Privacy Policy
Clafiya Limited (“Clafiya,” “we,” “our,” or “us”) is committed to protecting the privacy, confidentiality, and security of personal data entrusted to us.
This Privacy Notice explains how we collect, use, disclose, transfer, retain, and protect personal data when individuals use or interact with Clafiya’s websites, web applications, Health Savings Account services, care booking services, telemedicine services, WhatsApp or USSD channels, AI-assisted tools, provider marketplace, employer wellness benefits, customer support channels, and related services.
This Privacy Notice applies to users, members, patients, customers, beneficiaries, employers, employees, healthcare providers, wellness providers, vendors, partners, job applicants, website visitors, and other individuals whose personal data we process.
Clafiya processes personal data in line with the Nigeria Data Protection Act 2023, applicable regulations and directives issued by the Nigeria Data Protection Commission, relevant health confidentiality obligations, financial services requirements, contractual obligations, and our internal privacy, security, and data governance policies.
Websites and Platforms Covered
This Privacy Notice applies to personal data collected through or in connection with:
- www.clafiya.com
- my.clafiya.com
- wallet.clafiya.com
- Clafiya web applications and customer portals
- Clafiya Health Savings Account services
- Clafiya Care Clinic and telemedicine services
- Clafiya WhatsApp, SMS, chatbot, AI-assisted, and USSD services
- Clafiya marketplace and provider network
- Clafiya employer and partner benefit programs
- Any other Clafiya-operated digital or offline service that links to this Privacy Notice
Personal Data We Collect
Depending on how you interact with Clafiya, we may collect and process the following categories of personal data:
Identification Data
Name, date of birth, gender, nationality, identification numbers, photographs, identity verification information, BVN/NIN where required or voluntarily provided, and other information used to verify your identity.
Contact Data
Phone number, email address, residential address, state, country, emergency contact details, and communication preferences.
Account and Platform Data
Login details, user profile information, beneficiary information, account status, HSA balance information, savings goals, wallet activity, transaction history, appointment history, service usage, preferences, and customer support records.
Health and Wellness Data
Information relating to symptoms, medical history, consultations, prescriptions, lab test requests or results, pharmacy orders, referrals, mental health support, wellness services, home care requests, care preferences, and other information necessary to provide or coordinate health and wellness services.
Provider and Practitioner Data
For doctors, therapists, pharmacists, laboratories, hospitals, gyms, spas, and other health or wellness providers, we may collect professional information including name, license number, qualifications, specialty, availability, work history, service records, payment information, profile picture, compliance documentation, and performance data.
Employer and Employee Benefits Data
Where Clafiya provides services through an employer, we may collect employee eligibility information, employer-funded benefit allocation, usage records, enrollment information, utilization data, and reports required to administer the employer benefit. Clafiya does not disclose detailed medical consultation notes, diagnosis-related information, prescriptions, lab results, therapy notes, or sensitive health information to employers unless legally required, expressly authorized by the user, or necessary to protect life, safety, or legal rights.
Financial and Payment Data
Bank account details, wallet funding information, payment references, transaction amounts, payment method, savings activity, interest records, refunds, settlements, invoices, and other financial information necessary to provide HSA, wallet, marketplace, provider, or employer services.
Technical and Digital Data
IP address, device details, browser type, operating system, access logs, cookies, location signals where enabled, usage data, referral source, security logs, and platform interaction data.
Communications Data
Messages, emails, calls, WhatsApp conversations, chatbot interactions, support tickets, feedback, survey responses, complaints, and other correspondence with Clafiya.
Sensitive Personal Data
Because Clafiya operates in health, wellness, and healthcare financing, we may process sensitive personal data, including health information and identity-related information where necessary. We only process sensitive personal data where permitted by law, where necessary to provide services, where required for compliance, where necessary to protect vital interests, where necessary for legal claims, or where we have obtained valid consent.
