A plain-language summary
Medicall is a Nigerian healthcare access and reconciliation platform. Patients use our mobile app to discover verified hospitals and to generate a one-time discount booking code (MED-XXXXXXXX) at a billing counter. Hospitals use our web portal to manage their listing, reconcile booking codes, and pay monthly invoices. Our internal team uses a superadmin tool to onboard hospitals and resolve disputes.
The short version, before the long version:
- We do not require patients to create an account, give their name, or share their phone number to use the mobile app. The app is identified to our servers by a random anonymous identifier generated on the device.
- When a patient requests an appointment by email, we collect only the details they type into the form. We do not save those details to a patient profile.
- Hospitals provide business contact details and verification documents so we can list them and pay them. Their staff log in with email and password.
- Booking codes contain financial information (bill amounts, discount, fee) and are kept as accounting records.
- We never sell personal data. We share it only with the specific service providers required to run the platform, listed in section 09.
- You have the rights granted by the Nigeria Data Protection Act, 2023. Section 12 explains how to use them.
This policy is the full account. If you only have time to read one paragraph, the bullets above are the gist.
Who we are
Medicall ("Medicall", "we", "us", "our") is the trading name of the Medicall platform operated by Usemedicall Ltd, a company providing healthcare access services to patients and verified hospitals in the Federal Republic of Nigeria.
For the purposes of the Nigeria Data Protection Act, 2023 ("NDPA"), Medicall is the data controller for personal data collected through the Medicall mobile app, the hospital portal at usemedicall.com, our marketing site, our internal superadmin tool, and our official WhatsApp business number.
For data that a hospital collects from its own patients in the course of providing medical care at its premises, the hospital is the data controller and we are not. This policy does not cover what happens inside a hospital's own systems.
You can reach our data protection contact at support@usemedicall.com. Postal contact details are in section 16.
What this policy covers
This policy describes how Medicall handles personal data when you:
- Download, install, or use the Medicall mobile app (iOS or Android).
- Browse our marketing site, the hospital portal, or the patient-facing public hospital directory.
- Submit a partner inquiry, contact form, appointment request, or support message.
- Sign in to a hospital portal account or accept a hospital invitation.
- Generate, confirm, or dispute a booking code (
MED-XXXXXXXX). - Receive a WhatsApp message from our nightly reconciliation system, or reply to one.
- Pay an invoice or subscription fee via the Paystack-powered checkout we link to.
- Leave a review or rate a hospital after a logged visit.
Third-party websites, social media pages, and any care delivered at a hospital premises are not covered by this policy. The relevant third party's own policy applies.
Key terms used in this policy
- Personal data
- Any information relating to an identified or identifiable person. Includes names, email addresses, phone numbers, photos, device identifiers, and information that, combined with other data, can identify someone.
- Processing
- Anything we do with personal data: collecting, storing, using, sharing, deleting, anonymising.
- Booking code
- A one-time discount code in the format
MED-XXXXXXXX, generated at the billing counter and tied to a specific hospital, service, and bill amount. - Device identifier
- A random universally-unique identifier (UUID v4) generated by the mobile app on first launch and stored in the device's secure storage. It is not your phone number, your IMEI, your Apple ID, or your Google ID. It is a string we make up to recognise the same install across sessions.
- Device secret
- A separate server-issued token bound to the device identifier on first contact, used to prevent another device from impersonating yours. Stored alongside the device identifier.
- Hospital member
- A staff member at a partner hospital who has been given access to the hospital portal under an "Admin" or "Updater" role.
- Superadmin
- An internal Medicall employee or contractor on the access allowlist, with the ability to manage hospitals, disputes, and platform settings.
The categories of data we collect, by user type
We organise this section by who you are when you use Medicall, because what we collect depends on that.
5.1 Patients using the mobile app
Patient use of the Medicall mobile app is intentionally anonymous. We do not ask for, and the app does not store, your name, phone number, email, date of birth, government ID, photograph, medical history, or any other directly identifying information on the device.
What we do collect from the mobile app:
- Device identifier and device secret. Generated once on first launch, stored in the device's secure key store. Sent with every request to our servers so we can rate-limit abuse, prevent code-generation fraud, and tie a booking code to a single device. Reinstalling the app produces a new identifier and disconnects you from any previous booking history.
- Approximate location. When you allow location access, we read your device's GPS coordinates while the app is in the foreground and use them to (a) sort nearby hospitals by distance, (b) determine which Nigerian state and local government area (LGA) you are in, and (c) show your position on the hospital map. We do not write your raw coordinates to our database. Only the derived state and LGA names may be recorded with analytics events.
