Privacy Policy & Patient Data Protection

1. Data Controller

The data controller responsible for your personal and health data is:

Opes Health Systems Sarl operates as a health data intermediary and interoperability platform. We do not provide clinical advice or act as a healthcare provider. We facilitate the secure, consent-governed exchange of patient health records between registered healthcare facilities and patients.

2. Legal Basis for Processing

We process your personal and health data on the following legal grounds, consistent with Cameroon Law No. 2010/012 and internationally recognised data protection principles:

• Explicit Consent (Article 46, Law 2010/012): For all non-emergency access to your clinical records, processing is based on your freely given, specific, informed and unambiguous consent, recorded electronically within the OpesCare platform and timestamped in an immutable audit log.
• Contractual Necessity: Processing necessary to create and maintain your OpesCare Health ID, authenticate your identity, and fulfil obligations under our Terms of Service.
• Vital Interest / Public Health Emergency: In a verified, life-threatening emergency where you are unable to consent, a limited emergency health profile may be accessed by an approved healthcare provider. This constitutes a vital-interest basis as recognised under international health data protection frameworks. Every such access is strictly audited.
• Legal Obligation: Where we are required to process or disclose data to comply with an order of a competent Cameroonian court, the National Agency for Information and Communication Technologies (ANTIC), or a lawful directive from MINSANTE.
• Legitimate Interests (Platform Security & Audit): Processing necessary for fraud prevention, platform security monitoring, and the maintenance of immutable audit logs, provided this does not override your fundamental rights.

3. Categories of Personal Data We Process

3.1 Identity and Demographic Data

• Full legal name, date of birth, sex/gender, nationality
• National Identification Number (CNI/NIC), CNAMGS social security identifier, passport number where applicable
• OpesCare Health ID (unique platform identifier)
• Photograph or biometric identifier (where provided for identity verification)
• Contact information: phone number, email address, postal address
• Emergency contact name, phone, and relationship

3.2 Clinical and Health Data (Special Category)

Note: Health data is a special category of personal data under Cameroon law and international standards. We apply the highest level of protection to all clinical information.

• Medical history, diagnoses, clinical conditions (ICD-10/ICD-11 coded)
• Prescription records, medication lists, dispensing history
• Laboratory results, diagnostic reports, DICOM imaging metadata
• Immunisation and vaccination history
• Allergy records and adverse reaction history
• Blood group and transfusion records
• Clinical encounter and visit records (facility, provider, date, summary)
• Referral records and care plan information
• Insurance policy numbers and coverage data
• Official health documents (discharge summaries, certificates, advance directives)

3.3 Platform Usage and Access Data

• Consent grants, denials, revocations, and modification history
• Access event logs (who accessed, when, from which facility, stated purpose, scope of data retrieved)
• QR code generation and verification timestamps
• Authentication events (login, logout, password changes, 2FA)
• IP address, device type, browser agent (retained for security audit purposes only)

3.4 Data We Do Not Collect

We do not collect financial payment card data, biometric raw data for identification (beyond what is necessary for identity verification), social media profiles, or location tracking data beyond what you explicitly provide as part of your address.

4. Purposes of Processing

Purpose	Legal Basis
Creating and maintaining your OpesCare Health ID	Contract / Legal obligation
Identity verification and patient matching across facilities	Contract / Consent
Enabling consent-based clinical record sharing between authorised providers	Explicit consent
Emergency access to critical health information	Vital interest / Emergency health basis
Medication and blood availability verification	Consent / Public health
Generating immutable audit logs of all access events	Legal obligation / Legitimate interest
Sending notifications about consent requests and access events	Contract / Consent
Platform security monitoring and fraud prevention	Legitimate interest
Anonymised public health reporting (aggregated data only, no individual identifiers)	Public interest / Legal obligation (MINSANTE reporting)
Compliance with court orders or regulatory directives from ANTIC or MINSANTE	Legal obligation
Improving platform reliability and user experience (anonymised analytics only)	Legitimate interest

5. Data Sharing and Disclosure

5.1 Authorised Healthcare Providers

We share your health records only with healthcare facilities and providers you have explicitly authorised through the OpesCare consent system. Each consent grant specifies the facility, the purpose, the scope of data accessible, and the duration. Providers receive only the minimum data necessary for the stated clinical purpose (data minimisation principle).

