CAREVILLE PRO PRIVACY POLICY
Effective Date: April 27, 2026
Last Updated: April 27, 2026
1. INTRODUCTION AND SCOPE
This Privacy Policy for Providers ("Pro Privacy Policy") applies to all
healthcare and wellness providers, facilities, and organisations
("Provider", "you", or "your") who register on and use the CareVille Pro
application ("Pro Platform") operated by CareVille Technologies Limited
("CareVille", "we", "us", or "our").
This Policy explains how we collect, use, retain, and protect your
personal and professional data, and sets out your rights. It also
describes CareVille's role as a Data Processor when handling patient
data on your behalf, and your obligations as a Data Controller for that
patient data.
This Policy should be read together with the CareVille Pro Terms of
Service and, where applicable, the Data Processing Agreement (DPA) which
forms part of your agreement with CareVille.
2. DATA CONTROLLER AND PROCESSOR ROLES
2.1 Provider Account and Operational Data
CareVille acts as the Data Controller for all personal and professional
data you provide in connection with your Provider account, including
registration details, professional credentials, payment information, and
communications with CareVille.
2.2 Patient Data
Where patient data is processed through the Pro Platform during the
delivery of healthcare services, CareVille acts as a Data Processor on
your behalf, and you remain the Data Controller for that patient data.
CareVille processes patient data only in accordance with your
instructions as a Provider and as set out in the Data Processing
Agreement.
2.3 Data Processing Agreement (DPA)
As required under the Nigeria Data Protection Regulation (NDPR) and the
Nigeria Data Protection Act 2023, CareVille and each registered Provider
are bound by a Data Processing Agreement that governs CareVille's
processing of patient data as your Processor. The DPA forms part of your
registration agreement with CareVille and sets out:
- The nature, purpose, and duration of processing.
-
The types of personal data and categories of data subjects involved.
- Your instructions to CareVille regarding the processing.
- The technical and organisational security measures in place.
- Sub-processor arrangements.
- Data breach notification obligations.
If you have not received or wish to review the DPA, please contact
care@carevilleapp.com.
2.4 Data Protection Officer
CareVille has designated a Data Protection Officer (DPO) responsible for
overseeing compliance with data protection obligations. Contact details:
Data Protection Officer, CareVille Technologies Limited
Address: 1 O.G Street Behind St Fidelis Catholic Church, Aduwawa, Benin
City, Edo State, Nigeria
Email: care@carevilleapp.com
3. INFORMATION WE COLLECT ABOUT PROVIDERS
3.1 Professional and Identity Data
- Full name and professional title
-
Medical or professional licence number and issuing body (e.g., MDCN,
NMCN, PCN, MRTBN)
- Copies of licences, certificates, and registration documents
- Specialisation(s), qualifications, and years of experience
- Professional photograph
3.2 Facility and Practice Data (for institutional providers)
-
Business name and corporate registration details (CAC registration
number)
- Physical address and operating hours
- Services offered and pricing
- Facility accreditation details
3.3 Contact and Account Data
- Email address and phone number
- Encrypted login credentials and authentication tokens
- Bank account details for payment remittances
3.4 Technical and Usage Data
- Device type, operating system, and application version
- IP address
- Login activity, session data, and in-app usage logs
-
Consultation activity data (excluding clinical content, which you
control)
3.5 Background Verification Data
With your consent, we may collect and process the results of background
checks, regulatory verification queries, and professional reference
checks conducted as part of the onboarding process.
3.6 Patient Data Processed on Your Behalf
Through the Pro Platform, you may process patient data (including names,
contact details, medical histories, consultation notes, and
prescriptions). As noted above, CareVille processes this data as your
Processor, strictly in accordance with the DPA and your instructions.
You are responsible for ensuring you have a valid legal basis for
processing each patient's data.
4. LEGAL BASIS FOR PROCESSING PROVIDER DATA
-
Contractual Necessity: Registering and managing your Provider account;
processing payment remittances; verifying your professional
credentials; enabling service delivery.
-
Legal Obligation: Complying with NDPR, NAFDAC, MDCN, and other
applicable Nigerian regulations; responding to lawful regulatory or
judicial requests; maintaining records required by law.
