Privacy Policy

Welcome to Diagknos ("we", "us", "our"), a home diagnostics coordination platform operated by Orivoy Limited, a company incorporated under the laws of the Federal Republic of Nigeria.

Diagknos enables patients to book laboratory tests online, have samples collected at home by certified healthcare professionals, and have those samples delivered to the patient's chosen partner laboratory for processing.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our platform, including our website and web application. It is prepared in compliance with the Nigeria Data Protection Act 2023 ("NDPA"), the General Application and Implementation Directive 2025 ("GAID"), the National Health Act 2014, and other applicable Nigerian laws and regulations.

Important: Diagknos is a logistics coordination platform. We are not a laboratory, diagnostic provider, or healthcare facility. We coordinate the collection and delivery of samples between you and your chosen partner laboratory. Diagnostic testing and interpretation of results are the sole responsibility of the partner laboratory and your healthcare provider.

The data controller responsible for your personal data is:

When your sample is delivered to a partner laboratory, that laboratory becomes an independent data controller for all processing related to diagnostic testing, analysis, and result generation. We encourage you to review your chosen laboratory's own privacy policy.

3.1 Information You Provide Directly

When you create an account, book a test, or interact with our platform, we may collect:

• Account information: full name, email address, phone number, date of birth, gender
• Collection address: the physical location where you wish to have your sample collected
• Test selection: the laboratory tests you choose to book, your preferred partner laboratory, and scheduling preferences
• Payment information: payment details are processed by our third-party payment processor; we do not store full card details on our servers
• Communications: any messages, feedback, or correspondence you send us

3.2 Sensitive Personal Data (Health Data)

Under the NDPA, health-related information is classified as sensitive personal data and receives heightened protection. We may process the following sensitive personal data:

• Test types booked: the diagnostic tests you select, which may indicate health concerns or conditions
• Sample collection records: records confirming sample collection, including timestamps and phlebotomist notes relevant to sample integrity
• Test results: diagnostic results transmitted to you through our platform by the partner laboratory

We process sensitive personal data only with your explicit consent, obtained at the time of booking, or where otherwise permitted under Section 30 of the NDPA (such as for the protection of vital interests or the provision of healthcare).

3.3 Information Collected Automatically

When you use our platform, we automatically collect:

• Device and browser information: IP address, browser type, operating system, device identifiers
• Usage data: pages visited, features used, time spent on the platform, referral sources
• Location data: approximate location derived from your IP address (we do not use GPS tracking)
• Cookies and similar technologies: as described in Section 10 of this policy

3.4 Information from Third Parties

We may receive information about you from:

• Partner laboratories: test results, sample status updates, and processing confirmations
• Phlebotomists: collection confirmations, sample condition notes, and scheduling updates
• Payment processors: transaction confirmations and payment status

We process your personal data for the following purposes and on the following lawful bases under the NDPA:

• To deliver our service: We process your booking, coordinate phlebotomist dispatch, manage sample delivery to your chosen lab, and transmit results. This is necessary to perform the service you have requested.
• To manage your account: We create and maintain your account, authenticate your identity, and manage your preferences. This is necessary to perform our contract with you.
• To process your health data: We store and transmit your test selections, sample records, and diagnostic results. We do this with your explicit consent.
• To communicate with you: We send booking confirmations, phlebotomist arrival updates, result notifications, and service updates via SMS and email. This is necessary to deliver the service and is in our legitimate interest.
• To process payments: We process payments for services, issue receipts, and manage refunds. This is necessary to perform our contract with you.
• To maintain quality and safety: We monitor sample integrity, track collection-to-delivery timelines, manage quality incidents, and oversee phlebotomist performance. This is in our legitimate interest and may be required by law.
• To improve the platform: We analyse usage patterns to improve platform functionality and your experience. This is in our legitimate interest.
• To comply with the law: We comply with applicable laws, regulations, and lawful requests from authorities, as required by our legal obligations.

We share your personal data only as necessary for the purposes described in this policy and with the following categories of recipients:

5.1 Partner Laboratories

When you book a test, we share your name, contact information, test selections, and sample collection details with your chosen partner laboratory. Once the laboratory receives your sample, it becomes an independent data controller for all processing related to diagnostic analysis.

5.2 Phlebotomists

Our phlebotomists are certified healthcare professionals licensed by recognised regulatory bodies (including NMCN, MLSCN, or MDCN). They receive your name, collection address, scheduled time, and test requirements solely for the purpose of performing sample collection.

5.3 Technology Service Providers

We use third-party service providers who process data on our behalf under written data processing agreements. These include cloud hosting and infrastructure providers, SMS and communication providers, payment processors, and media storage providers.

5.4 Legal and Regulatory Disclosures

We may disclose your personal data where required by law, regulation, or court order, or where necessary to protect the vital interests of any person.

5.5 No Sale of Personal Data

We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We do not share your data with advertisers.

Some of our technology service providers operate infrastructure located outside Nigeria, including in the United States and other jurisdictions. Where your personal data is transferred outside Nigeria, we ensure that appropriate safeguards are in place in accordance with the NDPA and the GAID, including:

• Ensuring the receiving jurisdiction provides adequate data protection, or Implementing appropriate contractual safeguards (such as data processing agreements with standard data protection clauses), or
• Obtaining your explicit consent where required

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are:

• Account information: kept for the duration of your account plus 2 years after you request deletion.
• Booking and transaction records: kept for 6 years from the date of transaction, as required by Nigerian law.
• Health data and test results: remain accessible for the duration of your account and archived for 5 years after account closure.
• Sample collection records: kept for 5 years from the date of collection.
• Communication records: kept for 2 years from the date of communication.
• Automatically collected data: kept for 12 months.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest
• Access controls restricting data access to authorised personnel
• Regular security assessments and vulnerability monitoring
• Secure authentication mechanisms for platform access
• Incident response procedures for prompt detection of data breaches

As a data subject, you have the following rights under the Nigeria Data Protection Act 2023:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may request correction of inaccurate or incomplete personal data.
• Right to erasure: You may request deletion of your personal data.
• Right to restriction: You may request that we restrict processing of your data.
• Right to data portability: You may request your data in a structured format.
• Right to object: You may object to processing based on legitimate interest.
• Right to withdraw consent: You may withdraw consent at any time.

To exercise any of these rights, please contact us at privacy@diagknos.com.

Our platform uses cookies and similar technologies to ensure functionality and improve your experience. In accordance with Article 19 of the GAID:

• Essential cookies: These are necessary for core platform functions and do not require consent.
• Analytics cookies: These help us understand how users interact with our platform. We obtain opt-in consent before placing these.

Diagknos services may be booked on behalf of minors (persons under 18 years of age) by their parent or legal guardian. Where a booking involves a minor:

• Consent for the processing of the minor's personal and health data must be provided by the parent or legal guardian.
• The parent or legal guardian may exercise the minor's data subject rights on their behalf.

Given the multi-party nature of our service, it is important to understand the data protection roles involved:

• Diagknos: Data controller for all data collected through the platform.
• Partner Laboratory: Independent data controller once it receives your sample.
• Phlebotomist: Data processor under Diagknos's instructions.
• Tech Providers: Data processors under written agreements.

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Where changes are material, we will notify you via email or through a prominent notice on our platform.