Privacy Policy
Last updated: April 9, 2026 | Effective: April 9, 2026
Nigeria Data Protection Act (NDPA) 2023 & GAID 2025 Compliance: MyTurn Data Ltd is filing for registration with the Nigeria Data Protection Commission (NDPC) as a Data Controller of Major Importance (DCMI). Filing is in progress; the acknowledgment reference will be published here once received from NDPC. All personal data is stored exclusively on company-controlled servers physically located in Lagos, Nigeria. Data never leaves Nigerian soil.
1. Who We Are
MyTurn Health ("we", "us", "our") operates a closed-loop pharmaceutical ecosystem comprising MyTurn Pharma-OS, MyTurn Clinic, MyTurn PMS, MyTurn Academy, MyTurn Pay, MyTurn Financing, MyTurn Data, MyTurn Pharma, and MyTurnDrugApp. Our registered office is in Lagos, Nigeria.
General enquiries: contact@myturnhealth.com
Data Protection Officer: dpo@myturnhealth.com — a named DPO will be appointed via a retained DPCO firm before public launch.
Privacy enquiries: privacy@myturnhealth.com
2. Data We Collect
For Pharmacy & Clinic Customers (B2B):
- Business name, PCN license number, CAC registration
- Contact person name, email, phone number
- Business address, delivery locations
- Order history, transaction records, payment information
- Staff IDs and role assignments within our platform
For Patients (MyTurnDrugApp):
- We collect NO patient personal data during drug verification scans
- Scan data records WHAT was scanned, never WHO scanned it
- GPS data is stripped at the API gateway level before processing
- No names, NINs, phone numbers, or identifiable information is stored
For Clinical Data (MyTurn Clinic):
- Patient health information (PHI) is encrypted with AES-256-GCM at rest
- All PHI is stored in encrypted clinical storage within Nigeria — never in plain text
- NINs are stored as SHA-256 hashes only — the raw NIN is never persisted
3. How We Use Your Data
- Processing wholesale drug orders and deliveries
- Verifying pharmacist and doctor licenses (PCN/MDCN)
- Processing payments via Interswitch, NIBSS, and partner payment rails
- Generating compliance reports for NAFDAC, PCN, CBN, and NDPC auditors
- Disease surveillance and health intelligence (anonymized aggregate data only)
- Preventing drug counterfeiting via GS1 serial verification
4. Data Storage & Security
Data Residency: ALL data is stored exclusively on company-controlled servers physically located in Lagos, Nigeria — on-soil, no foreign cloud. No data is transferred, mirrored, or replicated to any server outside Nigeria. This complies with NDPA 2023 Section 41 (Cross-Border Transfer Restrictions) and GAID 2025.
- Encryption at rest: AES-256-GCM for all patient/clinical data
- Encryption in transit: TLS 1.3 for all API communications
- Field-level encryption: Fernet encryption for sensitive PII fields
- Access control: ABAC (Attribute-Based Access Control) with short-lived JWTs (15 minutes)
- Audit trail: Immutable SHA-256 hash-chained audit log for all data access
- Financial data: PCI-DSS compliant — zero raw card numbers stored
5. Your Rights (NDPA 2023)
Under the Nigeria Data Protection Act 2023, you have the right to:
- Access: Request a copy of all personal data we hold about you (FHIR R4 JSON export available)
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data ("Right to be Forgotten")
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing of your personal data
- Withdraw consent: Withdraw previously given consent at any time
To exercise any of these rights, contact our Data Protection Officer at dpo@myturnhealth.com (privacy enquiries: privacy@myturnhealth.com). A named DPO will be appointed via a retained DPCO firm before public launch; until then, requests are triaged by the compliance team.
We will respond to all data subject access requests (DSARs) within 30 seconds for automated exports, or 72 hours for manual review.
6. Data Breach Notification
In the event of a data breach, we will notify the NDPC within 72 hours and affected data subjects without undue delay, in compliance with NDPA 2023 Section 40. We conduct quarterly breach notification drills.
7. Third-Party Sharing
We share data with the following categories of recipients, strictly on a need-to-know basis:
- Payment processors: Interswitch, NIBSS (transaction IDs and amounts only — no patient data)
- Regulatory authorities: NAFDAC, PCN, NDLEA, CBN, NDPC (as required by law)
- Insurance providers: NHIA/HMO (claims data only, with patient consent)
We NEVER sell personal data. We NEVER share clinical data with pharmaceutical companies for marketing.
8. Cookies
Our platform uses essential cookies only for session management and authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. You can manage cookies through your browser settings.
9. Contact
Data Protection Officer: dpo@myturnhealth.com — a named DPO will be appointed via a retained DPCO firm before public launch. For general enquiries: privacy@myturnhealth.com.
NDPC DCMI Registration: Filing in progress — reference to be published upon acknowledgment
Data Controller: MyTurn Data Ltd, Lagos, Nigeria
Parent Company: MyTurn Health Holdings, Inc.