PRIVACY POLICY
Last Updated: 02 May 2026
TABLE OF CONTENTS
• INTRODUCTION AND IDENTITY OF THE DATA CONTROLLER
• DATA PRIVACY IMPACT ASSESSMENT (DPIA)
• PERSONAL DATA WE COLLECT
• LAWFUL BASIS FOR PROCESSING
• PURPOSES OF DATA PROCESSING
• SHARING OF YOUR DATA
• ABSOLUTE PROHIBITION ON COMMERCIAL SALE
• DATA BACKUP
• PAYMENT SECURITY
• DATA SECURITY MEASURES
• YOUR RIGHTS AS A DATA SUBJECT
• DATA RETENTION
• CROSS-BORDER DATA TRANSFER
• DATA BREACH NOTIFICATION
• DATA ETHICS AND HUMAN DIGNITY
• COOKIES AND TRACKING TOOLS
• UPDATES TO THIS POLICY
• CONTACT OUR DATA PROTECTION OFFICER (DPO)
INTRODUCTION AND IDENTITY OF THE DATA CONTROLLER
The Mylifeline App and its parent company Zynova Ltd are data controllers within the meaning of the Nigeria Data Protection Act 2023 ("NDP Act"). We are committed to protecting the privacy and dignity of every person whose data we process, in full compliance with the NDP Act, the Nigeria Data Protection Act, General Application and Implementation Directive ("GAID 2025") issued by the Nigeria Data Protection Commission (NDPC), and Section 37 of the 1999 Constitution of the Federal Republic of Nigeria.
This Privacy Policy explains, in a clear and transparent manner, what personal data we collect from you, on what lawful basis we collect it, how we use and protect it, with whom it may be shared, how long we keep it, and what rights you are entitled to exercise under the NDP Act.
By registering for and using My Lifeline, you acknowledge that you have read and understood this Privacy Policy. Where your consent is required, we will separately and explicitly request it. This Policy alone does not constitute consent.
DATA PRIVACY IMPACT ASSESSMENT (DPIA)
In accordance with Section 28 of the NDP Act and Article 28 of the GAID 2025, Zynova Ltd has conducted and will continue to maintain a Data Privacy Impact Assessment (DPIA) for all processing activities that may pose a high risk to the rights and freedoms of data subjects. A DPIA is mandatory for our platform because we process sensitive personal data and provide healthcare-related services at scale. A summary is available upon written request to our DPO.
PERSONAL DATA WE COLLECT
We collect only data that is adequate, relevant, and limited to what is necessary for our stated purposes. The categories of personal data we collect are:
Identity Data: We recommend that you use an alias rather than your full legal name in order to protect your identity.
Contact Data: The required contact information is: emergency contact details (phone numbers or Emergency IDs), HMO number, and preferred hospital.
Medical Information: This includes allergies, blood type, emergency directives, medications, devices and implants, etc.
Technical Data: App usage statistics and session logs, collected solely for security monitoring and service improvement.
LAWFUL BASIS FOR PROCESSING
In accordance with Section 25 of the NDP Act and Articles 16 to 26 of the GAID 2025, we process your personal data on the following lawful bases:
Explicit Consent (Primary Basis for Sensitive Data): We obtain your freely given, specific, informed, and unambiguous opt-in consent before processing your sensitive health data and before activating public-facing features such as the Emergency Beacons System. Your consent is recorded with a timestamp and method of collection. You may withdraw your consent at any time by disengaging from cloud settings. Withdrawing consent for sensitive data will not deactivate your account but stops it from being used. You are to manually delete your data by logging in and deleting it.
Contractual Necessity: Identity data and contact data are processed to the extent necessary to deliver the services you have registered for, as governed by our Terms of Service.
Legitimate Interest: Technical data may be processed on the basis of our legitimate interest in maintaining the security, integrity, and performance of the platform. We have conducted a Legitimate Interest Assessment (LIA) in accordance with Article 26 of the GAID 2025, which confirms that our interests do not override your fundamental rights and freedoms. A summary of the LIA is available on request.
PURPOSES OF DATA PROCESSING
Consistent with the principle of purpose limitation under Section 24 of the NDP Act, we collect and process your data only for the following specified, explicit, and legitimate purposes:
• Enabling your emergency contacts to access your location and information about your well-being in an emergency.
