Patient privacy

Privacy Policy

This Privacy Policy explains how sureCova collects, uses, stores, and protects your personal and health data.

Version 1.0 - April 2026

Introduction

This Privacy Policy explains how sureCova collects, uses, stores, and protects your personal and health data. We take data protection seriously. Your health data is among the most sensitive information in existence, and we treat it accordingly.

This Policy is designed to comply with applicable data protection laws, including the Nigeria Data Protection Act 2023, the EU General Data Protection Regulation (GDPR), and the UK GDPR, where applicable.

Your information may be processed or stored in countries other than your country of residence. Where required by law, sureCova implements appropriate safeguards to protect personal data transferred across borders.

1. Data We Collect

We collect registration, health, transactional, and technical data needed to provide and protect the Service.

  • Registration data: full name, date of birth, gender, phone number, email address, country of residence, and optional profile photo.
  • Health data: declared medical conditions, symptoms, complaints, consultation information, vitals, doctor consultation notes, prescriptions, lab test orders and results, allergies, and medications on record.
  • Transactional data: subscription payment records, including amounts, dates, and payment method. Card numbers are held by our payment processor.
  • Technical data: IP address, device type, browser, operating system, session logs, access times, unique user ID, device ID, and push notification tokens.

2. How We Use Your Data

PurposeLegal basis
Providing the telehealth serviceContract performance
Storing your medical recordsContract performance + legal obligation
Sharing records with your doctor and prescribing doctorContract performance + your consent at onboarding
Processing subscription paymentsContract performance
Sending appointment and prescription remindersLegitimate interest
Improving the platformLegitimate interest (anonymised data only)
Complying with regulatory requestsLegal obligation
Responding to complaintsLegal obligation + legitimate interest

3. Who We Share Your Data With

We may disclose information where required by law, court order, or lawful requests from regulatory or public authorities.

We do not sell your health data. We do not share your health data with advertisers, ad networks, or third-party analytics services.

  • Your personal doctor: your full medical record is accessible to the doctor you subscribe to.
  • Your prescribing doctor: when a prescription is requested, they receive access to your medical record scoped to what is clinically relevant. Every access is logged.
  • Paystack / Stripe: payment processing only. They do not receive your health data.
  • AWS: secure cloud storage of your encrypted records.
  • Firebase: push notification delivery. Notification content is minimal and does not include clinical information.

4. Data Security

If a personal data breach occurs that is likely to result in a risk to your rights or freedoms, sureCova will investigate the incident and notify affected individuals and relevant regulatory authorities where required by applicable law.

sureCova may use artificial intelligence to assist with functions such as clinical documentation, health education, appointment reminders, and other support services. AI-generated outputs are intended to support healthcare delivery and do not replace the independent professional judgment of licensed healthcare practitioners.

  • All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Clinical records are cryptographically hashed on creation, so any tampering is detectable.
  • Access to patient records is logged in a tamper-evident audit trail.
  • Doctors can only access records of their own subscribed patients.
  • Prescribing doctors can only access records of patients whose prescriptions are routed to them.
  • sureCova staff access to production data requires multi-factor authentication and is logged.

5. Your Rights

Under applicable data protection law, you have the right to access, rectify, erase, port, restrict, and object to certain processing of your personal data. Clinical records may only be amended through your doctor, and deletion is subject to legal retention requirements.

You also have the right to lodge a complaint with the relevant data protection authority in your country if you believe your personal data has been processed unlawfully.

To exercise any right, email privacy@surecova.com. We will respond within 30 days.

6. Data Retention

  • Active account data is retained for the duration of the subscription.
  • Post-cancellation medical records remain accessible in read-only mode for 12 months.
  • Prescriptions and other records are retained for the period required under applicable healthcare, tax, and data protection laws.
  • Payment records are retained for 7 years for tax compliance.
  • Deleted account personal data is anonymised within 90 days, except where legal retention applies.

8. Cookies

The sureCova website uses essential cookies for session management and security. We do not use advertising or tracking cookies. Cookie preferences can be managed from your browser settings.

9. Updates to This Policy

We will notify you by email and in-app notification at least 30 days before making material changes to this Policy. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.