Privacy Policy

Last revised: 9 June 2026

Mascot Healthcare Clinic Limited (referred to as the "Company", "we", "us", or "our") operates this website, the MyDoctor mobile application, and related services, including online registration for health promotion, online consultations with licensed healthcare professionals, medical product and service advice, and an online community for health education, awareness, and promotion (collectively, the "Services").

This Privacy Policy explains how we collect, use, store, share, and protect your personal data, and the rights you have over it. We process personal data in accordance with the Nigeria Data Protection Act (NDPA) 2023, the NDPC General Application and Implementation Directive (GAID) 2025, the National Health Act 2014, and other applicable Nigerian laws and regulatory guidance issued by the Nigeria Data Protection Commission (NDPC).

By using our Services, you acknowledge that you have read and understood this Policy. Where we rely on your consent to process your data, we will ask for it separately and you may withdraw it at any time. If you do not agree with this Policy, please do not use our Services.

For any privacy question, request, or complaint, you may contact our Data Protection Officer (DPO) at [email protected] or [email protected].

Summary of Key Points

What personal data do we process? – Information you provide when registering and using the Services (such as your name, contact details, and health-related information), together with limited technical data needed to operate and secure the platform.
Do we process sensitive personal data? – Yes. Because we provide healthcare services, we process health-related data, which the NDPA classifies as sensitive personal data. We do so on a lawful basis (your explicit consent and/or the provision of healthcare), and we apply enhanced safeguards.
Do we receive data from third parties? – We may receive data from referring health professionals or partners you have authorised; we do not buy personal data from external marketing databases.
How do we use your data? – To deliver and manage healthcare services, operate and improve the platform, keep it secure, and meet legal and regulatory obligations.
Do we share your data? – We do not sell your data. We share it only with healthcare professionals and service providers necessary to deliver the Services, where required by law, or with your consent.
Your rights under the NDPA: – Access, rectification, erasure, restriction, data portability, objection, withdrawal of consent, and the right not to be subject to certain solely automated decisions.
How to exercise your rights? – Contact our DPO by email or use your account dashboard. You may also complain to the NDPC.

📑 Table of Contents

1. What information do we collect?
2. Sensitive (health) data
3. How and why we process your data (lawful bases)
4. When and with whom we share data
5. Cookies and tracking technologies
6. Social logins
7. International transfers
8. How we secure your data
9. Data breach notification
10. Automated decision-making
11. Data retention
12. Information from minors
13. Your rights under the NDPA
14. Do-Not-Track
15. Updates to this notice
16. Contact us & complaints
17. Review, update, or delete data

1. What information do we collect?

Information you provide to us. When you register, use our consultation services, participate in health education forums, or contact us, we may collect:

Identity and contact data — full name, email address, phone number, date of birth, and limited demographic information.
Account data — login credentials and account settings.
Health-related data — information you share for the purpose of a consultation or health query (see Section 2).
Communications — messages, queries, and feedback you send us.

Information we collect automatically. When you visit our website or use the MyDoctor app, our systems and hosting providers may automatically collect limited technical data necessary to operate and secure the Services, which may include your IP address, device and browser type, app version, log and diagnostic data, and session identifiers. We use this primarily for security, fraud prevention, and to keep the Services working correctly.

⚠ We do not use Google Analytics or use any 3rd party users or visitors analytics platform..

2. Sensitive (health) personal data

The NDPA treats data relating to a person's health, medical history, or treatment as sensitive personal data, which attracts stricter protection. Because we provide healthcare-related services, we may process such data — for example, symptoms or health concerns you submit, information shared during a consultation, and records arising from advice given to you.

We process sensitive personal data only where a lawful basis applies, in particular:

your explicit consent; or
where processing is necessary for the provision of healthcare or medical advice you have requested; or
where necessary to protect your vital interests or those of another person; or
where required or permitted by law.

We apply enhanced safeguards to sensitive data, restrict access to authorised personnel and the healthcare professionals involved in your care, and retain it in line with medical record-keeping requirements.

3. How and why we process your data

We have a lawful basis for each processing purpose. The table below sets out the main purposes and the basis we rely on.

Purpose	Lawful basis under the NDPA
Creating and managing your account and registration	Performance of a contract; consent
Facilitating online consultations and providing health/medical advice	Provision of healthcare; explicit consent (sensitive data)
Offering tailored product and service information you request	Consent; legitimate interests
Securing the platform and preventing fraud or abuse	Legitimate interests; legal obligation
Meeting legal, regulatory, and record-keeping obligations	Legal obligation
Sending service or marketing communications	Consent (you may opt out at any time)

4. When and with whom do we share your data?

We do not sell, rent, or trade your personal data. We share it only in these circumstances:

Healthcare professionals involved in your care or to whom you are referred (with your consent).
Service providers and data processors who help us operate the Services (for example, hosting, communications, or IT support) under a written data processing agreement that requires them to protect your data and use it only on our instructions.
Legal and regulatory disclosures — where required by law, court order, or a competent authority (such as the NDPC or relevant health regulators).
To protect rights and safety — where necessary to establish, exercise, or defend legal claims, or to prevent fraud or harm.

We do not share your data with third-party advertisers or marketing platforms.

