Introduction
This Privacy Policy explains how sureCova collects, uses, stores, and protects your personal and health data. We take data protection seriously. Your health data is among the most sensitive information in existence, and we treat it accordingly.
This Policy is designed to comply with applicable data protection laws, including the Nigeria Data Protection Act 2023, the EU General Data Protection Regulation (GDPR), and the UK GDPR, where applicable.
Your information may be processed or stored in countries other than your country of residence. Where required by law, sureCova implements appropriate safeguards to protect personal data transferred across borders.
1. Data We Collect
We collect registration, health, transactional, and technical data needed to provide and protect the Service.
- Registration data: full name, date of birth, gender, phone number, email address, country of residence, and optional profile photo.
- Health data: declared medical conditions, symptoms, complaints, consultation information, vitals, doctor consultation notes, prescriptions, lab test orders and results, allergies, and medications on record.
- Transactional data: subscription payment records, including amounts, dates, and payment method. Card numbers are held by our payment processor.
- Technical data: IP address, device type, browser, operating system, session logs, access times, unique user ID, device ID, and push notification tokens.
2. How We Use Your Data
| Purpose | Legal basis |
|---|---|
| Providing the telehealth service | Contract performance |
| Storing your medical records | Contract performance + legal obligation |
| Sharing records with your doctor and prescribing doctor | Contract performance + your consent at onboarding |
| Processing subscription payments | Contract performance |
| Sending appointment and prescription reminders | Legitimate interest |
| Improving the platform | Legitimate interest (anonymised data only) |
| Complying with regulatory requests | Legal obligation |
| Responding to complaints | Legal obligation + legitimate interest |
4. Data Security
If a personal data breach occurs that is likely to result in a risk to your rights or freedoms, sureCova will investigate the incident and notify affected individuals and relevant regulatory authorities where required by applicable law.
sureCova may use artificial intelligence to assist with functions such as clinical documentation, health education, appointment reminders, and other support services. AI-generated outputs are intended to support healthcare delivery and do not replace the independent professional judgment of licensed healthcare practitioners.
- All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Clinical records are cryptographically hashed on creation, so any tampering is detectable.
- Access to patient records is logged in a tamper-evident audit trail.
- Doctors can only access records of their own subscribed patients.
- Prescribing doctors can only access records of patients whose prescriptions are routed to them.
- sureCova staff access to production data requires multi-factor authentication and is logged.
5. Your Rights
Under applicable data protection law, you have the right to access, rectify, erase, port, restrict, and object to certain processing of your personal data. Clinical records may only be amended through your doctor, and deletion is subject to legal retention requirements.
You also have the right to lodge a complaint with the relevant data protection authority in your country if you believe your personal data has been processed unlawfully.
To exercise any right, email privacy@surecova.com. We will respond within 30 days.
6. Data Retention
- Active account data is retained for the duration of the subscription.
- Post-cancellation medical records remain accessible in read-only mode for 12 months.
- Prescriptions and other records are retained for the period required under applicable healthcare, tax, and data protection laws.
- Payment records are retained for 7 years for tax compliance.
- Deleted account personal data is anonymised within 90 days, except where legal retention applies.
7. Consent
At registration, you provide explicit consent for sureCova to process your health data for the purposes described in this Policy. You may withdraw consent at any time by cancelling your subscription and requesting data deletion. Withdrawal of consent does not affect the lawfulness of prior processing.
9. Updates to This Policy
We will notify you by email and in-app notification at least 30 days before making material changes to this Policy. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
