Privacy Policy
1. Roles: who controls what
Patient & clinical data. When a hospital, clinic, laboratory, pharmacy or health programme uses ChartChronicle Health to record patient and clinical information, that organisation is the data controller and decides why and how the data is processed; we are the data processor and process it only on the controller's documented instructions to provide the service. Patients should direct requests about their records to the facility that holds them; we will support the facility in responding.
Account, billing & website data. For the data of the staff who administer accounts, of billing contacts, and of visitors to our website and contact form, ChartChronicle Health Technologies Limited is the controller. This policy governs that data.
2. Data we process
- Account & identity: name, work email, phone, username, role, organisation and facility assignment, and authentication data (passwords are stored only as salted hashes; MFA secrets are encrypted).
- Billing: plan, billing contact, currency, country, and payment-transaction references (card details are handled by our payment processors, not stored by us).
- Patient & clinical (as processor, on behalf of the controller): demographics, identifiers, encounters, diagnoses, prescriptions, results, and related clinical records - which may include sensitive categories of data.
- Technical & usage: log data, request IDs, device/sync identifiers, IP address and a tamper-evident audit trail of access to clinical records (who accessed what, when, and why).
- Enquiries: what you send us via the contact form (please do not include patient names or clinical details in that form).
3. Lawful basis and purposes
For account, billing and website data we rely on the lawful bases of contract (to provide and bill the service), legitimate interests (to secure, support and improve the platform), legal obligation, and consent where required (for example, optional marketing). For patient and clinical data, the lawful basis and any required consent are determined and obtained by the controller (the facility); we process such data solely to deliver the service, to secure it, to provide support at the controller's request, and to meet legal obligations.
4. Sharing and sub-processors
We do not sell personal data. We share data only with vetted sub-processors that help us run the service (for example hosting, communications and payment processing), each bound by data-protection obligations no less protective than those we accept. The current list is on our Sub-processors page. We may disclose data where required by law or to protect the platform, our customers and patients.
5. International transfers
The platform is built to keep data within the regions our customers require and to respect data-localisation rules. Where a transfer outside the country of origin is necessary (for example to a sub-processor), we put in place an appropriate safeguard and legal basis for that transfer as required by the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR).
6. Security
Data is encrypted in transit and at rest. Access is governed by role-based access control with facility/organisation scoping and database-level tenant isolation; elevated roles require multi-factor authentication; and every access to a clinical record is recorded in a tamper-evident audit trail. More detail is on our Security page. No system is perfectly secure, but we work continuously to protect the data entrusted to us.
7. Retention
We keep account and billing data for as long as you have an account and as long as needed for legal, accounting and audit purposes. Patient and clinical data is retained for the period the controller (the facility) instructs and for the minimum periods required by applicable health-records law; on termination it is exported, then deleted or anonymised per the DPA.
8. Your rights
Subject to the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR), you may request access to, correction of, deletion or restriction of, and portability of your personal data, and you may object to certain processing or withdraw consent. To exercise these rights over data for which we are the controller, contact hello@chartchronicle.com. For patient/clinical data, please contact the facility (the controller); the platform also provides patients with a portal to view their own records, a record of who accessed them, and tools to request corrections and manage consent.
9. Children's data
Health records may include data about minors. Such data is processed on behalf of the controller, with guardian/proxy access governed by a configurable age-of-majority and the controller's consent rules. The platform is not directed at children as end users.
10. Personal-data breaches
We maintain a breach-response process and, acting as processor, will notify the affected controller without undue delay after becoming aware of a personal-data breach. Where we are the controller, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours where the law requires, and affected individuals where there is a high risk to their rights.
11. Cookies
We use only the cookies strictly necessary to run the service (for example to keep you signed in). See our Cookie Policy for detail.
12. Data Protection Officer and complaints
You can reach our Data Protection Officer at hello@chartchronicle.com. If you believe your data has been mishandled, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) (or your local data-protection authority), though we encourage you to contact us first so we can help.
13. Changes
We may update this policy to reflect changes to the service or the law. Material changes are communicated in-product or by email; the version current at the time of use governs that use.
14. Controller identity and contact
ChartChronicle Health Technologies Limited (“ChartChronicle Health”, “we”, “us”, “our”) is a private company limited by shares incorporated in Nigeria and registered with the Corporate Affairs Commission (CAC), Nigeria under registration number RC 9585931 on 2 June 2026. Our registered office is Kilometer 10, Plot 6, Amugbekun Street, Apata, Ibadan, Oyo State, Nigeria. These terms are governed by the laws of the Federal Republic of Nigeria, and the parties submit to the exclusive jurisdiction of the courts of the Federal Republic of Nigeria.