Legal

Privacy Policy

Your health data is sacred. This policy explains exactly what we collect, why we collect it, how we protect it, and the rights you hold over it.

Effective: 26 April 2025 | Last updated: 26 April 2025 | Version: 1.0

Important: Westa Care is a healthcare platform. Some of the data we handle qualifies as sensitive health information. Please read this policy carefully before using our services.

01

Introduction

Westalic Technologies Limited (“Westa Care”, “we”, “us” or “our”) operates the Westa Care digital healthcare platform, accessible via our website and mobile applications (together, the “Platform”).

This Privacy Policy describes how we collect, use, store, share, and protect information about you when you access or use our Platform. It applies to all users, including patients, doctors, hospitals, pharmacies, laboratories, and medical personnel.

By creating an account, accessing, or using the Platform, you acknowledge that you have read and understood this policy. If you do not agree, please do not use the Platform.

02

Who We Are

Westalic Technologies Limited is a technology company incorporated in the Federal Republic of Nigeria, operating the Westa Care digital health platform. We connect patients with verified doctors, hospitals, pharmacies, and diagnostic laboratories to deliver accessible, convenient, and high-quality healthcare.

For the purposes of applicable data protection legislation, Westalic Technologies Limited is the Data Controller of your personal information.

Our designated Data Protection Officer (“DPO”) can be reached at privacy@westalic.com.

03

Information We Collect

We collect information from and about you in three primary ways: information you provide directly, information generated through your use of the Platform, and information from third parties.

3.1 Account & Identity Information

  • Full name, email address, and password
  • Phone number
  • Date of birth and gender
  • Nationality, state of origin, and local government area
  • Profile photograph
  • Account type (patient, doctor, hospital, pharmacy, lab, medical personnel)

3.2 Patient Health Information

  • Medical history, including past conditions, surgeries, and family history
  • Current medications and known allergies
  • Symptoms, diagnoses, and treatment plans shared during consultations
  • Vital signs (blood pressure, heart rate, temperature, weight, height, oxygen saturation)
  • Prescriptions issued on the Platform
  • Lab test orders and results
  • Hospital referral records and discharge summaries
  • Medical documents and imaging files you upload
  • Emergency contact details
  • Insurance provider and policy number

3.3 Healthcare Provider Information

  • Professional qualifications, specialisation, and years of experience
  • Medical or practitioner licence number and regulatory body
  • Licence expiry date
  • Registration type and employment status
  • Workplace name, address, and department
  • Degree obtained, institution name, and graduation year
  • Availability schedule
  • Consultation rates
  • Professional biography

3.4 Facility & Institutional Information (Hospitals, Pharmacies, Labs)

  • Facility or business name, registration number, and type
  • Accreditation and certification details
  • Contact information, address, and operating hours
  • Owner or director names and licence numbers
  • Services offered, departments, and bed count (hospitals)
  • Tests offered and turnaround times (labs)
  • Delivery radius and insurance acceptance (pharmacies)

3.5 Appointment & Consultation Data

  • Appointment date, time, type (physical, video, audio, chat), status, and reason
  • Consultation notes, diagnoses, and follow-up dates
  • Workflow records linking doctors to labs, pharmacies, and hospitals
  • Referral letters and clinical instructions

3.6 Communications

  • Messages sent through our in-platform messaging system
  • Workflow communications between care teams
  • Support tickets and feedback submitted to us
  • Notification preferences and read status

3.7 Payment & Financial Information

We process payments through regulated third-party payment processors. We do not store your full card number, CVV, or bank account credentials on our servers. We retain:

  • Transaction reference numbers
  • Payment method type (card, bank transfer, USSD, insurance)
  • Transaction amount, date, and status
  • Appointment linked to a payment

3.8 Technical & Usage Data

  • IP address and approximate geographic location
  • Browser type, version, and operating system
  • Device type, model, and unique device identifiers
  • Pages viewed, features used, and session duration
  • Referral source (how you arrived at the Platform)
  • Error logs and crash reports
  • Search queries made within the Platform

3.9 Information from Third Parties

  • Google account profile data when you sign in with Google (name, email, profile picture)
  • Verification status or credential validation from regulatory bodies (where applicable)

04

How We Use Your Information

We use your information only for legitimate purposes and always within the bounds of applicable law.

