Privacy Policy
Last updated:
Introduction and scope
This Privacy Policy describes how FASTCLINIC LIMITED ("Fastclinic," "we," "us," or "our") processes personal data when you visit fastclinic.xyz, use our enterprise healthcare software, APIs, mobile or web applications, support channels, or otherwise engage with our services (collectively, the "Services").
Fastclinic provides software to hospitals, clinics, insurers, laboratories, pharmacies, and related healthcare organisations. Depending on the context, we may act as a data controller (for example, for website visitors, marketing contacts, and our own personnel data) or as a data processor on behalf of our customers (for example, when hosting or processing patient records that our customers upload to the platform). Where we act as a processor, the customer's privacy notice and our data processing agreement govern processing of end-user and patient data, and this Policy supplements those instruments by describing our practices at an organisational level.
By using the Services or submitting personal data to us, you acknowledge that you have read this Policy. If you do not agree, you must not use the Services.
Data controller
For personal data for which we determine the purposes and means of processing, the controller is:
- FASTCLINIC LIMITED (RC 1919428), a company incorporated in Nigeria under the Companies and Allied Matters Act 2020 ("CAMA 2020")
- Registered address: Abuja, FCT, Nigeria
- Contact: contact@fastclinic.xyz
For personal data processed on behalf of a healthcare organisation customer, that organisation is typically the controller and Fastclinic processes such data only on documented instructions, except where applicable law requires otherwise.
Legal framework
We process personal data in accordance with the Nigeria Data Protection Act 2023 ("NDPA 2023"), subsidiary legislation and guidance issued by the Nigeria Data Protection Commission, and, where applicable, other Nigerian laws. Where our processing relates to companies incorporated under CAMA 2020, we also observe corporate governance and record-keeping obligations that may affect how certain business records are retained.
We rely on lawful bases recognised under NDPA 2023, which may include: performance of a contract; compliance with a legal obligation; consent, where required and validly obtained; protection of vital interests; performance of a task carried out in the public interest or in the exercise of official authority; and legitimate interests that are not overridden by the rights and freedoms of data subjects (for example, securing our networks, improving service reliability, and preventing fraud), where permitted.
Special categories of personal data, including health data, receive enhanced protection. We process such data only where a specific legal basis under NDPA 2023 applies and with appropriate technical and organisational safeguards.
Categories of personal data
Depending on how you interact with us, we may collect:
- Identity and contact data: name, title, employer, work email, phone number, postal or office address.
- Account and authentication data: usernames, role assignments, credentials, security tokens, multi-factor authentication factors, and session identifiers.
- Technical and usage data: IP address, device type, browser, operating system, approximate location derived from IP, log timestamps, pages viewed, feature usage, error reports, and performance diagnostics.
- Communication data: messages you send to support, sales, or security teams, call recordings where lawfully recorded with notice, and metadata associated with those communications.
- Commercial data: billing address, purchase history, subscription tier, tax identifiers where required, and payment-related references (payment card data is handled by certified payment processors where applicable).
- Health and clinical data: where customers use our platform to manage care, we may process patient demographics, identifiers, medical record numbers, diagnoses, medications, laboratory results, imaging metadata, appointment information, and other clinical or operational data that customers or their authorised users submit.
- Marketing and preferences: event registrations, newsletter subscriptions, content downloads, and cookie-derived preferences where you have consented or another lawful basis applies.
Purposes of processing
We use personal data to:
- Provide, operate, maintain, and improve the Services;
- Authenticate users, enforce access controls, and detect unauthorised activity;
- Process orders, invoices, and payments, and manage enterprise contracts;
- Provide customer support, professional services, training, and documentation;
- Meet legal, regulatory, and audit requirements, including healthcare, tax, and corporate obligations;
- Conduct security monitoring, incident response, backups, disaster recovery, and business continuity;
- Analyse aggregated or de-identified usage to improve product design, reliability, and documentation;
- Send service notices, administrative messages, and, where permitted, marketing communications (you may opt out of marketing as described in those messages);
- Develop and operate machine-learning or analytical features in line with our Responsible AI Policy and customer agreements, including with human oversight where clinically or operationally appropriate.
Health and patient data
Patient and other health-related data processed through the Services is treated as sensitive personal data under NDPA 2023. Access is restricted by role, purpose limitation, and contractual obligation. We do not sell patient data. Processing is carried out for the purposes instructed by the healthcare organisation controller (for example, care delivery, billing, quality improvement, and regulatory reporting) or as required by law.
Authorised personnel may access such data only on a need-to-know basis, subject to employment confidentiality, training, and technical controls. We maintain procedures for data minimisation, pseudonymisation where appropriate, and segregation of environments where customer configurations require it.
International transfers
Our primary operations are oriented toward secure processing within Nigeria and Africa-aligned deployments. Where personal data is transferred outside Nigeria, we do so in compliance with NDPA 2023 and applicable regulations, which may include adequacy decisions, standard contractual clauses, binding corporate rules, or other approved mechanisms, together with supplementary measures where appropriate.
Enterprise customers may specify data residency or processing constraints in their order form or data processing agreement, subject to technical feasibility and agreed service scope.
Retention
We retain personal data only for as long as necessary for the purposes described in this Policy, unless a longer period is required or permitted by law. Retention criteria include the duration of the customer relationship, statutory limitation periods, regulatory retention rules applicable to healthcare operators (where data is processed on their behalf), and backup rotation cycles.
Upon contract termination, we delete or return customer data in accordance with the applicable agreement, subject to limited retention for disputes, security logs, or legal holds.
Security measures
We implement administrative, technical, and physical safeguards appropriate to the risk, including encryption in transit and at rest where applicable, access control, logging, vulnerability management, and incident response procedures. Further detail is set out in our Security documentation. No method of transmission or storage is completely secure; we commit to notifying affected parties and regulators where required by NDPA 2023 in the event of a personal data breach.
Data subject rights
Subject to NDPA 2023 and applicable guidance, you may have the right to: obtain confirmation of processing and access to your personal data; request rectification or erasure; restrict or object to certain processing; request data portability where technically feasible; withdraw consent where processing is consent-based; and lodge a complaint with the Nigeria Data Protection Commission.
To exercise rights against Fastclinic as controller, contact contact@fastclinic.xyz. Where we process data solely as a processor on behalf of a customer, we will direct you to that organisation, which is responsible for responding to patient or end-user requests in the first instance; we will assist our customers as required by contract and law.
Data Protection Officer
We have designated a Data Protection Officer (or equivalent responsible contact) to oversee compliance with NDPA 2023. You may reach the DPO at contact@fastclinic.xyz with the subject line "Data Protection Inquiry." We will respond within a reasonable period and in line with statutory timelines where applicable.
Children
Our Services are intended for use by healthcare organisations and authorised adults. We do not knowingly collect personal data from children for consumer purposes. Patient records may include minors' data as instructed by healthcare providers; such processing is governed by the controller's legal bases and clinical obligations.
Changes to this policy
We may update this Policy to reflect legal, regulatory, or operational changes. We will post the revised version on this page and update the "Last updated" date. Where changes are material and we are required to obtain consent or provide notice under NDPA 2023, we will do so in accordance with applicable law. Continued use of the Services after the effective date constitutes acceptance of the revised Policy where permitted by law.