Legal

Data Privacy & Protection

Last updated: June 2026

1. Our Commitment to Data Protection

Neurona Health Ltd. (“Neurona”) is committed to protecting your personal data wherever you are in the world. We comply with the Nigeria Data Protection Act 2023 (NDPA), the EU General Data Protection Regulation (GDPR), and other applicable data protection laws in the jurisdictions where we operate.

As a healthtech platform processing health-related data, we recognize our heightened responsibilities as a data controller. This page outlines your data protection rights, our compliance measures, and how we meet our obligations across all regions we serve.

2. Data Controller & Data Protection Officer

Data Controller: Neurona Health Ltd.

Registered Address: 20 Babatunde Kuboye Street, Lekki Phase 1, Lagos, Nigeria

Data Protection Officer: Appointed in accordance with applicable data protection laws

DPO Contact: dpo@neuronahealth.com

Our Data Protection Officer is responsible for overseeing our data protection strategy, ensuring compliance across all jurisdictions, handling data subject requests, and acting as the point of contact with data protection authorities.

3. Lawful Basis for Processing

We process personal data only when we have a lawful basis, in accordance with applicable data protection legislation including the NDPA and GDPR:

  • Consent: Where you have given clear, specific, and informed consent for specific data processing activities (e.g., marketing communications, referral program participation).
  • Contract performance: Where processing is necessary for the performance of a contract to which you are a party (e.g., providing emergency coordination services).
  • Legal obligation: Where processing is necessary for compliance with a legal obligation to which we are subject.
  • Vital interests: Where processing is necessary to protect your life or safety, particularly in emergency medical coordination scenarios.
  • Legitimate interests: Where processing is necessary for our legitimate interests, provided such interests are not overridden by your rights and freedoms.

4. Special Category Data — Health Data

As a healthtech platform, we process special category data (health data) as defined under applicable data protection laws, including GDPR Article 9 and NDPA Section 30. We recognize the heightened protections required and process health data only under the following conditions:

  • Explicit consent: You have given explicit consent for specific health data processing purposes.
  • Vital interests: Processing is necessary to protect your vital interests in emergency medical situations where you are unable to give consent.
  • Substantial public interest: Processing is necessary for reasons of substantial public interest in the area of public health.

We conduct Data Protection Impact Assessments (DPIAs) for all processing activities involving health data.

5. Your Data Protection Rights

Applicable data protection laws grant you the following rights. We will respond to all requests within 30 days and at no cost:

Right of Access

You have the right to obtain confirmation of whether your personal data is being processed, and to access that data along with details of the processing activities.

Right of Rectification

You have the right to request the correction of inaccurate or incomplete personal data. We must respond within 30 days.

Right of Erasure

You have the right to request the deletion of your personal data where: processing is no longer necessary; you withdraw consent; data was unlawfully processed; or erasure is required by law. Erasure requests are subject to legal retention requirements (e.g., healthcare records under applicable law).

Right of Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller without hindrance.

Right to Restrict Processing

You have the right to request restriction of processing where: you contest the accuracy of data; processing is unlawful but you prefer restriction over erasure; we no longer need the data but you need it for legal claims; or you have objected to processing pending verification.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We must cease processing unless we demonstrate compelling legitimate grounds.

To exercise any right, contact our Data Protection Officer at dpo@neuronahealth.com.

6. Data Protection Impact Assessments

We conduct DPIAs for processing activities that are likely to result in a high risk to your rights and freedoms, including:

  • Processing of health and emergency medical data
  • Large-scale processing of personal data
  • Automated decision-making and profiling
  • Cross-border data transfers
  • Use of new technologies for data processing

DPIAs are conducted before the start of processing activities and are reviewed annually or when there are significant changes to the processing.

7. Cross-Border Data Transfers

As a global platform, we may transfer personal data internationally. Where we transfer personal data, we ensure one of the following safeguards is in place:

  • Adequacy decision: The receiving country has been recognized as providing an adequate level of data protection (e.g., EU adequacy decisions under GDPR Article 45).
  • Standard contractual clauses: Approved contractual clauses binding the recipient to equivalent data protection standards (e.g., EU SCCs, NDPC-approved clauses).
  • Binding corporate rules: For intra-group transfers, approved rules that ensure equivalent protection.
  • Explicit consent: You have explicitly consented to the transfer after being informed of the risks.

We maintain a record of all cross-border data transfers and make this available to relevant data protection authorities upon request.

8. Data Breach Notification

In the event of a personal data breach, we comply with applicable notification requirements:

  • Authority notification: Within 72 hours of becoming aware of a breach that is likely to result in a risk to your rights and freedoms, we notify the relevant data protection authority (e.g., NDPC in Nigeria, supervisory authorities under GDPR).
  • Data subject notification: Without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
  • Content of notification: Description of the breach, likely consequences, and measures taken or proposed to address the breach.

9. Data Processing Records

We maintain comprehensive records of our data processing activities as required by applicable data protection laws, including:

  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • International transfers and safeguards
  • Retention periods
  • Technical and organizational security measures

These records are available for inspection by relevant data protection authorities upon request.

10. Regulatory Registration & Compliance

Neurona is registered with the Nigeria Data Protection Commission (NDPC) as a data controller. We comply with the NDPA, and where applicable, with GDPR requirements for organizations offering services to individuals in the European Economic Area. We file annual data protection audit reports and maintain compliance with all applicable data protection requirements in the jurisdictions where we operate.

11. Complaints

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction:

Nigeria Data Protection Commission (NDPC)

Address: NITDA Building, No. 28, Port Harcourt Crescent, Off Gimbiya Street, Area 11, Garki, Abuja

Website: ndpc.gov.ng

EU/EEA Supervisory Authority

You may also lodge a complaint with the supervisory authority in the EU/EEA member state where you reside or work.

You may also contact our Data Protection Officer directly at dpo@neuronahealth.com before or instead of filing a formal complaint.

12. Review & Updates

This Data Privacy & Protection page is reviewed at least annually or whenever there are significant changes to our data processing activities or to applicable data protection laws. Material changes will be communicated through the Platform and by email.

13. Contact

For all data protection inquiries, requests, and complaints:

Data Protection Officer

Neurona Health Ltd.

20 Babatunde Kuboye Street, Lekki Phase 1, Lagos, Nigeria

Email: dpo@neuronahealth.com

General inquiries: info@neuronahealth.com

We use essential cookies to run the platform and analytics cookies (like Microsoft Clarity) to improve your experience. Privacy Policy · Data Protection