Privacy Policy

Effective Date: 22 February 2023

This Privacy Policy explains how Pay for Med ("PayForMed", "we", "us" or "our") collects, uses, shares and protects your personal information when you use our website, mobile application and related services (the "Services"). PayForMed is a healthcare payments and medical fundraising platform operated in Nigeria. We process your personal information in accordance with the Nigeria Data Protection Act 2023 (the "NDPA") and the directives of the Nigeria Data Protection Commission (the "NDPC").

1. Who We Are and Our Role

PayForMed is the data controller responsible for the personal information processed through the Services. We determine why and how your personal information is processed, and we are accountable for it under the NDPA. You provide personal information to us in order to use the Services, and we process only the information you provide and the information generated by your use of the Services.

We have appointed a Data Protection Officer (DPO) who oversees our compliance with data protection law. You can contact our DPO desk at Data Protection Officer (Chigozie Duru) — [email protected]. Please use the DPO contact above for all privacy-related requests and enquiries.

2. What Personal Information We Collect

We collect the following categories of personal information. We collect only what we need to provide the Services (see the Data Security and Minimisation section).

  • Identity and contact data: your full name, email address and phone number.
  • Identity-verification (KYC) data: your Bank Verification Number (BVN), National Identification Number (NIN) and date of birth, which we verify through Mono in order to activate your wallet.
  • Health data: medical invoices and information about the medical condition or need that is the subject of a campaign, together with related patient and healthcare-facility information. This is sensitive personal information.
  • Donation and payment data: information necessary to process your donations and payments, and to operate your wallet.
  • Account data: your login credentials and the security information associated with your account and wallet.
  • Device and usage data: technical information generated when you use the Services, such as device and log information, used to keep the Services secure.

4. Sensitive Personal Information (Health Data)

Because PayForMed exists to help fund medical needs, we process health data — including medical invoices and details of a medical condition. Under the NDPA, health data is sensitive personal information and requires a higher standard of protection. We process it only on the basis of your explicit consent, given at the point you provide it or create a campaign, and we do not use it for any purpose other than facilitating medical fundraising and payment to healthcare facilities.

5. Public Campaigns — Consent and Indemnity

When a campaign is created on PayForMed, the patient's health information and story become publicly visible so that the campaign can receive donations. Before any such information is published, we require the explicit consent of the data subject (the patient, or their authorised representative) to make that information public.

The person who creates a campaign confirms that they have obtained this consent, and agrees to indemnify and hold PayForMed harmless against any claim, loss or liability arising from the publication of the patient's information where the required consent was not validly obtained. A data subject may withdraw consent and request that their campaign be taken down at any time by contacting our DPO desk.

6. How We Share Your Information

We do not sell your personal information. We share it only with the service providers (data processors) that operate parts of the Services on our behalf, and only to the extent necessary for the purposes stated below. We share only the information necessary for each purpose, and we are putting data-processing agreements in place with our processors to require them to protect your information in line with the NDPA.

Processor / recipientPurposeLocation of processing
VFD Microfinance BankWallet and banking infrastructureNigeria
MonoIdentity and KYC verification (BVN, NIN)Nigeria
Flutterwave; PaystackPayment and donation processingNigeria
Amazon Web Services (S3)Secure storage of documents and mediaEuropean Union (Ireland)
GoogleAccount sign-in and facility location mappingUnited States / global
ResendDelivery of transactional emailUnited States
Cloudflare; Vercel; Google CloudHosting, content delivery and securityGlobal / United States

We may also disclose personal information where we are required to do so by law, by a court, or by a competent regulator (including the CBN, the NDPC or law-enforcement authorities).

7. Cross-Border Transfers of Data

Some of our processors store or process personal information outside Nigeria — for example, document storage in the European Union (Ireland) and certain hosting and email services in the United States. Where we transfer your personal information outside Nigeria, we do so only in accordance with the NDPA: to a jurisdiction or recipient that provides an adequate level of protection, under contractual safeguards that require the recipient to protect your information to NDPA standards, or on the basis of your consent. Contact our DPO desk for more information about these safeguards.

8. How Long We Keep Your Information

We keep your account, identity and banking information for as long as your account is active. When you delete your account, we delete your personal and account information — except records that we are required by law to retain, such as financial and KYC records that must be kept for the statutory period under CBN and anti-money-laundering rules. After that period those records are securely deleted.

We also retain aggregated, de-identified information (such as age range, gender and general location) to understand usage trends and improve our Services. Because this information no longer identifies you, it is not subject to the deletion described above.

9. Data Security and Data Minimisation

We implement appropriate technical and organisational measures to protect your personal information, including encryption of sensitive fields, access controls, secured storage and audit logging. Sensitive identifiers such as your BVN are stored in encrypted form. No method of transmission or storage is completely secure, so while we protect your information diligently we cannot guarantee absolute security.

We also practise data minimisation: we collect and retain only the personal information that is necessary for the specific purpose for which it is processed, and no more.

10. Cookies and Similar Technologies

We use only strictly necessary cookies — specifically, secure session and security cookies that keep you signed in and protect your account. These cookies are essential for the Services to function and, under the NDPA, do not require your prior consent. We do not use analytics, advertising or tracking cookies, and we do not track you across other websites. Because we use no non-essential cookies, no cookie-consent banner is required.

11. Your Rights as a Data Subject

Data protection rights are the same for every data subject, wherever you are located. Under the NDPA you have the following rights in relation to your personal information:

  • to be informed about how your information is processed;
  • to access the personal information we hold about you;
  • to have inaccurate information corrected (rectification);
  • to have your information deleted (erasure);
  • to restrict how we process your information;
  • to receive your information in a portable format (portability);
  • to object to processing based on our legitimate interest;
  • to withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal;
  • not to be subject to a decision based solely on automated processing;
  • to deactivate or delete your account;
  • to lodge a complaint with the Nigeria Data Protection Commission (NDPC).

To exercise any of these rights, contact our DPO desk at [email protected]. We will respond within the timeframe required by the NDPA. Exercising your rights is free of charge.

12. Information From or About Minors

The Services are intended for persons aged 18 and above, and BVN-based wallet activation is restricted to adults. We do not knowingly collect personal information from a person under 18 without the consent of a parent or guardian. Where a campaign concerns a minor, it must be created and consented to by the minor's parent or legal guardian. If you believe we hold information about a minor without appropriate consent, contact our DPO desk and we will delete it.

13. Data Breaches

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the NDPC within 72 hours of becoming aware of it, and will inform affected data subjects where the NDPA requires us to do so.

14. Changes to This Policy

We review this Privacy Policy on a scheduled basis and whenever there is a significant change to our Services or to the law. When we make a material change, we will update the effective date and, where appropriate, notify you.

15. How to Contact Us

For any question about this Privacy Policy or about how we handle your personal information, contact our Data Protection Officer at [email protected]. You also have the right to contact the Nigeria Data Protection Commission (NDPC) directly if you have a concern about our processing of your personal information.