Legal · Data Protection

Privacy Policy

How Medicall collects, uses, stores, shares, and protects information across the Medicall mobile app, the hospital portal at usemedicall.com, and our internal superadmin tooling.

Last updated: June 1, 2026Effective: June 1, 2026
01

A plain-language summary

Medicall is a Nigerian healthcare access and reconciliation platform. Patients use our mobile app to discover verified hospitals and to generate a one-time discount booking code (MED-XXXXXXXX) at a billing counter. Hospitals use our web portal to manage their listing, reconcile booking codes, and pay monthly invoices. Our internal team uses a superadmin tool to onboard hospitals and resolve disputes.

The short version, before the long version:

  • We do not require patients to create an account, give their name, or share their phone number to use the mobile app. The app is identified to our servers by a random anonymous identifier generated on the device.
  • When a patient requests an appointment by email, we collect only the details they type into the form. We do not save those details to a patient profile.
  • Hospitals provide business contact details and verification documents so we can list them and pay them. Their staff log in with email and password.
  • Booking codes contain financial information (bill amounts, discount, fee) and are kept as accounting records.
  • We never sell personal data. We share it only with the specific service providers required to run the platform, listed in section 09.
  • You have the rights granted by the Nigeria Data Protection Act, 2023. Section 12 explains how to use them.

This policy is the full account. If you only have time to read one paragraph, the bullets above are the gist.

02

Who we are

Medicall ("Medicall", "we", "us", "our") is the trading name of the Medicall platform operated by Usemedicall Ltd, a company providing healthcare access services to patients and verified hospitals in the Federal Republic of Nigeria.

For the purposes of the Nigeria Data Protection Act, 2023 ("NDPA"), Medicall is the data controller for personal data collected through the Medicall mobile app, the hospital portal at usemedicall.com, our marketing site, our internal superadmin tool, and our official WhatsApp business number.

For data that a hospital collects from its own patients in the course of providing medical care at its premises, the hospital is the data controller and we are not. This policy does not cover what happens inside a hospital's own systems.

You can reach our data protection contact at support@usemedicall.com. Postal contact details are in section 16.

03

What this policy covers

This policy describes how Medicall handles personal data when you:

  • Download, install, or use the Medicall mobile app (iOS or Android).
  • Browse our marketing site, the hospital portal, or the patient-facing public hospital directory.
  • Submit a partner inquiry, contact form, appointment request, or support message.
  • Sign in to a hospital portal account or accept a hospital invitation.
  • Generate, confirm, or dispute a booking code (MED-XXXXXXXX).
  • Receive a WhatsApp message from our nightly reconciliation system, or reply to one.
  • Pay an invoice or subscription fee via the Paystack-powered checkout we link to.
  • Leave a review or rate a hospital after a logged visit.

Third-party websites, social media pages, and any care delivered at a hospital premises are not covered by this policy. The relevant third party's own policy applies.

04

Key terms used in this policy

Personal data
Any information relating to an identified or identifiable person. Includes names, email addresses, phone numbers, photos, device identifiers, and information that, combined with other data, can identify someone.
Processing
Anything we do with personal data: collecting, storing, using, sharing, deleting, anonymising.
Booking code
A one-time discount code in the format MED-XXXXXXXX, generated at the billing counter and tied to a specific hospital, service, and bill amount.
Device identifier
A random universally-unique identifier (UUID v4) generated by the mobile app on first launch and stored in the device's secure storage. It is not your phone number, your IMEI, your Apple ID, or your Google ID. It is a string we make up to recognise the same install across sessions.
Device secret
A separate server-issued token bound to the device identifier on first contact, used to prevent another device from impersonating yours. Stored alongside the device identifier.
Hospital member
A staff member at a partner hospital who has been given access to the hospital portal under an "Admin" or "Updater" role.
Superadmin
An internal Medicall employee or contractor on the access allowlist, with the ability to manage hospitals, disputes, and platform settings.
05

The categories of data we collect, by user type

We organise this section by who you are when you use Medicall, because what we collect depends on that.

5.1 Patients using the mobile app

Patient use of the Medicall mobile app is intentionally anonymous. We do not ask for, and the app does not store, your name, phone number, email, date of birth, government ID, photograph, medical history, or any other directly identifying information on the device.

What we do collect from the mobile app:

  • Device identifier and device secret. Generated once on first launch, stored in the device's secure key store. Sent with every request to our servers so we can rate-limit abuse, prevent code-generation fraud, and tie a booking code to a single device. Reinstalling the app produces a new identifier and disconnects you from any previous booking history.
  • Approximate location. When you allow location access, we read your device's GPS coordinates while the app is in the foreground and use them to (a) sort nearby hospitals by distance, (b) determine which Nigerian state and local government area (LGA) you are in, and (c) show your position on the hospital map. We do not write your raw coordinates to our database. Only the derived state and LGA names may be recorded with analytics events.
  • Hospital and service browsing. Which hospitals you tap into, which services or categories you filter by, which directions or call buttons you press. This is logged as analytics events tied to your device identifier so we can improve search relevance and reporting.
  • Booking-code requests. When you generate a discount code, we record the hospital, service, the bill amount you entered, the discount and fee splits, the timestamp, and a server-side cryptographic record of the PIN attempt. We do not record who you are; the code is tied to your device identifier only.
  • Patient confirmation of bill amount. When you confirm the bill amount in the app, we record the confirmed figure and the time of confirmation.
  • Reviews. If you choose to rate a hospital after a logged visit, we store the star rating and your written review text against the booking code. The review carries no name; the review screen displays "Anonymous patient".
  • Push notification token. If you accept notifications, the operating system gives us a push token issued by Apple Push Notification Service or Firebase Cloud Messaging. We use it only to send transactional alerts (mismatch notices, review prompts, code-status updates) and store it against your device identifier.
  • Technical metadata. Platform (iOS/Android), OS version, app version, language/locale, and basic IP-derived information from network requests. We use this for diagnostics and abuse prevention.

What we explicitly do not collect from the mobile app:

  • Your name, phone number, email address, or government identification.
  • Your photo, contacts, calendar, microphone, camera roll, or SMS messages.
  • Background-location traces or GPS history while the app is closed.
  • Medical history, symptoms, prescriptions, diagnoses, or insurance information.
  • Any biometric data.

5.2 People who submit an appointment request

When you request an appointment through the mobile app or the hospital portal, the request form asks for the details the hospital needs to call you back: typically your name, phone number or email, and a short description of what you are coming in for. We pass that request to the hospital and confirm receipt by email or push notification.

Appointment requests are stored separately from the booking-code system. They do not produce a booking code. They are not linked to a patient profile because there is no patient profile. The next time you book an appointment you will type the details again.

5.3 People who submit the partner-inquiry or contact form

When you submit the partner-inquiry form on our landing page or use the contact page, we collect the details you provide: name, role, hospital or organisation, email, phone, and the body of your message. We store this in a contact-submissions table so a state representative can follow up.

5.4 Hospital members using the hospital portal

Hospital staff who log into the portal supply, and we store:

  • Email address used to receive the invitation and log in.
  • A password, stored as a salted hash via Supabase Auth. We never see your plain-text password.
  • A profile photo if you upload one, and your display name.
  • Role within the hospital (Admin or Updater), and the hospital you are a member of.
  • Records of significant actions you take in the portal (verification, profile updates, resource updates, booking-code confirmations, dispute responses), stored in an audit log.
  • Standard server-side technical metadata for every request (IP address, user agent, timestamps).

5.5 Hospitals as institutions

For each verified hospital we store the business information needed to list and pay them:

  • Hospital name, address, state, LGA, geocoded coordinates, facility type, operating hours, primary email, primary phone, WhatsApp number.
  • KYC documents uploaded by the hospital or the onboarding state representative: Ministry of Health certificate, professional licence document, licence number, signed partnership agreement.
  • List of services and resources offered, with quantities and availability statuses.
  • Bank or payout details captured during invoicing, where required.
  • Discount PIN (stored as a salted hash, never in plain text) used to authenticate booking-code generation.
  • Subscription and invoice history, Paystack reference IDs, and reactivation history.
  • Operational signals computed by us: ghost rate, demotion windows, suspension/reactivation timestamps.

5.6 State representatives and Medicall employees

Our internal team members and contracted state representatives have profiles in the superadmin system: name, email, state of operation, hire date, role/permissions, and an activity log. Their access is gated by an explicit allowlist.

5.7 WhatsApp interactions

Our nightly reconciliation report is delivered via WhatsApp to each active hospital. We record the message text, the WhatsApp message ID, the sender phone number, and the parsed result of any reply (e.g. an amount correction). This is necessary because the WhatsApp reply is one of the two valid ways a hospital can confirm a booking code.

5.8 Cookies and similar technologies

Our web properties use only the cookies strictly necessary to keep you signed in and to keep the application secure. These include session cookies issued by our authentication provider (Supabase Auth) and CSRF protection cookies. We do not use third-party advertising cookies. We do not use cross-site tracking pixels.

The mobile app uses the device's secure local storage (Expo SecureStore) to hold the device identifier and device secret, and AsyncStorage to cache hospital lists for offline use.

06

How we use the data, purpose by purpose

For each purpose below, we describe what we use, why, and the legal basis under the NDPA.

Showing you nearby verified hospitals

Data used: Approximate location (state, LGA, distance), hospital catalog data.

Why: Sort and filter the public hospital directory so you see relevant hospitals first.

Legal basis: Performance of a service you have requested by opening the app.

Generating a discount booking code

Data used: Device identifier, device secret, hospital ID, service ID, bill amount, discount PIN attempt, idempotency key.

Why: Issue a one-time MED-XXXXXXXX code, tie it to a single device, and prevent abuse via rate limits and PIN verification.

Legal basis: Performance of a service (the discount) and our legitimate interests in preventing fraud.

Reconciling codes between patient and hospital

Data used: Patient-entered amount, hospital-declared amount, code timestamps, WhatsApp message contents.

Why: Detect amount mismatches, calculate the 5% patient discount and 5% Medicall fee, and notify affected parties.

Legal basis: Performance of our contract with the hospital, and our legitimate interest in operating a financial reconciliation service.

Sending mismatch and review notifications

Data used: Device push token (patient), WhatsApp number (hospital), email (Medicall admin).

Why: Tell each party when a booking code's bill amount doesn't match and ask the patient to rate the hospital after a logged visit.

Legal basis: Performance of a service and legitimate interest. You can revoke push permissions in your device settings.

Daily WhatsApp reconciliation report to hospitals

Data used: Hospital WhatsApp number, list of yesterday's codes for that hospital.

Why: Allow cashiers to confirm codes by replying to the message.

Legal basis: Performance of our contract with the hospital.

Monthly invoicing and payment

Data used: Hospital identifying details, sum of billable amounts, Paystack reference, payment status.

Why: Calculate and issue invoices for the 5% Medicall fee, accept Paystack payment, and reactivate suspended hospitals on receipt.

Legal basis: Performance of our contract with the hospital and compliance with Nigerian tax and accounting law.

Hospital onboarding, verification, and KYC

Data used: Business contact details, MOH certificate, licence document, signed partnership agreement.

Why: Confirm that each listed hospital is a real, licensed facility and is authorised to issue the discount.

Legal basis: Performance of our contract with the hospital, and compliance with our duty of care to patients.

Hospital-portal account management

Data used: Email, password hash, role, invitation token hash, audit log of actions.

Why: Authenticate hospital staff, scope their permissions, and let us investigate disputes after the fact.

Legal basis: Performance of our contract and our legitimate interest in account security.

Following up partner inquiries

Data used: Inquirer name, role, hospital/organisation, email, phone, message body, state.

Why: Route the lead to a state representative for in-person partnership conversations.

Legal basis: Steps taken at your request prior to entering a contract.

Anonymous product analytics

Data used: Device identifier, event name, timestamp, derived location (state/LGA), platform, app version.

Why: Understand which features are used, find broken flows, prioritise development.

Legal basis: Our legitimate interest in improving the platform. Events do not carry name, email, or phone.

Rate limiting and abuse prevention

Data used: Device identifier, IP address (truncated for storage), request type, request timestamp.

Why: Block scripted abuse of booking-code generation, contact forms, and login endpoints.

