Legal
NDPR & Data Protection
Last updated: June 2026
1. Our Commitment to Data Protection
Neurona Health Technologies Ltd. (“NeuronaHealth”) is committed to full compliance with the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR), issued by the National Information Technology Development Agency (NITDA) and overseen by the Nigeria Data Protection Commission (NDPC).
As a healthtech platform processing health-related data, we recognize our heightened responsibilities as a data controller under Nigerian data protection law. This page outlines our specific NDPR/NDPA compliance measures, your rights, and how we meet our obligations.
2. Data Controller & Data Protection Officer
Data Controller: Neurona Health Technologies Ltd.
Registered Address: 20 Babatunde Kuboye Street, Lekki Phase 1, Lagos, Nigeria
Data Protection Officer: Appointed in accordance with Section 24 of the NDPA
DPO Contact: dpo@neuronahealth.com
Our Data Protection Officer is responsible for overseeing our data protection strategy, ensuring NDPA compliance, handling data subject requests, and acting as the point of contact with the Nigeria Data Protection Commission.
3. Lawful Basis for Processing (NDPA Section 26)
We process personal data only when we have a lawful basis, as required by Section 26 of the NDPA:
- Consent (Section 26(1)(a)): Where you have given clear, specific, and informed consent for specific data processing activities (e.g., marketing communications, referral program participation).
- Contract performance (Section 26(1)(b)): Where processing is necessary for the performance of a contract to which you are a party (e.g., providing emergency coordination services).
- Legal obligation (Section 26(1)(c)): Where processing is necessary for compliance with a legal obligation to which we are subject.
- Vital interests (Section 26(1)(d)): Where processing is necessary to protect your life or safety, particularly in emergency medical coordination scenarios.
- Legitimate interests (Section 26(1)(e)): Where processing is necessary for our legitimate interests, provided such interests are not overridden by your rights and freedoms.
4. Special Category Data — Health Data (NDPA Section 30)
As a healthtech platform, we process special category data (health data) as defined under Section 30 of the NDPA. We recognize the heightened protections required and process health data only under the following conditions:
- Explicit consent: You have given explicit consent for specific health data processing purposes.
- Vital interests: Processing is necessary to protect your vital interests in emergency medical situations where you are unable to give consent.
- Substantial public interest: Processing is necessary for reasons of substantial public interest in the area of public health.
We conduct Data Protection Impact Assessments (DPIAs) for all processing activities involving health data, as required by Section 27 of the NDPA.
5. Data Subject Rights (NDPA Section 34–42)
The NDPA grants you the following rights. We will respond to all requests within 30 days and at no cost:
Right of Access (Section 34)
You have the right to obtain confirmation of whether your personal data is being processed, and to access that data along with details of the processing activities.
Right of Rectification (Section 35)
You have the right to request the correction of inaccurate or incomplete personal data. We must respond within 30 days.
Right of Erasure (Section 36)
You have the right to request the deletion of your personal data where: processing is no longer necessary; you withdraw consent; data was unlawfully processed; or erasure is required by law. Erasure requests are subject to legal retention requirements (e.g., healthcare records under Nigerian law).
Right of Data Portability (Section 37)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller without hindrance.
Right to Restrict Processing (Section 38)
You have the right to request restriction of processing where: you contest the accuracy of data; processing is unlawful but you prefer restriction over erasure; we no longer need the data but you need it for legal claims; or you have objected to processing pending verification.
Right to Object (Section 39)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. We must cease processing unless we demonstrate compelling legitimate grounds.
To exercise any right, contact our Data Protection Officer at dpo@neuronahealth.com.
6. Data Protection Impact Assessments (NDPA Section 27)
We conduct DPIAs for processing activities that are likely to result in a high risk to your rights and freedoms, including:
- Processing of health and emergency medical data
- Large-scale processing of personal data
- Automated decision-making and profiling
- Cross-border data transfers
- Use of new technologies for data processing
DPIAs are conducted before the start of processing activities and are reviewed annually or when there are significant changes to the processing.
7. Cross-Border Data Transfers (NDPA Section 44)
The NDPA restricts the transfer of personal data outside Nigeria. Where we transfer personal data internationally, we ensure one of the following safeguards is in place:
- Adequacy decision: The receiving country has been recognized as providing an adequate level of data protection.
- Standard contractual clauses: NDPC-approved contractual clauses binding the recipient to NDPA-equivalent protections.
- Binding corporate rules: For intra-group transfers, approved rules that ensure NDPA-level protection.
- Explicit consent: You have explicitly consented to the transfer after being informed of the risks.
We maintain a record of all cross-border data transfers and make this available to the NDPC upon request.
8. Data Breach Notification (NDPA Section 46)
In the event of a personal data breach, we comply with Section 46 of the NDPA:
- Notification to the NDPC: Within 72 hours of becoming aware of a breach that is likely to result in a risk to your rights and freedoms.
- Notification to data subjects: Without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
- Content of notification: Description of the breach, likely consequences, and measures taken or proposed to address the breach.
9. Data Processing Records (NDPA Section 28)
We maintain comprehensive records of our data processing activities as required by Section 28 of the NDPA, including:
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- International transfers and safeguards
- Retention periods
- Technical and organizational security measures
These records are available for inspection by the NDPC upon request.
10. NDPC Registration & Audit
NeuronaHealth is registered with the Nigeria Data Protection Commission as a data controller. We file annual data protection audit reports with the NDPC as required by the NDPA, and our most recent filing demonstrates our compliance with all applicable data protection requirements.
11. Complaints
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with:
Nigeria Data Protection Commission (NDPC)
Address: NITDA Building, No. 28, Port Harcourt Crescent, Off Gimbiya Street, Area 11, Garki, Abuja
Website: ndpc.gov.ng
You may also contact our Data Protection Officer directly at dpo@neuronahealth.com before or instead of filing a formal complaint.
12. Review & Updates
This NDPR compliance page is reviewed at least annually or whenever there are significant changes to our data processing activities or to Nigerian data protection law. Material changes will be communicated through the Platform and by email.
13. Contact
For all data protection inquiries, requests, and complaints:
Data Protection Officer
Neurona Health Technologies Ltd.
20 Babatunde Kuboye Street, Lekki Phase 1, Lagos, Nigeria
Email: dpo@neuronahealth.com
General inquiries: info@neuronahealth.com