Tracka

Privacy Policy

Last updated: March 1, 2026

1. Introduction

Tracka ("we," "our," or "us") is committed to protecting the privacy of all individuals whose data is processed through our sickle cell patient tracking platform. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the Tracka platform, including the main application, the platform dashboard, and the Data API (collectively, the "Services"). This policy applies to all users including health facility administrators, field agents, external monitors, and API consumers.

2. Information We Collect

2.1 Patient Health Information

Through authorized health facility staff and field agents, we collect patient health information necessary for sickle cell disease management, including: patient demographics (name, date of birth, gender, contact information), clinical data (genotype, visit records, crisis events, laboratory results, treatment plans), immunization records, growth measurements, and consent records. All patient data is collected with explicit consent and in accordance with applicable healthcare data regulations.

2.2 User Account Information

When you create a Tracka account, we collect your name, email address, phone number, organizational affiliation, and role designation. For authentication purposes, we store hashed passwords and two-factor authentication tokens. We do not store plaintext passwords.

2.3 Usage and Technical Data

We automatically collect technical information including device type, browser version, IP address, session duration, pages visited, and features used. For the Data API, we log request timestamps, endpoints accessed, response codes, and API key identifiers for rate limiting and security purposes.

2.4 Geographic Data

We maintain a geographic hierarchy (country, state, LGA, district, ward, facility) to organize patient data and enable regional analytics. This geographic data is associated with facilities and patient records for reporting and analysis purposes.

3. How We Use Information

We use the information we collect for the following purposes:

  • Providing sickle cell patient tracking and clinical management services to authorized health facilities
  • Generating clinical analytics and reports for health programme administrators
  • Enabling field agents to collect and sync patient data, including in offline environments
  • Providing anonymized, aggregated data through the Data API for research and public health purposes
  • Deduplicating patient records across facilities using fingerprint hashing to prevent duplicate entries
  • Managing user accounts, authentication, and role-based access control
  • Maintaining audit trails for compliance and data integrity
  • Improving the platform through usage analytics and performance monitoring
  • Communicating service updates, security notices, and account-related information

4. Data Anonymization and the Data API

The Tracka Data API provides access to anonymized, aggregated sickle cell disease data for research, public health analysis, and policy-making. No individual patient records are ever exposed through the API. All data served through the API is aggregated to the geographic level specified by the consumer's plan tier (country, region, or facility level). External monitors accessing the platform always see anonymized patient data — individual patient identifiers are never visible to external monitor role users.

5. Data Sharing and Disclosure

We do not sell patient data. We share information only in the following circumstances:

  • Within authorized organizations: Patient data is accessible to authorized users within the patient's assigned facility and region, according to role-based permissions.
  • Data API consumers: Anonymized, aggregated data is available to verified API consumers under their plan terms. No individual patient data is shared.
  • Legal requirements: We may disclose information when required by law, court order, or governmental regulation.
  • Service providers: We use infrastructure providers (hosting, database, email) who process data on our behalf under strict data processing agreements.

6. Data Security

We implement comprehensive security measures to protect data at every layer. All data in transit is encrypted using TLS 1.3. Data at rest is encrypted with AES-256. Database access is segregated by role with dedicated database users for application operations, migrations, and read-only reporting. Sessions are managed through Redis with automatic timeout and concurrent session limits. All passwords must meet our strong password policy (12+ characters, mixed case, numbers, and special characters) and are hashed using bcrypt. We maintain immutable, append-only audit trails that record every data modification. Two-factor authentication is available for all users and mandatory for administrative roles.

7. Data Retention

Patient health records are retained for the duration required by applicable healthcare regulations in the jurisdiction where the patient is registered, which is typically a minimum of six years after the last clinical interaction. We use soft deletes throughout the platform — records marked for deletion are retained in the database with a deletion timestamp but are excluded from active queries and reports. Audit trail records are retained indefinitely as they constitute the compliance record of the platform. User account data is retained for the duration of the account plus 90 days after account closure. API usage logs are retained for 12 months.

8. Patient Rights and Consent

Patients whose data is stored in Tracka have the following rights, which can be exercised through their registered health facility:

  • Right to access: Patients may request a copy of their health data held in the system.
  • Right to rectification: Patients may request correction of inaccurate data.
  • Right to withdraw consent: Patients may withdraw consent for data collection at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • Right to data portability: Patients may request their data in a structured, machine-readable format.
  • Right to restriction: Patients may request restriction of processing in certain circumstances.

Consent is managed through the platform's built-in consent management system, which tracks consent scope, collection date, expiration, and withdrawal status per patient.

9. International Data Transfers

Tracka primarily processes data within Nigeria. Where data is transferred to infrastructure providers located outside Nigeria, we ensure that appropriate safeguards are in place, including data processing agreements that comply with the Nigeria Data Protection Regulation (NDPR) and, where applicable, standard contractual clauses recognized by relevant data protection authorities.

10. Children's Data

Sickle cell disease is often diagnosed in childhood, and Tracka processes health data for pediatric patients. This data is collected and managed through authorized health facilities with the consent of the patient's parent or legal guardian. We apply the same security, anonymization, and access controls to pediatric data as to all patient data.

11. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify registered users by email and update the "Last updated" date at the top of this page. Your continued use of the Services after any changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern, please contact our Data Protection Officer at privacy@tracka.promatics.ng or write to: Tracka Data Protection Officer, 14 Adeola Odeku Street, Victoria Island, Lagos, Nigeria.