OnPoint Privacy Program
Privacy Policy
This document explains how OnPoint handles personal data across account, care, payment, communication, and support workflows. It is written to be readable by users and to align with the Nigeria Data Protection Act 2023 and the GAID 2025 implementation framework.
Who We Are
OnPoint acts as the primary controller for personal data processed through the platform unless a specific service arrangement says otherwise. Our role covers account management, care workflows, bookings, diagnostics, billing, notifications, support, and privacy governance.
For privacy questions, contact the Data Protection Officer at privacy@onpointforall.com.
What Data We Collect
We may collect identity and account data such as your name, username, email, phone number, photo, and login/session data.
In care-related workflows we may process sensitive health and clinical data, including medical history, clinical notes, lab results, imaging results, prescriptions, patient movement records, and institution-linked access logs.
We may also process location data when you choose location-assisted features, payment and invoice data when you pay through the platform, and communication data for chats, WhatsApp intake, email, and notifications.
Why We Process Personal Data
- To create and secure your account.
- To deliver requested clinical, booking, support, and billing services.
- To support continuity of care, diagnostics, and patient safety.
- To detect fraud, abuse, service misuse, and security incidents.
- To meet legal, tax, audit, and regulatory obligations.
- To send optional marketing only where you have opted in.
Lawful Bases
OnPoint does not rely on consent for every health-sector workflow. Depending on the activity, we rely on service delivery/contract, medical-care necessity, legitimate interests, legal obligation, or consent where consent is the appropriate lawful basis.
Sharing, Processors, and Cross-Border Transfers
We use third-party processors for AI, messaging, mapping, payments, and notification delivery. Some of these providers may process data outside Nigeria. When we use them, we apply contractual controls, minimization, access control, and purpose limitation.
Retention
We keep data only for as long as necessary for the applicable workflow, safety, finance, audit, and legal requirements. Clinical and payment records may be retained longer than general product data.
Your Rights
Subject to applicable law and health-record obligations, you may request access, portability, rectification, restriction, or erasure, raise an objection, or lodge a complaint. Use the authenticated privacy dashboard or see the Data Subject Rights page for details.
