Privacy Policy

AXA One Health – Privacy Policy

Introduction

AXA One Health Limited (“AXA One Health”) is a hospital and healthcare provider under the AXA Group. We take your privacy very seriously. This Privacy Policy explains the basis on which we collect, use, disclose and protect your Personal Data in line with applicable data protection laws, including the Nigeria Data Protection Act (NDPA 2023).

Personal Data refers to information that can identify you directly or indirectly such as your name, contact details, address, email, phone number, identity numbers, financial details, health records, medical history, telemedicine interactions, insurance details, and any other sensitive information relating to your care.

With this policy, we ensure that your data is gathered, stored, and handled fairly, transparently, and with respect for your rights.

Our Privacy Principles

  • We process your Personal Data fairly, lawfully, and transparently.
  • We collect data only for specific, explicit purposes and do not use it for incompatible purposes.
  • We ensure your Personal Data is adequate, relevant, and limited to what is necessary.
  • We keep your Personal Data accurate and up to date.
  • We retain your Personal Data only as long as necessary.
  • We take appropriate steps to keep your data secure.
  • Your Personal Data is processed in line with your rights.
  • We do not sell your Personal Data.

How We Collect Your Personal Data

We may collect data directly from you when you:

  • Register or book appointments at the hospital.
  • Access our telemedicine services via the AXA One Health app or AXA Mansard platforms.
  • Fill in forms (enquiry, consent, diagnosis, treatment, billing).
  • Participate in surveys, provide feedback, or use chatbots/live chat.
  • Call our service lines (calls may be recorded).
  • Provide information during insurance or HMO claims processing.

We may also collect data indirectly from:

  • Your insurer or employer (if covered under a health plan).
  • Healthcare professionals and diagnostic partners.
  • Family members or proxies where you are unable to provide information yourself.
  • Regulatory agencies and government authorities.

What Personal Data We Collect

Depending on your interaction with us, we may collect:

  • Contact details (name, email, phone, address).
  • Identification details (date of birth, gender, ID numbers, BVN, passport).
  • Medical and health data (diagnosis, treatment history, prescriptions, test results, telemedicine consultations, lifestyle information relevant to care).
  • Insurance and HMO details.
  • Financial and billing details.
  • Technical data (device ID, IP address, browsing behaviour, cookies).
  • Any other information relevant to your care.

Privacy of Children

We respect the privacy of minors. We do not knowingly collect data from children under 18 except where it is required for treatment, registration as patients, or coverage as dependents under health plans. Consent in such cases must be provided by a parent/guardian.

How We Use Your Personal Data

We use your Personal Data to:

  • Provide hospital services, diagnosis, treatment, and follow-up care.
  • We may use Cloud storage solutions within or outside Nigeria which are chosen to ensure efficiency and improved performance through up-to-date technology.
  • Offer telemedicine services via app, phone, or video consultations.
  • Manage billing, insurance claims, and payments.
  • Where we have a legal or regulatory obligation to use your Personal Data, for example, when our regulators such as the Federal Ministry of Health (FMoH), the Health Facility Monitoring and Accreditation Agency (HEFAMAA), the Medical and Dental Council of Nigeria (MDCN), the National Health Insurance Authority (NHIA), and our data protection regulator, the Nigeria Data Protection Commission (NDPC), require us to maintain certain records of any dealings with you.
  • To comply with: local or foreign laws, regulations, voluntary codes, directives, judgments or court orders, agreements between any member of AXA OneHealth, and any authority, regulator, or enforcement agency;
  • Where we need to use your Personal Data to establish, exercise or defend our legal rights, for example when we are faced with any legal claims or where we want to pursue any legal claims ourselves;
  • Prevent fraud, abuse, or criminal activity.
  • Improve patient experience, hospital operations, and service delivery.
  • Conduct research and health analytics.
  • Communicate with you on your care, appointments, and hospital updates.
  • With consent, provide information on related healthcare products and services.
  • Where we need to use your health data because it is necessary for your vital interests, this being a life or death matter.

Who We Share Your Personal Data With

We may share your Personal Data with:

  • Healthcare professionals within AXA One Health.
  • Where you have named an alternative contact (such as a relative) to speak with us on your behalf.
  • Your relatives or guardians (on your behalf where you are incapacitated or unable) or other people or organisations associated with you and, in cases of emergency, with your nominated next of kin, proxy, or caregiver.
  • AXA Mansard HMO or other insurers managing your plan.
  • Our third-party service providers such as partner hospitals, labs, pharmacies, and diagnostic centres.
  • We may also disclose your personal information to other third parties where required or permitted to do so by law or by regulatory bodies such as where there is a court order, statutory obligation or Prudential Regulatory Authority / Financial Conduct Authority; or we believe that such disclosure is necessary in order to assist in the prevention or detection of any criminal action (including fraud) or is otherwise in the overriding public interest; or exemptions under the data protection legislation allow us to do so.
  • IT service providers, auditors, legal advisors, and technical partners supporting hospital systems.

