1. Information We Collect

We collect several types of information to provide and improve our Service:

1.1 Organization Information

• Organization name, address, and contact details
• Laboratory accreditation information
• Branch location details
• Billing and payment information

1.2 User Account Information

• Name and email address
• Professional credentials and role
• Login credentials (passwords are encrypted)
• User preferences and settings

1.3 Patient Data

• Patient identification information
• Test orders and requisition details
• Sample information and tracking data
• Laboratory test results
• Medical history relevant to testing

1.4 Usage and Technical Information

• IP addresses and device information
• Browser type and operating system
• Access times and usage patterns
• Audit logs and activity records
• Performance and error logs

1.5 Communication Data

• Support ticket correspondence
• Email communications
• Feedback and survey responses

2. How We Use Your Information

We use the collected information for the following purposes:

2.1 Service Delivery

• Provide, operate, and maintain the Service
• Process laboratory orders and manage workflows
• Generate and deliver test reports
• Manage user accounts and access control
• Enable multi-branch operations

2.2 Service Improvement

• Analyze usage patterns to improve features
• Develop new functionality
• Troubleshoot and fix technical issues
• Optimize performance and user experience

2.3 Communication

• Send service updates and notifications
• Provide customer support
• Respond to inquiries and requests
• Send administrative information

2.4 Security and Compliance

• Protect against security threats
• Detect and prevent fraud or abuse
• Maintain audit trails for compliance
• Comply with legal obligations

2.5 Business Operations

• Process payments and subscriptions
• Generate invoices and receipts
• Manage contracts and agreements
• Conduct internal research and analytics

3. Data Storage and Security

We implement comprehensive security measures to protect your data:

3.1 Technical Safeguards

• Encryption: All data transmitted over networks is encrypted using TLS/HTTPS protocols
• Data at Rest: Stored data is encrypted using industry-standard algorithms
• Secure Authentication: Multi-factor authentication support and secure password policies
• UUID-Based Architecture: Non-sequential identifiers prevent enumeration attacks
• Database Security: Encrypted database connections and secure credential storage

3.2 Access Controls

• Role-Based Access Control (RBAC): Five-tier permission system (Owner, General Manager, Manager, Receptionist, Lab Technician)
• Branch Isolation: Data segregation between laboratory branches
• Audit Logging: Complete activity logs for all user actions
• Session Management: Automatic timeout and secure session handling

3.3 Infrastructure Security

• Hosting on secure cloud infrastructure (AWS, Railway)
• Regular security updates and patches
• Firewall protection and intrusion detection
• DDoS protection and rate limiting
• Regular security assessments and penetration testing

3.4 Data Backup and Recovery

• Automated daily backups
• Geographically distributed backup storage
• Disaster recovery procedures
• Regular backup restoration testing

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share data only in the following circumstances:

4.1 Within Your Organization

Data is accessible to authorized users within your organization based on their assigned roles and branch access.

4.2 Service Providers

We may share data with trusted third-party service providers who assist in:

• Cloud hosting and infrastructure (AWS, Railway)
• Payment processing
• Email delivery services
• Analytics and monitoring
• Customer support tools

These providers are bound by strict confidentiality agreements and may only use data to perform services on our behalf.

4.3 Legal Requirements

We may disclose information when required to:

• Comply with legal obligations, court orders, or subpoenas
• Respond to lawful requests from government authorities
• Protect our rights, property, or safety
• Prevent fraud or security threats
• Comply with healthcare regulatory requirements

4.4 Business Transfers

If Nefe Tech LMS is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and the choices you may have.

5. Data Retention

We retain your data for as long as necessary to provide the Service and comply with legal obligations:

• Active Accounts: Data is retained for the duration of your subscription
• Terminated Accounts: Data is typically retained for 90 days after termination to allow for data export
• Audit Logs: Maintained for compliance purposes, typically 7 years
• Patient Records: Retained according to healthcare regulations (typically 7-10 years depending on jurisdiction)
• Legal Hold: Data subject to legal obligations may be retained longer

After the retention period, data is securely deleted or anonymized.

6. Your Rights and Choices

Depending on your location, you may have the following rights:

6.1 Access and Portability

• Request access to your personal information
• Export your data in a structured, machine-readable format
• Obtain copies of reports and records

6.2 Correction and Updating

• Correct inaccurate or incomplete information
• Update account details and preferences
• Amend records with proper authorization

6.3 Deletion and Restriction

• Request deletion of your personal information (subject to legal obligations)
• Restrict processing in certain circumstances
• Soft-delete records (marked as inactive rather than permanently deleted)

6.4 Communication Preferences

• Opt out of marketing communications
• Configure notification settings
• Manage email preferences

6.5 Withdrawal of Consent

Where processing is based on consent, you have the right to withdraw consent at any time. This will not affect the lawfulness of processing before withdrawal.

To exercise these rights, contact us at info@nefetechltd.com. We will respond to requests within 30 days.

7. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place:

• Use of Standard Contractual Clauses (SCCs) for international transfers
• Compliance with GDPR, HIPAA, and other applicable regulations
• Data residency options where available
• Adequate security measures regardless of location

8. Compliance with Healthcare Regulations

Nefe Tech LMS is designed to support compliance with healthcare data protection regulations:

8.1 HIPAA (United States)

For U.S. customers handling Protected Health Information (PHI), we enter into Business Associate Agreements (BAA) and implement HIPAA-compliant security measures.

8.2 GDPR (European Union)

For EU customers, we comply with GDPR requirements including data subject rights, Data Protection Impact Assessments (DPIA), and lawful basis for processing.

8.3 Other Jurisdictions

We work to comply with local healthcare and data protection regulations in all jurisdictions where we operate.

9. Children's Privacy

Nefe Tech LMS is intended for use by healthcare professionals and laboratory staff. The Service is not directed at children under 13, and we do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 13, we will take steps to delete it promptly.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Essential Cookies: Required for authentication and security
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Understand how you use the Service
• Performance Cookies: Monitor and improve Service performance

You can control cookie preferences through your browser settings. Note that disabling essential cookies may affect Service functionality.

11. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Email notification to account administrators
• Prominent notice within the Service
• Updating the "Last Updated" date at the top of this policy

Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

13. Data Breach Notification

In the event of a data breach that affects your information, we will notify you and relevant authorities as required by law, typically within 72 hours of discovery. We will provide information about the breach, its impact, and steps we are taking to address it.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: info@nefetechltd.com
• Address: Suite C11 Lake City Plaza Gudu District, Abuja, FCT, Nigeria
• Phone: +234 (803) 886-6521

For GDPR-related inquiries, you may also contact your local data protection authority.