4.1 Providing Our Services

  • Creating and managing your account
  • Matching patients with appropriate healthcare providers
  • Processing appointment bookings, confirmations, and cancellations
  • Enabling consultations (video, audio, chat, in-person coordination)
  • Generating prescriptions, referrals, and lab orders
  • Facilitating clinical workflows between care team members
  • Displaying your profile to verified parties (patients see doctor profiles; doctors see patient appointment details)
  • Processing payments

4.2 Communications & Notifications

  • Sending appointment reminders, confirmations, and updates
  • Delivering in-app and email notifications
  • Sending your account activation and password-reset emails
  • Alerting care team members to new workflows, results, and messages

4.3 Safety & Trust

  • Verifying the credentials and identity of healthcare providers
  • Detecting and preventing fraud, abuse, and unauthorised access
  • Enforcing our Terms of Service and Community Guidelines
  • Investigating and resolving disputes

4.4 Platform Improvement

  • Analysing anonymised usage patterns to improve features
  • Diagnosing technical problems and bugs
  • Conducting internal research and analytics (using aggregated, de-identified data only)

4.5 Legal & Regulatory Obligations

  • Complying with Nigerian law, court orders, and lawful requests by regulators
  • Maintaining records as required by healthcare regulations
  • Protecting rights, property, and safety of users and the public

05

Sharing Your Information

We do not sell your personal data. We share information only as described below.

5.1 Within the Care Team

Information is shared between care team members to enable treatment. For example:

  • A doctor sees a patient’s appointment reason, medical history, and relevant records to provide care
  • A patient sees their doctor’s profile, specialisation, and availability
  • A laboratory receives a test order and the associated instructions from the referring doctor
  • A pharmacy receives a medication order and dosage instructions
  • A hospital receives a referral with supporting clinical notes

5.2 Service Providers

We engage trusted third-party processors who act on our instructions:

  • Cloud infrastructure and database hosting providers
  • Payment processing partners (who handle transactions under their own regulatory frameworks)
  • Email delivery services (for transactional and notification emails)
  • Analytics tools (using anonymised or aggregated data)
  • Security and fraud prevention vendors

5.3 Legal Requirements

We may disclose information where we believe in good faith that disclosure is necessary to:

  • Comply with applicable law, regulation, legal process, or enforceable government request
  • Protect the health, safety, or rights of any person
  • Detect, investigate, or prevent fraud or criminal activity
  • Defend legal claims brought against us

5.4 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our assets, user data may be transferred as a business asset. We will notify you via email or a prominent notice on the Platform prior to your data being transferred and becoming subject to a different privacy policy.

5.5 With Your Consent

We may share your information with third parties when you have given us specific consent to do so, for example when connecting with an external health insurance system or sharing records with a provider outside the Platform.

06

Health & Medical Data

Health and medical information is among the most sensitive categories of personal data. We treat it with the highest level of care and apply additional protections beyond what we apply to general personal data.

6.1 Legal Basis for Processing Health Data

We process health data on the following bases:

  • Your explicit consent (given when you register and create a health profile)
  • Provision of medical care and treatment (when you engage with healthcare providers on the Platform)
  • Legitimate interests in operating a safe, functioning healthcare platform
  • Compliance with legal and regulatory obligations applicable to healthcare providers and platforms in Nigeria

6.2 Access Controls

Access to health data is strictly controlled. Doctors only see patient health data pertaining to appointments they are actively involved in. Partner facilities (labs, hospitals, pharmacies) only see the clinical information necessary to fulfil a specific workflow or referral. Patients can view and manage their own records at all times.

6.3 Medical Confidentiality

All healthcare providers using the Platform are bound by their professional obligations of medical confidentiality, as well as our Terms of Service, which incorporate strict obligations regarding patient privacy and professional conduct.

6.4 No Advertising Use of Health Data

We will never use your health or medical data to serve you targeted advertisements, sell it to insurance companies to affect your premiums, or share it with employers or any third party for non-clinical purposes without your explicit consent.

07

Data Security

We implement industry-standard technical and organisational security measures to protect your information against unauthorised access, alteration, disclosure, or destruction.

  • All data is encrypted in transit using TLS (Transport Layer Security)
  • Passwords are hashed using industry-standard algorithms and are never stored in plaintext
  • Authentication tokens are short-lived and use JWT standards
  • Access to production databases is restricted to authorised personnel only
  • We conduct regular security reviews and vulnerability assessments
  • All API endpoints require authentication except explicitly public discovery endpoints
  • We maintain audit logs of data access for sensitive health records

Despite these measures, no system is completely secure. In the event of a data breach that is likely to pose a high risk to your rights and freedoms, we will notify you and relevant authorities in accordance with applicable law.

08

Data Retention

We retain your data for as long as your account is active or as needed to provide services. Specific retention periods:

  • Account data: retained for the lifetime of your account plus 7 years after closure (in line with standard financial and legal record-keeping obligations)
  • Medical records and consultation data: retained for a minimum of 7 years from the date of the consultation, or longer where required by Nigerian medical regulations
  • Payment transaction records: retained for 7 years in accordance with Nigerian financial regulations
  • Communication logs (messages): retained for 3 years or the duration of the clinical relationship, whichever is longer
  • Technical & usage logs: retained for up to 12 months
  • Anonymised and aggregated analytics data: may be retained indefinitely

When data is no longer needed, we securely delete or anonymise it. You may request earlier deletion of non-medically-mandated data by contacting us (see Section 16).