- Hospital and service browsing. Which hospitals you tap into, which services or categories you filter by, which directions or call buttons you press. This is logged as analytics events tied to your device identifier so we can improve search relevance and reporting.
- Booking-code requests. When you generate a discount code, we record the hospital, service, the bill amount you entered, the discount and fee splits, the timestamp, and a server-side cryptographic record of the PIN attempt. We do not record who you are; the code is tied to your device identifier only.
- Patient confirmation of bill amount. When you confirm the bill amount in the app, we record the confirmed figure and the time of confirmation.
- Reviews. If you choose to rate a hospital after a logged visit, we store the star rating and your written review text against the booking code. The review carries no name; the review screen displays "Anonymous patient".
- Push notification token. If you accept notifications, the operating system gives us a push token issued by Apple Push Notification Service or Firebase Cloud Messaging. We use it only to send transactional alerts (mismatch notices, review prompts, code-status updates) and store it against your device identifier.
- Technical metadata. Platform (iOS/Android), OS version, app version, language/locale, and basic IP-derived information from network requests. We use this for diagnostics and abuse prevention.
What we explicitly do not collect from the mobile app:
- Your name, phone number, email address, or government identification.
- Your photo, contacts, calendar, microphone, camera roll, or SMS messages.
- Background-location traces or GPS history while the app is closed.
- Medical history, symptoms, prescriptions, diagnoses, or insurance information.
- Any biometric data.
5.2 People who submit an appointment request
When you request an appointment through the mobile app or the hospital portal, the request form asks for the details the hospital needs to call you back: typically your name, phone number or email, and a short description of what you are coming in for. We pass that request to the hospital and confirm receipt by email or push notification.
Appointment requests are stored separately from the booking-code system. They do not produce a booking code. They are not linked to a patient profile because there is no patient profile. The next time you book an appointment you will type the details again.
5.3 People who submit the partner-inquiry or contact form
When you submit the partner-inquiry form on our landing page or use the contact page, we collect the details you provide: name, role, hospital or organisation, email, phone, and the body of your message. We store this in a contact-submissions table so a state representative can follow up.
5.4 Hospital members using the hospital portal
Hospital staff who log into the portal supply, and we store:
- Email address used to receive the invitation and log in.
- A password, stored as a salted hash via Supabase Auth. We never see your plain-text password.
- A profile photo if you upload one, and your display name.
- Role within the hospital (Admin or Updater), and the hospital you are a member of.
- Records of significant actions you take in the portal (verification, profile updates, resource updates, booking-code confirmations, dispute responses), stored in an audit log.
- Standard server-side technical metadata for every request (IP address, user agent, timestamps).
5.5 Hospitals as institutions
For each verified hospital we store the business information needed to list and pay them:
- Hospital name, address, state, LGA, geocoded coordinates, facility type, operating hours, primary email, primary phone, WhatsApp number.
- KYC documents uploaded by the hospital or the onboarding state representative: Ministry of Health certificate, professional licence document, licence number, signed partnership agreement.
- List of services and resources offered, with quantities and availability statuses.
- Bank or payout details captured during invoicing, where required.
- Discount PIN (stored as a salted hash, never in plain text) used to authenticate booking-code generation.
- Subscription and invoice history, Paystack reference IDs, and reactivation history.
- Operational signals computed by us: ghost rate, demotion windows, suspension/reactivation timestamps.
5.6 State representatives and Medicall employees
Our internal team members and contracted state representatives have profiles in the superadmin system: name, email, state of operation, hire date, role/permissions, and an activity log. Their access is gated by an explicit allowlist.
5.7 WhatsApp interactions
Our nightly reconciliation report is delivered via WhatsApp to each active hospital. We record the message text, the WhatsApp message ID, the sender phone number, and the parsed result of any reply (e.g. an amount correction). This is necessary because the WhatsApp reply is one of the two valid ways a hospital can confirm a booking code.
5.8 Cookies and similar technologies
Our web properties use only the cookies strictly necessary to keep you signed in and to keep the application secure. These include session cookies issued by our authentication provider (Supabase Auth) and CSRF protection cookies. We do not use third-party advertising cookies. We do not use cross-site tracking pixels.
The mobile app uses the device's secure local storage (Expo SecureStore) to hold the device identifier and device secret, and AsyncStorage to cache hospital lists for offline use.
How we use the data, purpose by purpose
For each purpose below, we describe what we use, why, and the legal basis under the NDPA.
