Privacy Policy

Plain-language summary: ConsultDrFat collects only what is necessary to provide you with a safe, private medical consultation. We do not sell your data. We do not share your health information with third parties except where required to operate the service (e.g. payment processing) or comply with Nigerian law. You have the right to access, correct, or delete your information at any time.

Who We Are
Information We Collect
How We Use Your Information
Legal Basis for Processing (NDPR)
Data Sharing & Third Parties
Security & Encryption
Data Retention
Your Rights
Cookies & Local Storage
Children's Privacy
Changes to This Policy
Contact Us

1. Who We Are

ConsultDrFat (“we”, “us”, “our”) is an online telemedicine platform operated by the practitioner known as Dr. Fat, a medical doctor registered with the Medical and Dental Council of Nigeria (MDCN). Our platform enables patients in Nigeria to book and attend private, paid medical consultations via the internet.

We operate under Nigerian law, including the Nigeria Data Protection Regulation (NDPR) 2019 issued by the National Information Technology Development Agency (NITDA), and the relevant provisions of the Nigerian Data Protection Act 2023 (NDPA).

For the purposes of this policy, ConsultDrFat is the data controllerof your personal information.

2. Information We Collect

2.1 Information you provide directly

Google account information: When you sign in with Google, we receive your name, email address, and Google account profile photo.
Consultation topic: A brief description of what you wish to discuss during your session (entered during booking).
Payment information: We collect your name and email as entered during Paystack checkout. We do not receive or store your card number, CVV, or bank account details — these are handled exclusively by Paystack (PCI-DSS Level 1 certified).

2.2 Information collected automatically

Session data: Chat messages sent during a consultation, session timestamps (start time, end time, any extensions).
Technical data: Browser type, device type, IP address, and connection quality data used to establish the WebRTC voice connection.
Usage data: Pages visited and actions taken on our platform (booking flow, session room interactions).

2.3 Information we do NOT collect

We do not record voice calls. Voice is transmitted peer-to-peer (WebRTC), encrypted in transit, and is not stored on our servers.
We do not collect government ID numbers, NIN, BVN, or any biometric data.
We do not use tracking pixels or third-party advertising technologies.

3. How We Use Your Information

We use the information we collect for the following purposes:

To provide the service: Authenticate your identity, create and manage your booking, facilitate payment, and connect you to your consultation room.
To communicate with you: Send booking confirmation emails, appointment reminders (24h and 1h before), and post-session summaries.
To improve the platform: Understand how the platform is used in aggregate and fix technical issues.
To comply with legal obligations: Respond to lawful requests from Nigerian regulatory authorities or courts.
For financial records: Maintain payment transaction records as required by Nigerian tax and financial regulations.

We will never use your medical consultation topics, chat messages, or health-related information for marketing, advertising, or profiling purposes.

4. Legal Basis for Processing (NDPR)

Under the Nigeria Data Protection Regulation 2019, we process your data on the following bases:

Performance of a contract: Processing your booking, facilitating payment, and running the consultation room — necessary to deliver the service you have requested.
Consent: Sending appointment reminder emails. You may withdraw this consent at any time by contacting us.
Legitimate interests: Fraud prevention, platform security, and aggregate usage analytics (where these do not override your rights).
Legal obligation: Retaining financial transaction records as required by Nigerian law.

Because consultations involve health-related topics (a special category of data under the NDPR), we take additional precautions: health information is not stored beyond what is necessary, chat logs are only accessible to the practitioner and the specific client involved, and no health data is shared with any advertising, marketing, or analytics third party.

