InfectoSnap | Snap, Detect, Protect

Introduction

InfectoSnap is committed to protecting personal data in compliance with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR), and guidelines issued by the Nigeria Data Protection Commission (NDPC). This Data Protection Policy outlines our approach to data protection and our obligations as a Data Controller and Data Processor.

1. Our Data Protection Commitment

InfectoSnap recognizes that data protection is fundamental to trust in healthcare technology. We are committed to:

Accountability: Taking responsibility for how we handle personal data
Transparency: Being clear about our data processing activities
Lawfulness: Processing data only with valid legal basis
Purpose Limitation: Using data only for specified, legitimate purposes
Data Minimization: Collecting only necessary data
Accuracy: Keeping data accurate and up-to-date
Storage Limitation: Retaining data only as long as necessary
Security: Implementing appropriate technical and organizational measures
Rights Respect: Honoring data subject rights

2. Regulatory Framework

2.1 Applicable Laws

Our data protection practices comply with:

Nigeria Data Protection Act 2023 (NDPA): Primary data protection legislation
Nigeria Data Protection Regulation 2019 (NDPR): Supplementary regulatory framework
National Health Act 2014: Healthcare-specific data requirements
Cybercrimes (Prohibition, Prevention, etc.) Act 2015: Cybersecurity obligations
NDPC Guidelines and Circulars: Regulatory guidance from the Commission

2.2 Registration Status

InfectoSnap is registered with the Nigeria Data Protection Commission as required under the NDPA for organizations processing personal data above prescribed thresholds.

3. Data Controller and Processor Roles

3.1 InfectoSnap as Data Controller

We act as Data Controller when we:

Determine purposes and means of processing for our platform operations
Process data for our own business purposes
Handle user account and registration data
Conduct analytics and service improvement activities

3.2 InfectoSnap as Data Processor

We act as Data Processor when we:

Process patient data on behalf of Healthcare Institutions
Store and manage data as directed by subscribing organizations
Provide AI diagnostic analysis services as instructed

3.3 Healthcare Institution Responsibilities

Healthcare Institutions using InfectoSnap remain Data Controllers for patient data and are responsible for:

Obtaining valid consent from patients
Ensuring lawful basis for processing
Responding to data subject requests
Compliance with healthcare-specific regulations

4. Categories of Personal Data

4.1 Standard Personal Data

Category	Examples	Sensitivity
Identity Data	Name, date of birth, gender	Standard
Contact Data	Email, phone, address	Standard
Professional Data	Job title, qualifications, license number	Standard
Account Data	Username, password (hashed), preferences	Standard

4.2 Special Category Data (Sensitive)

Category	Examples	Additional Protections
Health Data	Diagnoses, medical history, symptoms	Explicit consent required
Biometric Data	Diagnostic images	Purpose-limited processing
Genetic Data	If collected for diagnostics	Strict access controls

5. Legal Basis for Processing

We rely on the following legal bases:

5.1 Consent

We rely on consent for:

Processing health data for diagnostic purposes
Marketing communications
Non-essential analytics
Sharing data with third parties beyond service delivery

Consent Requirements:

Freely given, specific, informed, and unambiguous
Clear affirmative action required
Easy withdrawal mechanism provided
Consent records maintained

5.2 Other Legal Bases

Contractual Necessity: To provide subscribed services
Legal Obligation: To comply with healthcare regulations
Legitimate Interests: For security and service improvement
Vital Interests: In emergency healthcare situations

6. Data Subject Rights

Right	Description	Response Time
Access	Obtain copy of personal data	30 days
Rectification	Correct inaccurate data	30 days
Erasure	Request deletion of data	30 days
Restriction	Limit processing activities	30 days
Portability	Receive data in portable format	30 days
Objection	Object to certain processing	30 days

To exercise your rights, contact: privacy@infectosnap.com

7. Data Security Measures

7.1 Technical Measures

Encryption at Rest: AES-256 encryption for stored data
Encryption in Transit: TLS 1.3 for all data transmission
Access Control: Role-based access with MFA
Audit Logging: Comprehensive activity logging
Intrusion Detection: Real-time threat monitoring
Vulnerability Management: Regular scanning and patching
Backup and Recovery: Encrypted backups with tested recovery

7.2 Organizational Measures

Security Policies: Documented and enforced policies
Staff Training: Annual data protection training
Access Reviews: Quarterly access audits
Vendor Assessment: Due diligence on sub-processors
Incident Response: Documented procedures and team

8. Data Breach Management

8.1 Breach Response Procedure

Containment: Immediate actions to limit breach impact
Assessment: Evaluate nature, scope, and severity
Notification: Notify NDPC within 72 hours (if required)
Communication: Inform affected data subjects (if high risk)
Remediation: Implement measures to prevent recurrence
Documentation: Maintain breach register

8.2 Notification Requirements

To NDPC: Within 72 hours of becoming aware of a breach likely to result in risk to data subjects
To Data Subjects: Without undue delay when breach is likely to result in high risk to their rights and freedoms

9. Data Retention

Data Category	Retention Period	Legal Basis
Patient Health Records	6 years minimum	Healthcare regulations
Diagnostic Images	As specified by institution	Contractual agreement
Account Data	Account lifetime + 2 years	Legitimate interest
Audit Logs	7 years	Legal compliance
Payment Records	6 years	Tax regulations

10. International Data Transfers

When transferring data outside Nigeria, we ensure adequate protection through:

Adequacy Decisions: Transfers to countries deemed adequate by NDPC
Standard Contractual Clauses: NDPC-approved contract terms
Binding Corporate Rules: For intra-group transfers
Explicit Consent: For specific, informed transfers

11. Data Protection Officer

InfectoSnap has appointed a Data Protection Officer (DPO) as required under the NDPA.

DPO Responsibilities:

Advising on data protection obligations
Monitoring compliance with data protection laws
Cooperating with the NDPC
Acting as contact point for data subjects and NDPC

DPO Contact:
Email: dpo@infectosnap.com

12. Complaints and Enforcement

12.1 Internal Complaints

Data subjects may lodge complaints by contacting:

Email: privacy@infectosnap.com
DPO: dpo@infectosnap.com

We acknowledge complaints within 5 business days and respond within 30 days.

12.2 NDPC Complaints

Data subjects have the right to lodge complaints with the Nigeria Data Protection Commission:

Nigeria Data Protection Commission
Website: https://ndpc.gov.ng
Email: info@ndpc.gov.ng

13. Policy Review

This Data Protection Policy is reviewed:

Annually, at minimum
Following significant regulatory changes
After major security incidents
When processing activities change materially

14. Contact Information

InfectoSnap Data Protection Team
General Privacy Inquiries: privacy@infectosnap.com
Data Protection Officer: dpo@infectosnap.com
Legal Team: legal@infectosnap.com
General Inquiries: hello@infectosnap.com

InfectoSnap is committed to protecting your personal data and upholding your data protection rights under Nigerian law.