NDPA 2023 Compliant
Full compliance with Nigerian data protection regulations
Essential Cookies Only
No tracking, analytics, or third-party cookies
Your Data, Your Rights
Full data subject rights per NDPA Sections 34–38
Last Updated: March 22, 2026
At Cloud Lab Pro, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our laboratory management system ("Service"). Please read this policy carefully to understand our practices regarding your data.
This Privacy Policy is prepared in compliance with the Nigeria Data Protection Act 2023 (NDPA), the General Application and Implementation Directive (GAID) 2025 issued by the Nigeria Data Protection Commission (NDPC), the National Health Act 2014, and other applicable data protection regulations.
Lawful Basis for Processing
In accordance with Section 25 of the NDPA, we process your personal data on the following lawful bases:
- Consent: Where you have given explicit consent for specific processing purposes (e.g., marketing communications)
- Contractual Necessity: Processing necessary to perform the Service under your subscription agreement
- Legal Obligation: Processing required to comply with Nigerian laws including healthcare regulations and tax obligations
- Vital Interest: Processing necessary to protect the vital interests of a patient or data subject
- Legitimate Interest: Processing for our legitimate business interests (e.g., service improvement, fraud prevention), balanced against your rights
1. Information We Collect
We collect several types of information to provide and improve our Service:
1.1 Organization Information
- Organization name, address, and contact details
- Laboratory accreditation information
- Branch location details
- Billing and payment information
1.2 User Account Information
- Name and email address
- Professional credentials and role
- Login credentials (passwords are encrypted)
- User preferences and settings
1.3 Patient Data
- Patient identification information
- Test orders and requisition details
- Sample information and tracking data
- Laboratory test results
- Medical history relevant to testing
1.4 Usage and Technical Information
- IP addresses and device information
- Browser type and operating system
- Access times and usage patterns
- Audit logs and activity records
- Performance and error logs
1.5 Communication Data
- Support ticket correspondence
- Email communications
- Feedback and survey responses
2. How We Use Your Information
We use the collected information for the following purposes:
2.1 Service Delivery
- Provide, operate, and maintain the Service
- Process laboratory orders and manage workflows
- Generate and deliver test reports
- Manage user accounts and access control
- Enable multi-branch operations
2.2 Service Improvement
- Analyze usage patterns to improve features
- Develop new functionality
- Troubleshoot and fix technical issues
- Optimize performance and user experience
2.3 Communication
- Send service updates and notifications
- Provide customer support
- Respond to inquiries and requests
- Send administrative information
2.4 Security and Compliance
- Protect against security threats
- Detect and prevent fraud or abuse
- Maintain audit trails for compliance
- Comply with legal obligations
2.5 Business Operations
- Process payments and subscriptions
- Generate invoices and receipts
- Manage contracts and agreements
- Conduct internal research and analytics
3. Data Storage and Security
We implement comprehensive security measures to protect your data:
3.1 Technical Safeguards
- Encryption: All data transmitted over networks is encrypted using TLS/HTTPS protocols
- Data at Rest: Stored data is encrypted using industry-standard algorithms
- Secure Authentication: Multi-factor authentication support and secure password policies
- Tamper-Proof Identifiers: Non-sequential, non-guessable identifiers prevent enumeration attacks
- Database Security: Encrypted database connections and secure credential storage
3.2 Access Controls
- Role-Based Access Control (RBAC): Five-tier permission system (Owner, General Manager, Manager, Receptionist, Lab Technician)
- Branch Isolation: Data segregation between laboratory branches
- Audit Logging: Complete activity logs for all user actions
- Session Management: Automatic timeout and secure session handling
3.3 Infrastructure Security
- Hosting on secure cloud infrastructure (AWS, Railway)
- Regular security updates and patches
- Firewall protection and intrusion detection
- DDoS protection and rate limiting
- Regular security assessments and penetration testing
3.4 Data Backup and Recovery
- Automated daily backups
- Geographically distributed backup storage
- Disaster recovery procedures
- Regular backup restoration testing
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share data only in the following circumstances:
4.1 Within Your Organization
Data is accessible to authorized users within your organization based on their assigned roles and branch access.