5.2 Emergency Access

In a documented life-threatening emergency, an approved healthcare provider may access your emergency health profile (identity, blood group, critical allergies, active chronic conditions) without prior consent. This access is automatically logged, an alert is sent to compliance officers, and you or your emergency contact are notified at the earliest opportunity. See Section 10 for the full emergency access protocol.

5.3 Sub-Processors

We engage third-party sub-processors for hosting, backup, and security monitoring. All sub-processors are bound by data processing agreements (DPAs) requiring equivalent data protection standards. We do not use sub-processors established in jurisdictions that do not provide adequate data protection without implementing appropriate safeguards (Standard Contractual Clauses or equivalent). Our sub-processors are reviewed annually.

5.4 Public Health and Government Authorities

We may share aggregated, de-identified data with MINSANTE, the World Health Organisation (WHO), and other public health bodies for disease surveillance, epidemiological reporting, health system planning, and to support the objectives of Cameroon's National Digital Health Strategy 2026–2030. No individual patient record is shared for this purpose.

5.5 Legal Compliance

We will disclose personal data where required by a binding and lawful order of a Cameroonian court, ANTIC, MINSANTE, or other competent regulatory authority. We will, where permitted by law, notify you of any such request prior to disclosure.

5.6 What We Will Never Do

• Sell, rent, or trade your personal or health data to any third party for commercial purposes.
• Use your identifiable health data for advertising, profiling, or marketing purposes.
• Share your data with insurers, employers, or government agencies outside lawful clinical and regulatory channels without your explicit consent.
• Transfer your data outside the Central African Economic and Monetary Community (CEMAC) region or the African Union without appropriate safeguards in place.

6. Data Retention

We retain personal and health data in accordance with Cameroon health legislation, WHO guidance on health record retention, and the requirements of MINSANTE:

• Clinical health records: Minimum 10 years from the date of last clinical encounter, consistent with Cameroon health legislation and WHO recommendations. Records relating to minors are retained until the patient reaches 28 years of age, or 10 years from last encounter, whichever is later.
• Audit and access logs: Minimum 10 years. Audit logs are immutable and cannot be deleted even at the patient's request, as they form part of the legally required accountability framework.
• Consent records: For the full duration of the data subject's registration and at least 5 years thereafter, or as required by applicable law.
• Identity data: For the duration of platform registration and up to 7 years after account closure to satisfy legal obligations.
• Platform usage / authentication logs: 2 years, for security purposes.

Upon expiry of these periods, or upon lawful erasure request, data is securely destroyed using cryptographic erasure and/or physical deletion from all storage systems, including backups.

7. Security Measures

We implement institutional-grade technical and organisational security measures including, but not limited to:

• AES-256 encryption for all health data at rest
• TLS 1.3 for all data in transit; older protocol versions are rejected
• Zero-trust network architecture with role-based access control (RBAC)
• Multi-factor authentication (MFA) for all staff and healthcare provider accounts
• Regular independent penetration testing and vulnerability assessments
• Immutable, append-only audit log infrastructure
• 24/7 automated threat detection and incident response
• Secure data centre infrastructure with physical access controls, CCTV, and fire suppression
• Annual security awareness training for all staff with access to patient data
• Data breach response plan with a maximum 72-hour notification obligation to ANTIC and affected data subjects

Full details are available on our Security Architecture page.

8. Your Rights

As a data subject under Cameroon Law No. 2010/012 and in alignment with internationally recognised data protection standards, you have the following rights:

To exercise any of the above rights, submit a written request to privacy@opeshealthsystems.com. We will respond within 30 calendar days. We may request proof of identity before processing your request. The exercise of rights is free of charge; however, for manifestly unfounded or excessive requests, we reserve the right to charge a reasonable administrative fee.

