Privacy Policy
Last updated: 4 April 2026
This Privacy Policy describes how Quality Healthcare Services (QHS) Consultants Ltd ("we," "our," or "us") processes personal data in connection with our website, marketing, and consultancy and advisory services. Quality Healthcare Services (QHS) Consultants Ltd is registered and principally located in Lagos State, Nigeria. This policy is designed to align with the Nigeria Data Protection Act 2023 (NDPA), regulations and guidance issued by the Nigeria Data Protection Commission (NDPC), and other applicable laws of Nigeria and Lagos State, and, where applicable, the EU General Data Protection Regulation (GDPR) and the UK GDPR (as retained in United Kingdom law).
1. Who we are (data controller)
Quality Healthcare Services (QHS) Consultants Ltd is the data controller for personal data for which we determine the purposes and means of processing, unless we notify you otherwise (for example, where we act solely as a processor on written instructions of a client under a services agreement).
- Registered / business address: 57B, Hibiscus Street, M.K.O Abiola Gardens, C.B.D, Ikeja, Lagos State, Nigeria
- Website: qhsconsultant.com
- Privacy contact: contact@qhsconsultant.com (subject line: "Privacy Request")
- Telephone: +1 (252) 691 4076
2. Scope
This policy applies to personal data we collect through our website, email, telephone, video conferencing, in-person meetings, proposals, contracts, and other legitimate business channels. It does not govern how third-party platforms (for example, social networks or payment providers) process data; those providers have their own policies.
3. Categories of personal data
Depending on your relationship with us, we may process some or all of the following:
- Identity and contact data: name, title, employer, work email, work phone, postal address, country, and similar identifiers.
- Professional data: role, department, credentials, areas of interest, and information you provide about your organisation or projects.
- Communication data: messages, call logs, meeting notes where permitted, and correspondence metadata.
- Technical and usage data: IP address, device and browser type, approximate location derived from IP, referring URLs, pages viewed, and timestamps (where our hosting or analytics tools collect such data).
- Sensitive / special category data: in the course of consultancy (for example, accreditation, quality, clinical governance, or operational advisory), you or your organisation may voluntarily share health-related or similarly sensitive information about patients, staff, or operations. We process such data only where necessary for the agreed services, with appropriate safeguards, and in line with NDPA and (where applicable) GDPR Article 9 grounds (such as explicit consent, or processing necessary for the provision of health or social care subject to professional secrecy and appropriate safeguards).
- Marketing preferences: subscription status, event attendance, and similar preferences.
4. How and why we use personal data (legal bases)
We process personal data only where we have a valid legal basis under NDPA 2023 and, for individuals in the EEA, UK, or Switzerland, under GDPR / UK GDPR. These typically include:
- Contract and pre-contract steps: responding to enquiries, preparing proposals, delivering services, invoicing, and managing the client relationship.
- Consent: where required for certain marketing communications, non-essential cookies or similar technologies, or where we rely on explicit consent for sensitive processing as described in your engagement. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Legal obligation: compliance with applicable law, court orders, regulatory requests, tax, accounting, and corporate record-keeping.
- Legitimate interests: operating and securing our website, fraud prevention, business analytics that do not override your rights, internal reporting, and improving our services, where balanced against your interests and fundamental rights.
- Vital interests: rarely, if processing is necessary to protect someone's life.
5. NDPA 2023 (Nigeria)
We are committed to complying with the NDPA 2023 and applicable NDPC regulations and guidance. This includes applying data protection principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability), honouring data subject rights, implementing appropriate technical and organisational security measures, and ensuring lawful cross-border transfers where personal data leaves Nigeria.
Nigerian data subjects may lodge complaints with the Nigeria Data Protection Commission (NDPC) in addition to contacting us first. We will cooperate in good faith with the NDPC as required by law.
6. GDPR and UK GDPR (EEA, UK, Switzerland)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you benefit from the rights described in Section 10. Depending on your location, you may lodge a complaint with your local supervisory authority. We do not intend to create an establishment in the EU/UK solely through this website; where we offer services to EEA/UK organisations, we will address transfer and processing mechanisms (such as Standard Contractual Clauses or UK Addendum, where applicable) in the relevant contract or supplementary terms.
7. Cookies and similar technologies
Our website may use cookies or similar technologies that are strictly necessary for operation and security. Where we introduce analytics or marketing technologies that are not strictly necessary, we will obtain consent where required by law (including NDPA and ePrivacy-style expectations) and provide granular choices where feasible. For details and to manage optional cookies on this site, see our Cookie Policy. You can control cookies through your browser settings; disabling some cookies may affect site functionality.
