
Privacy notice

PHB Health Systems Ltd · RC 8663073 · Lagos, Nigeria

Last updated: June 2026 · Licensed by the Nigeria Data Protection Commission under the NDPA 2023

Plain-language summary

What this means in plain language.

  • Who we are: PHB Health Systems Ltd (RC 8663073) is the data controller. We are licensed by the Nigeria Data Protection Commission.
  • What we collect: Your identity details at registration, your health record (entered by you or your providers), your wallet transactions and your access log.
  • Why we collect it: To issue and maintain your HPN, to connect you with care providers, to process payments and to keep an audit trail of record access.
  • Where it's stored: In Nigeria only — primary in Lagos, hot mirror in Abuja. Data never crosses Nigerian borders. Egress is border-locked.
  • Who we share it with: Only providers you have consented to, NHIA/insurers (aggregated only, no PHI), and regulators as required by Nigerian law.
  • Your rights: Access, correct, port, object, and request erasure. Exercise them in the app or by emailing dpo@phbhealth.com. See the DSAR page for full details.

1. Who we are and how to contact us

PHB Health Systems Ltd (RC 8663073), Lagos, Nigeria, is the data controller for the personal and health data you provide to PHB. We are licensed by the Nigeria Data Protection Commission under the Nigeria Data Protection Act 2023.

Our appointed Data Protection Officer can be reached at dpo@phbhealth.com.

2. What data we collect

We collect the following categories of data:

  • Identity data: name, date of birth, gender, NIN or professional licence number (collected at onboarding for HPN issuance).
  • Contact data: phone number and email address (used for notifications and account recovery).
  • Health record data: visits, diagnoses, prescriptions, lab results, immunisations, referrals and other clinical events entered by you or your consented providers.
  • Wallet and payment data: top-up amounts, payment method references (tokenised — we do not store raw card numbers), transaction history.
  • Access log data: a record of every access to your health record — who, when, why and from which channel.
  • Channel usage data: which channels you use (app, web, USSD, IVR) and session metadata, used to improve service reliability.

3. Legal basis for processing

We process your data on the following legal bases under the NDPA 2023:

  • Contract: to issue your HPN and provide the services you request (appointments, records, wallet).
  • Legitimate interest: to maintain the security and integrity of the platform and audit trail.
  • Legal obligation: to comply with NDPC requirements, NHIA reporting and professional council verification obligations.
  • Consent: to share your health record with providers. You may withdraw consent at any time.

4. Where data is stored

All health data is stored in Nigeria. Primary storage is in Lagos (NG-WEST). A hot mirror is maintained in Abuja (NG-NORTH) with automatic failover in under 90 seconds. Sovereign backups are kept in-country.

A Sovereignty Gateway enforces at the network layer that health data cannot be written outside Nigeria. Egress is border-locked and every attempt is logged.

5. Who we share data with

We share your data only in the following circumstances:

  • Healthcare providers: only providers you have explicitly consented to, limited to the data you authorised, for the duration you specified.
  • NHIA and insurers: eligibility and claims data as required for your cover. Sponsors and insurers receive k-anonymised aggregate data only — never individual PHI.
  • Payment processors: Paystack and Monnify receive tokenised payment data necessary to process wallet transactions.
  • Regulators: as required by Nigerian law (NDPC, NHIA, relevant professional councils).
  • We do not sell your data. We do not share your data with advertisers.

6. Retention

Your health record and the audit log are retained for a minimum of 7 years from the date of the last entry, in accordance with the NDPA 2023 and relevant health records legislation.

If you request erasure, your account is hard-locked — sessions ended, login disabled — and your PHI is sealed. Data required to be retained by law (the audit log, financial records) is held for the statutory period and then deleted.

7. Your rights

Under the NDPA 2023 you have the right to access, correct, port, object to processing, and request erasure of your data. You also have the right to withdraw consent at any time without affecting the lawfulness of prior processing. See the DSAR page for full details and how to make a request.

8. Changes to this notice

We may update this notice from time to time. Material changes will be communicated via in-app notification and email at least 30 days before they take effect. The effective date is shown at the top of this page.

Contact the Data Protection Officer

For questions about this notice, to exercise your rights, or to raise a data protection concern, contact our DPO:

dpo@phbhealth.com
PHB Health Systems Ltd · RC 8663073 · Lagos, Nigeria