Privacy Policy
eHealth Africa (eHA) Privacy Policy
Last Updated: Apr 21, 2026
1. General Information
eHealth Africa (hereinafter referred to as “eHA” or “we”) is a non-profit organization active in development cooperation and global public health, specifically in developing IT solutions for health systems strengthening. Our mission is to build stronger health systems through data-driven solutions, including Public Health Emergency Management, Disease Surveillance, and Laboratory Systems.
Within the scope of our business activities, we may collect, process, or use your personal data when you use our website, subscribe to our newsletter, or become a business partner of ours. Personal data, according to the GDPR and NDPA, is all information that relates to you as a person or with which you can be identified as a person.
This policy constitutes a strategic compliance framework that synthesizes the requirements of the Nigeria Data Protection Act (NDPA) 2023 and the EU General Data Protection Regulation (GDPR). eHealth Africa (eHA) operates as a Data Controller of Major Importance (specifically classified as Ultra-High Level under Article 8 of the GAID 2025) given its critical mandate in processing health-related data across multiple jurisdictions. The following sections detail the data collected to fulfill eHA’s and system-strengthening mandates.
This mission is carried out through three primary offices:
- Nigeria: 4-6 Independence Road, Kano, and 28 Osun Crescent, Maitama, Abuja
- United States: 1200 G Street NW, Suite 800, Washington, DC 20005
- Germany: Prenzlauer Allee 186, 10405, Berlin
- General Privacy Inquiries: info@ehealthafrica.org
- Website: www.ehealthafrica.org
2. Purpose for Processing
Guided by the principle of Purpose Limitation and the statutory requirement for Data Minimization (NDPA Section 24(1)(c)), eHA ensures that data processing is relevant, adequate, and limited to the necessity of its health system strengthening goals. This framework prevents “function creep” by strictly aligning data collection with eHA’s core functions in disease surveillance and laboratory diagnostic systems.
Data Subject Categories and Data Points:
- Website Visitors:
  - IP address, access date/time, and pages visited.
  - Technical metadata: Browser type/version and operating system.
  - Referrer URL (source of access).
- Newsletter Subscribers:
  - First and last name; E-mail address.
  - Statistical tracking (anonymous clicks per link).
- Business Partners & Vendors:
  - Identity data: Full names, business/personal addresses, and principal’s name.
  - Contact data: Email, telephone, and fax numbers.
  - Transaction data: Communication records and order information.
  - Financial data: Bank account details, tax IDs, and payment information.
Strategic Impact of Processing: Technical visitor data is processed to ensure the security and functionality of eHA’s infrastructure. Business data is processed to fulfill contractual mandates and facilitate collaboration with international health partners. All processing is subject to the duty of care established under Section 24(3) of the NDPA.
3. Legal Basis for Processing
A defined legal basis is mandatory to ensure that processing is not arbitrary or unlawful. eHA maps all activities to the specific justifications provided in NDPA Section 25 and GDPR Article 6.
| Processing Activity | Legal Basis (GDPR Art. 6) | Legal Basis (NDPA 2023) |
| --- | --- | --- |
| Newsletter & Marketing | Art. 6(1)(a) Consent | Section 25(1)(a) |
| Contractual Performance | Art. 6(1)(b) Contract | Section 25(1)(b)(i) |
| Regulatory & Tax Reporting | Art. 6(1)(c) Legal Obligation | Section 25(1)(b)(ii) |
| Emergency Health Response | Art. 6(1)(d) Vital Interest | Section 25(1)(b)(iii) |
| Public Health Mandates | Art. 6(1)(e) Public Interest | Section 25(1)(b)(iv) |
| IT & Network Security | Art. 6(1)(f) Legitimate Interest | Section 25(1)(b)(v) |
Legitimate Interest Assessment (LIA): Where eHA relies on Legitimate Interest, we conduct a formal LIA utilizing the template prescribed in Schedule 8 of the GAID 2025. This ensures that eHA’s operational interests do not override the data subject’s fundamental rights, freedoms, and privacy expectations.
4. Location and Storage of Personal Data
eHA prioritizes Storage Limitation and jurisdictional security to mitigate risks of unauthorized access.
