1. Introduction and Scope
Rednoxx Limited ("we," "us," or "our") is an EHR/EMR software provider committed to protecting your privacy and personal data.
This Privacy Notice explains how we collect, use, and protect your personal data in accordance with the Nigerian Data Protection Regulation (NDPR) and global best practices.
This notice applies to personal data we collect as a Data Controller from:
- Website Visitors: Individuals who visit our website, contact us, or subscribe to our newsletters.
- Clients and Partners: Individuals who work for our client organizations or are our business partners.
This notice does not apply to patient data processed through our EHR/EMR software. In those cases, our clients act as the Data Controller, and we act as the Data Processor.
Such processing is governed by separate Data Processing Agreements (DPAs).
2. Personal Data We Collect
- Contact & Identity Data: Full name, email, phone number, job title, and company name.
- Technical & Usage Data: IP address, browser type, time zone, device information, and usage analytics.
- Professional Data: Your professional interests, preferences, and feedback.
- Marketing & Communications Data: Preferences for receiving communications from us.
3. How and Why We Use Your Data
| Purpose of Processing | Categories of Data Used | Legal Basis (NDPR) |
| --- | --- | --- |
| To respond to inquiries and provide information | Contact, Professional | Legitimate Interest |
| To provide our services and manage contracts | Contact, Professional, Marketing | Performance of Contract |
| To send marketing and product communications | Contact, Marketing | Consent or Legitimate Interest (B2B) |
| To analyze and improve our website | Technical & Usage | Legitimate Interest |
| For security and fraud prevention | Technical & Usage | Legitimate Interest |
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We may share data with trusted third-party service providers acting as Data Processors, solely to perform specific functions such as cloud hosting or email services.
These processors operate under a strict Data Processing Agreement (DPA) that requires them to:
- Process data only on our documented instructions.
- Implement appropriate security measures.
- Maintain strict confidentiality.
We may also disclose personal data if required by law or government request.
5. International Data Transfers
Rednoxx Limited operates in a global digital environment, and as part of providing our services, we may transfer and process personal data in countries outside Nigeria.
These transfers typically occur when we use third-party service providers for functions such as cloud hosting, data analytics, customer relationship management, or secure communication services.
We understand that not all countries offer the same level of data protection as Nigeria. To ensure your personal data remains protected wherever it is transferred or processed, we implement one or more of the following safeguards in line with the Nigerian Data Protection Regulation (NDPR) and international best practices:
- Adequacy Decisions: When transferring data to countries that have been officially recognized by the Nigerian Data Protection Commission (NDPC) or other relevant authorities as providing an adequate level of protection, we rely on such adequacy determinations.
- Standard Contractual Clauses (SCCs): For transfers to jurisdictions without an adequacy decision, we incorporate NDPR-approved or internationally recognized Standard Contractual Clauses (SCCs) into our contracts with service providers and partners. These clauses legally bind the recipient to maintain equivalent data protection standards.
- Data Processing Agreements (DPAs): All our processors and international partners operate under a formal Data Processing Agreement that mandates:
  - Confidentiality and restricted data access.
  - Implementation of appropriate technical and organizational measures.
  - Processing data solely on our documented instructions.
  - Compliance with data subject rights and security requirements.
- Technical Safeguards: We employ strong encryption (both in transit and at rest), secure access controls, and continuous monitoring of data transfer channels to prevent unauthorized access or interception during cross-border transfers.
- Transparency and Accountability: You may request details of the specific safeguards applied to your personal data in relation to international transfers by contacting our Data Protection Officer (DPO). We will provide this information in accordance with applicable data protection laws.
By implementing these measures, Rednoxx ensures that all international transfers of personal data are conducted in a secure, lawful, and transparent manner that preserves your privacy rights under the NDPR.
6. Data Security and Retention
Rednoxx Limited takes data security and confidentiality extremely seriously. We have implemented a multi-layered security framework designed to protect your personal data against loss, misuse, unauthorized access, disclosure, alteration, or destruction.
a. Security Measures
- Encryption: All personal data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and periodic access reviews limit data access to authorized personnel only.
- Data Segmentation: Logical separation of client data prevents cross-access or leakage across projects and tenants.
- Monitoring and Incident Response: Continuous system monitoring and a defined Incident Response Plan ensure prompt detection and remediation of any security incident.
- Physical and Environmental Security: Secure facility access, surveillance, and environmental controls protect physical infrastructure.
- Employee Awareness: Regular training reinforces compliance, privacy awareness, and secure data-handling practices.
b. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, or enforce our agreements.
- Customer Account Data: Retained for the duration of the relationship and up to five (5) years thereafter, unless law requires longer.
- Health and Clinical Data: Retained according to Nigerian Health Records Retention Guidelines and sectoral regulations.
- Technical Logs and Audit Trails: Maintained for up to twelve (12) months for security and auditing purposes.
- Marketing Data: Retained only while consent remains valid, then securely deleted or anonymized.
At the end of the retention period, data is securely deleted, anonymized, or pseudonymized using certified destruction methods, ensuring it cannot be reconstructed or linked to any individual.
c. Data Breach Notification
In the unlikely event of a data breach that may affect your rights or freedoms, Rednoxx will promptly notify the affected individuals and the Nigerian Data Protection Commission (NDPC), in line with NDPR requirements, and provide guidance on protective actions taken.
7. Your Data Protection Rights
Under the NDPR, you have the following rights:
- Right to be Informed
- Right to Access
- Right to Rectification
- Right to Erasure
- Right to Restrict Processing
- Right to Object
- Right to Data Portability
- Right to Lodge a Complaint with NITDA
To exercise any of these rights, please contact our Data Protection Officer (DPO).
8. Children's Privacy
Our services are not directed at individuals under 18. We do not knowingly collect data from children.
If you believe a minor has provided us data, please contact us.
9. Contact Information
Data Protection Officer (DPO)
Rednoxx Limited
No 8 Along AKTH, Kano State
Email: cto@rednoxx.com
10. Updates to this Notice
We may update this Privacy Notice periodically to reflect changes in our practices or legal obligations.
When updated, we will revise the “Effective Date” above. We encourage you to review this page regularly.