Showing you nearby verified hospitals
Data used: Approximate location (state, LGA, distance), hospital catalog data.
Why: Sort and filter the public hospital directory so you see relevant hospitals first.
Legal basis: Performance of a service you have requested by opening the app.
Generating a discount booking code
Data used: Device identifier, device secret, hospital ID, service ID, bill amount, discount PIN attempt, idempotency key.
Why: Issue a one-time MED-XXXXXXXX code, tie it to a single device, and prevent abuse via rate limits and PIN verification.
Legal basis: Performance of a service (the discount) and our legitimate interests in preventing fraud.
Reconciling codes between patient and hospital
Data used: Patient-entered amount, hospital-declared amount, code timestamps, WhatsApp message contents.
Why: Detect amount mismatches, calculate the 5% patient discount and 5% Medicall fee, and notify affected parties.
Legal basis: Performance of our contract with the hospital, and our legitimate interest in operating a financial reconciliation service.
Sending mismatch and review notifications
Data used: Device push token (patient), WhatsApp number (hospital), email (Medicall admin).
Why: Tell each party when a booking code's bill amount doesn't match and ask the patient to rate the hospital after a logged visit.
Legal basis: Performance of a service and legitimate interest. You can revoke push permissions in your device settings.
Daily WhatsApp reconciliation report to hospitals
Data used: Hospital WhatsApp number, list of yesterday's codes for that hospital.
Why: Allow cashiers to confirm codes by replying to the message.
Legal basis: Performance of our contract with the hospital.
Monthly invoicing and payment
Data used: Hospital identifying details, sum of billable amounts, Paystack reference, payment status.
Why: Calculate and issue invoices for the 5% Medicall fee, accept Paystack payment, and reactivate suspended hospitals on receipt.
Legal basis: Performance of our contract with the hospital and compliance with Nigerian tax and accounting law.
Hospital onboarding, verification, and KYC
Data used: Business contact details, MOH certificate, licence document, signed partnership agreement.
Why: Confirm that each listed hospital is a real, licensed facility and is authorised to issue the discount.
Legal basis: Performance of our contract with the hospital, and compliance with our duty of care to patients.
Hospital-portal account management
Data used: Email, password hash, role, invitation token hash, audit log of actions.
Why: Authenticate hospital staff, scope their permissions, and let us investigate disputes after the fact.
Legal basis: Performance of our contract and our legitimate interest in account security.
Following up partner inquiries
Data used: Inquirer name, role, hospital/organisation, email, phone, message body, state.
Why: Route the lead to a state representative for in-person partnership conversations.
Legal basis: Steps taken at your request prior to entering a contract.
Anonymous product analytics
Data used: Device identifier, event name, timestamp, derived location (state/LGA), platform, app version.
Why: Understand which features are used, find broken flows, prioritise development.
Legal basis: Our legitimate interest in improving the platform. Events do not carry name, email, or phone.
Rate limiting and abuse prevention
Data used: Device identifier, IP address (truncated for storage), request type, request timestamp.
Why: Block scripted abuse of booking-code generation, contact forms, and login endpoints.
Legal basis: Our legitimate interest in keeping the platform available for everyone.
Compliance, fraud investigation, and dispute resolution
Data used: Audit logs, booking-code records, WhatsApp message logs, payment records.
Why: Investigate disputes within the 3-day dispute window, resolve mismatches, respond to legal requests, and maintain accounting records.
Legal basis: Legal obligation (accounting, tax, anti-fraud) and legitimate interest.
Sending you operational emails
Data used: Email address (hospital members), invitation token, invoice details, password-reset link.
Why: Account invitations, password resets, invoices, receipts, and service-critical announcements. These are not marketing emails.
Legal basis: Performance of our contract with the hospital.
What we do not do with your data
- We do not sell, rent, or trade personal data to advertisers, data brokers, or any third party for marketing purposes.
- We do not build advertising profiles from your behaviour in the app or on the website.
- We do not share patient device identifiers with hospitals. Hospitals see the booking code, the bill amount, and the booking timestamp. They do not see any unique identifier they could use to recognise you across visits.
- We do not share patient mobile-app activity logs with hospitals beyond what is necessary to operate a single booking code.
- We do not use automated decision-making with legal or similarly significant effects on you. Ghost-rate, search ranking, and suspension logic are administrative rules with human oversight.
- We do not perform secondary research on identifiable patient data without explicit consent.
