Privacy · Nigeria (NDPC)

Plain-English privacy.

How we collect, process, and protect your data. Aligned to NDPC under the Nigeria Data Protection Act 2023.

Last updated Version 1.0

Counsel review pending. This document is the engineering scaffold; final language is subject to NG counsel sign-off before launch (Sprint 4).

Who we are

DentaCue is a product of Cue Dental Solutions Ltd, the data controller for the personal data this policy describes. The company is registered in Nigeria, and its data-authority registration is filed with NDPC under the Nigeria Data Protection Act 2023.

Our Data Protection Officer is contactable at dpo@dentacue.com.

What we collect

We collect only what we need to operate the service. Categories:

  • Account — name, phone, email, locale.
  • Health — allergies, treatment plan, x-rays, visit notes (only when a verified clinic adds them at your appointment).
  • Bookings & payments — appointment metadata, receipts. Card details never reach our servers — they are tokenised by our payment processor.
  • Device & usage — coarse session telemetry to keep the app working. Strictly necessary only by default; analytics and marketing only with your consent.

Lawful basis

We process under the lawful bases set out in the Nigeria Data Protection Act 2023: contract for account, booking, and payment data; consent for analytics and marketing cookies, and for any health-data sharing beyond your verified clinic; legal obligation for tax and regulator-mandated record retention.

Who sees your data

We share data with:

  • The verified clinic you book with — only what they need to treat you.
  • Payment processors (Paystack, Flutterwave, MTN MoMo) — to take your payment.
  • SMS and WhatsApp gateways — to deliver reminders.
  • Sub-processors who keep our infrastructure running, listed on request.

We never sell your data. Period.

Your rights

You have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Rectify — correct inaccurate or incomplete data.
  • Erase — delete data subject to legal retention obligations.
  • Port — receive your data in a machine-readable format.
  • Object — restrict or object to specific processing.
  • Withdraw consent — for analytics and marketing, anytime.

Submit any of the above via the data-rights form. We respond inside 30 days.

Retention

Account and booking data are retained for as long as your account is open, plus a 7-year tail for tax and audit obligations. Health records are retained per MDCN clinical-record-keeping rules. Marketing analytics are retained for 13 months from last interaction, per the NDPC cookie guidance.

Security

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). X-rays are stored in a separate object store with per-clinic KMS keys. Audit logs are tamper-evident and replicated cross-region. Access to production data is least-privilege, MFA-enforced, and reviewed quarterly.

International transfers

Primary data region is the EU until AWS Africa cert lands. Cross-border transfers rely on NDPC-recognised mechanisms: standard contractual clauses and adequacy where available. We will move to local-region storage once the AWS Africa cert process completes.

Complaints

Email dpo@dentacue.com. If we cannot resolve a complaint, you can escalate to NDPC directly. We will not retaliate for a complaint.

Changes to this policy

We post material changes here at least 30 days before they take effect, and email you. The version and last-updated date at the top of this page bump on every change.