Privacy Policy

Your trust matters. Learn how we collect, use, and safeguard your personal information in compliance with international data protection standards.

Last updated:
  • NDPA 2023: Nigeria Data Protection Act
  • GDPR: EU General Data Protection Regulation
  • Encrypted: HTTPS/TLS in transit
  • Consent-first: analytics only with opt-in

Introduction

This Privacy Policy explains how Olayemi Hospital ("we", "us", the Data Controller) collects, uses, stores, and protects personal information when you use our website and secure portal. We are committed to protecting your data in compliance with the Nigeria Data Protection Act (NDPA) 2023, the EU General Data Protection Regulation (GDPR), and applicable healthcare privacy standards.

Data Controller

Olayemi Hospital & Mental Health Centre
Lagos, Nigeria
Email: info@olayemihospital.com

For data protection queries, contact us at the email above or write "Attn: Data Protection Officer" on your correspondence.

Information We Collect

  • Account & contact details (name, email, phone) — to provide portal access and communication.
  • Clinical information (appointments, prescriptions, medical records) — to deliver healthcare services.
  • Billing & financial information (invoices, payments, payment plans) — to process transactions and meet tax/audit obligations.
  • Security/audit information (login events, IP address, approximate location, device type) — to protect accounts and prevent misuse. Collected under legitimate interest.
  • Preferences (theme, sidebar state) stored locally on your device — to improve usability. No personal data is sent to our servers.
  • Optional analytics — only collected if you consent via the cookie banner.

Lawful Basis for Processing

Purpose: Lawful Basis
  • Providing healthcare services & portal access: Performance of a contract / Vital interest
  • Security logging & fraud prevention: Legitimate interest
  • Billing & financial records: Legal obligation (tax/audit compliance)
  • Analytics & service improvement: Consent (opt-in via cookie banner)
  • Legal & regulatory compliance: Legal obligation

Data Retention

  • Medical records: 6 years after last visit (aligned with healthcare regulations).
  • Financial records: 6 years (tax & audit compliance).
  • Audit/security logs: 365 days (configurable), then automatically purged.
  • Deletion requests: Processed within 30 days; records retained 90 days after resolution.
  • Consent records: Duration of consent (max 12 months before renewal).

Cookies & Consent

We use essential local storage for portal functionality (e.g., authentication tokens, theme preference). These cannot be disabled as they are necessary for the service to function. Optional analytics cookies are only set if you give explicit consent via the cookie banner.

You can change your preferences at any time using the floating cookie button shown on every page.

Third-party Services & Data Transfers

We use the following third-party services to operate the portal:

  • Supabase (database & authentication) — data may be stored on servers in the EU/US. Supabase Privacy Policy.
  • Netlify (hosting & serverless functions) — infrastructure located in multiple regions. Netlify Privacy Policy.
  • IP geolocation service — used server-side only for security audit logging. IP addresses are not shared with third parties beyond this lookup.

Where data is transferred outside Nigeria, appropriate safeguards (such as standard contractual clauses) are in place as required by the NDPA.

Your Rights

Under the NDPA and GDPR, you have the right to:

  • Access: Request a copy of your personal data (via "Export My Data" in the patient portal).
  • Rectification: Update or correct your personal information through the portal profile settings.
  • Erasure: Request account deletion (via "Request Account Deletion"), subject to legal retention requirements.
  • Restrict processing: Ask us to limit how we use your data.
  • Data portability: Receive your data in a structured, machine-readable format (JSON export).
  • Withdraw consent: For analytics, at any time via the cookie preferences panel.
  • Object: To processing based on legitimate interest.
  • Lodge a complaint: With the Nigeria Data Protection Commission (NDPC) or your local EU supervisory authority.

Security Measures

  • Row-level security (RLS) ensuring users can only access their own data.
  • Encrypted connections (HTTPS/TLS) for all data in transit.
  • Server-side IP/geo resolution — your IP address is never exposed to third-party scripts in the browser.
  • Comprehensive audit trail of all system access and data changes.
  • Session timeouts (30-minute inactivity) and role-based access controls.

Get In Touch

If you have questions about privacy or wish to exercise your rights, contact us with "Attn: Data Protection Officer" in the subject line.

Olayemi Hospital