Data Protection & Compliance

Last updated: 1 June 2026 — Complies with NDPR 2019 (NDPC) and NDPA 2023

1. Scope & Applicability

This document outlines Second Cure's compliance framework for the Nigeria Data Protection Regulation (NDPR) 2019 as issued by the National Information Technology Development Agency (NITDA) and the Nigeria Data Protection Act (NDPA) 2023. It applies to all personal data processed through Second Cure's platform, including health data collected during medical assessments, treatment monitoring, payment processing, and ongoing care delivery.

Second Cure processes data of data subjects within Nigeria. We are registered with the Nigeria Data Protection Commission (NDPC) and comply with all applicable data protection obligations for healthcare data processors.

2. Data Controller Information

3. Data Processing Register

As required by Section 2.6 of the NDPR, we maintain this register of all personal data processing activities:

Activity	Data Categories	Purpose	Lawful Basis	Retention
Health Assessment	Name, DOB, medical history, BMI, medications, allergies, contraindications	Determine eligibility & safe treatment	Consent Health data	7 years post-assessment
Account & Orders	Email, phone, address, payment records, order history	Fulfilment & customer support	Contract	7 years post-last order
Payment Processing	Transaction refs, amount, payment method (no full card numbers stored)	Payment collection & refunds	Contract Legal obligation	10 years (CAMA)
Treatment Monitoring	Weight logs, side effect reports, dose progression	Clinical safety & outcome tracking	Health data Consent	7 years post-treatment end
Communications	Message history with care team, WhatsApp conversations	Patient support & care coordination	Contract	3 years post-conversation
Marketing & Referrals	Referral codes, UTM parameters, consent preferences	Referral program & growth	Consent	Until consent withdrawn
Analytics	Page views, feature usage, aggregated metrics	Platform improvement	Legitimate interest	2 years

4. Lawful Basis for Processing

We process personal data under the following lawful bases as defined by NDPA 2023 Section 25:

• Consent — Health assessments, treatment monitoring, marketing communications. Explicit consent is obtained via the intake form and consent preference center.
• Contract — Order processing, fulfilment, payment collection, customer support. Processing is necessary for the performance of our service agreement.
• Legal Obligation — Payment records retention (CAMA 2020), applicable regulatory reporting, tax records (FIRS).
• Legitimate Interest — Platform analytics, fraud prevention, service improvement. We balance these against data subject rights and provide opt-out mechanisms.
• Health Data — Special category processing under Section 37 of NDPA 2023, with explicit consent and for the provision of healthcare services.

5. Data Subject Rights

Under the NDPR (Section 3.1) and NDPA 2023 (Part IV), you have the following rights. Each can be exercised from your patient dashboard or by contacting us:

Right	Description	How to Exercise
Right to be Informed	Know what data we collect and why	This policy + privacy policy
Right of Access	Request a copy of all personal data we hold	Dashboard → Data Export or email DPO
Right to Rectification	Correct inaccurate or incomplete data	Dashboard → Account settings or message care team
Right to Erasure	Request deletion of your data (subject to legal retention)	Dashboard → Delete Account
Right to Restrict Processing	Limit how we process your data	Email DPO with specific restrictions
Right to Data Portability	Receive your data in a machine-readable format	Dashboard → Data Export (JSON)
Right to Object	Object to processing (e.g. marketing)	Consent preferences in dashboard or email DPO
Rights re: Automated Decisions	Human review of algorithmic decisions	See Section 10 below

All requests are processed within 30 days as required by the NDPR. Where a request is complex or multiple, we may extend by a further 30 days with notice. There is no fee for exercising your data subject rights.

6. Data Retention Schedule

We retain personal data only as long as necessary for the purposes for which it was collected, or as required by Nigerian law:

Data Category	Retention Period	Legal Basis	Post-Retention Action
Health assessment data	7 years post-assessment	Medical record keeping	Anonymised or deleted
Order & payment records	10 years	CAMA 2020	Anonymised
Weight logs & side effects	7 years post-treatment end	Clinical safety	Deleted
Communication history	3 years	Customer support quality	Deleted
Consent records	Duration of processing + 3 years	Regulatory audit trail	Deleted
Analytics (aggregated)	2 years	Platform improvement	Aggregated (non-personal)
Referral codes & UTM data	Until consent withdrawn	Marketing consent	Deleted
Account credentials	Until account deletion	Service delivery	Deleted

After the retention period, data is either permanently deleted or irreversibly anonymised such that it can no longer be attributed to an identifiable individual.

