Privacy Policy

Effective Date: 6 April 2025  |  Last Updated: 6 April 2025

Contents
  1. Introduction
  2. Data Processing Roles and DPO
  3. Personal Data We Collect
  4. How We Collect Data
  5. How We Use Your Data
  6. Legal Basis for Processing
  7. Data Sharing and Disclosure
  8. Cross-Border Data Transfers
  9. Data Retention
  10. Your Rights
  11. Data Security Measures
  12. Consent Management
  13. Breach Notification
  14. Children's Data
  15. Changes to This Policy
  16. Complaints and Grievances
  17. Contact Us

1. Introduction

Kadara is a clinical operating system operated by uChamp Technologies Limited ("we," "us," "our"), a Nigerian Limited company. For patient clinical data processed through Kadara, the healthcare provider (clinic, hospital, or independent doctor) is the data controller under the Nigeria Data Protection Act 2023 (NDPA), and we act as data processor on the provider's instructions. uChamp Technologies Limited is a subsidiary of uChamp Inc., a Delaware public benefit corporation. This Privacy Policy explains how personal data of patients, healthcare providers, and clinic staff is collected, used, disclosed, and protected in compliance with the NDPA and the General Application and Implementation Directive (GAID) 2025.

2. Data Processing Roles and Data Protection Officer

For the purposes of the NDPA, the following data processing roles apply:

Role | Entity
Data Controller (Patient clinical data) | Healthcare provider (clinic, hospital, or independent doctor)
Data Processor (Technical processing of patient clinical data) | uChamp Technologies Limited, operating Kadara
Data Controller (Provider account data, billing, and corporate communications) | uChamp Technologies Limited, operating Kadara
Joint Controllers (Provider-branded patient communication powered by Kadara) | Healthcare provider and uChamp Technologies Limited

uChamp Technologies Limited remains the named legal entity until Kadara Health Technologies Limited is registered.

Data Protection Officer (DPO) Email: dpo@kadara.health  |  Phone: +2349137484007

3. Personal Data We Collect

3.1 Patient Data

Data Category | Examples | Legal Basis
Identifiers | Name, date of birth, NHIN, phone number | Consent, healthcare provision
Health Data | Medical history, diagnosis, SOAP notes, prescriptions, lab results | Healthcare provision, vital interest
Consultation Data | Audio recordings (deleted after transcription), consultation summaries | Consent
Communication Data | WhatsApp messages, appointment reminders | Legitimate interest

3.2 Healthcare Provider Data

Data Category | Examples
Professional Data | Name, medical license number, practice address, specialty
Account Data | Email address, phone number, login credentials, access logs
Financial Data | Billing information, claims submissions, payment records

3.3 Clinic and Hospital Data

Business name, registration number, address, NHIS provider code, financial records.

4. How We Collect Data

Collection Method | Description
From providers and patients through provider-managed workflows | When your provider uses Kadara to deliver visit summaries, reminders, or follow-up communication, or when you respond to those communications with consent
From healthcare providers | When doctors input patient information or use Kadara during consultations
From audio recordings | When a consultation is recorded for transcription (with consent)
From provider communication channels | When patients receive or respond to provider-branded communication powered by Kadara, including through channels such as WhatsApp used by the participating clinic or hospital
From connected systems | When integrated with clinic EHR systems

5. How We Use Your Data

Purpose | Description
Healthcare provision | Generate SOAP notes, clinical summaries, prescriptions, and care plans
Billing and claims | Submit NHIS claims, track payments, reconcile insurance payments
Patient communication | Process appointment reminders, medication alerts, and visit summaries on behalf of the participating clinic or hospital, with the provider as the visible sender to the patient
Quality improvement | Anonymized data to train and improve our AI models (with consent)
Legal compliance | Maintain audit trails, respond to lawful requests from regulators
Security | Detect and prevent unauthorized access or breaches

6. Legal Basis for Processing

We process personal data only where we have a lawful basis under NDPA Sections 24 to 32:

Legal Basis | Application
Consent | Patient opt-in for provider-branded summaries powered by Kadara, audio recording, and messages sent through provider communication channels
Healthcare provision | Treatment, diagnosis, and care coordination
Vital interest | Emergency situations where patient cannot provide consent
Legal obligation | Compliance with NHIA, MDCN, NDPC, or court orders
Legitimate interest | Fraud prevention, system security, service improvement