Our lawful bases for processing under the NDPA
The Nigeria Data Protection Act, 2023 requires that every act of processing have a lawful basis. We rely on the following bases, matched to the purposes in section 06.
- Contract. Processing necessary to provide the Medicall service that you, or your hospital, are using.
- Legitimate interests. Processing necessary for fraud prevention, platform security, analytics in support of product improvement, and the day-to-day operation of a financial reconciliation service. We have considered and documented the balance between these interests and your rights and freedoms.
- Legal obligation. Processing necessary to meet record-keeping, tax, accounting, anti-money-laundering, and any future healthcare-specific regulatory duties applicable to Medicall.
- Consent. Where consent is the right basis (for example, for push notifications, and for location access) we ask for it in-app through the operating system's standard permission prompts. You can withdraw consent at any time by changing the relevant permission in your device settings.
- Steps prior to a contract. Following up your partner inquiry so we can discuss a potential agreement.
International data transfers
Several of the providers listed above operate primarily outside Nigeria. As a result, personal data we collect in Nigeria is processed in the United States and the European Union. Under section 41 of the NDPA, transfers of personal data outside Nigeria are permitted where appropriate safeguards are in place.
We rely on the following safeguards:
- Written data-processing agreements with each sub-processor that bind them to confidentiality, purpose limitation, security, and the rights of data subjects.
- Reliance on providers that operate under recognised data-protection frameworks (the EU General Data Protection Regulation; the United States Data Privacy Framework where applicable).
- Encryption of personal data in transit (TLS 1.2 or above) and at rest at the storage layer.
- Minimisation: we send overseas only the data each provider needs for its specific function.
If you want a copy of the relevant transfer safeguard, write to us at support@usemedicall.com.
How long we keep your data
We keep personal data for the shortest time that achieves the purpose we collected it for. Specific retention periods:
| Device identifier and device secret (mobile app) | Until you uninstall the app or clear app data. Reinstalling the app generates a new identifier and severs the link to your previous activity. |
| Patient-side push tokens | Refreshed regularly by the operating system. Tokens we cannot deliver to for an extended period are deleted. |
| Booking codes | Retained for at least seven (7) years from the date the code was generated, to satisfy our accounting, tax, and dispute-evidence obligations. Codes may be anonymised at the end of this period. |
| Invoices, payments, receipts | Retained for at least seven (7) years from issue, as required by Nigerian tax law. |
| Audit logs | Retained for at least seven (7) years; required to investigate historical disputes. Audit log rows are protected against modification by database triggers. |
| WhatsApp message logs | Retained for two (2) years from receipt or transmission, then deleted. |
| Appointment requests | Retained for ninety (90) days after the appointment's scheduled date, then deleted. Contact details on appointment requests are not used for marketing. |
| Partner inquiries and contact submissions | Retained for twelve (12) months from receipt unless they convert to an active partnership, in which case they become part of the hospital record. |
| Hospital member accounts | Retained while the member is active. After a hospital terminates or a member is removed, we keep the account record (without active access) for two (2) years so we can investigate past actions. |
| KYC documents (MOH certificate, licence, partnership agreement) | Retained for the active life of the hospital partnership plus six (6) years. |
| Reviews and ratings | Retained for as long as the hospital remains listed. Reviews are anonymous; if you ask us to remove a specific review, we will remove the body text and rating but retain a record that the review existed for fraud prevention. |
| Analytics events | Retained in identifiable form for thirteen (13) months, then aggregated or deleted. |
| Rate-limit records | Retained for thirty (30) days, then deleted. |
| Support tickets | Retained for two (2) years from closure. |
Where the law requires a longer period than we have committed to above, the law prevails. Where you ask us to delete data sooner and we are legally allowed to, we will.
Your rights under the NDPA
The Nigeria Data Protection Act, 2023 gives every data subject the following rights. We will respond to a valid request within thirty (30) days, and we will not charge a fee unless your request is manifestly unfounded or excessive.
- Right to be informed about how we handle your data. This policy is our primary answer.
- Right of access to a copy of the personal data we hold about you.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") in the circumstances permitted by the NDPA. We may refuse erasure where we must keep the data to comply with the law (e.g. revenue records) or to defend a legal claim, but we will tell you which exception applies.
- Right to restrict processing while a dispute about accuracy or legitimacy is resolved.
- Right to data portability for data you provided to us, in a structured machine-readable format.
- Right to object to processing based on legitimate interests, including any direct marketing.
- Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Medicall does not make decisions of this kind without human involvement.
- Right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng. We would appreciate the chance to address your concern first.