How We Collect Personal Data
We may collect personal data through the following means:
- Directly from you when you create an account, complete a form, fund an HSA, book care, use our platform, contact support, use WhatsApp/USSD, or interact with our services.
- From healthcare providers, wellness providers, pharmacies, laboratories, insurers, employers, or partners involved in providing services to you.
- From payment processors, banks, fintech partners, identity verification providers, and transaction service providers.
- From employers or organizations that sponsor or administer health and wellness benefits through Clafiya.
- From cookies, analytics tools, device logs, and other automated technologies when you use our websites or digital platforms.
- From publicly available sources or third parties where lawful and necessary for our services, compliance, fraud prevention, or due diligence.
Purposes of Processing
We collect and process personal data for the following purposes:
- To create, verify, administer, and secure user accounts.
- To provide Health Savings Account services, wallet services, savings features, payments, deposits, withdrawals, and transaction support.
- To enable users to book, access, pay for, and receive healthcare and wellness services.
- To connect users with doctors, therapists, pharmacies, laboratories, hospitals, clinics, gyms, spas, and other health or wellness providers.
- To provide telemedicine, care coordination, prescription support, diagnostics, referrals, follow-up care, and customer support.
- To administer employer-sponsored health and wellness benefits.
- To process payments, provider settlements, invoices, refunds, and financial reconciliation.
- To verify provider credentials, manage provider quality, monitor service delivery, and protect users.
- To send service messages, reminders, notifications, appointment updates, health education, and account alerts.
- To operate WhatsApp, chatbot, AI-assisted triage, symptom checker, and digital support features.
- To improve our products, services, user experience, operational processes, and platform performance.
- To conduct analytics, reporting, research, product development, fraud detection, risk management, and business planning.
- To comply with legal, regulatory, tax, accounting, financial, healthcare, audit, and reporting obligations.
- To protect the rights, safety, security, and integrity of Clafiya, our users, providers, partners, and the public.
- To investigate complaints, disputes, suspected fraud, misuse, or violations of our terms and policies.
- To send marketing communications where permitted by law or where consent has been obtained.
- For any other lawful purpose disclosed to you or authorized by you.
Lawful Bases for Processing
Clafiya processes personal data based on one or more lawful bases, including:
- Your consent.
- Performance of a contract with you or steps taken before entering into a contract.
- Compliance with legal or regulatory obligations.
- Protection of your vital interests or the vital interests of another person.
- Legitimate interests pursued by Clafiya or a third party, provided such interests do not override your rights and freedoms.
- Public interest, where applicable.
- Establishment, exercise, or defense of legal claims.
Where we rely on consent, you may withdraw your consent at any time. Withdrawal of consent does not affect processing carried out before the withdrawal. In some cases, withdrawing consent may limit our ability to provide certain services.
Health Information and Confidentiality
Clafiya treats health information as sensitive and confidential.
We use health information to provide, coordinate, support, improve, and administer health and wellness services. This may include sharing necessary information with healthcare providers, pharmacies, laboratories, therapists, wellness providers, care coordinators, and other service partners involved in your care or requested services.
We do not sell users’ health information.
We do not disclose detailed medical consultation notes, diagnosis-related information, prescriptions, lab results, therapy notes, or sensitive health information to employers for employment decisions.
Where employer reports are provided, they are generally limited to administrative, utilization, financial, or aggregated insights, unless a user has expressly authorized a specific disclosure, disclosure is required by law, or disclosure is necessary to protect life, safety, or legal rights.
We may disclose health information where necessary to protect life, health, safety, or vital interests; comply with legal obligations; respond to lawful requests; investigate fraud or abuse; or establish, exercise, or defend legal claims.
AI, WhatsApp, USSD, and Digital Tools
Clafiya may provide services through WhatsApp, USSD, SMS, chatbot tools, AI-assisted symptom checkers, digital triage, and other automated or semi-automated tools.
These tools may collect information you provide, including symptoms, care needs, preferences, account details, and communication history. We use this information to support triage, booking, health education, customer support, service recommendations, and platform improvement.