7. Data Sharing and Disclosure

We do not sell your personal data. We may share data in the following circumstances:

Recipient | Purpose | Safeguards
Healthcare providers | Treatment coordination, referrals | Contractual obligations, NDPA clauses
NHIA / HMOs | Claims processing, reimbursement | NHIA data sharing agreements, encryption
Government regulators | Compliance audits, legal requests | NDPC orders, court warrants
Service providers | Cloud hosting (AWS Nigeria region), AI processing | Data Processing Agreements (DPAs), encryption
Pharmacies, labs | Filling prescriptions, processing tests | Patient consent, limited data sharing

8. Cross-Border Data Transfers

Kadara is committed to data sovereignty. By default, all patient data is stored within Nigeria using AWS Nigeria region, with on-premise hosting designed for public hospital deployments.

Where cross-border transfer is necessary (for example, for AI model processing), we implement:

9. Data Retention

Data Type | Retention Period | Rationale
Medical records (SOAP notes) | Minimum 10 years post-last visit | NHIA requirements, medical liability
Audit logs | Minimum 10 years | NIS ISO 27789:2019 compliance
Audio recordings | Deleted immediately after transcription | Data minimization
Patient consent records | Duration of care plus 3 years | Legal proof of consent
WhatsApp communication | 30 days | Operational purposes
De-identified training data | Indefinite | AI model improvement

10. Your Rights Under the NDPA

Right | Description | How to Exercise
Right to be informed | Know what data we collect and why | This Privacy Policy
Right to access | Request a copy of your data | Email dpo@kadara.health
Right to rectification | Correct inaccurate data | Contact your healthcare provider or DPO
Right to erasure | Request deletion of your data | Subject to legal retention requirements
Right to restrict processing | Limit how we use your data | Submit request to DPO
Right to data portability | Receive your data in portable format | Request via DPO
Right to object | Object to processing based on legitimate interest | Submit objection to DPO
Automated decision-making | Not be subject to solely automated decisions | Human review always available

To exercise your rights, contact our DPO at dpo@kadara.health or call +2349137484007. We will respond within 30 days.

11. Data Security Measures

We implement the following security measures in compliance with NIS ISO 14441:2019:

Measure | Implementation
Encryption in transit | TLS 1.2 and above for all API traffic
Encryption at rest | AES-256 for stored data
Access control | Role-based access (RBAC), least privilege principle
Authentication | OAuth 2.0, biometric or PIN for mobile
Audit trails | Immutable logs of all access and modifications
Session management | Auto-logout after 5 minutes of inactivity
Pseudonymization | For analytics and research data (NIS ISO 25237:2019)

12. Consent Management

For patients receiving provider-branded communication powered by Kadara, the visible sender is the participating clinic or hospital, with Kadara acting as the underlying infrastructure processing data on the provider's behalf:

To receive provider-branded communication powered by Kadara, you must be a patient of a participating clinic or hospital and have provided consent to that provider.

13. Breach Notification

In the event of a personal data breach, we follow NDPA Section 40 requirements:

Timeframe | Action
Within 72 hours | Notify the Nigeria Data Protection Commission (NDPC)
Without undue delay | Notify affected data subjects if high risk
Immediately | Implement containment and remediation measures

14. Children's Data

Kadara may process data of minors as part of pediatric care. Parental or guardian consent is required for children under 18. We do not knowingly collect data from children without appropriate consent.

15. Changes to This Privacy Policy

We will notify users of material changes via email or WhatsApp at least 30 days in advance. The "Last Updated" date at the top of this policy will reflect changes.

16. Complaints and Grievance Mechanism

If you have a complaint about our data processing:

  1. Contact our DPO at dpo@kadara.health or call +2349137484007
  2. We will investigate and respond within 30 days
  3. If unsatisfied, escalate to the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng, No. 5 Donau Crescent, Off Amazon Street, Maitama, Abuja, FCT, Nigeria

17. Contact Us

Company Details

Data Protection Officer

General Inquiries