Privacy Policy

This Privacy Policy describes how FASTCLINIC LIMITED("Fastclinic," "we," "us," or "our") processes personal data when you visit fastclinic.xyz, register for a FastLogin account at idms.fastclinic.xyz, use our enterprise healthcare software, APIs, mobile or web applications, support channels, or otherwise engage with our services (collectively, the "Services").

Fastclinic provides software for hospitals, clinics, insurers, laboratories, pharmacies, pharmaceutical companies, and related healthcare organisations, as well as a unified identity platform (FastLogin) that allows individuals to sign in once and access authorised products across the Fastclinic ecosystem. Our role under the Nigeria Data Protection Act 2023 ("NDPA 2023") depends on the context of processing — see Our role below.

By using the Services or submitting personal data to us, you acknowledge that you have read this Policy. If you do not agree, you must not use the Services.

We process personal data in two capacities, which carry different obligations under NDPA 2023. It matters which capacity applies because it determines who decides the purpose of processing and who you approach to exercise rights.

• Fastclinic as controller. When an individual (for example, a patient, provider, or workforce user) registers a personal FastLogin account at idms.fastclinic.xyz, when someone subscribes to our newsletter, completes a demo request, contacts support on their own behalf, or submits information to our website forms, Fastclinic determines the purposes and means of processing. Fastclinic is the controller of that data.
• Fastclinic as processor. When a healthcare organisation (our enterprise customer) uses our platform to manage patient records, clinical operations, billing, or similar workflows, the customer is the controller of that patient and operational data. Fastclinic processes such data on documented instructions under a data processing agreement (see our Data Processing Agreement).

The same individual may interact with us in both capacities — for example, a clinician who holds a personal FastLogin account (controller: Fastclinic) and also uses it to access a hospital's FastLogin-integrated deployment (controller: the hospital, where Fastclinic is processor for the hospital's workflow data). Where this Policy says "we decide" or similar, it refers to processing in which Fastclinic is the controller.

For processing in which Fastclinic is the controller:

• FASTCLINIC LIMITED (RC 1919428), a company incorporated in Nigeria under the Companies and Allied Matters Act 2020 ("CAMA 2020"), registered on April 14, 2022.
• Registered address: 16 Zone D, Road 1, Ushafa, Abuja, Nigeria (901101).
• General contact: contact@fastclinic.xyz.
• Privacy and data-protection contact (see Data Protection Officer): same email with subject line "Data Protection Inquiry."

Where Fastclinic processes data on behalf of a healthcare organisation customer, that organisation is the controller for that data. We will direct you to that organisation if you contact us about patient or end-user records we hold on their behalf.

We process personal data in accordance with NDPA 2023, subsidiary legislation and guidance issued by the Nigeria Data Protection Commission ("NDPC"), and other applicable Nigerian laws. Where our processing relates to companies incorporated under CAMA 2020, we also observe corporate record-keeping obligations that may affect how certain business records are retained.

We rely on the lawful bases recognised under NDPA 2023, including:

• Performance of a contract — maintaining your FastLogin account, provisioning products you subscribe to, processing orders and invoices, and providing support.
• Compliance with a legal obligation — keeping tamper-evident audit trails, responding to regulator inquiries, meeting record-retention duties under NDPA 2023, CAMA 2020, and sector-specific healthcare rules.
• Consent — marketing communications, optional product features, and the scope grants you make when authorising a Fastclinic product to read your data via our OAuth2 consent screen. Consent may be withdrawn at any time (see Exercising your rights).
• Legitimate interests — preventing fraud and account takeover, securing our networks, detecting abuse of our APIs, and improving service reliability. We balance these interests against your rights and freedoms.
• Vital interests and public interest — limited scenarios such as emergency disclosures to protect life or cooperation with lawful authorities.

Special categories of personal data, including health data, receive enhanced protection. We process such data only where a specific legal basis under NDPA 2023 applies and with appropriate technical and organisational safeguards.

Depending on how you interact with us, we may collect:

• Identity and contact data — given name, middle name (optional), family name, preferred display name, date of birth, gender, state and city of residence, phone number, email address, postal or office address, organisational affiliation (where applicable).
• Account and authentication data — see Authentication data for detail.
• Provider verification data — where you register as a healthcare professional or facility, see Provider verification.
• Technical and usage data — IP address, device type, browser, operating system, approximate location derived from IP (often at country level only via our network edge), log timestamps, pages viewed, feature usage, error reports, and performance diagnostics.
• Communication data — messages you send to support, sales, or security teams, call recordings where lawfully recorded with notice, and metadata associated with those communications.
• Commercial data — billing address, purchase history, subscription tier, tax identifiers where required, and payment-related references. Payment card numbers are handled by certified payment processors and do not reach our systems.
• Health and clinical data — where customers use our platform to manage care, we process on their behalf patient demographics, identifiers, medical record numbers, diagnoses, medications, laboratory results, imaging metadata, appointment information, and other clinical or operational data that customers or their authorised users submit.
• Marketing and preferences — event registrations, newsletter subscriptions, content downloads, and cookie-derived preferences where you have consented or another lawful basis applies.

