Privacy Policy
We take the privacy of patient data and hospital information seriously. This policy explains how VirtuCare collects, uses, and protects data on its platform.
Last updated: 9 June 2025
1. Introduction
VirtuCare (“we”, “our”, or “us”) provides a hospital management platform designed to help private healthcare facilities manage appointments, patient records, laboratory workflows, pharmacy inventory, drug delivery, billing, and departmental operations.
This Privacy Policy describes how we collect, use, store, and protect personal data in the course of providing our services. It applies to all users of the VirtuCare platform, including hospital administrators, clinical staff, and any individuals whose data is processed through the platform.
This policy is written in compliance with the Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Regulation (NDPR) issued by the National Information Technology Development Agency (NITDA).
2. Who We Are
VirtuCare is a software-as-a-service (SaaS) platform for private hospitals. In the context of data protection law, VirtuCare acts as a data processor — we process personal data on behalf of the hospital (the data controller) under the instructions set out in our Data Processing Agreement.
Where VirtuCare independently determines the purpose and means of processing (such as for platform analytics, security monitoring, or compliance records), we act as a data controller.
For questions regarding this policy, contact us at: privacy@virtucare.io
3. Information We Collect
3.1 Hospital and Staff Information
When a hospital registers and uses VirtuCare, we collect information about the organisation and its authorised staff, including:
- Hospital name, address, and registration details
- Contact information of the hospital administrator
- Staff names, roles, email addresses, and login credentials
- Billing information for subscription management
- System usage data and access logs
3.2 Patient Health Information
VirtuCare processes patient health data on behalf of the hospital. This includes:
- Patient names, date of birth, sex, and contact details
- Medical history, diagnosis notes, and clinical observations
- Prescriptions, dispensing records, and medication history
- Laboratory test requests, results, and turnaround records
- Appointment history and consultation summaries
- Billing records and payment status
- Drug delivery records where applicable
Patient health data is classified as sensitive personal data under the NDPA. VirtuCare processes it strictly under instructions from the hospital as data controller and in accordance with our Data Processing Agreement.
3.3 Usage and Technical Data
We automatically collect technical data to operate and improve the platform:
- IP addresses and device identifiers
- Browser and operating system information
- Pages and features accessed, and session duration
- Error logs and platform performance metrics
4. How We Use Information
We use the information collected to:
- Provide, maintain, and improve the VirtuCare platform
- Process patient records, appointments, prescriptions, and billing on behalf of the hospital
- Manage user accounts and enforce role-based access controls
- Send service-related communications (e.g. account notifications, downtime alerts)
- Comply with legal and regulatory obligations under Nigerian law
- Detect, investigate, and prevent fraud, security breaches, and misuse
- Generate aggregated, anonymised analytics to improve platform performance
We do not use patient health data for advertising, profiling, or any purpose unrelated to the provision of the service to the hospital.
5. Legal Basis for Processing
Under the NDPA 2023, we rely on the following legal bases for processing personal data:
5.1 Contractual Necessity
Processing hospital staff account data, billing data, and system usage data is necessary for the performance of our subscription agreement with the hospital.
5.2 Legitimate Interests
We process technical and usage data to monitor platform security, prevent abuse, and improve our services. We balance this against the rights of data subjects and implement appropriate safeguards.
5.3 Legal Obligation
We may process and retain certain data to comply with applicable Nigerian laws, including financial record-keeping requirements.
5.4 Processing on Behalf of the Hospital
Patient health data is processed under the hospital's instructions as data controller. The hospital is responsible for ensuring it has a valid legal basis (such as healthcare provision or consent) for processing patient data within VirtuCare.
6. Data Sharing
We do not sell, rent, or share personal data with third parties for commercial purposes. We may share data in the following limited circumstances:
- With sub-processors who help us operate the platform (e.g. cloud hosting providers, payment processors), under contractual data protection obligations
- With the hospital's authorised staff, in accordance with role-based access controls configured by the hospital administrator
- With law enforcement or regulatory authorities where required by Nigerian law or valid legal process
- In the event of a merger, acquisition, or sale of assets — subject to the same data protection obligations
A current list of sub-processors is available upon request at privacy@virtucare.io.
7. Data Retention
We retain personal data for as long as necessary to provide the service and comply with legal obligations.
- Hospital account and staff data: retained for the duration of the subscription and up to 12 months after termination
- Patient health records: retained for the duration of the hospital's subscription; the hospital may export all data before termination
- Usage and technical logs: retained for up to 12 months for security and audit purposes
- Billing records: retained for 7 years in accordance with Nigerian financial record-keeping requirements
On termination of a hospital's subscription, all patient health data is made available for export for 30 days, after which it is securely deleted from our systems.
8. Your Rights
Under the NDPA 2023, individuals whose data is processed through VirtuCare have the following rights:
- Right to access — request a copy of personal data held about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure — request deletion of personal data, subject to legal retention requirements
- Right to restriction — request that processing be limited in certain circumstances
- Right to data portability — receive data in a structured, commonly used format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent
Patients exercising these rights should contact their hospital directly, as the hospital is the data controller for patient health records processed through VirtuCare. We will support the hospital in fulfilling these requests.
For requests related to VirtuCare's own data processing, contact: privacy@virtucare.io
9. Security
VirtuCare implements appropriate technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration, or destruction:
- AES-256 encryption for data at rest
- TLS 1.3 for all data in transit
- Role-based access controls enforced at the API level
- Tamper-resistant audit logs for all platform actions
- Regular security assessments and vulnerability reviews
- Enterprise-grade cloud infrastructure with 24/7 monitoring
See our Security page for a full overview of our security practices.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will notify registered users by email and update the “Last updated” date at the top of this page.
Continued use of the platform following notification of changes constitutes acceptance of the updated policy.
12. Contact Us
For any questions about this Privacy Policy, to exercise your rights, or to report a data protection concern, please contact us:
- Email: privacy@virtucare.io
- General enquiries: hello@virtucare.io
You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your data has been processed unlawfully.