• Enabling medical personnel to access critical health information and updating your medical database.
SHARING OF YOUR DATA
In accordance with Article 27 of the GAID 2025, we disclose your personal data to third parties only in the following circumstances and only to the extent necessary for the stated purpose:
Emergency Contacts
Your emergency contacts may access your location and a recording of your physical environment as enabled by the Emergency Beacons system feature of the App. Mylifeline holds no liability with regard to the use of this information. We urge you to utilize this feature wisely.
Medical Institutions
MyLifeline App acts as storage for secondary medical information, and you may grant medical institutions access to your data for the sole purpose of providing you with medical treatment, locating your emergency contacts and updating your medical records. We require such entities to maintain confidentiality of your data consistent with their professional and legal obligations. Such consent granted to medical institutions is at your discretion, and the use of data by these institutions is not covered by this Privacy Policy.
Service Providers (Data Processors)
We engage carefully vetted third-party service providers (e.g., cloud hosting) who process data strictly on our instructions, under written Data Processing Agreements (DPAs) compliant with Section 29 of the NDP Act and Article 34 of the GAID 2025. These processors will not process your data for any purpose other than those we specify.
ABSOLUTE PROHIBITION ON COMMERCIAL SALE
We will never sell, rent, or transfer your personal data to insurance companies, advertisers, data brokers, or any commercial third party for commercial purposes. This prohibition is absolute and unconditional.
DATA BACKUP
Your user data is backed up locally to your device and, with your consent, online to Mylifeline Cloud. To store and access your backed up data, you will create a passphrase. This passphrase is permanent and unchangeable and is used to encrypt and decrypt your data. The passphrase exists only on your device and can be shared securely with trusted contacts. You are advised to use the sharing feature, as it is safe and the passphrase is encrypted on their devices and cannot be accessed by them either. Mylifeline is not liable for the loss of your passphrase.
PAYMENT SECURITY
We recommend that when paying for services on MyLifeline App, you use a secure payment platform such as PayStack and not bank transfers. This protects you from reverse mapping through payment protocols and secures your data on MyLifeline.
DATA SECURITY MEASURES
In accordance with the principles of data confidentiality, integrity, and availability under Section 24 of the NDP Act and Article 29 of the GAID 2025, we maintain a documented schedule for monitoring, evaluation, and maintenance of our data security systems. Our technical and organisational security measures include:
• End-to-End Encryption: Encryption of data in transit uses TLS/SSL protocols, whereas medical data and all sensitive data are encrypted at rest using Military Grade Encryption, Argon, and are only accessible by you via password or biometric password.
• Password Protection: Password-protected access to editing or deleting your user information. Aggressive incremental rate-limiting software is utilized to restrict password vulnerability.
• Biometric Protection: Access to the Mylifeline App is only possible through the Biometric Password or an Alphanumeric password. Mylifeline is not responsible for the loss of the password or the resultant loss of user data.
• Passphrase System: In a situation where you intend to transfer data to a new device, you are granted a passphrase. This passphrase is permanent and unchangeable and must be used when transferring data. If the passphrase is lost, all user data is considered destroyed. Mylifeline is not responsible for the loss of the passphrase or the resultant loss of backed up data.
• Access Controls and Privilege Management: Strict role-based access controls ensure that only authorised personnel can access backend databases, with access logs maintained and regularly audited.
• Anonymisation and Pseudonymisation: All internal analytics and product improvement activities are conducted using data stripped of personal identifiers, consistent with the principle of anonymity by design and by default.
• Routine Vulnerability Testing: We conduct periodic vulnerability assessments and penetration testing of our systems.
• Staff Training: All personnel with access to personal data receive mandatory training on data protection obligations under the NDP Act at least once every six (6) months.
YOUR RIGHTS AS A DATA SUBJECT
In accordance with Part VI of the NDP Act and Articles 36-40 of the GAID 2025, you have the following rights, all of which you may exercise free of charge:
• Right of Access and Data Portability: You may request a copy of the personal data we hold about you in a structured, commonly used, machine-readable format. However, due to anonymity, you have to prove beyond all reasonable doubt that you own the said account.
• Right to Rectification: You may correct any inaccurate or incomplete data at any time. Where an error is attributable to us, rectification shall be made at no cost to you.