7. Third-Party Processors

We engage the following data processors who handle personal data on our behalf. Each processor is vetted and bound by a Data Processing Agreement (DPA) that meets NDPR/NDPA standards:

Processor	Service	Data Shared	Location	Safeguards
Supabase (Supabase Inc)	Database, auth, storage, edge functions	All personal & health data	USA (us-east-1)	SOC 2, GDPR DPA, EU SCCs
Paystack (Paystack Inc)	Payment processing	Transaction refs, amount (no full card numbers)	Nigeria	PCI-DSS Level 1, NDPR compliant
Vercel (Vercel Inc)	Hosting & CDN	IP addresses (temporary logs)	Global (multi-region)	SOC 2, GDPR DPA
Resend (Resend Inc)	Email delivery	Email addresses	USA	SOC 2, DPIA available
Google Fonts / CDN	Web fonts	IP address (transient)	Global	Standard contractual clauses

All processors undergo annual due diligence. DPAs are available on request by contacting the DPO.

8. Security Measures

We implement the following technical and organisational measures to protect personal data as required by NDPR Section 2.6 and NDPA 2023 Section 32:

9. Data Breach Procedure

In accordance with NDPR Section 2.12 and NDPA 2023 Section 40, we maintain the following breach response procedure:

1. Detection & Containment — Automated monitoring + manual review. Suspected breach is immediately escalated to the DPO and technical lead. Affected systems isolated.
2. Assessment — Determine scope: what data, how many data subjects, what type (especially if health data). Risk assessment for data subject rights and freedoms.
3. Notification to NDPC — Report to NDPC within 72 hours of becoming aware, as required by NDPR. Includes: nature of breach, categories of data, estimated number of data subjects, containment measures.
4. Notification to Data Subjects — If breach likely to result in high risk to data subjects (especially for health data), affected individuals are contacted directly via email with: description, potential consequences, mitigation steps.
5. Remediation — Root cause analysis, security improvements, staff retraining if needed. Post-incident report filed and retained for regulatory inspection.
6. Documentation — All breaches documented with: timeline, impact assessment, notification records, remediation actions, and lessons learned.

For breach reporting: dpo@secondcure.ng (internal) or NDPC Breach Portal (regulatory).

10. Automated Decision-Making

Per NDPA 2023 Section 34, data subjects have the right to not be subject to decisions based solely on automated processing where those decisions produce legal effects or similarly significant effects.

Our platform uses algorithmic triage for initial eligibility screening (contraindication checks, BMI thresholds). All screening decisions that result in a "blocked" status or require escalation are reviewed by a human care team member before any final determination is made. Key safeguards:

• Every automated hard-stop is reviewed by a trained care team member before final denial
• Patients can request human review of any automated decision
• All algorithmic decisions are logged with full audit trail
• Regular bias testing and accuracy monitoring of screening logic

11. Cross-Border Data Transfers

As required by NDPR Section 2.11 and NDPA 2023 Section 43, where personal data is transferred outside Nigeria, we ensure:

• Supabase (USA) — Data stored on US servers. Adequate safeguards via EU Standard Contractual Clauses (SCCs) which NDPC recognises as equivalent, plus SOC 2 certification.
• Paystack (Nigeria) — Payment processing within Nigeria. No cross-border transfer for payment data.
• Vercel (Global CDN) — Edge caching for performance. Transient IP data only. Covered by SCCs.
• Other processors — DPAs in place with all non-Nigerian processors, incorporating NDPR-equivalent data protection terms.

Where adequacy decisions have not been made by NDPC, we rely on: (a) data subject's explicit consent after being informed of the transfer risks, (b) contractual necessity for service delivery, and (c) SCCs or binding corporate rules.

12. Consent Management

We maintain a comprehensive consent management framework:

• Explicit consent is obtained at intake for health data processing, with clear explanation of what data is collected and why
• Granular consent options — marketing communications, referral program, treatment follow-ups can be opted into separately
• Consent records — every consent event is logged with timestamp, version, channel, and state (opted_in/opted_out/suppressed)
• Withdrawal — consent can be withdrawn at any time via the patient dashboard or by contacting the DPO. Withdrawal does not affect the lawfulness of prior processing
• Review cycle — consent is reviewed annually or when processing purposes change, whichever is sooner