Privacy Policy
Last updated: February 2026
1. Introduction
Tojumi Health (“we”, “us”, “our”) is committed to protecting your personal data in compliance with the Nigeria Data Protection Act (NDPA) 2023 and other applicable data protection laws. This Privacy Policy explains how we collect, use, store, and protect your information when you use our platform.
2. Data Controller
Tojumi Health is the data controller for personal data processed through the Platform. For data protection inquiries, contact us at hello@tojumihealth.com.
3. Data We Collect
We collect the following categories of personal data:
- Account Information: Name, email address, phone number, password (hashed), role (family/provider/aide).
- Profile Information: City, state, bio, profile photo, business name (providers), certifications (aides).
- Identity Verification Data: BVN, NIN, or government ID details processed through our verification partner Verify.me.
- Care Recipient Data: Names, ages, health conditions, and care needs of dependents added by families.
- Activity Data: Daily activity logs, photos, vitals readings, and incident reports submitted by care aides.
- Payment Data: Payment method details processed by Paystack, transaction history, bank account details for payouts.
- Communications: Messages sent through the platform’s chat feature.
- Usage Data: IP address, device information, browser type, pages visited, and analytics data collected through PostHog.
4. Legal Basis for Processing
We process your data based on the following legal grounds under the NDPA 2023:
- Consent: For identity verification and sensitive health data.
- Contractual Necessity: To provide the Services you have signed up for.
- Legitimate Interest: For platform security, fraud prevention, and service improvement.
- Legal Obligation: To comply with Nigerian laws and regulations.
5. How We Use Your Data
- Provide, maintain, and improve the Platform
- Verify user identities through KYC checks
- Process payments and payouts
- Facilitate communication between users
- Deliver activity updates and push notifications
- Prevent fraud and ensure platform safety
- Send service-related emails and notifications
- Analyse usage patterns to improve the Services
6. Data Sharing
We share your data only in the following circumstances:
- Between Users: Families can see provider/aide profiles, ratings, and activity logs for their care contracts.
- Service Providers: Supabase (database hosting), Paystack (payments), Verify.me (KYC), Resend (email), Firebase (push notifications), Cloudflare (file storage), PostHog (analytics).
- Legal Requirements: When required by law, court order, or regulatory authority.
We do not sell your personal data to third parties.
7. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Row-level security (RLS) policies on all database tables
- Hashed passwords using bcrypt
- Regular security audits and vulnerability assessments
- Access controls with role-based permissions
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide Services. After account deletion, we retain data for up to 12 months for legal and compliance purposes, after which it is securely deleted. Activity logs and care records may be retained longer for audit purposes.
9. Your Rights
Under the NDPA 2023, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data (subject to legal retention requirements)
- Restriction: Request limitation of data processing
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interest
- Withdraw Consent: Withdraw consent at any time where processing is based on consent
To exercise these rights, contact us at hello@tojumihealth.com. We will respond within 30 days.
10. International Data Transfers
Your data may be processed by service providers located outside Nigeria (including the EU and US). Where this occurs, we ensure appropriate safeguards are in place in accordance with the NDPA 2023, including contractual data protection clauses.
11. Cookies and Analytics
We use PostHog for analytics to understand how users interact with the Platform. PostHog collects anonymised usage data including page views, feature usage, and session information. You can opt out of analytics tracking through your browser settings.
12. Children’s Privacy
Our Services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The “Last updated” date at the top indicates the most recent revision.
14. Contact
For questions, concerns, or data protection requests, contact us at:
Tojumi Health
Email: hello@tojumihealth.com
Lagos, Nigeria