Fields marked optional in a form are not required to use the Services; fields marked required support core account or contract operations. You may be asked for additional data if you opt into specific features.

FastLogin is our unified identity platform. When you create a FastLogin account at idms.fastclinic.xyz, we collect and store the following as controller:

• Registration traits — names, date of birth, gender, state and city, and your primary identifier (phone or email) plus a secondary identifier where you choose to add one.
• Account state — creation timestamp, last-updated timestamp, account status (active, inactive, scheduled for deletion), display name preferences, and optional public metadata you set (for example, a dismissal timestamp for our passkey enrolment prompt so we do not nag you again).
• Entitlements — which Fastclinic products you have access to, grant source (personal subscription, organisation membership, or promotional), expiry timestamps, and any administrative status flags.
• Organisation memberships — if you belong to a hospital, clinic, HMO, or other organisation on the platform, your membership record, role, and join timestamp.

You can view most of this data via your dashboard at idms.fastclinic.xyz/dashboard and export the full set as a machine-readable JSON bundle at any time (see Exercising your rights).

Account security is grounded in credentials we store in a separate, access-restricted store:

• Password hash. Passwords are hashed with a modern memory-hard algorithm before storage. The plaintext never leaves your browser in a form we keep.
• Time-based one-time password (TOTP) secret. Where you enrol an authenticator app for multi-factor authentication, we store the shared secret needed to verify the codes you enter.
• Backup recovery codes. One-time codes generated when you set up multi-factor authentication. Stored as hashes; once used, a code cannot be reused.
• WebAuthn credentials (passkeys, security keys).When you enrol a passkey or hardware security key, your device generates a public/private keypair. We store only the public key, credential identifier, and an authenticator attestation identifier ("AAGUID") that identifies the type of device. The private key never leaves your device. Any biometric signal (fingerprint, face) used to unlock the credential stays on your device — Fastclinic does not receive or store biometric template data.
• Session records. A session identifier bound to your browser or app that lets us recognise you across requests without reprompting for credentials, along with the authentication factors used and the time they completed.
• SMS one-time codes. Used for identity proofing during registration and for self-service account recovery only — not for routine sign-in. Codes are short-lived and not retained after verification.

Authentication data is used to confirm that a request comes from you, to enforce multi-factor requirements, and to detect credential-stuffing attempts. For accounts with elevated privileges, we apply additional controls described in our Security Practices.

Registering as a healthcare professional or facility requires verification. If you submit a verification request, we process:

• Licence information — professional licence number and issuing authority, licence expiry date.
• Supporting documents — images or PDFs of your licence, government identification, facility registration, or other documents you upload to support the request.
• Review metadata — review status, reviewer comments, decision timestamps, and any follow-up information we request from you.

Licence numbers and document contents are encrypted at rest under keys dedicated to verification material. Access is restricted to authorised reviewers acting on a need-to-know basis with step-up authentication, and is audit-logged. We do not share verification documents outside Fastclinic except where required by law or under a documented regulatory inquiry.

Verification records are retained for up to seven (7) years from rejection or suspension of a request, in line with professional-registration record-keeping expectations. On a successful erasure request (see Exercising your rights), we apply the exception in NDPA 2023 Section 16(2) only where a legal obligation requires continued retention, and we will tell you if that applies.

To prevent account takeover, credential stuffing, and SIM-swap fraud — particularly on accounts with clinical reach — we generate and store limited security signals:

• Device binding. On provider accounts, we record a per-browser identifier derived from a first-party cookie combined with your User-Agent and Accept-Language header, all hashed so the raw values are never stored. This lets us tell a trusted device from a new one and prompt for additional verification on unrecognised devices. You can view and revoke bound devices in your dashboard.
• Login context. On provider accounts, we derive signals such as the country of the network you are logging in from (from our network edge, not a precise location), whether the device is new or trusted, and whether the login is outside your typical hours, to compute a risk score that may trigger a step-up authentication prompt.
• Signal retention. Risk signals are held for thirty (30) days in an append-only forensic store; older rows are purged automatically. Device bindings persist while the binding is active and are removed when you revoke them.

We rely on legitimate interest as the lawful basis for these signals — preventing fraud against you and across the ecosystem — and we balance that interest against your rights. The signals do not drive automated decisions with legal or similarly significant effect; they can only cause a request for additional verification, never a silent denial of service.