9. Special Category Health Data

Health data is recognised as a special category of personal data requiring heightened protection under Cameroon law and international frameworks. In addition to our standard safeguards:

• Clinical records are accessible only to verified healthcare providers with a confirmed and documented clinical purpose.
• Sensitive diagnostic categories (including HIV status, mental health records, reproductive health, and substance dependency) are subject to additional access controls and are not included in emergency profiles unless clinically critical.
• We implement the principle of least privilege: each provider role receives access only to the data categories relevant to their clinical function.
• All special category data processing is documented in our Article 30-equivalent Record of Processing Activities (ROPA), available to ANTIC upon request.

10. Children and Minors

OpesCare may process health records for minors (persons under 18 years of age in the Republic of Cameroon). The following safeguards apply:

• Consent for the registration and health data processing of a minor must be provided by a parent or lawfully appointed guardian.
• Access to a minor's health record requires explicit authorisation from the parent/guardian, except in verified medical emergencies.
• Guardians may designate a transition date for patient majority, after which the patient gains full independent control of their Health ID and consent management.
• Records for minors are retained until the patient reaches 28 years of age or 10 years from the date of last clinical encounter, whichever is later, consistent with Cameroon health documentation standards.
• We do not knowingly register minors on the patient-facing portal without verified parental or guardian consent.

11. Emergency Access Protocol

In life-threatening clinical emergencies, where a patient is unconscious or unable to provide informed consent, an approved healthcare provider registered on the OpesCare platform may access a strictly limited Emergency Health Profile. This profile contains:

• Full legal name and date of birth
• Blood group and Rh factor
• Active critical allergies and contraindications
• Current chronic conditions material to emergency treatment
• Active critical medications
• Emergency contact name and phone number

Every emergency access event:

• Requires the accessing provider to document a clinical reason before the profile is displayed
• Generates an immediate high-priority audit alert visible to facility compliance officers and platform administrators
• Is logged with the provider's authenticated identity, facility, timestamp, and device
• Triggers an automatic notification to the patient's registered contact at the earliest safe opportunity
• Is subject to post-event review by the relevant facility's clinical governance team

Emergency access does not grant access to the patient's full clinical history, mental health records, reproductive health data, or consent logs.

12. Supervisory Authority

The competent supervisory authority for personal data protection in the Republic of Cameroon is:

If you believe your data protection rights have been violated, you have the right to lodge a complaint with ANTIC at any time. We encourage you to contact us first at privacy@opeshealthsystems.com so that we may address your concern directly.

13. Cross-Border Data Transfers

OpesCare primarily processes and stores patient data within secure infrastructure within the Central Africa region. Where any component of our infrastructure or sub-processor is located outside Cameroon, we ensure that equivalent data protection safeguards are in place, including:

• Data processing agreements (DPAs) requiring compliance with Cameroon Law 2010/012 and the Malabo Convention
• Data localisation for clinical records in CEMAC-region-compliant storage where technically and commercially feasible
• Annual review of all sub-processor locations and data transfer mechanisms

14. Cookies and Tracking Technologies

The OpesCare public website and patient portal use the following types of cookies:

• Essential / Functional cookies: Required for authentication session management, CSRF protection, and platform security. Cannot be disabled without impairing platform functionality.
• Analytics cookies: Anonymous, aggregated page-view analytics used to improve the platform. No personal or health data is transmitted to analytics providers.
• No advertising or tracking cookies are used on any OpesCare platform.

You may manage non-essential cookies via your browser settings at any time.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, our processing activities, or platform features. We will notify registered users of material changes via email and in-platform notification at least 30 days before changes take effect. The current version will always be available at this URL with its effective date. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

16. Contact — Data Protection Officer

For all data protection enquiries, rights requests, or complaints: