Acceptable Use Policy

This Acceptable Use Policy ("AUP") sets out rules for using websites, software, APIs, and related services provided by FASTCLINIC LIMITED ("Fastclinic"). It applies to all customers, authorised users, and others who access or interact with our systems ("you").

This AUP is incorporated by reference into our Terms of Service and enterprise agreements. Violations may result in suspension, termination, legal action, or referral to law enforcement. Capitalised terms not defined here have the meaning given in the Terms.

You must not use the Services to:

• Violate any applicable law, including NDPA 2023, healthcare confidentiality rules, anti-corruption laws, export controls, sanctions, or child protection statutes;
• Store, process, or transmit Customer Data without lawful authority, valid consent where required, or a proper healthcare legal basis;
• Access or attempt to access data, accounts, or systems belonging to others without authorisation, including credential stuffing, phishing, or social engineering;
• Introduce malware, ransomware, bots (except approved integrations), denial-of-service traffic, or other harmful code;
• Reverse engineer, circumvent, or disable security, usage limits, billing meters, or licence controls, except as mandatory law allows;
• Send unsolicited bulk commercial email, spam, or deceptive messages through or in connection with the Services;
• Infringe intellectual property, privacy, publicity, or other rights of third parties;
• Harass, threaten, defame, or discriminate unlawfully against individuals or groups;
• Mine cryptocurrency, operate file-sharing hubs for infringing content, or run unrelated high-load workloads without written approval;
• Use the Services to develop, train, or benchmark a competing product using our proprietary interfaces or data obtained in breach of agreement;
• Misrepresent affiliation with Fastclinic, impersonate another user, or falsify clinical or operational records.

Enterprise Customers agree to:

• Maintain strong passwords and enrol a phishing-resistant second factor (WebAuthn / passkey / security key) on all administrative accounts;
• Promptly revoke access for departing personnel and contractors, and rotate credentials after suspected compromise;
• Keep systems used to access the Services patched and free of malware, using organisation-appropriate endpoint protection;
• Report suspected security incidents affecting the Services or Customer Data to contact@fastclinic.xyz without undue delay;
• Use only supported integrations and APIs in accordance with documentation and rate limits;
• Segregate production and non-production environments where required by your internal policies or regulatory obligations.

If you hold an Individual FastLogin account — a personal account registered directly at idms.fastclinic.xyz — the following also applies:

• Custody of credentials. Do not share your password, one-time codes, backup recovery codes, passkey, or security key with anyone — including colleagues, family members, employers, or Fastclinic staff. Fastclinic will never ask for your password or a backup code. A request to do so is an attempted account takeover and should be reported.
• Keep a recovery path available. Keep at least one recovery channel verified (phone or email) and at least one backup authentication option (backup codes, or a second passkey / security key). Account recovery without these is manual and may take several business days.
• Do not sell, rent, or transfer the account. Accounts are personal. Allowing another person to use your credentials creates an audit-trail problem and may breach sector-specific rules for healthcare professionals; the account stays fully accountable to you.
• No automated credential testing. Do not script sign-in attempts, run credential stuffing against your own or any other account, or use the authentication endpoints for availability monitoring or performance testing.
• Tidy your devices. Review the list of trusted devices in your dashboard periodically. Revoke any device you no longer use, particularly after selling, gifting, or losing a phone or laptop.
• Report suspicious activity.If you see a sign-in you don't recognise, a consent you didn't grant, or a verification request you didn't submit, report it to contact@fastclinic.xyz immediately.
• Professional conduct for providers. If you register as a healthcare professional or facility, you are responsible for keeping your licence information accurate, notifying us promptly if your licence is suspended or revoked, and using the clinical tools only in line with the relevant professional conduct rules.

You are responsible for configuring the Services to meet your regulatory obligations, including under NDPA 2023, professional conduct rules, hospital licensing, HMO requirements, laboratory accreditation, and pharmaceutical regulations, as applicable to your organisation.

You must not configure workflows or permissions in a manner that is reasonably likely to cause unlawful disclosure of patient data. You will cooperate with audits, data subject requests, and breach notifications that involve your use of the Services, including providing accurate contact points for your Data Protection Officer or privacy office.

You retain rights in Customer Data you submit. You warrant that you have the rights necessary to upload and process such data through the Services. You must not upload content that is illegal, malicious, or that violates third-party rights.

We may remove or restrict content that violates this AUP or law, or that poses a security risk, subject to contractual notice requirements where applicable.

Where the Services include artificial intelligence, machine learning, or rules-based automation, you must use them in accordance with our Responsible AI Policy and product documentation. You must maintain human oversight for clinical decisions, validate outputs where patient safety is implicated, and not rely on automated outputs as the sole basis for critical care without appropriate professional review.

We may monitor technical metadata, logs, and usage patterns to ensure security, performance, billing accuracy, and compliance with this AUP. We do not routinely access the content of Customer Data except as necessary to provide support with your permission, to prevent or address security incidents, to comply with law, or as otherwise agreed in writing.

We reserve the right to investigate suspected violations and to cooperate with law enforcement and regulators, including under NDPA 2023 and sector-specific healthcare laws.

If you become aware of a violation of this AUP, report it to contact@fastclinic.xyz with sufficient detail for us to assess the issue. We will treat good-faith reports confidentially to the extent consistent with investigation and legal obligations.

Depending on severity, we may: issue a warning; require remediation steps; suspend specific accounts or features; suspend or terminate the agreement; withhold service credits; and pursue legal remedies. We are not liable to you for any loss arising from a suspension or termination undertaken in good faith to address a violation.

We may disclose information, including Customer Data, where required by lawful process or to protect vital interests. Nothing in this AUP limits our obligations under Nigerian law, including company law under CAMA 2020 where corporate records or disclosures are implicated.