5. Data Sharing & Third Parties

We do not sell, rent, or trade your personal information. We share data with the following trusted third parties only to the extent necessary to operate the platform:

Google (Firebase & Google Auth): We use Google Firebase for authentication, real-time database (Firestore), and cloud infrastructure. Data is processed under Google's Privacy Policy and Data Processing Addendum. Firebase is hosted in Google's cloud infrastructure.
Paystack: Payment processing. Paystack receives your name, email, and payment method details. They are PCI-DSS Level 1 certified. See Paystack's Privacy Policy at paystack.com/privacy.
Cloudflare: Content delivery, DDoS protection, and TURN relay servers for voice call NAT traversal (only IP addresses and encrypted audio data pass through their relay servers). See Cloudflare's Privacy Policy at cloudflare.com/privacypolicy.
Email provider (Brevo/Sendinblue): We use Brevo to send transactional emails (booking confirmation, reminders). Brevo receives your name and email address only.

We may disclose personal information if required to do so by law, a court order, or a lawful request from a Nigerian regulatory authority (such as NITDA or the NDPB).

6. Security & Encryption

Voice calls: All WebRTC voice communication is encrypted end-to-end using DTLS-SRTP. Cloudflare's TURN relay servers only see encrypted ciphertext — they cannot decode your conversation.
Data in transit: All platform traffic uses HTTPS (TLS 1.2+). Firestore communication is encrypted in transit.
Data at rest: Firebase Firestore encrypts data at rest by default.
Access controls: Firestore Security Rules ensure that each client can only access their own booking and session data. The practitioner can access all bookings. No public read access is permitted.
Payment security: Card data is processed exclusively by Paystack and never touches our servers. We are not in the card data flow.

While we employ industry-standard security measures, no internet-based system is 100% secure. If you believe your account has been compromised, contact us immediately.

7. Data Retention

Booking records: Retained for 7 years from the date of the booking, as required for financial and tax compliance under Nigerian law.
Session chat messages: Retained for 90 days from the session date, then automatically deleted. You may request earlier deletion.
Account data (Google profile info): Retained while you have an account or have made a booking. Deleted upon request (subject to legal retention requirements).
Payment transaction records: Retained for 7 years as required by Nigerian financial regulations.

8. Your Rights

Under the NDPR and NDPA, you have the following rights regarding your personal data:

Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Request correction of inaccurate or incomplete data.
Right to erasure: Request deletion of your personal data (subject to legal retention requirements).
Right to object: Object to processing based on legitimate interests.
Right to data portability: Request your data in a structured, machine-readable format.
Right to withdraw consent: Where processing is based on consent (e.g. reminder emails), withdraw at any time without affecting prior lawful processing.

To exercise any of these rights, contact us at the address in Section 12. We will respond within 30 days. We may need to verify your identity before processing the request.

If you are not satisfied with how we handle a request or complaint, you have the right to lodge a complaint with the Nigeria Data Protection Bureau (NDPB) at ndpb.gov.ng.

9. Cookies & Local Storage

ConsultDrFat uses the following technologies to maintain your session and improve performance:

Firebase Authentication cookies/tokens: Used to keep you signed in during and between sessions. These are essential to the service — without them you cannot sign in or access your booking.
Browser local storage: Used by the Progressive Web App (PWA) service worker to enable offline loading of static assets (the app shell). No personal data is stored in local storage.
No advertising or tracking cookies. We do not use Google Analytics, Facebook Pixel, or any third-party tracking technology.

10. Children's Privacy

Our platform is intended for adults (18 years and older) seeking medical consultations. We do not knowingly collect personal data from individuals under 18. If a parent or guardian wishes to use the platform on behalf of a minor for paediatric consultation purposes, they must be present and acting as the account holder.

If you believe a person under 18 has created an account without parental consent, please contact us immediately and we will delete the account.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will update the “Last updated” date at the top of this document and, where appropriate, notify you by email.

Your continued use of ConsultDrFat after any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically.

12. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to report a privacy concern, please contact us:

✉️

ConsultDrFat — Data Privacy

Email: privacy@consultdrfat.com

For urgent session-related matters: hello@consultdrfat.com

🏛️

Nigeria Data Protection Bureau (NDPB)

If you wish to file a complaint with the supervisory authority:

ndpb.gov.ng · No. 28 Port Harcourt Crescent, Abuja, Nigeria

← Back to Home Terms of Service →📅 Book a Consultation

Table of Contents