AI-assisted tools are designed to support access to information and care coordination. They do not replace professional medical advice, diagnosis, treatment, or emergency care.
Users should seek immediate medical attention for emergencies or urgent symptoms.
Cookies and Website Analytics
Clafiya’s websites and digital platforms may use cookies, pixels, analytics tools, and similar technologies to operate our services, improve user experience, secure our platforms, measure performance, and understand how users interact with our websites.
Where required by law, we will request consent before using non-essential cookies or tracking technologies.
Users may manage cookie preferences through browser settings or any cookie consent tool provided on our websites.
Disabling cookies may affect certain website or platform features.
Marketing Communications
We may send service-related messages, health reminders, account alerts, appointment notifications, transaction updates, security notices, and other operational communications.
We may send marketing communications where permitted by law or where you have consented to receive them.
You may opt out of marketing communications at any time. Opting out of marketing does not prevent us from sending important service, account, security, appointment, care, or transaction-related messages.
Sharing and Disclosure of Personal Data
We may disclose personal data to the following categories of recipients where lawful and necessary:
Healthcare and Wellness Providers
Doctors, therapists, pharmacies, laboratories, hospitals, clinics, gyms, spas, home care providers, insurers, and other health or wellness providers involved in delivering services requested by users.
Financial and Payment Partners
Banks, payment processors, wallet providers, savings partners, card processors, fintech partners, and settlement service providers that support HSA, wallet, deposit, payment, withdrawal, and transaction services.
Employers and Corporate Clients
Where services are provided through an employer or organization, we may share limited administrative, eligibility, benefit allocation, transaction, utilization, and reporting information necessary to administer the benefit. We do not share detailed medical records, clinical notes, prescriptions, lab results, therapy notes, diagnosis-related information, or consultation notes with employers except where permitted by law, expressly authorized by the user, or necessary to protect vital interests or legal rights.
Service Providers and Data Processors
Technology providers, cloud hosting providers, customer support tools, analytics providers, communication platforms, identity verification providers, security vendors, auditors, consultants, legal advisors, accountants, and other service providers acting on our behalf.
Regulators, Government Agencies, Courts, and Law Enforcement
Where required by law, regulation, court order, lawful request, audit, investigation, or regulatory obligation.
Business Transfers
In connection with a merger, acquisition, financing, restructuring, investment, sale of assets, or similar business transaction, subject to appropriate confidentiality and data protection safeguards.
With Your Consent or Direction
Where you request, authorize, or consent to the sharing of your personal data.
Cross-Border Transfers
Clafiya may transfer, store, or process personal data outside Nigeria where necessary for service delivery, technology hosting, communication tools, payment processing, provider support, analytics, security, or business operations.
Where personal data is transferred outside Nigeria, Clafiya will take reasonable steps to ensure appropriate safeguards are in place in line with applicable data protection laws. These safeguards may include adequacy decisions, contractual protections, technical security controls, due diligence on service providers, and other lawful transfer mechanisms.
Data Security
Clafiya applies appropriate technical, administrative, organizational, and physical safeguards to protect personal data against unauthorized access, loss, misuse, alteration, disclosure, or destruction.
These safeguards may include access controls, password protection, encryption where appropriate, audit logs, staff training, confidentiality obligations, secure hosting, vendor due diligence, incident response procedures, and periodic review of our privacy and security practices.
No system is completely secure. However, Clafiya takes reasonable steps to protect personal data and continuously improve our security controls.
Data Retention
Clafiya retains personal data only for as long as necessary to fulfil the purposes for which it was collected, provide services, comply with legal and regulatory obligations, resolve disputes, maintain business records, enforce agreements, support audits, prevent fraud, protect users, and preserve care continuity.
Retention periods may vary depending on the type of data, the purpose of processing, legal requirements, contractual obligations, operational needs, and sensitivity of the data.