4.2 Service Providers
We may share data with trusted third-party service providers who assist in:
- Cloud hosting and infrastructure (AWS, Railway)
- Payment processing
- Email delivery services
- Analytics and monitoring
- Customer support tools
These providers are bound by strict confidentiality agreements and may only use data to perform services on our behalf.
4.3 Legal Requirements
We may disclose information when required to:
- Comply with legal obligations, court orders, or subpoenas
- Respond to lawful requests from government authorities
- Protect our rights, property, or safety
- Prevent fraud or security threats
- Comply with healthcare regulatory requirements
4.4 Business Transfers
If Cloud Lab Pro is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and the choices you may have.
5. Data Retention
We retain your data for as long as necessary to provide the Service and comply with legal obligations:
- Active Accounts: Data is retained for the duration of your subscription
- Terminated Accounts: Data is typically retained for 90 days after termination to allow for data export
- Audit Logs: Maintained for compliance purposes, typically 7 years
- Patient Records: Retained according to healthcare regulations (typically 7-10 years depending on jurisdiction)
- Legal Hold: Data subject to legal obligations may be retained longer
After the retention period, data is securely deleted or anonymized.
6. Your Rights Under the NDPA
Under Sections 34-38 of the Nigeria Data Protection Act 2023, you have the following rights as a Data Subject:
6.1 Right to Access and Data Portability (Sections 34 & 38)
- Request access to your personal data and obtain a copy
- Receive your data in a structured, commonly used, machine-readable format
- Request transmission of your data directly to another Data Controller where technically feasible
6.2 Right to Rectification (Section 34(1)(c))
- Correct inaccurate, out-of-date, or incomplete personal data
- Update account details and preferences
- Amend records with proper authorisation
6.3 Right to Erasure / Right to Be Forgotten (Section 34(1)(d))
- Request deletion of your personal data where it is no longer necessary for the purpose collected
- Request erasure when you withdraw consent (where consent is the lawful basis)
- Note: This right is subject to legal retention obligations under healthcare regulations
6.4 Right to Restrict Processing (Section 34(1)(v))
- Restrict processing when accuracy is contested
- Restrict processing when it is unlawful but you prefer restriction to erasure
6.5 Right to Object (Section 36)
- Object to processing based on legitimate interest or public interest grounds
- Object to processing for direct marketing purposes (this right is absolute)
6.6 Right to Withdraw Consent (Section 35)
Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal of consent shall not affect the lawfulness of data processing that occurred before the withdrawal. It shall be as easy to withdraw consent as it was to give it.
6.7 Right Against Automated Decision-Making (Section 37)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects concerning you.
6.8 Right to Lodge a Complaint (Section 34)
You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your data protection rights have been violated.
To exercise any of these rights, contact our Data Protection Officer at info@nefetechltd.com. We will respond to your request within 30 days.
7. International Data Transfers
Your data may be transferred to and processed in countries other than Nigeria. In accordance with Sections 41-42 of the NDPA, we ensure appropriate safeguards are in place:
- Transfers only to jurisdictions with adequate data protection levels as determined by the NDPC, or with appropriate safeguards
- Data Processing Agreements (DPAs) with all third-party processors as required by Section 29 of the NDPA
- Standard Contractual Clauses or Binding Corporate Rules where applicable
- Compliance with the NDPA, GAID, and other applicable data protection regulations
- Adequate technical and organisational security measures regardless of data location
8. Regulatory Compliance
Cloud Lab Pro is designed to support compliance with healthcare data protection regulations:
8.1 Nigeria Data Protection Act 2023 (NDPA)
As our primary regulatory framework, we comply fully with the NDPA and the GAID 2025, including data subject rights (Sections 34-38), Data Protection Impact Assessments for sensitive data processing, breach notification to the NDPC within 72 hours (Section 40), and Data Controller obligations. As a health sector service provider processing sensitive personal data, Cloud Lab Pro recognises its obligations as a Data Controller of Major Importance (DCPMI) under the NDPA.
