NDPA Compliant

Privacy Policy

We take the privacy of patient data and hospital information seriously. This policy explains how VirtuCare collects, uses, and protects data on its platform.

Last updated: 9 June 2025

1. Introduction

VirtuCare (“we”, “our”, or “us”) provides a hospital management platform designed to help private healthcare facilities manage appointments, patient records, laboratory workflows, pharmacy inventory, drug delivery, billing, and departmental operations.

This Privacy Policy describes how we collect, use, store, and protect personal data in the course of providing our services. It applies to all users of the VirtuCare platform, including hospital administrators, clinical staff, and any individuals whose data is processed through the platform.

This policy is written in compliance with the Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Regulation (NDPR) issued by the National Information Technology Development Agency (NITDA).

2. Who We Are

VirtuCare is a software-as-a-service (SaaS) platform for private hospitals. In the context of data protection law, VirtuCare acts as a data processor — we process personal data on behalf of the hospital (the data controller) under the instructions set out in our Data Processing Agreement.

Where VirtuCare independently determines the purpose and means of processing (such as for platform analytics, security monitoring, or compliance records), we act as a data controller.

For questions regarding this policy, contact us at: privacy@virtucare.io

3. Information We Collect

3.1 Hospital and Staff Information

When a hospital registers and uses VirtuCare, we collect information about the organisation and its authorised staff, including:

  • Hospital name, address, and registration details
  • Contact information of the hospital administrator
  • Staff names, roles, email addresses, and login credentials
  • Billing information for subscription management
  • System usage data and access logs

3.2 Patient Health Information

VirtuCare processes patient health data on behalf of the hospital. This includes:

  • Patient names, date of birth, sex, and contact details
  • Medical history, diagnosis notes, and clinical observations
  • Prescriptions, dispensing records, and medication history
  • Laboratory test requests, results, and turnaround records
  • Appointment history and consultation summaries
  • Billing records and payment status
  • Drug delivery records where applicable

Patient health data is classified as sensitive personal data under the NDPA. VirtuCare processes it strictly under instructions from the hospital as data controller and in accordance with our Data Processing Agreement.

3.3 Usage and Technical Data

We automatically collect technical data to operate and improve the platform:

  • IP addresses and device identifiers
  • Browser and operating system information
  • Pages and features accessed, and session duration
  • Error logs and platform performance metrics

4. How We Use Information

We use the information collected to:

  • Provide, maintain, and improve the VirtuCare platform
  • Process patient records, appointments, prescriptions, and billing on behalf of the hospital
  • Manage user accounts and enforce role-based access controls
  • Send service-related communications (e.g. account notifications, downtime alerts)
  • Comply with legal and regulatory obligations under Nigerian law
  • Detect, investigate, and prevent fraud, security breaches, and misuse
  • Generate aggregated, anonymised analytics to improve platform performance

We do not use patient health data for advertising, profiling, or any purpose unrelated to the provision of the service to the hospital.

6. Data Sharing

We do not sell, rent, or share personal data with third parties for commercial purposes. We may share data in the following limited circumstances:

  • With sub-processors who help us operate the platform (e.g. cloud hosting providers, payment processors), under contractual data protection obligations
  • With the hospital's authorised staff, in accordance with role-based access controls configured by the hospital administrator
  • With law enforcement or regulatory authorities where required by Nigerian law or valid legal process
  • In the event of a merger, acquisition, or sale of assets — subject to the same data protection obligations

A current list of sub-processors is available upon request at privacy@virtucare.io.

7. Data Retention

We retain personal data for as long as necessary to provide the service and comply with legal obligations.

  • Hospital account and staff data: retained for the duration of the subscription and up to 12 months after termination
  • Patient health records: retained for the duration of the hospital's subscription; the hospital may export all data before termination
  • Usage and technical logs: retained for up to 12 months for security and audit purposes
  • Billing records: retained for 7 years in accordance with Nigerian financial record-keeping requirements

On termination of a hospital's subscription, all patient health data is made available for export for 30 days, after which it is securely deleted from our systems.

8. Your Rights

Under the NDPA 2023, individuals whose data is processed through VirtuCare have the following rights:

  • Right to access — request a copy of personal data held about you
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure — request deletion of personal data, subject to legal retention requirements
  • Right to restriction — request that processing be limited in certain circumstances
  • Right to data portability — receive data in a structured, commonly used format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent

Patients exercising these rights should contact their hospital directly, as the hospital is the data controller for patient health records processed through VirtuCare. We will support the hospital in fulfilling these requests.

For requests related to VirtuCare's own data processing, contact: privacy@virtucare.io

9. Security

VirtuCare implements appropriate technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration, or destruction:

  • AES-256 encryption for data at rest
  • TLS 1.3 for all data in transit
  • Role-based access controls enforced at the API level
  • Tamper-resistant audit logs for all platform actions
  • Regular security assessments and vulnerability reviews
  • Enterprise-grade cloud infrastructure with 24/7 monitoring

See our Security page for a full overview of our security practices.

10. Cookies

The VirtuCare marketing website uses a limited number of cookies for functional and analytical purposes. The platform application uses session cookies required for authenticated access and security.

We do not use third-party advertising cookies or track users across third-party websites. You can configure your browser to refuse cookies, though this may affect the functionality of the platform.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will notify registered users by email and update the “Last updated” date at the top of this page.

Continued use of the platform following notification of changes constitutes acceptance of the updated policy.

12. Contact Us

For any questions about this Privacy Policy, to exercise your rights, or to report a data protection concern, please contact us:

  • Email: privacy@virtucare.io
  • General enquiries: hello@virtucare.io

You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your data has been processed unlawfully.