Privacy Policy

1. Who we are and how to contact us

Qeysia Labs Ltd (RC 9613649), based in Lagos, Nigeria, is responsible for the personal data described in this policy. For any privacy question or to exercise your rights, contact us at support@pharmtraq.app or write to us at Lagos, Nigeria (Remote onboarding available).

2. Our two roles: controller and processor

We handle personal data in two distinct capacities, and your rights and our responsibilities differ accordingly:

• As a data controller — for the personal data of our account holders and their staff (for example, names, email addresses, login details, and billing information). This policy governs that data.
• As a data processor— for the personal data that a subscribing pharmacy (the “Subscriber”) enters into the Service about its own customers or patients (for example, prescription and dispensing records). For that data the Subscriber is the data controller and decides why and how it is processed; we process it only on the Subscriber’s documented instructions to provide the Service. If you are a patient or customer of a pharmacy, please direct your privacy requests to that pharmacy.

3. Personal data we collect

As a controller, we collect:

• Account and identity data — name, email address, phone number, pharmacy/business name, role, and login credentials.
• Billing data — subscription plan, transaction references, and payment status. Card and bank details are collected and processed directly by our payment provider, Paystack; we do not store full card numbers.
• Usage and device data — log data, device and browser information, IP address, and actions taken in the Service, used for security, troubleshooting, and improving the product.
• Support and assistant data — messages you send to support and prompts you submit to our in-app AI assistant.

As a processor, on behalf of Subscribers we store the Subscriber Data they enter, which may include patient and prescription information that constitutes sensitive personal data (such as health data) under the NDPA. Subscribers are responsible for the lawful basis and any consent required for that data.

4. Lawful bases for processing

Under the NDPA we rely on one or more of the following lawful bases when we process personal data as a controller:

• Performance of a contract — to create your account, provide the Service, and manage your Subscription.
• Legitimate interests — to secure, maintain, and improve the Service and prevent fraud and abuse, where these interests are not overridden by your rights.
• Consent — for optional communications such as product marketing, which you can withdraw at any time.
• Legal obligation — to comply with applicable laws, tax requirements, and lawful requests from authorities.

Where we process sensitive personal data, we do so only with explicit consent or another specific ground permitted by the NDPA.

5. How we use personal data

• to provide, operate, secure, and support the Service;
• to process subscriptions, payments, and renewals through Paystack;
• to communicate with you about your account, security, and service updates;
• to provide in-app help and assistant features you choose to use;
• to detect, prevent, and investigate fraud, abuse, and security incidents; and
• to comply with our legal and regulatory obligations.

6. Who we share personal data with

We do not sell personal data. We share it with trusted service providers (“processors”) who help us run the Service, only to the extent needed and under appropriate confidentiality and data-protection obligations. These currently include:

• Paystack — payment processing and subscription billing;
• Resend — sending transactional and account emails;
• Cloud hosting and database providers — to host the application and store data;
• Sentry — error monitoring and diagnostics;
• AI assistant providers — to process prompts you submit to the in-app assistant; and
• Authentication and content providers — for secure sign-in and to deliver our website and blog.

We may also disclose personal data where required by law or to protect our rights, users, or the public.

7. International data transfers

Some of our service providers are located outside Nigeria, which means your personal data may be transferred to and processed in other countries. Where we transfer personal data outside Nigeria, we do so in accordance with the NDPA — for example, where the destination provides an adequate level of protection, under appropriate contractual safeguards, or on the basis of your consent or contractual necessity — and we record the basis for the transfer.

8. Your rights under the NDPA

Subject to the conditions and exceptions in the NDPA, you have the right to:

• be informed about how your personal data is processed;
• access your personal data and obtain a copy;
• rectify inaccurate or incomplete data;
• erase your data where there is no lawful reason to keep it;
• restrict processing in certain circumstances;
• withdraw consent at any time, as easily as it was given, where processing is based on consent;
• object to processing, including for direct marketing; and
• not be subject to a decision based solely on automated processing that significantly affects you, and to request human review.

To exercise any of these rights, email support@pharmtraq.app. We will respond without undue delay and within the timeframes required by the NDPA. If you are a patient or customer of a pharmacy that uses PharmTraq, please contact that pharmacy, as it is the controller of your data.

9. Your right to complain to the NDPC

If you believe we have not handled your personal data in accordance with the NDPA, we encourage you to contact us first so we can address your concern. You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).

10. How long we keep personal data

We retain personal data only for as long as necessary for the purposes described in this policy, including to provide the Service, comply with legal, tax, and accounting obligations, resolve disputes, and enforce our agreements. When data is no longer needed we delete or anonymise it. Subscriber Data is retained per our agreement with the Subscriber and may be deleted after the account is closed, subject to the data export window described in our Refund & Cancellation Policy.

11. How we protect personal data

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls and role-based permissions, and monitoring. No method of transmission or storage is completely secure, but we work to protect your data and to continuously improve our safeguards.

12. Data breaches

We maintain procedures to detect and respond to personal-data breaches. Where a breach is likely to result in a high risk to individuals’ rights and freedoms, we will notify the NDPC within 72 hours of becoming aware of it where required, and we will inform affected individuals without undue delay. We keep a record of breaches as required by the NDPA.

13. Cookies and similar technologies

We use strictly necessary cookies to keep you signed in and to secure your session, and limited cookies or similar technologies for analytics and error monitoring that help us keep the Service reliable. You can control cookies through your browser settings; disabling strictly necessary cookies may prevent you from signing in.

14. Children’s data

The Service is intended for use by pharmacy businesses and their staff, not by children. We do not knowingly collect personal data directly from children. Where a Subscriber processes data about patients who are children (under 18) through the Service, the Subscriber is responsible for obtaining any parental or guardian consent and for any age-verification required under the NDPA.

15. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes we will provide reasonable notice and update the “Last updated” date above. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

16. Contact us

For any question about this Privacy Policy or your personal data, contact Qeysia Labs Ltd at support@pharmtraq.app or write to us at Lagos, Nigeria (Remote onboarding available).