For clarity:
- Medical records, clinical notes, consultation records, prescriptions, lab results, diagnostic records, therapy records, and other clinical records created or stored by Clafiya are generally retained for 20 years.
- HSA wallet records, deposits, withdrawals, transaction history, payment records, interest records, settlement records, and financial records are generally retained for 7 years.
- User account/profile records are generally retained for the duration of the active account plus 6 years after account closure, unless deletion is requested and legally permitted.
- Employer benefit administration records are generally retained for the duration of the employer relationship plus 6 years, while financial records connected to employer funding or invoices are generally retained for 7 years.
- Provider onboarding, credentialing, and compliance records are generally retained for the duration of the provider relationship plus 6 years.
- Customer support records, complaints, and service requests are generally retained for 6 years after resolution.
- Website analytics, marketing, and cookie-related records are retained for shorter periods based on tool settings, business need, consent status, and legal requirements.
- Backups are retained in accordance with Clafiya’s backup cycle and are generally deleted or overwritten within 6 months unless a legal hold, investigation, audit, security review, or regulatory obligation applies.
Where more than one retention period applies to the same record, Clafiya will apply the longer retention period where necessary to comply with legal, regulatory, audit, contractual, healthcare, financial, dispute-resolution, fraud-prevention, or legitimate business obligations.
When personal data is no longer required, it will be securely deleted, anonymized, archived, or otherwise handled in line with Clafiya’s Data Retention Policy.
Your Rights
Subject to applicable law, you may have the right to:
- Request access to your personal data.
- Request information about how your personal data is processed.
- Request correction of inaccurate or incomplete personal data.
- Request deletion of your personal data in certain circumstances.
- Restrict or object to certain processing.
- Request data portability.
- Withdraw consent where processing is based on consent.
- Object to direct marketing.
- Lodge a complaint with the Nigeria Data Protection Commission or another competent authority.
To exercise your rights, please contact Clafiya using the contact details below. We may need to verify your identity before responding to your request.
Children’s Data
Clafiya’s services may be used by or on behalf of children, minors, or dependents where a parent, guardian, employer, sponsor, or authorized person creates or manages access for them.
Where we process children’s personal data, we will take additional care and process such data only where permitted by law, where consent or authorization has been obtained where required, or where processing is necessary to provide health, safety, benefit, or care-related services.
Third-Party Links and Services
Our websites or platforms may contain links to third-party websites, services, or platforms. Clafiya is not responsible for the privacy practices, content, or security of third-party platforms that we do not control.
Where you interact directly with a third party, their privacy notice and terms may apply.
Accountability and Governance
Clafiya is responsible for demonstrating compliance with applicable data protection obligations.
We maintain internal privacy and security policies, document relevant processing activities, train staff and authorized personnel, conduct vendor and partner due diligence, review data protection risks, and take steps to ensure that personal data is processed lawfully, fairly, transparently, securely, and for legitimate purposes.
Clafiya has appointed or designated a Data Protection Officer or privacy contact responsible for overseeing privacy compliance and handling data subject requests.
Personal Data Breach Management
Where Clafiya becomes aware of a personal data breach, we will assess the nature and impact of the breach and take appropriate steps to contain, investigate, remediate, and document the incident.
Where required by applicable law, Clafiya will notify the Nigeria Data Protection Commission and/or affected individuals.
Updates to this Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our services, legal requirements, technology, or data processing practices.
Where changes are material, we may notify users through our website, platform, email, WhatsApp, or other appropriate channels.
Contact Information
If you have questions, concerns, complaints, or requests regarding your personal data, please contact:
Data Protection Officer / Privacy Contact
Clafiya Limited
No 9 Ayo Babatunde Crescent, Oniru, Lagos, Nigeria
Email: hi@clafiya.com
Phone: +234 912 292 0339
Website: www.clafiya.com
You may also lodge a complaint with the Nigeria Data Protection Commission where you believe your data protection rights have been violated.