We will only share data with third parties bound by confidentiality and data protection obligations.

Disclosures with our Parent Company

We share data with our parent company in the course of providing and improving our services. As part of this arrangement, please note that our servers are located in Egypt, and data is stored and processed there.

International Data Transfer

Where your data is hosted or processed outside Nigeria, we will ensure that appropriate safeguards are in place in line with the NDPA, NDPR and other related guidance. Patients will be informed transparently where cross-border data hosting occurs.

Data Retention

We will keep your Personal Data for as long as is necessary for medical, legal, or regulatory purposes. This may include:

  • Medical records as required under Nigerian healthcare regulations.

  • Insurance/claims data for statutory retention periods.

  • Telemedicine data for periods agreed in line with patient consent.

Your Rights Regarding Your Personal Data

As a patient, you have certain rights over the Personal Data we hold about you. At any time, you may request a copy of your medical or personal information, ask us to correct inaccuracies, change the way we use your information, or request that we delete it. We will act on your request where possible or explain why we cannot, usually because of medical, legal, or regulatory requirements that require us to retain certain data.

  1. Right of Access

You are entitled to receive a copy of the Personal Data we hold about you, along with information on how we use it. Unless you request otherwise, this information will usually be provided to you in writing. In some cases, we may charge a reasonable fee to cover administrative costs.

  2. Right to Rectification

We take steps to keep your Personal Data accurate and complete. If you believe that the information we hold about you is incorrect or incomplete, you may contact us to request that it be updated or amended.

  3. Right to Erasure (“Right to be Forgotten”)

In certain situations, you can ask us to erase your Personal Data, for example, where it is no longer necessary for the purpose for which it was collected, or where you withdraw your consent. However, because hospitals are required to maintain medical records for legal, regulatory, or clinical reasons, we may not always be able to delete all of your data.

  4. Right to Restrict Processing

In some circumstances, you may request that we stop using your Personal Data. This may apply, for example, if you believe the data is inaccurate or no longer required for the purpose of your treatment or hospital administration.

  5. Right to Data Portability

You may request that we transfer certain Personal Data you have provided to us to another healthcare provider or third party of your choice. Once transferred, the recipient will become responsible for protecting your information.

  6. Right to Withdraw Consent

Where we rely on your consent to process your Personal Data (for example, for certain telemedicine services or health research), you may withdraw that consent at any time. Please note that withdrawing consent may affect the availability of some services, but it will not impact the care or treatment that we are legally or medically obliged to provide.

Data Security

We take reasonable measures to protect Personal Data from unauthorized access, disclosure, alteration, or destruction, and to ensure that Personal Data is accurate and up to date as appropriate:

  • We have put in place strict measures and technologies to prevent fraud and intrusion.
  • Our employees are trained in data protection and security to respect and preserve confidentiality, integrity and availability of information held by us.

Breach Notification

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal information, AXA OneHealth shall within 72 (seventy-two) hours of having knowledge of such breach report the details of the breach to NDPC. Furthermore, AXA OneHealth shall within 7 (seven) days of having knowledge of the occurrence of such breach take steps to inform the Data Subject of the breach incident, the risk to the rights and freedoms of the Data Subject resulting from such breach and any course of action to remedy said breach.

Marketing

We may contact you with information about AXA One Health or AXA Mansard services relevant to your care. You may opt-out of such communications at any time.

Changes to this Privacy Policy

AXA OneHealth reserves the right to modify this Privacy Policy at any time in accordance with this provision. We may update this Privacy Policy from time to time in line with regulatory requirements or service changes. Updated versions will be published on our website and app.

Our Contact Information

If you would like any more information about the way we use your information, or if you wish to exercise the rights listed above, please contact us using the details below:

The Data Protection Officer
AXA OneHealth Limited.
(Input Addresses)
Customer Care Hotline: 09088999233
General Enquiries: 09088999233
Email: dpo.ng@one-health.com

You have a right to complain to the Information Regulator if you think that your information has been misused. The contact details are:

Nigeria Data Protection Commission

Tel: +234929220263, +2348168401851, +2347052420189

Email: +234 (0) 9160615551

Website: www.ndpc.gov.ng