Legal basis: Our legitimate interest in keeping the platform available for everyone.

Compliance, fraud investigation, and dispute resolution

Data used: Audit logs, booking-code records, WhatsApp message logs, payment records.

Why: Investigate disputes within the 3-day dispute window, resolve mismatches, respond to legal requests, and maintain accounting records.

Legal basis: Legal obligation (accounting, tax, anti-fraud) and legitimate interest.

Sending you operational emails

Data used: Email address (hospital members), invitation token, invoice details, password-reset link.

Why: Account invitations, password resets, invoices, receipts, and service-critical announcements. These are not marketing emails.

Legal basis: Performance of our contract with the hospital.

07

What we do not do with your data

  • We do not sell, rent, or trade personal data to advertisers, data brokers, or any third party for marketing purposes.
  • We do not build advertising profiles from your behaviour in the app or on the website.
  • We do not share patient device identifiers with hospitals. Hospitals see the booking code, the bill amount, and the booking timestamp. They do not see any unique identifier they could use to recognise you across visits.
  • We do not share patient mobile-app activity logs with hospitals beyond what is necessary to operate a single booking code.
  • We do not use automated decision-making with legal or similarly significant effects on you. Ghost-rate, search ranking, and suspension logic are administrative rules with human oversight.
  • We do not perform secondary research on identifiable patient data without explicit consent.
09

The service providers we share data with

Running Medicall requires us to use specialised infrastructure providers. We share the minimum personal data each provider needs to do its job. We do not share data with any party for their own independent purposes. Every provider listed below is bound by a data-processing agreement.

Supabase

Purpose: Database, authentication, file storage, and serverless functions.

Data shared: Everything we store. Hospitals, hospital members (including password hashes), booking codes, reviews, audit logs, KYC documents.

Location: United States (primary region). Backups in the same region.

Vercel

Purpose: Hosting of the hospital portal, the superadmin tool, and our public marketing site.

Data shared: HTTP request metadata and any payload we send between the client and our server-side functions. Function logs (with PII minimised where possible).

Location: Global edge network with primary regions in the United States and European Union.

Expo / EAS (Expo Application Services)

Purpose: Mobile app build pipeline and over-the-air updates.

Data shared: Build configuration. Push tokens are routed through Expo Push to Apple and Google.

Location: United States.

Apple Push Notification Service / Firebase Cloud Messaging

Purpose: Deliver push notifications to iOS and Android devices.

Data shared: Push token, notification payload.

Location: United States (Apple), Google global infrastructure (Firebase).

Paystack

Purpose: Process invoice payments and reactivate hospital subscriptions.

Data shared: Hospital name, invoice amount, hospital email, Paystack reference identifier. Payment-card details are entered on Paystack's own page; we never see them.

Location: Nigeria, with parent infrastructure managed by Stripe.

Meta WhatsApp Business Platform

Purpose: Send nightly reconciliation reports and receive cashier replies.

Data shared: Hospital WhatsApp phone number, message body, message identifiers.

Location: United States (Meta). Subject to Meta's own data-handling policies.

Resend

Purpose: Send transactional email (invitations, invoices, password resets, mismatch notices to administrators).

Data shared: Recipient email address, message body.

Location: United States.

Apple App Store and Google Play

Purpose: Distribute the Medicall mobile app and collect crash diagnostics.

Data shared: Aggregated install, crash, and review data attributed to your app store account, governed by each store's own policy.

Location: Global infrastructure.

OpenStreetMap (Nominatim) and Google Geocoding

Purpose: Convert addresses and coordinates into states, LGAs, and place identifiers.

Data shared: Search query text (address fragments) or coordinates. We do not send your device identifier.

Location: Global infrastructure.

GitLab and GitHub

Purpose: Source control and CI for our own engineering team. Used to build and deploy the platform, not to process user data in production paths.

Data shared: No customer data is sent to these systems in normal operation.

Location: Global.

Sentry or equivalent error-reporting service

Purpose: Receive crash reports and unhandled exceptions so we can fix bugs.

Data shared: Stack traces, the device's platform and OS version. PII is scrubbed from event payloads where reasonable.

Location: United States.

If a hospital member or a patient asks for the most current list of our sub-processors, we will provide it on request.

10

International data transfers

Several of the providers listed above operate primarily outside Nigeria. As a result, personal data we collect in Nigeria is processed in the United States and the European Union. Under section 41 of the NDPA, transfers of personal data outside Nigeria are permitted where appropriate safeguards are in place.

We rely on the following safeguards:

  • Written data-processing agreements with each sub-processor that bind them to confidentiality, purpose limitation, security, and the rights of data subjects.
  • Reliance on providers that operate under recognised data-protection frameworks (the EU General Data Protection Regulation; the United States Data Privacy Framework where applicable).
  • Encryption of personal data in transit (TLS 1.2 or above) and at rest at the storage layer.
  • Minimisation: we send overseas only the data each provider needs for its specific function.

If you want a copy of the relevant transfer safeguard, write to us at support@usemedicall.com.

11

How long we keep your data

We keep personal data for the shortest time that achieves the purpose we collected it for. Specific retention periods:

Device identifier and device secret (mobile app)Until you uninstall the app or clear app data. Reinstalling the app generates a new identifier and severs the link to your previous activity.
Patient-side push tokensRefreshed regularly by the operating system. Tokens we cannot deliver to for an extended period are deleted.
Booking codesRetained for at least seven (7) years from the date the code was generated, to satisfy our accounting, tax, and dispute-evidence obligations. Codes may be anonymised at the end of this period.
Invoices, payments, receiptsRetained for at least seven (7) years from issue, as required by Nigerian tax law.
Audit logsRetained for at least seven (7) years; required to investigate historical disputes. Audit log rows are protected against modification by database triggers.
WhatsApp message logsRetained for two (2) years from receipt or transmission, then deleted.
Appointment requestsRetained for ninety (90) days after the appointment's scheduled date, then deleted. Contact details on appointment requests are not used for marketing.
Partner inquiries and contact submissionsRetained for twelve (12) months from receipt unless they convert to an active partnership, in which case they become part of the hospital record.
Hospital member accountsRetained while the member is active. After a hospital terminates or a member is removed, we keep the account record (without active access) for two (2) years so we can investigate past actions.
KYC documents (MOH certificate, licence, partnership agreement)Retained for the active life of the hospital partnership plus six (6) years.
Reviews and ratingsRetained for as long as the hospital remains listed. Reviews are anonymous; if you ask us to remove a specific review, we will remove the body text and rating but retain a record that the review existed for fraud prevention.
Analytics eventsRetained in identifiable form for thirteen (13) months, then aggregated or deleted.
Rate-limit recordsRetained for thirty (30) days, then deleted.
Support ticketsRetained for two (2) years from closure.

Where the law requires a longer period than we have committed to above, the law prevails. Where you ask us to delete data sooner and we are legally allowed to, we will.

12

Your rights under the NDPA

The Nigeria Data Protection Act, 2023 gives every data subject the following rights. We will respond to a valid request within thirty (30) days, and we will not charge a fee unless your request is manifestly unfounded or excessive.

  • Right to be informed about how we handle your data. This policy is our primary answer.
  • Right of access to a copy of the personal data we hold about you.
  • Right to rectification of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") in the circumstances permitted by the NDPA. We may refuse erasure where we must keep the data to comply with the law (e.g. revenue records) or to defend a legal claim, but we will tell you which exception applies.
  • Right to restrict processing while a dispute about accuracy or legitimacy is resolved.
  • Right to data portability for data you provided to us, in a structured machine-readable format.
  • Right to object to processing based on legitimate interests, including any direct marketing.
  • Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Medicall does not make decisions of this kind without human involvement.
  • Right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng. We would appreciate the chance to address your concern first.

Two practical notes for the mobile app:

  • Because patient use of the app is anonymous, we can only locate data tied to your specific device identifier. We will ask you to provide it from the app's Account screen so we can find the records to act on.
  • Erasure of historical booking codes is constrained by accounting law. In those cases we will anonymise the records (strip the device identifier and any free-text fields) rather than delete them entirely. The financial fields remain in our books.

To exercise any right, write to support@usemedicall.com.