-
Legitimate Interests: Fraud prevention and platform security; quality
assurance and performance monitoring; improving the Pro Platform,
subject to your data protection rights.
-
Consent: Background checks and reference verifications; marketing
communications about CareVille Pro services (you may opt out at any
time).
5. HOW WE USE PROVIDER DATA
- Create, verify, and manage your Provider account.
-
Display your professional profile to users seeking healthcare
services.
-
Facilitate appointment bookings, scheduling, and consultation
delivery.
- Process and remit payment for completed consultations.
-
Communicate operational updates, policy changes, and service
notifications.
- Conduct credential verification and background checks.
- Monitor compliance with the CareVille Pro Terms of Service.
-
Improve and develop the Pro Platform through anonymised usage
analytics.
-
Detect and investigate fraud, security incidents, and Terms
violations.
6. YOUR OBLIGATIONS AS DATA CONTROLLER FOR PATIENT DATA
-
Obtain valid informed consent from each patient before collecting and
processing their personal health information through the Platform.
-
Maintain a lawful basis for all patient data processing activities.
-
Provide patients with a clear privacy notice covering your own
processing of their data.
-
Respond to patient data subject access requests within the timeframes
required by applicable law.
-
Maintain appropriate security measures for any patient data you
download, store, or process outside the Platform (e.g., on personal
devices or in your own systems).
-
Notify CareVille at care@carevilleapp.com within twenty-four (24)
hours of becoming aware of any data breach involving patient data
processed through the Platform.
7. DATA SHARING
-
With Platform Users: Your name, professional title, specialisation,
qualifications, photo, and ratings are displayed to users who are
seeking or have booked your services.
-
With Payment Processors: Bank account and transaction details are
shared with licensed payment processors for remittance purposes.
-
With Technology Service Providers: We engage reputable cloud hosting,
security, and analytics providers who process data only on our
instructions under Data Processing Agreements. A list of our current
sub-processors is available on request.
-
With Regulatory Authorities: We may disclose data where required by
law, court order, or lawful request from NITDA, NAFDAC, MDCN, or other
competent Nigerian authorities.
-
In Business Transfers: In the event of a merger, acquisition, or asset
sale, Provider data may be transferred to the acquiring entity under
equivalent data protection obligations. You will be notified before
any such transfer.
8. SUB-PROCESSORS
- Cloud infrastructure and hosting providers
- Payment processing providers
- Identity verification and background check providers
- Communication and notification services (SMS, email)
- Analytics and performance monitoring tools
A current list of named sub-processors is available upon written request
to care@carevilleapp.com.
9. DATA SECURITY
- TLS 1.2 or higher encryption for all data in transit.
-
Encryption at rest for sensitive data, including health records.
-
Role-based access controls limiting data access to authorised
personnel.
-
Multi-factor authentication for administrative and system access.
-
Regular security audits, penetration testing, and vulnerability
assessments.
- Continuous monitoring and incident response procedures.
10. DATA RETENTION
-
Active account data: Retained for the duration of your active
registration on the Pro Platform.
-
Account data following termination: Retained for three (3) years after
the date of account closure or termination.
-
Patient data processed on your behalf: Retained in accordance with
Nigerian medical records standards.
- Payment and financial records: Retained for seven (7) years.
-
Credential and verification records: Retained for the duration of your
registration and for three (3) years thereafter.
11. INTERNATIONAL DATA TRANSFERS
Provider data and patient data may be stored or processed outside
Nigeria with safeguards.
12. YOUR DATA PROTECTION RIGHTS AS A PROVIDER
- Right of Access
- Right to Rectification
- Right to Erasure
- Right to Restriction
- Right to Object
- Right to Data Portability
- Right to Withdraw Consent
13. CHANGES TO THIS POLICY
We may update this policy periodically.
14. CONTACT INFORMATION
Data Protection Officer, CareVille Technologies Limited
Address: 1 O.G Street Behind St Fidelis Catholic Church, Aduwawa, Benin
City, Edo State, Nigeria
Email: care@carevilleapp.com