytics: Aggregated and anonymized data may be retained indefinitely for service improvement. This data cannot be linked back to you.
  • Legal hold: Data may be retained longer if required by Nigerian law or an active legal proceeding.

10. Your Rights Under the NDPA 2023

As a data subject under the Nigeria Data Protection Act 2023, you have the following rights:

Right of Access

Request a copy of all personal data we hold about you.

Right to Rectification

Correct inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your data ("right to be forgotten").

Right to Restrict Processing

Limit how we use your data in certain circumstances.

Right to Data Portability

Export your health data in a machine-readable format (JSON).

Right to Withdraw Consent

Withdraw consent at any time. Withdrawal does not affect prior lawful processing.

Right to Object

Object to processing based on legitimate interest or automated decision-making.

Right to Lodge a Complaint

File a complaint with the Nigeria Data Protection Commission (NDPC).

To exercise any of these rights, email support@cliniqa.cloud or use the “Export My Data” and “Delete My Account” features within the app. We will respond within 30 days as required by the NDPA.

11. Data Security Measures

We implement appropriate technical and organizational measures as required by the NDPA 2023:

  • Encryption: AES-256 at rest, TLS 1.3 in transit for all data.
  • Authentication: BCrypt password hashing (cost factor 12+), JWT-based sessions with 15-minute access tokens and rotating refresh tokens.
  • Access control: Role-based access control (RBAC). Database schemas are isolated per module. No cross-module data access without authorization.
  • Rate limiting: API rate limiting to prevent abuse (5 login attempts/min per IP, 60-200 requests/min per user depending on tier).
  • File validation: Uploaded files are validated by magic bytes and scanned for malware before processing.
  • Monitoring: Continuous security monitoring, audit logging, and anomaly detection.
  • Incident response: In the event of a data breach, we will notify affected users and the NDPC within 72 hours as required by the NDPA.

12. International Data Transfers

Some of our service providers operate outside Nigeria (cloud infrastructure, AI providers). Any international transfer of your personal data is conducted in accordance with the NDPA 2023 requirements:

  • Transfers are only made to countries or organizations that provide adequate data protection, or under appropriate safeguards (contractual clauses, binding corporate rules).
  • Data processing agreements are in place with all international providers prohibiting unauthorized use of your data.
  • Health data sent to AI providers is de-identified (no PII attached to the lab values).

13. Children’s Privacy

Cliniqa is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18 without verifiable parental consent, we will delete that data promptly. If you believe a child has provided us with personal data, please contact us at support@cliniqa.cloud.

14. Cookies and Tracking (Website Only)

Our website (cliniqa.cloud) uses only essential cookies required for core functionality (security, session management). We do not use advertising cookies or third-party tracking pixels. In accordance with the NDPC's GAID, essential cookies do not require opt-in consent. If we introduce non-essential cookies in the future, we will obtain your consent before activating them.

15. For Medical Laboratories (Lab Portal)

Medical laboratories using the Cliniqa Lab Portal act as joint data controllers with Cliniqa for patient data they process through the portal. Laboratories are responsible for:

  • Ensuring they have lawful authority to share patient lab results through digital channels.
  • Obtaining patient consent where required before pushing results to the Cliniqa platform.
  • Maintaining the accuracy of lab results they publish.
  • Complying with all applicable professional and regulatory standards, including MLSCN guidelines.

A Data Processing Agreement (DPA) governs the relationship between Cliniqa and each registered laboratory.

16. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes:

  • We will notify you via in-app notification and/or email at least 14 days before the changes take effect.
  • The “Last updated” date at the top of this page will be revised.
  • If changes affect how we process your sensitive personal data, we will request your renewed consent.

17. Contact Us and Complaints

If you have questions, concerns, or wish to exercise your data protection rights:

General inquiries: support@cliniqa.cloud

Privacy and data protection: support@cliniqa.cloud

Data Protection Officer: support@cliniqa.cloud

If you are not satisfied with our response, you have the right to lodge a complaint with the:

Nigeria Data Protection Commission (NDPC)

Website: ndpc.gov.ng

The NDPC is the supervisory authority responsible for enforcing the Nigeria Data Protection Act 2023.