5. Do we use cookies and tracking technologies?

We use cookies and similar technologies to operate and secure the Services. Strictly necessary cookies (for example, session management and security) are used without consent because the Services cannot function without them. For any non-essential cookies (such as analytics or preferences), we will request your consent through a cookie banner before they are set, and you can change your choice at any time. You can also manage cookies in your browser settings, though some features may not work properly if disabled.

Some pages load fonts and icons from external providers (Google Fonts and the Cloudflare CDN). These do not place advertising cookies, but they may receive your IP address in order to deliver the content. Our online assistant feature also sends the messages you type to a third-party AI provider so it can generate a response — please do not enter personal medical details into the assistant (see Section 4 on processors).

If we ever introduce non-essential cookies (for example, analytics or preference cookies), we will first ask for your consent through a clear cookie banner, with no pre-ticked boxes, and you will be able to accept, decline, or withdraw consent at any time. You can also block or delete cookies through your browser settings, though some features may stop working.

6. How do we handle social logins?

We do not require or support social login features (for example, "Login with Facebook/Google"). All accounts are created directly with us using your email and a secure password.

7. Is your data transferred internationally?

We aim to store and process personal data within Nigeria. However, some of our service providers (for example, cloud, email, or content-delivery providers) may process limited data outside Nigeria. Where this happens, we transfer data only in line with the NDPA — that is, to a country, organisation, or arrangement that provides an adequate level of protection, or under appropriate safeguards or another lawful transfer mechanism. You may contact our DPO for more information about these safeguards.

8. How do we secure your data?

We implement appropriate technical and organisational measures designed to protect your personal data against unauthorised access, loss, misuse, or alteration. These include access controls and role-based permissions, encryption of data in transit, secure authentication, regular review of our systems, and staff confidentiality obligations. No system can be guaranteed to be completely secure, but we work to protect your data and to respond promptly to any security incident.

9. Data breach notification

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of it, where required. Where the breach is likely to result in a high risk to you, we will also inform you without undue delay and explain the steps you can take. We maintain an internal record of breaches and the actions taken.

10. Automated decision-making and profiling

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without human involvement. If we ever introduce such processing, we will inform you, explain the logic involved, and give you the right to obtain human review, express your view, and contest the decision, as provided under the NDPA.

11. How long do we keep your data?

We keep personal data only for as long as necessary for the purposes set out in this Policy or as required by Nigerian law. Health and medical records are retained in line with the National Health Act 2014 and applicable medical record-keeping requirements. When data is no longer needed, we securely delete or anonymise it. You may request earlier deletion, subject to any legal obligation that requires us to retain certain records (for example, billing or regulatory audit).

12. Do we collect information from minors?

Our Services are intended for users aged 18 and above. We do not knowingly collect data from a child (a person under 18) without the consent of a parent or legal guardian, as required by the law. If we learn that we have collected a child's data without the required consent, we will delete it. A parent or guardian who believes their child has provided us data may contact us at [email protected].

13. Your rights under the law

As a data subject in Nigeria, you have the right to:

Be informed – about how your data is collected and used (this Policy).
Access – request confirmation of, and a copy of, the personal data we hold about you.
Rectification – correct inaccurate or incomplete data.
Erasure – request deletion of your data where there is no lawful ground to keep it.
Restriction – ask us to limit how we process your data in certain circumstances.
Data portability – receive your data in a structured, commonly used, machine-readable format.
Object – object to processing based on legitimate interests or to direct marketing.
Withdraw consent – where processing relies on consent, withdraw it at any time, as easily as it was given.
Lodge a complaint – with us and with the NDPC (see Section 16).

To exercise any right, contact our DPO at [email protected] or use your dashboard settings. We will respond within the timeframe required by the law. We will not discriminate against you for exercising your rights.

14. Do-Not-Track (DNT) controls

Because there is no agreed industry standard for Do-Not-Track signals, our systems do not currently respond to them. We do, however, honour the cookie choices you make through our cookie banner and browser settings, and we do not track you across third-party websites for advertising.

15. Updates to this Privacy Notice

We may update this Policy from time to time. The "Last revised" date at the top shows when it was last changed. Where changes are material, we will notify you by email or through a prominent notice on our website or app. Your continued use of the Services after an update takes effect indicates your awareness of the revised Policy; where the law requires fresh consent, we will ask for it.

16. How to contact us & how to complain

For any privacy question, request, or complaint:

Data Protection Officer (DPO): Dr Kehinde Lawal
Email: [email protected] / [email protected]
Company: Mascot Healthcare Clinic Limited
Registered address: No 52, Sholanke Street, Akoka, Lagos

If you are not satisfied with how we handle your request or complaint, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) via its official channels at ndpc.gov.ng.

17. How to review, update, or delete your data

You can manage much of your personal data directly:

Via your dashboard: log in to your account on the website or the MyDoctor app and use "Account Options" to view or update your profile, or to request account deletion.
Via email: send a request to [email protected] with "Data Request" in the subject line.

On account deletion, we will remove your data from our active systems within a reasonable period (and no later than 30 days where practicable), subject to any legal obligation to retain certain records, such as medical, billing, or regulatory-audit records.