8. Recipients and processors
We may share personal data with:
- Service providers (processors): for example, hosting, email, productivity suites, customer relationship tools, and professional advisers, under written agreements that require confidentiality and appropriate security.
- Professional advisers: lawyers, accountants, and insurers, where necessary and subject to professional obligations.
- Authorities: where required by applicable law of Nigeria, Lagos State, or another competent jurisdiction, or to protect rights, safety, or the security of our business and clients.
- Business transfers: in connection with a merger, acquisition, or asset sale, subject to confidentiality and continued protection of personal data as required by law.
We do not sell your personal data.
9. International transfers
We are based in Nigeria and may use service providers or infrastructure in other countries, including countries that may not be deemed to provide an adequate level of protection. Where required by NDPA 2023, GDPR, or UK GDPR, we implement appropriate safeguards (such as approved transfer mechanisms, contractual clauses, or other lawful grounds) and conduct assessments where appropriate before transferring personal data.
10. Your rights
Subject to applicable law, you may have the right to:
- Access the personal data we hold about you;
- Request rectification of inaccurate or incomplete data;
- Request erasure where applicable ("right to be forgotten");
- Restrict processing in certain circumstances;
- Object to processing based on legitimate interests or for direct marketing;
- Request data portability, where processing is automated and based on consent or contract;
- Withdraw consent where processing is based on consent;
- Not be subject to solely automated decisions with legal or similarly significant effects (we do not use such processing as a default);
- Lodge a complaint with the NDPC or, where applicable, another supervisory authority.
To exercise rights, email contact@qhsconsultant.com with "Privacy Request" in the subject line. We may need to verify your identity. We will respond within timelines required by NDPA, GDPR, or UK GDPR, or explain any extension permitted by law.
11. Retention
We retain personal data only as long as necessary for the purposes collected, including satisfying legal, regulatory, tax, accounting, or reporting requirements, and resolving disputes or enforcing agreements. Retention periods vary by data category; client files may be retained for the duration of the engagement plus a statutory or professionally appropriate period unless a longer period is required by law or agreed in writing.
12. Security
We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction, commensurate with the risk and nature of the data. No system is completely secure; we encourage you to use secure channels when sharing sensitive information and to avoid sending unnecessary special-category data by unsecured email.
13. Data breach notification
In the event of a personal data breach likely to result in risk to data subjects, we will assess the incident and comply with notification, remediation, record-keeping, and co-operation obligations under the NDPA 2023, regulations and guidance issued by the NDPC, and other applicable laws in force in Nigeria and Lagos State (including requirements relevant to data controllers operating from Lagos State). Where affected individuals benefit from GDPR, UK GDPR, or other non-Nigerian frameworks, we will also meet any additional requirements those laws impose. Notifications to supervisory authorities and affected individuals will be made without undue delay, in line with the applicable statutory and regulatory timelines.
14. Children
Our website and services are directed at organisations and professionals in healthcare and related sectors. We do not knowingly collect personal data from children under the age of 16 (or a higher age where the laws of Nigeria or Lagos State require) without appropriate parental or guardian authority. If you believe we have collected such data, contact us and we will take steps to delete it.
15. Processor engagements (client data)
When we process personal data on behalf of a healthcare client under a written agreement, we act as a processor (or sub-processor) and process such data only on documented instructions, unless required otherwise by law. The client remains responsible for the lawfulness of the processing and for providing any required notices to its own data subjects.
16. Changes to this policy
We may update this Privacy Policy to reflect legal, technical, or business changes. The "Last updated" date will be revised, and where changes are material we will provide additional notice as appropriate (for example, a notice on our website or by email where we have your contact details).
17. Applicable law (Lagos State, Nigeria)
This Privacy Policy and our processing practices described here are governed primarily by Nigerian law, including the NDPA 2023 and NDPC requirements, with particular reference to our registration and principal operations in Lagos State, Nigeria. Where state or local rules in Lagos State apply to our activities, we will comply with them alongside federal requirements. This section does not limit mandatory protections for data subjects in other countries (for example, EEA or UK rights described elsewhere in this policy).
18. Contact
For privacy questions or requests: contact@qhsconsultant.com, or +1 (252) 691 4076. You may also review our Terms of Service.
By using our website or engaging with us, you acknowledge that you have read this Privacy Policy. For legal advice specific to your organisation, consult qualified counsel; this policy is not a substitute for professional legal advice.