Legal

NkwaPlus Privacy Statement

Patient Privacy Statement

Introduction

This Privacy Statement applies to hypertension/diabetes patients using the Digital Remote Care Application, NkwaPlus, as provided by your healthcare institution in collaboration with PharmAccess Ghana through an app developed by Afrifanom Limited (Afrifanom). This Privacy Statement explains how your personal data is collected, used, stored and shared, and how it is protected when using the app. Your personal data will be processed in a fair, reasonable and lawful manner.

Your healthcare institution is the controller for the data processed in NkwaPlus. Your healthcare institution processes your data for the purpose of providing you the remote care services. In addition, your healthcare institution will analyze your pseudonymized data for reporting, research, and quality improvement in non-communicable diseases, provided that any publication will only include anonymized data.

PharmAccess Ghana is an international non-governmental organization with an office in Ghana and its head office located in the Netherlands (together: PharmAccess). PharmAccess is a processor of the personal data used in NkwaPlus.

In order to measure, improve, and determine the impact of the services provided, PharmAccess will process pseudonymised personal data received through NkwaPlus.

PharmAccess will store the data on secured servers located in the Netherlands. The data is analysed on behalf of your healthcare institution to ensure and improve the healthcare services provided on NkwaPlus.

PharmAccess may ask you to participate in a qualitative endline survey about your experiences under NkwaPlus and to understand what influences patients to enter frequent, limited or no measurements.

In addition, your healthcare institution and PharmAccess will analyse pseudonymized data for research purposes to gain insights into how to better monitor and treat non-communicable diseases.

Afrifanom Limited is a processor in the digital remote care patient monitoring service. Afrifanom processes your personal data through the app in order to offer your measurement results to your medical team at your healthcare institution. Afrifanom is certified under ISO 27001. Their systems and processes are designed in line with industry best practices for data security, privacy, and infrastructure management. You can read more about how Afrifanom handles and protects your privacy later in this document.

Personal data

NkwaPlus processes the following types of personal data:

Contact details: name, address, gender, email address, telephone number and other necessary contact information.

Demographic and identification data such as date of birth, patient identification numbers and health insurance information where applicable.

Medical information including diagnoses, medications, relevant medical history and allergies where necessary for the provision of care.

Medical vital statistics such as blood pressure readings, heart rate and fasting blood sugar.

Lifestyle information such as alcohol intake, smoking behaviour, physical activity, walking and sleep patterns.

Measurement information such as the date and time of measurements, frequency of measurements and device used to capture the measurement.

Communication data generated through the platform such as messages between patients and healthcare providers.

Technical information related to the use of the application such as device type, operating system and application usage data.

Patient feedback and survey responses collected to evaluate and improve the services provided through NkwaPlus.

The information you provide via the NkwaPlus app is medical information. Please make sure that you adequately protect your device from unauthorized access to the information in the app. We recommend that you at least protect the device which you use to access the app with a strong password.

The data you enter in the NkwaPlus app can, if necessary, be transferred to your patient file. This may then include all responses to the questions that the NkwaPlus app asks, including your weight, steps counted by your device (optional), heart rate, blood pressure, need for telephone contact and all your comments in the NkwaPlus app.

Your personal data may be accessed by:

Technical service providers who support the operation of the application under strict confidentiality agreements.

Third parties we make use of such as the National Information Technology Agency Data Center in Ghana for cloud infrastructure and Bluehost and Amazon Simple Email Service for email services, all under strict data processing agreements.

NkwaPlus also processes personal data for the following purposes:

  • To provide you with information on our services, either directly (by telephone, email or text message) or via our website.
  • To contact you for evaluation of the services.

Withdrawing your consent

You have the right to withdraw your consent at any time. In this case you will not be able to make use of the NkwaPlus services anymore. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal.

Security

Afrifanom has taken the following security measures to ensure secure data processing:

  • Infrastructure Access Control:

Access to servers and infrastructure is restricted and secured via VPN, with role-based access control. Only authorized personnel with specific responsibilities can access production systems.

  • Database Security:

Database access is strictly limited to necessary personnel based on roles. Authentication and access controls are enforced, and credentials are securely managed.

  • Encryption:

Data is encrypted both in transit and at rest. Transport Layer Security (TLS), provided by DigiCert, is used for all communications, and sensitive data is protected using strong encryption standards (e.g., AES-256 where applicable). Passwords are hashed and salted.

  • Authentication & Authorization:

Strong password policies are enforced. Two-factor authentication (2FA) is supported for administrative and sensitive access points. Login attempts are rate-limited to prevent brute-force attacks.

  • Application Security:

Input validation and sanitization are implemented to prevent malicious data injection. Secure coding practices are followed and the codebase is regularly reviewed.

  • Environment Separation:

Separate environments (development, staging, production) are maintained to reduce risk and ensure controlled deployments.

  • Monitoring & Logging:

System activities, access logs, and anomalies are continuously monitored. Alerts are triggered for suspicious behavior.

  • Backup & Recovery:

Regular automated backups are performed, with restricted access to backup systems to prevent unauthorized use or deletion.

  • Updates & Vulnerability Management:

Security patches and updates are applied continuously. Vulnerabilities are actively monitored and addressed as part of an ongoing process.

  • Session & Cookie Security:

Session durations are limited, and sensitive data is not stored in cookies. Any necessary cookie data is encrypted and cleared upon logout.

  • Malware Protection:

Systems are monitored for malicious activity, and protective mechanisms are in place to detect and mitigate threats.

  • Testing & Improvements:

Systems are periodically reviewed for potential weaknesses.

  • Employee Awareness:

Team members are guided on data protection and security best practices as part of internal processes.

Transfer of data outside Ghana

PharmAccess will store your data on secured servers located in Ghana. Additionally, the data will be sent for analysis to PharmAccess' head office in the Netherlands, a country with an adequate level of security under the European General Data Protection Regulation. Such transfer will take place using appropriate safeguards in accordance with the Ghana Data Protection Agency guidelines and other applicable data protection laws.

Data retention periods

We will retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, in accordance with the Ghana Data Protection Act, 2012 (Act 843), applicable healthcare regulations, and professional guidelines. When personal data is no longer required for the purposes for which it was collected, or when the applicable retention period expires, it will be securely deleted, anonymised, or archived in accordance with our data retention policies and the requirements of the Data Protection Act.

If you want your data to be removed from NkwaPlus, please send an email to info@nkwaplus.com. This also applies to requests for access, rectification, addition, limitation or any objections.

Contact and complaints

If you believe that the data processing for NkwaPlus is not in accordance with applicable laws and regulations, you can report this to your healthcare institution.

The Data Protection Commission is the independent supervisor with regard to compliance with privacy legislation in Ghana. You can find a lot of information on the website of the Data Protection Commission, including information on privacy regulations and data processing in healthcare.

Updates to this privacy statement

This Privacy Policy was last updated in May 2026. This Privacy Policy may be amended from time to time. Your healthcare institution and PharmAccess will inform you about such changes in a timely manner via a message on the NkwaPlus Application. The most recent version of the Privacy Policy can be found on the website nkwaplus.com.