Privacy Policy

Your privacy is fundamental to our service.

1. About This Policy

This Privacy Policy explains how HealthGrid Africa Limited ("HealthGrid Africa", "we", "us", or "our") collects, uses, discloses, and protects your personal information when you use our AI-powered health triage service (Jewel AI).

HealthGrid Africa Limited is a Nigerian company registered with the Corporate Affairs Commission (RC 7535941). We are registered with the Nigeria Data Protection Commission as a Major Data Processor under registration number NDPC/DCP/09680, valid to February 2028.

Last Updated: May 2026

2. Regulatory Framework

We comply with the following Nigerian privacy and data protection instruments:

  • The Nigeria Data Protection Act 2023 (NDPA), the primary statute governing data protection in Nigeria.
  • The Nigeria Data Protection Regulation 2019 (NDPR), where its provisions remain in force under the transitional framework.
  • The implementation guidance issued by the Nigeria Data Protection Commission (NDPC), including sectoral guidance for health data.

Our processing of your personal data is lawful, fair, and transparent, consistent with section 25 of the NDPA.

3. Information We Collect

Information You Provide

  • Your WhatsApp phone number and any other contact details you share
  • Health symptoms, medical history, and health concerns you describe during triage
  • Responses to triage questions
  • Language preferences (English, Pidgin, Yoruba, Igbo, Hausa)

Communication Records

  • Text messages exchanged through WhatsApp and SMS
  • Voice recordings when you use voice channels
  • Conversation timestamps

Automatically Collected

  • Device type and operating system
  • General location at city level (not precise)

4. How We Use Your Information

We use your personal information for the following purposes:

  • Providing AI-powered health triage and symptom assessment
  • Connecting you with licensed healthcare providers, pharmacies, and laboratories
  • Sending service-related communications (with your consent)
  • Improving the quality and accuracy of our services (see Section 5 below for important detail on AI model training)
  • Complying with legal and regulatory obligations under Nigerian law

We never sell your personal health information to third parties.

5. AI Processing and Model Training

Our triage service uses AI inference services provided by Amazon Web Services. The AI processes your messages in real time to deliver triage responses. The following commitments apply:

  • The AI inference service does not retain your messages beyond the immediate processing window required to generate a response.
  • The AI inference service does not use your messages or your health information to train AI models.
  • You may decline AI processing at any time by replying STOP, in which case your follow-up is handled by a human team member.

6. Consent

We obtain your consent before collecting, using, or disclosing your personal information. By replying YES to the consent prompt when you first contact our service, you consent to the collection and use of information as described in this policy.

You may withdraw your consent at any time by writing to privacy@healthgridafrica.ng or by replying STOP on the WhatsApp conversation. Please note that withdrawing consent may affect our ability to provide certain services.

7. Disclosure and Sub-Processors

We share your information only as required to deliver our services or as required by law. The categories of recipients are:

  • Healthcare Providers: Licensed Nigerian physicians and healthcare professionals you choose to consult with.
  • Cloud Infrastructure and AI Inference Provider: Amazon Web Services, which hosts our compute, storage, networking, and AI inference services. AWS acts as a data processor on our behalf under a Data Processing Agreement (see Section 8).
  • Telephony and Messaging Provider: Twilio, which delivers our WhatsApp, SMS, and voice messages.
  • Pharmacy Fulfilment Partner: OneHealth Pharmaceuticals Limited, which dispenses prescriptions issued during your triage encounter, when you request pharmacy fulfilment.
  • Legal Authorities: When required by Nigerian law or to protect safety.

We do not share your personal health information with employers, insurers, or other third parties without your explicit consent. Additional sub-processors are available for review on request to our Privacy Officer under a confidentiality arrangement.

8. Cross-Border Data Processing

Some of your information is processed outside Nigeria by our cloud infrastructure provider. The following describes how this works:

  • Cloud infrastructure and AI inference: processed in the United States, in Amazon Web Services US East region (Virginia). Your messages are sent to this region for the moments needed to generate a triage response, and are not retained by the AI service beyond that processing window.
  • Pharmacy fulfilment data: when you request prescription dispensing, the relevant data is shared with OneHealth Pharmaceuticals Limited in Nigeria.

This cross-border processing complies with sections 41 to 43 of the Nigeria Data Protection Act 2023. The transfer is governed by our Data Processing Agreement with Amazon Web Services, which incorporates the Standard Contractual Clauses adopted by the European Commission as a cross-border transfer safeguard. The NDPC has indicated, in published guidance, that the Standard Contractual Clauses are an acceptable safeguard for transfers from Nigeria to jurisdictions without an adequacy decision.