• Right to Erasure (Right to be Forgotten): You may request the deletion of your account and all associated records, subject to any overriding legal obligation or legitimate interest as provided in Article 38 of the GAID 2025, provided you are the legitimate owner of said data.
• Right to Withdraw Consent: You may withdraw any consent you have previously provided at any time through the app settings. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to the withdrawal.
• Right to Object: You may object to the processing of your data where we rely on legitimate interest as our lawful basis.
• Right to Lodge a Complaint: You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at any time. Contact details for the Commission are available at www.ndpc.gov.ng. You may also issue a Standard Notice to Address Grievance (SNAG) to us as provided under Article 40 of the GAID 2025 before or instead of filing a complaint with the Commission.
To exercise any of the above rights, please contact our Data Protection Officer using the contact details at the bottom of the page. We will respond to all verifiable requests within a reasonable time and in any event within the period prescribed by the NDP Act.
DATA RETENTION
In accordance with the principle of storage limitation under Section 24 of the NDP Act, we retain your personal data only for as long as your account remains active and as is necessary to fulfil the purposes described in this Policy.
Where an account has been inactive for a continuous period of three (3) years, we will notify you on the connected device and provide you with a period of thirty (30) days to reactivate your account or request portability of your data before we permanently delete or irreversibly anonymize all associated records.
Certain limited data (such as records of data subject requests or breach notifications) may be retained for longer periods where required by a specific legal obligation or where necessary to defend or establish a legal claim, consistent with Article 38(2) of the GAID 2025.
CROSS-BORDER DATA TRANSFER
We principally process and store your data within the Federal Republic of Nigeria. Where it becomes necessary to transfer personal data to a country outside Nigeria, for example to cloud infrastructure located abroad, we will do so only in accordance with Article 45 of the GAID 2025 and Section 43 of the NDP Act. Specifically:
• We will only transfer data to a country in respect of which the Commission has made an adequacy decision, OR
• Where no adequacy decision exists, we will first obtain your explicit consent and put in place appropriate safeguards such as Standard Contractual Clauses (SCC) approved by the Commission.
We will always inform you of any proposed cross-border transfer before it takes place.
DATA BREACH NOTIFICATION
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will act in accordance with Section 40 of the NDP Act and Article 33 of the GAID 2025:
• Notification to the Commission: We will notify the NDPC within seventy-two (72) hours of becoming aware of the breach.
• Notification to Affected Data Subjects: We will notify you without undue delay after we become aware of a breach that may pose a high risk to your privacy, particularly where it could expose your sensitive health data or result in identity theft. The notification will describe the nature of the breach, the data affected, the steps we have taken or propose to take, and how you can protect yourself.
DATA ETHICS AND HUMAN DIGNITY
Consistent with Article 41 of the GAID 2025, My Lifeline is committed to the principles of data ethics. We acknowledge that your personal data belongs fundamentally to you as a natural person. We will process it only in ways that are transparent, fair, and consistent with your reasonable expectations. We prohibit the use of your data in any manner that could lead to discrimination, profiling for commercial advantage, or any outcome that compromises your autonomy, dignity, or fundamental rights.
We are committed to educating our users about their digital rights. We do not process your data in a way designed to create dependency, and we will never use algorithmic profiling in a manner that produces prejudiced or discriminatory outcomes.
UPDATES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance from the Commission. Where a material change is made, we will notify you via an in-app notification at least fourteen (14) days before the change takes effect. Your continued use of My Lifeline after the effective date of any update will constitute your acknowledgement of the revised Policy. Where the update requires new consent, we will separately and explicitly request it.
CONTACT OUR DATA PROTECTION OFFICER (DPO)
In accordance with Section 32 of the NDP Act and Article 11 of the GAID 2025, we have designated a Data Protection Officer. If you have any questions about this Privacy Policy, wish to exercise any of your data subject rights, wish to submit a Standard Notice to Address Grievance (SNAG), or need to report a data breach, please contact our DPO:
Email: riverone477@gmail.com
Response Time: We will acknowledge your request within five (5) business days and endeavour to resolve it within the timeframe prescribed by the NDP Act.
REGULATORY REFERENCE
This Privacy Policy has been prepared in compliance with:
Section 37, 1999 Constitution of the Federal Republic of Nigeria
Nigeria Data Protection Act 2023 (NDP Act)
NDP Act – General Application and Implementation Directive (GAID 2025), NDPC/NDP ACT-GAID/01/2025