We use personal data to:

• Provide, operate, maintain, and improve the Services;
• Create and manage your FastLogin account and cross-product entitlements;
• Authenticate users, enforce multi-factor requirements, and detect unauthorised activity;
• Process orders, invoices, and payments, and manage enterprise contracts;
• Provide customer support, professional services, training, and documentation;
• Meet legal, regulatory, and audit requirements, including under NDPA 2023, CAMA 2020, and sector-specific healthcare rules;
• Operate security monitoring, fraud detection, incident response, backups, and business continuity;
• Generate aggregated or de-identified analytics to improve product design, reliability, and documentation;
• Send service notices, administrative messages, and — where permitted — marketing communications you may unsubscribe from via the message footer or your preferences;
• Develop and operate machine-learning or analytical features in line with our Responsible AI Policy and customer agreements, with human oversight where clinically or operationally appropriate.

Patient and other health-related data processed through the Services is treated as sensitive personal data under NDPA 2023. Access is restricted by role, purpose limitation, and contractual obligation. We do not sell patient data. Processing is carried out for the purposes instructed by the healthcare organisation controller (for example, care delivery, billing, quality improvement, and regulatory reporting) or as required by law.

Authorised personnel may access such data only on a need-to-know basis, subject to employment confidentiality, training, and technical controls. We maintain procedures for data minimisation, pseudonymisation where appropriate, and segregation of environments where customer configurations require it. Clinical tools require phishing-resistant authentication factors.

When you authorise a Fastclinic product or an integrated third-party application to access your FastLogin account, we record the consent in an append-only log. The record includes the product or client, the specific scopes you granted, the time and date, and the network address of the authorisation event. You can view your active consents and the audit trail for each in your dashboard.

Consents automatically expire twelve (12) months after they are granted and require re-authorisation on next use. You can revoke any consent at any time, and you can revoke individual scopes within a consent without revoking the whole grant. Revocation takes effect immediately for new requests; access tokens already issued remain valid until they expire (typically within the hour) or are explicitly invalidated.

Administrative actions, privilege changes, verification decisions, authentication events, and sensitive workflow steps are recorded in a tamper-evident audit log. Each entry is hash-chained to the previous entry, and daily root hashes are published to write-once storage for long-term integrity.

The audit trail is retained for seven (7) years. Even where you exercise the right to erasure, audit entries that reference your account identifier are retained under the NDPA 2023 Section 16(2) exception for compliance with legal obligations, because the integrity of the chain depends on preserving every entry. Sensitive content (tokens, cryptographic secrets, raw credentials) is never written to the audit log — a redaction check rejects any attempt at the write layer.

We may share personal data with:

• Subprocessors who host infrastructure, deliver messages, or provide professional services on our behalf (listed below), under written agreements that impose confidentiality and data-protection obligations consistent with NDPA 2023;
• Professional advisers including lawyers, accountants, and insurers, subject to professional duties of confidence;
• Authorities when required by court order, subpoena, or applicable law, or when necessary to protect rights, safety, or security;
• Corporate transactions such as a merger, acquisition, or asset sale, with appropriate safeguards and notice where required.

Our current principal subprocessors are:

• Amazon Web Services, Inc. — cloud hosting for databases, object storage, managed secrets, and write-once audit storage. Primary data in regions aligned with Nigerian deployment; transfer safeguards are described in International transfers.
• Termii Limited (Nigeria) — SMS delivery for one-time codes during registration and account recovery. Receives the recipient phone number and the code.
• Resend, Inc. (United States) — transactional email delivery for account notifications, verification, and support messages. Receives the recipient email address, message subject, and body.
• Cloudflare, Inc. — network edge, TLS termination, and abuse protection (where enabled). Handles connection metadata including IP address and request headers.

Enterprise customers may request the full subprocessor list and material changes under their data processing agreement (see our DPA). We commit to providing at least thirty (30) days' notice of new subprocessors that handle customer personal data, giving customers an opportunity to object on reasonable grounds relating to data protection.

Our primary operations are oriented toward secure processing within Nigeria and Africa-aligned deployments. Primary identity, verification, and clinical data stores are hosted in regions aligned with our Nigerian deployment.

Where personal data is transferred outside Nigeria, we do so in compliance with NDPA 2023 and applicable regulations. This may include adequacy decisions, standard contractual clauses approved by the NDPC, binding corporate rules, other legally recognised transfer mechanisms, or narrowly applicable derogations such as explicit consent or contract performance. In particular, transactional email delivery via a United States processor (Resend) is supported by standard contractual clauses; limited network metadata routed through global edge services (for example, Cloudflare) is handled under the relevant processor's cross-border safeguards.

Enterprise customers may specify data residency or processing constraints in their order form or data processing agreement, subject to technical feasibility and agreed service scope.