The legal basis for the transfer is your express consent at the point of first contact with our service. The current version of the AWS Data Processing Addendum is published at d1.awsstatic.com/legal/aws-dpa/aws-dpa.pdf.

9. Data Security

We implement security measures appropriate to the sensitivity of your information:

  • Industry-standard encryption in transit (TLS 1.2 or higher) for all communications between you and our services, and between our services and our sub-processors.
  • Encryption at rest using Amazon Web Services Key Management Service for all data stored in our cloud infrastructure.
  • Role-based access controls limiting who within HealthGrid Africa can view your information, with audit logging.
  • Regular security audits and vulnerability assessments by our cloud infrastructure provider and our internal team.
  • Employee training on Nigerian data protection law and security practices.

10. Breach Notification

In the event of a personal data breach affecting your information, where the breach is likely to result in a risk to your rights and freedoms:

  • We will notify the Nigeria Data Protection Commission within 72 hours of becoming aware of the breach, as required by section 40 of the NDPA.
  • Where the risk to you is high, we will notify you directly without undue delay, and provide guidance on any steps you can take to reduce the risk of harm.
  • We will notify any other organisation that may be able to reduce or mitigate the harm.

HealthGrid Africa maintains an internal breach log and incident response procedure.

11. Data Retention

We retain your personal information only as long as necessary to fulfill the purposes for which it was collected, or as required by law:

  • Triage conversation transcripts: retained for the duration of your relationship with the service, plus the retention period required by applicable Nigerian health information rules.
  • Voice recordings: retained for thirty (30) days from the date of the call by default. Customer contracts may specify a different retention period; where they do, the contracted period applies.
  • Consent records: retained for the duration of your relationship with the service, plus seven (7) years thereafter for audit purposes.
  • Clinical summary records: retained in accordance with Nigerian clinical record-keeping standards.

You may request deletion of your personal information at any time by writing to privacy@healthgridafrica.ng, subject to legal retention requirements.

12. Your Rights

Under the Nigeria Data Protection Act 2023, you have the right to:

  • Access your personal information held by HealthGrid Africa (section 34)
  • Request correction of inaccurate information (section 35)
  • Request deletion of your information, subject to legal retention requirements (section 36)
  • Object to processing of your personal information (section 37)
  • Receive your personal information in a structured, commonly used technological format, the right to data portability (section 38)
  • Withdraw your consent at any time
  • Lodge a complaint with the Nigeria Data Protection Commission (section 32)

We will respond to requests to exercise these rights within thirty (30) days of receipt. To exercise a right or to make a request, write to our Privacy Officer at privacy@healthgridafrica.ng, or reply to the WhatsApp conversation with a clear request.

To file a complaint with the regulator, contact the Nigeria Data Protection Commission via the NDPC website at ndpc.gov.ng.

13. Children's Privacy

Our services are commonly used by parents and guardians to seek health guidance for their children, and we recognise that this means we routinely process personal information relating to minors. We treat this information with the same care as any other patient information, and the following rules apply:

  • Parental and guardian consent: when a parent or guardian uses the service to describe a child's symptoms or seek guidance for a child, the parent or guardian provides consent on the child's behalf. By using the service in this way, you confirm that you have parental or guardian authority over the child whose information you are sharing.
  • Direct use by minors: the service is not designed for direct, unsupervised use by children under 18 years of age. We do not knowingly accept consent from a minor acting alone. If a minor contacts the service directly, our triage flow encourages the involvement of a parent or guardian.
  • Rights of the minor: all rights described in Section 12 of this policy apply to a minor's information. A parent or guardian may exercise those rights on the child's behalf by writing to privacy@healthgridafrica.ng.
  • Sensitive paediatric data: health information about a child is sensitive personal data under NDPA 2023 and is processed only for the purposes of the triage and any referral or fulfilment the parent or guardian requests.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this website and, where appropriate, through direct communication on the WhatsApp channel.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

HealthGrid Africa Limited
RC: 7535941
NDPC Registration: NDPC/DCP/09680
Lagos, Nigeria
Privacy enquiries: privacy@healthgridafrica.ng
WhatsApp: +234 702 595 8853

You may also contact the Nigeria Data Protection Commission at ndpc.gov.ng if you have concerns about our privacy practices.