8.2 National Health Act 2014
We comply with Nigerian healthcare data provisions, including patient confidentiality requirements and medical records management standards.
8.3 GDPR (European Union)
For customers processing data of EU residents, we comply with GDPR requirements including data subject rights, Data Protection Impact Assessments, and lawful basis for processing.
8.4 Other Jurisdictions
We work to comply with local healthcare and data protection regulations in all jurisdictions where we operate.
9. Children's Privacy
Cloud Lab Pro is intended for use by healthcare professionals and laboratory staff. The Service is not directed at children under 18, and we do not knowingly collect personal information directly from children. Under Section 31 of the NDPA, a child is any person below the age of 18. If we become aware that we have collected information from a child under 18 without appropriate parental or guardian consent, we will take steps to delete it promptly. Where patient data pertains to minors, it is entered and managed by authorised healthcare professionals and is processed under the lawful basis of vital interest or contractual necessity.
10. Cookies and Tracking Technologies
In accordance with the GAID 2025, we inform you that this Service uses cookies. We use only essential (necessary) cookies that are strictly required for the Service to function:
- Session Cookie (sessionid): Required for user authentication and maintaining your login session. This cookie expires when you log out or after a period of inactivity.
- CSRF Cookie (csrftoken): Required for security — protects against Cross-Site Request Forgery attacks on form submissions.
Under the GAID, necessary cookies that enable core functionality such as security and accessibility do not require explicit accept/reject consent. However, we believe in full transparency and notify all users of cookie usage.
We do NOT use:
- Analytics or tracking cookies
- Advertising or marketing cookies
- Third-party cookies
- Cross-site tracking technologies
You can control cookie preferences through your browser settings. Note that disabling essential cookies will prevent you from using the Service as they are required for authentication and security.
10.1 Security Services (Cloudflare Turnstile)
To protect against bots and automated abuse, certain pages (login, registration, and contact forms) use Cloudflare Turnstile, a security challenge service provided by Cloudflare, Inc. When you interact with these pages, Turnstile may collect:
- Your IP address
- Browser type and characteristics
- Interaction signals (mouse movements, keystroke timing)
This data is processed by Cloudflare solely for the purpose of distinguishing human users from bots. Turnstile does not set persistent tracking cookies and is not used for advertising or profiling. For more information, see Cloudflare's Privacy Policy.
11. Third-Party Services and Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
11.1 Embedded Content
Our contact page includes an embedded Google Maps widget to display our office location. When this page loads, your browser may connect to Google's servers, and Google may collect browsing data including your IP address in accordance with Google's Privacy Policy. No personal data is sent to Google by us through this embed.
11.2 Content Delivery Networks
We use industry-standard Content Delivery Networks (CDNs) to serve front-end libraries. These CDN providers may log your IP address in their server access logs as part of standard web delivery. No personal data or cookies are exchanged with these providers by us.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Email notification to account administrators
- Prominent notice within the Service
- Updating the "Last Updated" date at the top of this policy
Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.
13. Data Breach Notification
In accordance with Section 40 of the NDPA, in the event of a personal data breach, we will:
- Notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach
- Notify affected data subjects without undue delay where the breach is likely to result in high risk to their rights and freedoms
- Provide details including the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach
- Document all breaches and remediation actions taken
14. Data Protection Officer & Contact
In compliance with Section 32 of the NDPA, Cloud Lab Pro has designated a Data Protection Officer (DPO) responsible for overseeing data protection compliance. For questions, concerns, or to exercise your data subject rights, please contact:
- Data Protection Officer: info@nefetechltd.com
- General Inquiries: info@nefetechltd.com
- Address: Suite C11 Lake City Plaza Gudu District, Abuja, Nigeria.
- Phone: +234 708 127 8530
We will respond to data subject requests within 30 days as required by the NDPA.
You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng or by emailing info@ndpc.gov.ng.
Our Privacy Commitment
Cloud Lab Pro is committed to:
- Protecting your data with enterprise-grade security
- Being transparent about our data practices
- Giving you control over your information
- Complying with all applicable privacy regulations
- Continuously improving our privacy and security measures