Privacy Policy

Physela Technologies Ltd. (“Physela”, “we”, “our”) is the data controller for personal data processed through this platform. We are registered in Nigeria and operate under the Nigeria Data Protection Regulation (NDPR) 2019 and, where applicable, the EU General Data Protection Regulation (GDPR).

Contact: privacy@physela.com

We collect the following categories of personal data:

• Identity data: name, date of birth, government ID (optional)
• Contact data: email address, phone number
• Health data: blood type, allergies, chronic conditions, vaccination records, appointment notes, prescriptions, lab results
• Financial data: payment method tokens (we do not store full card numbers), transaction history
• Usage data: login timestamps, feature interactions, device/browser type
• Insurance data: HMO provider, policy number, copay rate

We process your data under the following legal bases (GDPR Art. 6 / NDPR Para. 2.1):

• Contract performance — to book and manage appointments you have requested
• Legal obligation — to comply with healthcare regulations and tax laws
• Legitimate interests — to prevent fraud and improve platform security
• Consent — for marketing communications (you may withdraw at any time)

Health data (special category under GDPR Art. 9) is processed under Art. 9(2)(h) — provision of health care — and with your explicit consent at account creation.

We share your data only with:

• Partner hospitals and physicians — to deliver the appointment and care you booked
• Payment processors — Paystack (Nigeria) and Stripe (international), each certified PCI-DSS Level 1
• Communication providers — Twilio (SMS/WhatsApp), Resend (email), for appointment reminders and notifications
• Cloud infrastructure — Supabase (Postgres database, EU/US data centres), Vercel (hosting)

We do not sell your personal data to third parties.

We retain personal data for as long as your account is active, plus 7 years to meet healthcare record-keeping obligations under Nigerian law. You may request deletion of your account data at any time via Account settings → Right to be forgotten. We will anonymise your profile within 30 days of a verified request, subject to legal holds.

Under GDPR and NDPR you have the right to:

• Access — download a copy of your data (Account settings → Download your data)
• Rectification — correct inaccurate data via your profile page
• Erasure — request deletion (Account settings → Right to be forgotten)
• Restriction — ask us to pause processing while a dispute is resolved
• Portability — receive your data in a machine-readable format (JSON export)
• Object — opt out of direct marketing at any time

To exercise any right, email privacy@physela.com. We respond within 30 days.

We use session cookies (strictly necessary) and first-party analytics cookies. No third-party advertising cookies are set. You can delete cookies via your browser settings at any time; doing so will sign you out.

Material changes to this policy will be communicated by email at least 14 days before they take effect. The “last updated” date at the top of this page reflects the most recent revision.