Privacy notice
PHB Health Systems Ltd · RC 8663073 · Lagos, Nigeria
Last updated: June 2026 · Licensed by the Nigeria Data Protection Commission under the NDPA 2023
1. Who we are and how to contact us
PHB Health Systems Ltd (RC 8663073), Lagos, Nigeria, is the data controller for the personal and health data you provide to PHB. We are licensed by the Nigeria Data Protection Commission under the Nigeria Data Protection Act 2023.
Our appointed Data Protection Officer can be reached at dpo@phbhealth.com.
2. What data we collect
We collect the following categories of data:
- Identity data: name, date of birth, gender, NIN or professional licence number (collected at onboarding for HPN issuance).
- Contact data: phone number and email address (used for notifications and account recovery).
- Health record data: visits, diagnoses, prescriptions, lab results, immunisations, referrals and other clinical events entered by you or your consented providers.
- Wallet and payment data: top-up amounts, payment method references (tokenised — we do not store raw card numbers), transaction history.
- Access log data: a record of every access to your health record — who, when, why and from which channel.
- Channel usage data: which channels you use (app, web, USSD, IVR) and session metadata, used to improve service reliability.
3. Legal basis for processing
We process your data on the following legal bases under the NDPA 2023:
- Contract: to issue your HPN and provide the services you request (appointments, records, wallet).
- Legitimate interest: to maintain the security and integrity of the platform and audit trail.
- Legal obligation: to comply with NDPC requirements, NHIA reporting and professional council verification obligations.
- Consent: to share your health record with providers. You may withdraw consent at any time.
4. Where data is stored
All health data is stored in Nigeria. Primary storage is in Lagos (NG-WEST). A hot mirror is maintained in Abuja (NG-NORTH) with automatic failover in under 90 seconds. Sovereign backups are kept in-country.
A Sovereignty Gateway enforces at the network layer that health data cannot be written outside Nigeria. Egress is border-locked and every attempt is logged.
5. Who we share data with
We share your data only in the following circumstances:
- Healthcare providers: only providers you have explicitly consented to, limited to the data you authorised, for the duration you specified.
- NHIA and insurers: eligibility and claims data as required for your cover. Sponsors and insurers receive k-anonymised aggregate data only — never individual PHI.
- Payment processors: Paystack and Monnify receive tokenised payment data necessary to process wallet transactions.
- Regulators: as required by Nigerian law (NDPC, NHIA, relevant professional councils).
We do not sell your data. We do not share your data with advertisers.
6. Retention
Your health record and the audit log are retained for a minimum of 7 years from the date of the last entry, in accordance with the NDPA 2023 and relevant health records legislation.
If you request erasure, your account is hard-locked — sessions ended, login disabled — and your PHI is sealed. Data required to be retained by law (the audit log, financial records) is held for the statutory period and then deleted.
7. Your rights
Under the NDPA 2023 you have the right to access, correct and port your data, to object to processing, and to request erasure of your data. You also have the right to withdraw consent at any time without affecting the lawfulness of prior processing. See the DSAR page for full details and how to make a request.
8. Changes to this notice
We may update this notice from time to time. Material changes will be communicated via in-app notification and email at least 30 days before they take effect. The effective date is shown at the top of this page.
For questions about this notice, to exercise your rights, or to raise a data protection concern, contact our DPO: