ORTHOSPORT CLINICS

PRIVACY POLICY

Effective Date: January 29, 2026

Orthosport Clinics (“we”, “us”, “our”, or “the Clinic”) is dedicated to protecting the privacy, confidentiality, integrity, and security of all personal data and sensitive personal data (including health information) collected from patients, users, and visitors (“you”, “your”, or “data subject”).

This Privacy Policy explains our practices regarding the collection, use, disclosure, retention, security, and protection of your personal data when you:

  • Register an account on our website, mobile applications, patient portal, or any integrated digital interfaces (the “Platform”)
  • Choose a service, including:
    • Book a Consultation (virtual or in-person)
    • Get a Second Opinion
    • Join Membership
  • Submit medical information, upload documents, book appointments, participate in consultations, or otherwise use any of our Services

Legal & Regulatory Compliance

We process your data in full compliance with:

  • Nigeria Data Protection Act, 2023 (NDPA)
  • Nigeria Data Protection Regulation, 2019 (NDPR) (to the extent consistent with the NDPA)
  • National Health Act, 2014 (NHA) — particularly provisions on confidentiality of health records (Section 26), maintenance of records, and restrictions on disclosure
  • Relevant telemedicine guidelines, professional standards of the Medical and Dental Council of Nigeria (MDCN), and other applicable healthcare and data protection laws

We act as the data controller (and, in some cases, jointly with compliant data processors).

By accessing the Platform, registering, or using our Services, you consent to the practices described in this Privacy Policy.
If you do not agree, do not provide any personal data or use our Services.

We recommend that you read this Policy carefully and retain a copy for your records.


1. Scope and Application

This Privacy Policy applies to all personal data processed by Orthosport Clinics, including:

  • Data collected during registration (non-medical at the initial stage)
  • Health and medical data submitted for consultations, second opinions, or membership services
  • Data generated during virtual or in-person interactions
  • Automatically collected technical and usage data

This Policy is incorporated into and consistent with our Terms and Conditions, particularly sections addressing consent, data security, patient responsibilities, and limitations of liability.


2. Categories of Personal Data Collected

We collect only data that is adequate, relevant, and limited to what is necessary, in line with the data minimization principle under NDPA Section 24(1)(c).

2.1 Registration / Account Creation

(Minimal Non-Medical Data)

  • Full legal name
  • Valid email address
  • Phone number
  • Password (securely hashed)
  • Date of birth (for age and legal capacity verification)

2.2 Service-Specific Health & Medical Data

(Sensitive Personal Data)

Book a Consultation (Virtual or In-Person)

  • Symptoms and duration
  • Condition-specific details
  • Prior treatments, surgeries, medications, and allergies
  • Uploaded medical scans, reports, or documents (PDF, JPG, PNG, DICOM)

Get a Second Opinion

  • Primary medical concern (free-text description)
  • Affected body area (Knee, Hip, Spine, Shoulder, or Other)
  • Duration of symptoms:
    • Less than 6 weeks
    • 6 weeks to 6 months
    • Greater than 6 months
  • Whether surgery or treatment was advised (Yes/No)
  • Previous surgery (Yes/No, with details)
  • Uploaded medical files (MRI, CT, X-ray images, reports)

Join Membership / Ongoing Use

  • Appointment history
  • Usage patterns
  • Preferences related to care and services

2.3 Automatically Collected / Technical Data

  • IP address
  • Device and browser information
  • Login and activity timestamps
  • Payment metadata (note: full card details are never stored by Orthosport Clinics)

We do not collect special categories of personal data beyond what is strictly necessary for healthcare delivery, nor do we process data for unrelated purposes.