We retain personal data only for as long as necessary for the purposes described in this Policy, unless a longer period is required or permitted by law. The following retention periods apply to the categories we control:

• FastLogin identity (profile, credentials, entitlements, memberships): for the lifetime of the account plus a forty-eight (48) hour cool-off window on erasure requests, during which you can sign in and cancel the request.
• Consent records: twelve (12) months from grant if unused, or seven (7) years from revocation or expiry where retained as part of the audit trail.
• Provider verification records: up to seven (7) years from rejection or suspension, or for the lifetime of an active verification.
• Audit log: seven (7) years (NDPA 2023 Section 16(2) exception applies — see Audit trail retention).
• Device binding records: while the binding is active; removed on self-service revocation.
• Risk signal rows: thirty (30) days rolling, automatically purged.
• Session records: typically up to twenty-four (24) hours, subject to sooner invalidation on sign-out or policy change.
• Transactional SMS / email bodies: retained by the processor under its own retention policy; Fastclinic retains only delivery metadata for operational troubleshooting.
• Support tickets: up to three (3) years from resolution.
• Billing records: as required by applicable tax and company law, typically six (6) years.

Backups are rotated on a defined cycle; personal data within backups may persist up to the rotation window after deletion from live systems. Upon contract termination, we delete or return customer data in accordance with the applicable agreement, subject to limited retention for disputes, security logs, or legal holds.

We implement administrative, technical, and physical safeguards appropriate to the risk, including encryption in transit and at rest, role-based access control with phishing-resistant multi-factor authentication for privileged roles, tamper-evident audit logging, and documented incident response. Detail is set out in our Security Practices.

No method of transmission or storage is completely secure. In the event of a personal data breach, we will notify affected parties and regulators where required by NDPA 2023 — for data we control, within the statutory 72-hour window; for data we process on behalf of a customer, without undue delay per our DPA.

We use cookies and similar technologies on our websites and in authenticated product sessions. For categories, purposes, lifetimes, and choices — including the specific cookies we set on authenticated sessions — see our Cookie Policy.

Subject to NDPA 2023 and applicable guidance, you have the following rights in relation to personal data we control about you. Many of these are available as self-service controls in your FastLogin dashboard; others require a written request to our privacy contact.

• Access.Download a machine-readable JSON bundle containing your profile, authentication metadata, consents, entitlements, organisation memberships, and verification-request metadata via your dashboard's export function. We aim to respond to subject-access requests within the statutory timeframe, typically within thirty (30) days.
• Rectification. Correct your profile fields directly in your dashboard. For data you cannot edit in-app (for example, review metadata), contact our privacy address below.
• Erasure.Request immediate erasure via the self-service "Erase my account" flow. This starts a forty-eight (48) hour cool-off window during which you can sign in and cancel. After the window, we delete identity traits, credentials, session state, device bindings, and risk signals, and revoke active consents. Audit entries and records we are required to retain under legal obligation (for example, financial records, completed verification records within their statutory window) persist per the retention schedule above; we will tell you which apply.
• Restriction and objection. Revoke specific consent scopes from your dashboard, or contact us to object to processing grounded in legitimate interest. We will consider each objection on its merits under NDPA 2023.
• Withdrawal of consent. Where processing relies on consent, you may withdraw it through your dashboard or message preferences. Withdrawal does not affect the lawfulness of prior processing.
• Data portability. The self-service export is provided in a commonly used, machine-readable format (JSON). Export to another controller on your behalf is not currently automated; contact us for assistance.
• Complaint to the regulator. You may lodge a complaint with the NDPC at any time. We ask that you contact us first so we can attempt to address the concern, but this is not a precondition to your right.

To exercise rights against Fastclinic as controller, contact contact@fastclinic.xyz with subject line "Data Protection Inquiry." Where we process data solely as a processor on behalf of a customer, we will direct you to that organisation, which is responsible for responding to patient or end-user requests in the first instance; we assist our customers as required by contract and law.

We do not make decisions with legal or similarly significant effect about you by automated means alone. Rule-based signals we use to detect unusual sign-in activity (see Device and risk signals) may prompt an additional verification step, but they do not silently deny service, and a human reviewer is involved in any decision to suspend or restrict an account for suspected abuse.

We have designated an internal role responsible for oversight of NDPA 2023 compliance, with direct escalation to the company's executive leadership. You may reach the Data Protection Officer (or current designate) at contact@fastclinic.xyz with the subject line "Data Protection Inquiry." We will acknowledge your message and respond in line with statutory timeframes.

Our Services are intended for use by healthcare organisations and authorised adults. We do not knowingly collect personal data from children for consumer purposes. Patient records may include minors' data as instructed by healthcare providers; such processing is governed by the controller's legal bases and clinical obligations.

We may update this Policy to reflect legal, regulatory, or operational changes. We will post the revised version on this page and update the "Last updated" date. Where changes are material and we are required to obtain consent or provide notice under NDPA 2023, we will do so in accordance with applicable law. Continued use of the Services after the effective date constitutes acceptance of the revised Policy where permitted by law.