13

How we keep your data safe

We take security seriously and design the platform with the assumption that an attacker is always trying.

  • Encryption in transit. All connections to our APIs, the hospital portal, the superadmin tool, and the public site use TLS 1.2 or higher. The mobile app refuses connections that fall below that threshold.
  • Encryption at rest. Database storage, file storage, and backups are encrypted at rest by our infrastructure providers.
  • Row-level security (RLS). Our database enforces fine-grained access rules so that a hospital member can only read their own hospital's data, a patient can only see public listings, and only the service role can perform privileged writes.
  • Service-role gating. Sensitive endpoints (booking-code generation, the Paystack webhook, the WhatsApp webhook) run on the server with elevated privileges only after we verify webhook signatures, idempotency keys, device secrets, or cron secrets.
  • Audit logs. Significant state changes (verification, code confirmation, dispute resolution, payment receipt) are written to an immutable audit log.
  • Authentication. Hospital staff sign in with email and password via Supabase Auth, which stores only salted password hashes. We support invitation-link onboarding so no one shares a password by email.
  • Rate limiting. Every public endpoint is rate-limited per device or per IP. The booking-code endpoint has additional PIN-attempt lockouts.
  • Webhook signatures. Paystack and WhatsApp callbacks are validated with timing-safe HMAC comparison before any side effect.
  • Principle of least privilege. Internal access to the superadmin tool is gated by an explicit allowlist and limited to people whose role requires it.
  • Vendor due diligence. Each sub-processor is reviewed before use and re-reviewed periodically.
  • Incident response. If a personal-data breach occurs that is likely to result in risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission within seventy-two (72) hours of becoming aware, and we will notify affected data subjects without undue delay, in line with the NDPA.

No system is perfectly secure. If you believe you have found a security issue with Medicall, please email support@usemedicall.com. We will acknowledge promptly and we will not pursue good-faith researchers who follow responsible disclosure.

14

Children and young people

Medicall is built for adults responsible for their own healthcare decisions. We do not knowingly collect personal data from anyone under the age of eighteen (18). Children may, in practice, be the patient whose bill is being paid; in those cases the relevant data is supplied by the accompanying adult (who is the user of our app, the holder of the booking code, and the data subject in our records).

If you believe a person under 18 has provided us with personal data without parental or guardian consent, write to support@usemedicall.com and we will delete the relevant information.

15

Changes to this policy

We will update this policy as our service changes. The "Last updated" date at the top is always the version's effective date. When the change is material (for example, adding a new sub-processor, changing how we use a category of data, or changing retention periods) we will notify hospital members by email and patients via in-app notice ahead of the change.

Older versions of this policy are kept on file and are available on request.

16

Contacting us

The fastest way to reach us about anything in this policy (privacy questions, data-subject requests, security disclosures, or general help) is by email. One inbox handles all of it:

Please put a clear subject line on your message, for example "Data access request", "Security disclosure", or "Privacy question", so we can route it to the right person internally.

For postal correspondence, the registered address of Medicall (Usemedicall Ltd) is available on request from support@usemedicall.com.

You also have the right to complain to the supervisory authority: the Nigeria Data Protection Commission (NDPC), ndpc.gov.ng.

17

A note for hospitals as data controllers

When a hospital lists itself on Medicall, accepts an invitation, and starts confirming booking codes, the hospital remains the data controller for its own patient records inside its own clinical systems. The hospital is the controller of:

  • Patient names, contact details, and clinical records held inside the hospital's billing or electronic medical-record system.
  • Any photographs, identity documents, or insurance information collected at the front desk.
  • Any local CCTV recordings, queue management systems, and similar.

Medicall is the controller of the records produced by the booking-code, reconciliation, and invoicing system that runs on our platform. Where a single booking code carries fields supplied by both us and the hospital, we treat the hospital and Medicall as joint controllers for that booking code, and the responsibilities are allocated by our partnership agreement.

Hospitals should publish their own privacy notice for the data they hold internally and should ensure that any data shared with us complies with their own legal obligations.

This policy was last reviewed and updated on June 1, 2026. Comments and corrections are welcome at support@usemedicall.com.

Return to the homepage · Contact us · FAQ