Two practical notes for the mobile app:
- Because patient use of the app is anonymous, we can only locate data tied to your specific device identifier. We will ask you to provide it from the app's Account screen so we can find the records to act on.
- Erasure of historical booking codes is constrained by accounting law. In those cases we will anonymise the records (strip the device identifier and any free-text fields) rather than delete them entirely. The financial fields remain in our books.
To exercise any right, write to support@usemedicall.com.
How we keep your data safe
We take security seriously and design the platform with the assumption that an attacker is always trying.
- Encryption in transit. All connections to our APIs, the hospital portal, the superadmin tool, and the public site use TLS 1.2 or higher. The mobile app refuses connections that fall below that threshold.
- Encryption at rest. Database storage, file storage, and backups are encrypted at rest by our infrastructure providers.
- Row-level security (RLS). Our database enforces fine-grained access rules so that a hospital member can only read their own hospital's data, a patient can only see public listings, and only the service role can perform privileged writes.
- Service-role gating. Sensitive endpoints (booking-code generation, the Paystack webhook, the WhatsApp webhook) run on the server with elevated privileges only after we verify webhook signatures, idempotency keys, device secrets, or cron secrets.
- Audit logs. Significant state changes (verification, code confirmation, dispute resolution, payment receipt) are written to an immutable audit log.
- Authentication. Hospital staff sign in with email and password via Supabase Auth, which stores only salted password hashes. We support invitation-link onboarding so no one shares a password by email.
- Rate limiting. Every public endpoint is rate-limited per device or per IP. The booking-code endpoint has additional PIN-attempt lockouts.
- Webhook signatures. Paystack and WhatsApp callbacks are validated with timing-safe HMAC comparison before any side effect.
- Principle of least privilege. Internal access to the superadmin tool is gated by an explicit allowlist and limited to people whose role requires it.
- Vendor due diligence. Each sub-processor is reviewed before use and re-reviewed periodically.
- Incident response. If a personal-data breach occurs that is likely to result in risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission within seventy-two (72) hours of becoming aware, and we will notify affected data subjects without undue delay, in line with the NDPA.
No system is perfectly secure. If you believe you have found a security issue with Medicall, please email support@usemedicall.com. We will acknowledge promptly and we will not pursue good-faith researchers who follow responsible disclosure.
Children and young people
Medicall is built for adults responsible for their own healthcare decisions. We do not knowingly collect personal data from anyone under the age of eighteen (18). Children may, in practice, be the patient whose bill is being paid; in those cases the relevant data is supplied by the accompanying adult (who is the user of our app, the holder of the booking code, and the data subject in our records).
If you believe a person under 18 has provided us with personal data without parental or guardian consent, write to support@usemedicall.com and we will delete the relevant information.
Changes to this policy
We will update this policy as our service changes. The "Last updated" date at the top is always the version's effective date. When the change is material (for example, adding a new sub-processor, changing how we use a category of data, or changing retention periods) we will notify hospital members by email and patients via in-app notice ahead of the change.
Older versions of this policy are kept on file and are available on request.
Contacting us
The fastest way to reach us about anything in this policy (privacy questions, data-subject requests, security disclosures, or general help) is by email. One inbox handles all of it:
Please put a clear subject line on your message, for example "Data access request", "Security disclosure", or "Privacy question", so we can route it to the right person internally.
For postal correspondence, the registered address of Medicall (Usemedicall Ltd) is available on request from support@usemedicall.com.
You also have the right to complain to the supervisory authority: the Nigeria Data Protection Commission (NDPC), ndpc.gov.ng.
A note for hospitals as data controllers
When a hospital lists itself on Medicall, accepts an invitation, and starts confirming booking codes, the hospital remains the data controller for its own patient records inside its own clinical systems. The hospital is the controller of:
- Patient names, contact details, and clinical records held inside the hospital's billing or electronic medical-record system.
- Any photographs, identity documents, or insurance information collected at the front desk.
- Any local CCTV recordings, queue management systems, and similar.
Medicall is the controller of the records produced by the booking-code, reconciliation, and invoicing system that runs on our platform. Where a single booking code carries fields supplied by both us and the hospital, we treat the hospital and Medicall as joint controllers for that booking code, and the responsibilities are allocated by our partnership agreement.
Hospitals should publish their own privacy notice for the data they hold internally and should ensure that any data shared with us complies with their own legal obligations.
This policy was last reviewed and updated on June 1, 2026. Comments and corrections are welcome at support@usemedicall.com.