Privacy Policy

Who We Are

TRACKMOND is operated by two registered entities working together to deliver this service.

Basmarbies Limited is registered in Nigeria under RC number 8759141, with its registered office at Farm Road Eliowhani, Rumudara, Port Harcourt, Rivers State, Nigeria.

Trackmond Health LTD is registered in England and Wales under Companies House number 17060070, with its registered office at 3 Bowring Close, Bristol, BS13 0DH, United Kingdom.

Together these entities are referred to in this policy as "TRACKMOND", "we", "us", or "our". Both entities act as joint data controllers for the personal data processed through the TRACKMOND mobile application, website at trackmond.com, and hospital dashboard.

This policy is written to comply with the Nigeria Data Protection Regulation (NDPR) 2019 and the UK General Data Protection Regulation (UK GDPR) as retained in domestic law under the Data Protection Act 2018.

For all data protection enquiries, please contact support@trackmond.com.

Data We Collect

We collect only the data that is necessary to provide and improve the service. The categories of personal data we process are as follows.

Account and identity information. This includes your full name, phone number, email address derived from your phone number, date of birth, gender, and the hospital or doctor you are linked to.

Health and clinical data. This includes your blood pressure readings, blood glucose readings, medication names and dosages, medication adherence records, symptom notes, and any health history you enter into the app. This constitutes special category data under UK GDPR and sensitive personal data under NDPR, and is handled with enhanced protections.

Caregiver information. If you choose to add an emergency contact or caregiver, we collect their name, phone number, and their relationship to you.

Payment information. We collect records of your subscription tier, payment dates, and payment status. Card details are not stored by TRACKMOND. All payment processing is handled directly by Paystack.

Device and technical data. This includes your device model, operating system version, push notification token, app version, and IP address when you access our website or services.

Usage data. We collect information about how you interact with the app, including when you log readings, which features you use, and how frequently you engage with the AI coaching feature.

We do not use advertising trackers. We do not collect data from social media profiles. We collect only what you deliberately provide.

Why We Collect It

Every category of data we collect serves a specific, documented purpose. We do not process personal data beyond what is described here.

• To provide the monitoring service. Your health readings are stored, displayed to you, and shared with your linked doctor or hospital so they can monitor your condition in real time.
• To send health alerts. When a reading is classified as critically high or low, we send an immediate notification to your linked doctor, hospital, or caregiver by push notification and SMS.
• To power the AI health coach. Your recent readings, medications, and basic profile are sent to Anthropic's API to generate personalised health coaching responses. No conversation history is retained between sessions.
• To generate health reports. Weekly trend summaries and clinical reports are generated from your readings to give you and your care team a clearer picture of your health over time.
• To process your subscription. We use your payment records to verify your access tier and maintain your subscription through Paystack.
• To communicate with you. We send push notifications and SMS messages for medication reminders, reading alerts, and important account updates.
• To improve the service. We analyse aggregated, anonymised usage data to identify bugs, improve features, and understand how the platform is being used.
• To respond to support requests. When you contact us, we use the information you provide to resolve your query.

Our legal basis for processing under NDPR and UK GDPR is performance of a contract for core service delivery, explicit consent for processing health and special category data, and legitimate interests for platform improvement and fraud prevention.

Cookies and Analytics

The TRACKMOND website at trackmond.com uses cookies and analytics to understand how visitors use the site and to improve performance. The mobile app does not use cookies.

Essential cookies. These are required for the website to function correctly, including page load optimisation and security. They cannot be disabled.

Analytics cookies (Google Analytics 4). We use Google Analytics to collect anonymous data about website traffic, such as which pages are visited, how long visitors stay, and what country they are visiting from. This data is aggregated and does not identify you personally. Google may transfer this data to servers in the United States under their standard contractual clauses.

You can opt out of Google Analytics at any time by visiting tools.google.com/dlpage/gaoptout or by adjusting your browser cookie settings.

By continuing to use the TRACKMOND website, you consent to the use of cookies as described in this policy. You may withdraw consent at any time by clearing cookies from your browser settings.

Who We Share Data With

We do not sell, rent, or trade your personal data. We share it only with the parties listed below, each of which has been selected for their security standards and bound by appropriate data processing agreements.

We may disclose your personal data where required to do so by Nigerian or UK law, a court order, or a regulatory authority. We may also disclose information where necessary to protect the safety, rights, or property of TRACKMOND, our users, or the public.

If TRACKMOND is involved in a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, and you will be notified in advance.

How Long We Keep It

We retain personal data only for as long as it is necessary for the purposes described in this policy, or as required by law.

• Active accounts. Your personal data is retained for the full duration that your account remains active.
• Health readings and clinical data. Retained for the lifetime of your account to support long-term trend analysis. Deleted alongside your account upon a verified deletion request.
• Payment records. Retained for seven years from the date of the transaction, as required under Nigerian financial regulations.
• Deleted accounts. Following a deletion request, personal data is removed within 30 days, subject to the legal retention requirements above.
• AI session data. No conversation history is retained by TRACKMOND between sessions. Context sent to Anthropic per session is governed by Anthropic's own data retention policy.
• Anonymised data. Aggregated, non-identifiable data may be retained indefinitely for platform research and improvement.

Security

We apply technical and organisational measures proportionate to the sensitivity of health data.

• All data in transit is encrypted using HTTPS with TLS.
• Health data at rest is stored in Supabase with row-level security policies. Each user can access only their own records. Hospital staff can access only patients linked to their institution.
• Authentication is managed through Supabase Auth with securely hashed and salted passwords. Passwords are never stored in plain text.
• Payment card details are never stored by TRACKMOND. All card processing is handled by Paystack on their PCI-DSS compliant infrastructure.
• Edge functions that handle sensitive operations use server-side API keys that are never exposed to client code.
• Access to the admin dashboard is restricted to authenticated hospital staff only, with role-based permissions separating patients, nurses, doctors, and administrators.

No system is completely invulnerable. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by NDPR and UK GDPR.

If you believe your account has been compromised, contact us immediately at support@trackmond.com or +234 806 492 0918.

Your Rights

Under the NDPR and UK GDPR, you have the following rights in relation to your personal data.

• Right of access. You may request a copy of all personal data we hold about you, free of charge.
• Right to rectification. You may ask us to correct any inaccurate or incomplete information.
• Right to erasure. You may request that we delete your account and all associated personal data. We will comply within 30 days, subject to any legal retention obligations.
• Right to restriction. You may request that we limit how we process your data in certain circumstances, for example while a dispute is being resolved.
• Right to data portability. You may request your data in a structured, machine-readable format so you can transfer it to another service.
• Right to withdraw consent. Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
• Right to object. You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.

To exercise any of these rights, email support@trackmond.com with the subject line "Data Request". We will respond within 30 days. Where requests are complex or numerous, we may extend this by a further 60 days with notice.

If you are based in Nigeria, you have the right to lodge a complaint with the Nigeria Data Protection Bureau (NDPB) at ndpb.gov.ng. If you are based in the United Kingdom, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.

Children

TRACKMOND is intended for individuals aged 18 and above. We do not knowingly collect or process personal data relating to children under the age of 18. If you are a parent or guardian and believe that your child has registered an account without your consent, please contact us at support@trackmond.com and we will delete the account and associated data promptly.

Policy Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by push notification or email at least 14 days before the change takes effect, and update the date at the top of this document.

Your continued use of the TRACKMOND service after the effective date of any update constitutes your acceptance of the revised policy. If you do not agree with the changes, you may delete your account before the effective date.

Contact Us

For all privacy and data protection enquiries, please reach us through any of the channels below. We aim to respond to all requests within 30 days.