Privacy Policy
How MedLync collects, uses, and protects your personal and health information.
Last updated: 11 May 2026
1. Introduction
MedLync Technologies Ltd ("MedLync", "we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect personal and health information when you use the MedLync platform, including all products, APIs, mobile applications, and associated services (collectively, the "Platform").
By accessing or using the Platform, you confirm that you have read, understood, and agree to this Privacy Policy. If you do not agree, please do not use the Platform.
2. Who We Are
MedLync Technologies Ltd is a healthcare infrastructure company registered in Nigeria. We operate a unified health data exchange platform connecting patients, healthcare providers, pharmacies, laboratories, health maintenance organisations (HMOs), and government health agencies across Nigeria and the African continent.
For the purposes of Nigeria's National Data Protection Regulation (NDPR), MedLync acts as both a data controller and, in certain service arrangements, a data processor on behalf of healthcare providers who use the Platform.
3. Information We Collect
We collect the following categories of information:
Identity Information: Name, date of birth, National Identification Number (NIN), BVN reference, passport number, phone number, and biometric identifiers (fingerprint and facial recognition data) used solely for identity verification.
Health Information: Medical history, diagnoses, treatment plans, laboratory results, prescriptions, vaccination records, imaging reports, vital signs, allergies, chronic conditions, surgical history, and other clinical data generated through the Platform.
Insurance & Financial Information: HMO membership details, insurance coverage data, and claims information — shared by your insurer or HMO through the Platform.
Device & Usage Information: IP address, device identifiers, browser type, operating system, pages visited, and interaction logs, collected for security monitoring and service improvement.
Communications: Messages and support requests you submit to MedLync.
We do not collect health information without your explicit consent or a lawful basis under the NDPR.
4. How We Use Your Information
We use your information to:
• Provide, operate, and maintain the MedLync Platform and all its products.
• Verify your identity and authenticate you across healthcare touchpoints.
• Enable healthcare providers to access your records, subject to your consent settings.
• Process prescriptions, lab orders, referrals, and insurance claims.
• Send you notifications about your health records, appointments, and prescriptions.
• Ensure the security and integrity of the Platform through audit logging and monitoring.
• Comply with legal and regulatory obligations under Nigerian law.
• Generate anonymised, aggregated population health analytics for public health purposes — in a form that cannot identify you individually.
We will never use your health information for advertising, sell it to third parties, or share it with employers without your explicit consent.
5. Legal Basis for Processing
We process your personal data on the following legal bases under the NDPR:
Consent: For processing sensitive health data, your explicit, informed, and freely given consent is our primary legal basis. You may withdraw consent at any time through your account settings.
Contractual Necessity: To fulfil our agreements with you and healthcare providers who use our Platform.
Legal Obligation: Where processing is required to comply with Nigerian law, court orders, or regulatory requirements.
Vital Interests: In genuine medical emergencies where access to your data is necessary to protect your life or that of another person.
Legitimate Interests: For fraud prevention, security monitoring, and improving our services — where these interests do not override your fundamental rights.
7. Data Retention
We retain your health records in line with Nigeria's medical records retention requirements, which mandate a minimum of five (5) years for adult patient records and until the age of 25 for records created when the patient was a minor.
Account data is retained for the duration of your account and for a period of five (5) years following account closure.
Audit logs are retained for three (3) years for security and compliance purposes.
You may request deletion of your account data at any time, subject to our legal retention obligations.
8. Data Security
We protect your information using industry-leading security controls, including:
• AES-256 encryption at rest for all personal and health data.
• TLS 1.3 encryption for all data in transit.
• Zero-trust network architecture — no implicit trust, every request authenticated.
• Hardware security modules (HSMs) for cryptographic key management.
• Role-based access controls limiting data access to authorised personnel only.
• Continuous audit logging and real-time security monitoring.
• Quarterly third-party penetration testing.
No data transmission over the internet is 100% secure. While we implement all reasonable safeguards, we cannot guarantee absolute security.
9. Your Rights
Under the NDPR, you have the following rights in relation to your personal data:
Right of Access: To obtain a copy of the personal data we hold about you.
Right to Rectification: To have inaccurate or incomplete data corrected.
Right to Erasure: To request deletion of your data, subject to legal retention obligations.
Right to Restrict Processing: To limit how we use your data in certain circumstances.
Right to Data Portability: To receive your data in a structured, machine-readable format.
Right to Object: To object to processing based on legitimate interests.
Right to Withdraw Consent: To withdraw consent for processing health data at any time — without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@medlync.io. We will respond within 30 days.
11. Children's Privacy
The MedLync Platform supports the creation of family and paediatric health records. Where records are created for individuals under 18, consent is obtained from a parent or legal guardian. We do not knowingly collect data from minors without appropriate parental consent.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page and, where changes are material, notify you via the Platform or by email. Continued use of the Platform after notification constitutes acceptance of the updated Policy.
13. Contact Us
For privacy-related questions, requests, or complaints:
Email: privacy@medlync.io
Post: MedLync Technologies Ltd, Nigeria
You also have the right to lodge a complaint with Nigeria's National Information Technology Development Agency (NITDA), the supervisory authority for the NDPR.