Effective Date: 22 February 2023
This Privacy Policy explains how Pay for Med ("PayForMed", "we", "us" or "our") collects, uses, shares and protects your personal information when you use our website, mobile application and related services (the "Services"). PayForMed is a healthcare payments and medical fundraising platform operated in Nigeria. We process your personal information in accordance with the Nigeria Data Protection Act 2023 (the "NDPA") and the directives of the Nigeria Data Protection Commission (the "NDPC").
PayForMed is the data controller responsible for the personal information processed through the Services. We determine why and how your personal information is processed, and we are accountable for it under the NDPA. You provide personal information to us in order to use the Services, and we process only the information you provide and the information generated by your use of the Services.
We have appointed a Data Protection Officer (DPO) who oversees our compliance with data protection law. You can contact our DPO desk at Data Protection Officer (Chigozie Duru) — [email protected]. Please use the DPO contact above for all privacy-related requests and enquiries.
We collect the following categories of personal information. We collect only what we need to provide the Services (see the Data Security and Minimisation section).
The NDPA requires us to have a specific lawful basis for each way we use your personal information. We do not rely on broad, catch-all justifications. The table below states each processing activity, its purpose, and the single lawful basis we rely on.
| Processing activity | Purpose | Legal basis under the NDPA |
|---|---|---|
| Account registration & authentication | Create and secure your PayForMed account | Performance of a contract |
| Identity & KYC verification — BVN, NIN, date of birth (via Mono) | Verify your identity and meet CBN/AML obligations before wallet activation | Compliance with a legal obligation |
| Wallet creation & banking operations (via VFD) | Create and operate your wallet; execute transfers | Performance of a contract |
| Processing donations & payments (via Flutterwave, Paystack) | Process donations and payments to campaigns and facilities | Performance of a contract |
| Publishing a medical campaign | Display the campaign publicly so it can receive donations | Explicit consent of the data subject |
| Processing health data (medical invoices, condition details) | Facilitate medical fundraising and direct-to-facility payment | Explicit consent of the data subject |
| Transactional communications (via Resend) | Send receipts, account, transaction and security notifications | Performance of a contract |
| Fraud prevention, security & audit logging | Protect users and the platform and detect or prevent fraud | Legal obligation and legitimate interest |
| Aggregated, de-identified analytics (age, gender, location) | Understand usage trends and improve our Services | Legitimate interest (data no longer identifies you) |
Because PayForMed exists to help fund medical needs, we process health data — including medical invoices and details of a medical condition. Under the NDPA, health data is sensitive personal information and requires a higher standard of protection. We process it only on the basis of your explicit consent, given at the point you provide it or create a campaign, and we do not use it for any purpose other than facilitating medical fundraising and payment to healthcare facilities.
When a campaign is created on PayForMed, the patient's health information and story become publicly visible so that the campaign can receive donations. Before any such information is published, we require the explicit consent of the data subject (the patient, or their authorised representative) to make that information public.
The person who creates a campaign confirms that they have obtained this consent, and agrees to indemnify and hold PayForMed harmless against any claim, loss or liability arising from the publication of the patient's information where the required consent was not validly obtained. A data subject may withdraw consent and request that their campaign be taken down at any time by contacting our DPO desk.
Some of our processors store or process personal information outside Nigeria — for example, document storage in the European Union (Ireland) and certain hosting and email services in the United States. Where we transfer your personal information outside Nigeria, we do so only in accordance with the NDPA: to a jurisdiction or recipient that provides an adequate level of protection, under contractual safeguards that require the recipient to protect your information to NDPA standards, or on the basis of your consent. Contact our DPO desk for more information about these safeguards.
We keep your account, identity and banking information for as long as your account is active. When you delete your account, we delete your personal and account information — except records that we are required by law to retain, such as financial and KYC records that must be kept for the statutory period under CBN and anti-money-laundering rules. After that period those records are securely deleted.
We also retain aggregated, de-identified information (such as age range, gender and general location) to understand usage trends and improve our Services. Because this information no longer identifies you, it is not subject to the deletion described above.
We implement appropriate technical and organisational measures to protect your personal information, including encryption of sensitive fields, access controls, secured storage and audit logging. Sensitive identifiers such as your BVN are stored in encrypted form. No method of transmission or storage is completely secure, so while we protect your information diligently we cannot guarantee absolute security.
We also practise data minimisation: we collect and retain only the personal information that is necessary for the specific purpose for which it is processed, and no more.
Data protection rights are the same for every data subject, wherever you are located. Under the NDPA you have the following rights in relation to your personal information:
To exercise any of these rights, contact our DPO desk at [email protected]. We will respond within the timeframe required by the NDPA. Exercising your rights is free of charge.
The Services are intended for persons aged 18 and above, and BVN-based wallet activation is restricted to adults. We do not knowingly collect personal information from a person under 18 without the consent of a parent or guardian. Where a campaign concerns a minor, it must be created and consented to by the minor's parent or legal guardian. If you believe we hold information about a minor without appropriate consent, contact our DPO desk and we will delete it.
If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the NDPC within 72 hours of becoming aware of it, and will inform affected data subjects where the NDPA requires us to do so.
We review this Privacy Policy on a scheduled basis and whenever there is a significant change to our Services or to the law. When we make a material change, we will update the effective date and, where appropriate, notify you.
For any question about this Privacy Policy or about how we handle your personal information, contact our Data Protection Officer at [email protected]. You also have the right to contact the Nigeria Data Protection Commission (NDPC) directly if you have a concern about our processing of your personal information.