- Hosting Architecture: Our web infrastructure is hosted via DreamHost, with data centers in US regions.
- Cross-Border Transfer Basis: In compliance with NDPA Section 41 and GDPR Article 45, eHA maintains a comprehensive Record of Processing Activities (ROPA). While historically relying on the EU-U.S. Privacy Shield, eHA has transitioned toward a “Global Adequacy” model, ensuring that transfers are governed by standard contractual clauses or adequacy decisions recognized by the NDPC and the European Commission.
Retention Lifecycle: Personal data is retained only as long as necessary to achieve the lawful bases identified in Section 3. Visitor data is automatically purged once its functional purpose is met. Data subjects may request erasure at any time, subject to statutory retention requirements for tax and audit purposes.
5. Transfer of Personal Data
Under the Accountability principle, eHA remains liable for data protection even when information is handled by external contractors.
- Third-Party Processors: eHA utilizes external processors for cloud services and professional advising. All processors are subject to Article 34 of the GAID 2025, which mandates a formal Data Processing Agreement (DPA) including specific terms for insurance, indemnity, and force majeure.
- Foreign Transfers: Transfers to jurisdictions without a formal “Adequacy” decision are strictly governed by NDPA Section 43, requiring explicit informed consent or the implementation of specific safeguards recognized by the Commission.
6. Cookies
Transparency in automated tracking is vital for user autonomy. eHA uses cookies to enhance functionality while maintaining compliance with GAID 2025 visibility standards.
- Types of Cookies: We primarily use “Session Cookies,” which are erased upon session termination.
- Placement and Obstruction: In accordance with GAID 2025 Article 19(4), eHA’s cookie banner is designed to significantly obstruct the middle, left, or right side of the page upon entry. This ensures the notice is not ignored at the bottom of the page and that users provide affirmative action.
- User Control: Users can manage settings across all modern browsers (e.g., Chrome, Edge) and legacy systems like Internet Explorer (via “Internet Options” > “Privacy”).
7. Disclosure of Information
In accordance with the metric of “Transparency,” eHA discloses interactions with the following entities:
- Google Inc. (U.S.): For web analytics. Users may exercise their GDPR Art. 21 right to object via the Google Opt-Out Link.
- Rocket Science Group/MailChimp (U.S.): For email marketing and subscriber tracking.
- Regulatory & Law Enforcement Agencies: Disclosures made only where mandated by a competent legal obligation.
- eHA Parent Organization: For unified global oversight.
8. Consent and Withdrawal
Data subject Autonomy is central to our framework. Under GAID Article 17, eHA ensures that consent is obtained via clear “affirmative action.”
- Ease of Withdrawal: Withdrawing consent is as easy as granting it. Users may use “Unsubscribe” links or contact info@ehealthafrica.org.
- Impact: Withdrawal does not affect the lawfulness of processing prior to the request. eHA ensures that a refusal to provide consent is not detrimental to the subject’s rights or interests.
9. Your Rights
Data Subject Rights are the primary mechanisms for holding eHA accountable under Part VI of the NDPA and Chapter III of the GDPR.
- Access & Information: Confirmation of processing and copies of data.
- Rectification: Correction of inaccurate or incomplete records.
- Erasure (“Right to be Forgotten”): Deletion of data no longer required for its original purpose.
- Portability: The right to receive data in a structured, machine-readable format (CSV or JSON).
- Objection & Restriction: Halting processing based on legitimate interests.
- Right to Human Intervention: Under NDPA Section 37, the right to object to decisions based solely on automated processing.
- Right to Lodge a Complaint:
  - Nigeria: The Nigeria Data Protection Commission (NDPC) via the Standard Notice to Address Grievance (SNAG) portal (GAID Art. 40).
  - Germany: The Berlin Data Protection Authority (Berliner Beauftragte für Datenschutz und Informationsfreiheit).
10. Disclaimer
eHA’s legal responsibility is limited to data processed under its direct control. Our website contains links to external third-party sites. eHA has no influence over, and accepts no responsibility for, the content or privacy practices of these external entities.
Users are encouraged to review external privacy notices. If you identify a privacy violation on a linked page, please report it to info@ehealthafrica.org for immediate review and potential removal of the link.