3. Purposes of Processing & Lawful Bases

(NDPA Sections 24–30)

We process personal data, including sensitive health data, only for explicit, specified, and legitimate purposes, including:

Key Purposes and Lawful Bases

  • Account registration and authentication
    • Lawful basis: Consent and contractual necessity
  • Scheduling, delivering, and following up on consultations and appointments
    • Lawful basis: Medical diagnosis, treatment, healthcare management (NDPA s.30(2)(b)) and contract
  • Providing second opinion reviews
    • Lawful basis: Medical diagnosis/treatment and explicit consent
  • Membership services and ongoing care
    • Lawful basis: Contractual necessity and consent
  • Clinical assessment, diagnosis, treatment planning, and follow-up
    • Lawful basis: Medical diagnosis and treatment
  • Communications (appointment reminders, results, clinical advice)
    • Lawful basis: Legitimate interests and/or consent
  • Legal and regulatory compliance
    • Lawful basis: Legal obligation (NDPA, NHA)
  • Security, fraud prevention, audits, and service improvement
    • Lawful basis: Legitimate interests not overridden by your rights

Explicit consent is obtained through mandatory checkboxes before any clinical processing, including submission of second opinion cases or participation in virtual consultations.


4. Mandatory Consents & Patient Acknowledgements

Before accessing clinical Services, you must affirmatively agree to the following:

  • Consent to Data Processing

I consent to the secure collection, storage, processing, sharing (where necessary for care), and clinical use of my personal and sensitive health information by Orthosport Clinics for medical consultation, second opinion review, treatment, follow-up care, membership services, and quality improvement, in accordance with this Privacy Policy, the NDPA, NDPR, and NHA.

  • Telemedicine Acknowledgement

I understand and accept that virtual consultations and telemedicine are not substitutes for emergency care, physical examination where clinically required, or hospital treatment, and I consent to receiving care via telemedicine where appropriate.

  • Accuracy of Information

I confirm that all information I provide is accurate, complete, and current to the best of my knowledge, and I accept responsibility for consequences arising from inaccuracies.

Footer displayed on relevant forms:

All personal data is encrypted in transit and at rest and processed in compliance with Nigerian data protection (NDPA/NDPR) and healthcare laws (NHA). Withdrawal of consent may prevent continued access to Services.


5. Sharing and Disclosure of Personal Data

We share personal data strictly on a need-to-know basis, including:

  • Authorized clinicians and staff, using role-based and least-privilege access
  • Trusted processors (e.g., secure cloud hosting, video consultation tools, payment gateways) under NDPA-compliant agreements
  • Regulatory or legal authorities where required by law or court order
  • Emergency situations to protect vital interests
  • Other parties only with your explicit consent

We do not sell personal data or share it for marketing without separate, explicit consent.

International data transfers (where unavoidable) are protected using NDPA-approved safeguards, including adequacy decisions or standard contractual clauses (NDPA Sections 41–43).


6. Data Security and Integrity

(NDPA Section 39)

We implement robust technical and organizational measures, including:

  • Encryption in transit (TLS 1.3+) and at rest (AES-256)
  • Secure password hashing and session management
  • Role-based access controls
  • Encrypted document uploads and storage
  • Regular audits, vulnerability testing, and breach detection
  • Incident response plans with mandatory notification to affected users and the Nigeria Data Protection Commission (NDPC)

7. Data Retention and Deletion

  • Health records: Retained in line with the NHA and professional guidelines (minimum of 10 years after last interaction, or longer where legally required)
  • Account data: Retained until deletion is requested, subject to statutory limitation periods
  • Anonymised data: May be retained indefinitely for analytics, research, and service improvement

Data is securely deleted or anonymised when no longer required.


8. Your Rights as a Data Subject

(NDPA Sections 32–38)

You have the right to:

  • Be informed about data processing
  • Access your personal data
  • Request rectification of inaccurate or incomplete data
  • Request erasure (subject to legal and health record retention requirements)
  • Restrict processing
  • Object to processing
  • Data portability
  • Withdraw consent at any time
  • Lodge a complaint with the Nigeria Data Protection Commission (NDPC)

Requests:
E: support@orthosportclinics.com

We verify identity and respond within 30 days, extendable as permitted by law.


9. Telemedicine and Service Limitations

Virtual services are for non-emergency use only.
Seek immediate emergency or in-person care when advised. Telemedicine does not replace physical examination where clinically necessary.


10. Amendments to This Policy

We may update this Privacy Policy periodically.
Material changes will be communicated via the Platform or email. Continued use of our Services constitutes acceptance of the updated Policy.


11. Contact Information & Data Protection Officer

Privacy / Data Protection Officer
E: support@orthosportclinics.com


Thank you for entrusting Orthosport Clinics with your care.
We uphold the highest standards of privacy, confidentiality, and data protection.