Privacy Policy
Version 1.0 · Effective 26 May 2026
This Privacy Policy explains how Lonia Clinic & Maternity, operating the Lonia (Lonia Telemedicine) service ("Lonia", "we", "us"), collects, uses, shares, and protects your personal data when you use the Lonia / Lonia Telemedicine platform (the "Platform"). It is written to meet the Nigeria Data Protection Act 2023 (NDPA) and the National Health Act 2014, and to align with the EU General Data Protection Regulation (GDPR) for users who access the Platform from the EU/EEA.
Lonia is the data controller for the personal data described here. For data-protection matters, contact us at hello@lonia.ng.
1. The data we collect
You give us:
- Identity & contact data — name, email, phone/WhatsApp number, date of birth, gender, location (city/state), profile photo.
- Account & security data — password (stored only as a salted hash), verification codes, device identifiers.
- Health data (sensitive personal data) — symptoms, medical history, consultation notes, diagnoses, prescriptions, lab requests/results, medication orders, and any documents you upload. This category receives heightened protection.
- Payment data — amounts and transaction references. Card details are handled by our payment provider (Paystack); we do not store full card numbers.
- For professionals/health workers — professional registration/licence numbers, qualifications, bank-payout details, and verification documents.
We collect automatically:
- Usage & technical data — IP address, device and browser type, app version, pages/screens used, and timestamps, including the record of your acceptance of our Terms and this Policy (document version, date/time, IP and user-agent).
From others:
- our pharmacy partners (order/fulfilment status), our payment provider (payment status), and our video provider (call connection data).
2. The lawful bases on which we process your data
Under the NDPA we rely on:
- Your explicit consent — given by the affirmative tick-box at registration — for processing your health data to provide telemedicine, pharmacy, lab and home-care services.
- Performance of a contract — to operate your account and deliver the services you request.
- Legal obligation — to keep health records and meet regulatory, tax and reporting duties (e.g. National Health Act record-keeping).
- Legitimate interests / vital interests — to secure the Platform, prevent fraud and abuse, and, where necessary, protect someone's life or health.
You can withdraw your consent at any time (section 7). Withdrawal does not affect processing already carried out lawfully, and may limit our ability to provide some services.
3. How we use your data
- to create and manage your account and verify your identity;
- to enable consultations, prescriptions, medication orders, lab tests and home services, and to share the necessary information with the professional or partner delivering them;
- to process payments and provider payouts (escrow);
- to send service messages, reminders, OTPs and (where you opted in) WhatsApp/marketing communications;
- to provide support, handle complaints, and improve and secure the Platform;
- to comply with law, respond to lawful requests, and enforce our Terms.
We do not sell your personal data.
4. When we disclose your data
Consistent with section 26 of the National Health Act, we disclose health information only:
- with your consent, to the healthcare professional, pharmacy, laboratory or health worker providing your care;
- to service providers (processors) acting on our instructions under a data-processing agreement — for example our payment provider (Paystack), video-consultation provider, hosting/database providers, messaging providers, and our pharmacy partners for fulfilment;
- where required by law, court order, or a regulator (e.g. MDCN, PCN, NDPC);
- to protect vital interests — to prevent serious harm to you or others; and
- in a business transfer (merger/acquisition), subject to this Policy.
Each processor is bound to protect your data and use it only for the purpose we specify.
5. International transfers
Some processors may store or process data outside Nigeria. Where we transfer personal data abroad, we do so only to jurisdictions with adequate protection or under appropriate safeguards (such as contractual data-protection clauses), as required by the NDPA and, for EU/EEA data, the GDPR.
6. How long we keep your data
- We keep health and medical records for as long as required by Nigerian law and sound clinical-governance practice, and thereafter for the period needed to meet legal, regulatory, and defence-of-claims obligations.
- Other account data is kept while your account is active and for a reasonable period afterwards, then deleted or anonymised.
- Consent audit records are retained as evidence of compliance for the period required by law.
7. Your rights
Subject to legal limits (some health records must be retained by law), you may:
- access the personal data we hold about you and request a copy;
- rectify inaccurate or incomplete data;
- erase your data ("right to be forgotten") where there is no overriding legal basis to keep it;
- restrict or object to certain processing;
- request portability of data you provided to us;
- withdraw consent at any time; and
- lodge a complaint with the Nigeria Data Protection Commission (NDPC).
To exercise any right, email hello@lonia.ng. We will respond within the timeframe required by law. We may need to verify your identity first.
8. Security
We use technical and organisational measures appropriate to the sensitivity of health data, including encryption in transit, hashed passwords, access controls, audit logging of access to medical data, and least-privilege staff access. No system is perfectly secure, but we work to protect your data and continuously improve our safeguards.
9. Data breaches
If a breach is likely to result in a risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission and, where required, affected users without undue delay (and, for EU/EEA data under the GDPR, within 72 hours of becoming aware where feasible).
10. Children
The Platform is intended for users aged 18 and over. A parent or guardian may manage a dependant's care through a dependant profile and is responsible for that data. We do not knowingly collect data directly from children without guardian involvement.
11. Cookies and similar technologies
The web Platform uses strictly-necessary cookies for authentication and security, and may use limited analytics to improve the service. You can control non-essential cookies through your browser settings where applicable.
12. Changes to this Policy
We may update this Policy. We will post the new version with an updated version number and effective date and, where the change is material, ask you to review and accept it.
13. Contact
Lonia Clinic & Maternity · 143 DSC Express Way, Udu, Delta State, Nigeria · +2348034712143
Data-protection & privacy matters: hello@lonia.ng · General support: support@lonia.ng