09

Your Rights

Under the Nigeria Data Protection Regulation (NDPR) and other applicable laws, you have the following rights regarding your personal data:

Right to Access

You may request a copy of the personal data we hold about you at any time.

Right to Rectification

If any information we hold about you is inaccurate or incomplete, you have the right to have it corrected. Most account and profile data can be updated directly within the Platform.

Right to Erasure (“Right to be Forgotten”)

You may request deletion of your personal data. Note that we may be required to retain certain data (particularly medical records) for legally mandated periods. We will always tell you what we can and cannot delete and why.

Right to Restriction of Processing

In certain circumstances, you may ask us to restrict the processing of your data (e.g., while a dispute is being resolved).

Right to Data Portability

You may request your personal data in a structured, commonly used, machine-readable format so you can transfer it to another service.

Right to Object

You may object to the processing of your data where we rely on legitimate interests as our legal basis.

Right to Withdraw Consent

Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

To exercise any of these rights, contact us at privacy@westalic.com. We will respond within 30 days.

10

Cookies & Tracking Technologies

We use cookies and similar tracking technologies to operate and improve the Platform.

Types of Cookies We Use

  • Strictly Necessary: Required for the Platform to function (e.g., session cookies, authentication tokens). Cannot be disabled.
  • Functional: Remember your preferences and settings (e.g., language, theme).
  • Analytics: Help us understand how users interact with the Platform (using anonymised data). These can be disabled.
  • Security: Used to detect and prevent fraudulent activity.

We do not use advertising or tracking cookies from third-party ad networks. You can manage cookies through your browser settings. Disabling strictly necessary cookies will impair Platform functionality.

11

Minors

The Westa Care Platform is not directed to children under 18 years of age. We do not knowingly collect personal data from children under 18 without verified parental or guardian consent.

If a healthcare provider needs to create an appointment record for a minor patient, this must be done with the explicit consent of a parent or legal guardian, who must also have an account on the Platform or provide written consent through a verified process.

If we discover that we have collected data from a child under 18 without appropriate consent, we will delete it promptly. Parents or guardians who believe their child’s data has been collected should contact us immediately at privacy@westalic.com.

12

NDPR & Regulatory Compliance

We are committed to compliance with the Nigeria Data Protection Regulation (NDPR) 2019, issued by the National Information Technology Development Agency (NITDA), and any successor legislation including the Nigeria Data Protection Act (NDPA) 2023.

  • We have appointed a Data Protection Officer (DPO)
  • We maintain a record of processing activities
  • We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities
  • We train staff on data protection obligations
  • We will notify NITDA and affected users of reportable data breaches within the timeframes required by law
  • We use Data Processing Agreements with all third-party processors

We also operate in accordance with the guidelines of the Federal Ministry of Health, the Medical and Dental Council of Nigeria (MDCN), the Pharmacy Council of Nigeria (PCN), the Medical Laboratory Science Council of Nigeria (MLSCN), and other relevant regulatory bodies.

13

International Data Transfers

Our primary data processing occurs within Nigeria. However, some of our third-party service providers (such as cloud infrastructure and email services) may process data outside Nigeria.

When we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Data Processing Agreements with standard contractual clauses
  • Transfers only to countries or processors with adequate data protection standards
  • Your explicit consent where required by law

14

Third-Party Services & Links

The Platform may contain links to third-party websites or services (e.g., partner health information resources). These third parties have their own privacy policies, and we have no responsibility or liability for their practices.

Third-party services we may use include:

  • Google Sign-In (governed by Google’s Privacy Policy)
  • Payment processors such as Paystack or Flutterwave (governed by their own policies)
  • Cloud hosting providers
  • Email service providers

15

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make material changes, we will:

  • Update the “Last updated” date at the top of this page
  • Send an email notification to all registered users
  • Display a prominent in-app banner for at least 14 days

Your continued use of the Platform after the effective date of a revised policy constitutes your acceptance of the changes.

16

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Westalic Technologies Limited

Data Protection Officer: privacy@westalic.com

General enquiries: hello@westalic.com

We aim to respond to all data protection enquiries within 30 days.

If you are unsatisfied with our response, you have the right to lodge a complaint with the National Information Technology Development Agency (NITDA) at nitda.gov.ng.

Also see our Community Guidelines

Our Community Guidelines set out the standards of conduct we expect from all users of the Platform.