Kadara is a clinical operating system operated by uChamp Technologies Limited ("we," "us," "our"), a Nigerian limited company. For patient clinical data processed through Kadara, the healthcare provider (clinic, hospital, or independent doctor) is the data controller under the Nigeria Data Protection Act 2023 (NDPA), and we act as data processor on the provider's instructions. uChamp Technologies Limited is a subsidiary of uChamp Inc., a Delaware public benefit corporation. This Privacy Policy explains how personal data of patients, healthcare providers, and clinic staff is collected, used, disclosed, and protected in compliance with the NDPA and the General Application and Implementation Directive (GAID) 2025.
For the purposes of the NDPA, the following data processing roles apply:
| Role | Entity |
|---|---|
| Data Controller (Patient clinical data) | Healthcare provider (clinic, hospital, or independent doctor) |
| Data Processor (Technical processing of patient clinical data) | uChamp Technologies Limited, operating Kadara |
| Data Controller (Provider account data, billing, and corporate communications) | uChamp Technologies Limited, operating Kadara |
| Joint Controllers (Provider-branded patient communication powered by Kadara) | Healthcare provider and uChamp Technologies Limited |
uChamp Technologies Limited remains the named legal entity until Kadara Health Technologies Limited is registered.
| Data Category | Examples | Legal Basis |
|---|---|---|
| Identifiers | Name, date of birth, NHIN, phone number | Consent, healthcare provision |
| Health Data | Medical history, diagnosis, SOAP notes, prescriptions, lab results | Healthcare provision, vital interest |
| Consultation Data | Audio recordings (deleted after transcription), consultation summaries | Consent |
| Communication Data | WhatsApp messages, appointment reminders | Legitimate interest |
| Data Category | Examples |
|---|---|
| Professional Data | Name, medical license number, practice address, specialty |
| Account Data | Email address, phone number, login credentials, access logs |
| Financial Data | Billing information, claims submissions, payment records |
Business name, registration number, address, NHIS provider code, financial records.
| Collection Method | Description |
|---|---|
| From providers and patients through provider-managed workflows | When your provider uses Kadara to deliver visit summaries, reminders, or follow-up communication, or when you respond to those communications with consent |
| From healthcare providers | When doctors input patient information or use Kadara during consultations |
| From audio recordings | When a consultation is recorded for transcription (with consent) |
| From provider communication channels | When patients receive or respond to provider-branded communication powered by Kadara, including through channels such as WhatsApp used by the participating clinic or hospital |
| From connected systems | When integrated with clinic EHR systems |
| Purpose | Description |
|---|---|
| Healthcare provision | Generate SOAP notes, clinical summaries, prescriptions, and care plans |
| Billing and claims | Submit NHIS claims, track payments, reconcile insurance payments |
| Patient communication | Process appointment reminders, medication alerts, and visit summaries on behalf of the participating clinic or hospital, with the provider as the visible sender to the patient |
| Quality improvement | Anonymized data to train and improve our AI models (with consent) |
| Legal compliance | Maintain audit trails, respond to lawful requests from regulators |
| Security | Detect and prevent unauthorized access or breaches |
We process personal data only where we have a lawful basis under NDPA Sections 24 to 32:
| Legal Basis | Application |
|---|---|
| Consent | Patient opt-in for provider-branded summaries powered by Kadara, audio recording, and messages sent through provider communication channels |
| Healthcare provision | Treatment, diagnosis, and care coordination |
| Vital interest | Emergency situations where the patient cannot provide consent |
| Legal obligation | Compliance with NHIA, MDCN, NDPC, or court orders |
| Legitimate interest | Fraud prevention, system security, service improvement |
We do not sell your personal data. We may share data in the following circumstances:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Healthcare providers | Treatment coordination, referrals | Contractual obligations, NDPA clauses |
| NHIA / HMOs | Claims processing, reimbursement | NHIA data sharing agreements, encryption |
| Government regulators | Compliance audits, legal requests | NDPC orders, court warrants |
| Service providers | Cloud hosting (AWS Nigeria region), AI processing | Data Processing Agreements (DPAs), encryption |
| Pharmacies, labs | Filling prescriptions, processing tests | Patient consent, limited data sharing |
Kadara is committed to data sovereignty. By default, all patient data is stored within Nigeria using the AWS Nigeria region, with on-premise hosting designed for public hospital deployments.
Where cross-border transfer is necessary (for example, for AI model processing), we implement:
| Data Type | Retention Period | Rationale |
|---|---|---|
| Medical records (SOAP notes) | Minimum 10 years post-last visit | NHIA requirements, medical liability |
| Audit logs | Minimum 10 years | NIS ISO 27789:2019 compliance |
| Audio recordings | Deleted immediately after transcription | Data minimization |
| Patient consent records | Duration of care plus 3 years | Legal proof of consent |
| WhatsApp communication | 30 days | Operational purposes |
| De-identified training data | Indefinite | AI model improvement |
| Right | Description | How to Exercise |
|---|---|---|
| Right to be informed | Know what data we collect and why | This Privacy Policy |
| Right to access | Request a copy of your data | Email dpo@kadara.health |
| Right to rectification | Correct inaccurate data | Contact your healthcare provider or DPO |
| Right to erasure | Request deletion of your data | Subject to legal retention requirements |
| Right to restrict processing | Limit how we use your data | Submit request to DPO |
| Right to data portability | Receive your data in portable format | Request via DPO |
| Right to object | Object to processing based on legitimate interest | Submit objection to DPO |
| Automated decision-making | Not be subject to solely automated decisions | Human review always available |
To exercise your rights, contact our DPO at dpo@kadara.health or call +2349137484007. We will respond within 30 days.
We implement the following security measures in compliance with NIS ISO 14441:2019:
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2 and above for all API traffic |
| Encryption at rest | AES-256 for stored data |
| Access control | Role-based access (RBAC), least privilege principle |
| Authentication | OAuth 2.0, biometric or PIN for mobile |
| Audit trails | Immutable logs of all access and modifications |
| Session management | Auto-logout after 5 minutes of inactivity |
| Pseudonymization | For analytics and research data (NIS ISO 25237:2019) |
For patients receiving provider-branded communication powered by Kadara, the visible sender is the participating clinic or hospital, with Kadara acting as the underlying infrastructure processing data on the provider's behalf:
To receive provider-branded communication powered by Kadara, you must be a patient of a participating clinic or hospital and have provided consent to that provider.
In the event of a personal data breach, we follow NDPA Section 40 requirements:
| Timeframe | Action |
|---|---|
| Within 72 hours | Notify the Nigeria Data Protection Commission (NDPC) |
| Without undue delay | Notify affected data subjects if high risk |
| Immediately | Implement containment and remediation measures |
Kadara may process data of minors as part of pediatric care. Parental or guardian consent is required for children under 18. We do not knowingly collect data from children without appropriate consent.
We will notify users of material changes via email or WhatsApp at least 30 days in advance. The "Last Updated" date at the top of this policy will reflect changes.
If you have a complaint about our data processing: