Legal

NkwaPlus Privacy Statement

Individual Clients Privacy Statement

Introduction

This Privacy Statement applies to individual health care professionals using the Digital Remote Care Application, NkwaPlus, when providing telehealth services.

NkwaPlus is developed by Afrifanom Limited (Afrifanom) and provided in collaboration with PharmAccess Ghana. This Privacy Statement will explain how your personal data is collected, used, stored, shared and how it is protected when using the app. Your personal data will be processed in a fair, reasonable and lawful manner.

Your employer healthcare institution is the controller for the data processed in NkwaPlus.

PharmAccess Ghana is an international non-governmental organization with an office in Ghana and its head office located in the Netherlands (together: PharmAccess). PharmAccess is a processor of the personal data used in NkwaPlus.

Afrifanom Limited is the processor for the data processed in NkwaPlus. It processes your personal data through the app to provide you with a user account, allowing you access to the measurements provided by your patients.

Afrifanom is certified under ISO 27001. Their systems and processes are designed in line with industry best practices for data security, privacy, and infrastructure management. You can read more about how Afrifanom deals with and protects your privacy below in this document.

Personal data

NkwaPlus processes the following types of personal data:

Contact details: name, address, gender, email address, telephone number and other necessary contact information.

Demographic and identification data such as date of birth where applicable.

Communication data generated through the platform such as messages between patients and healthcare providers.

Technical information related to the use of the application such as device type, operating system and application usage data.

Patient feedback and survey responses collected to evaluate and improve the services provided through NkwaPlus.

Please make sure that you adequately protect your device from unauthorized access to the information in the app. We recommend that you at least protect the device which you use to access the app with a strong password.

Your personal data may be accessed by:

Technical service providers who support the operation of the application under strict confidentiality agreements.

Third parties we make use of, such as the National Information Technology Agency Data Center in Ghana for cloud infrastructure and Bluehost and Amazon Simple Email Service for email services, all under strict data processing agreements.

Security

Afrifanom has taken the following security measures to ensure secure data processing:

  • Infrastructure Access Control:

Access to servers and infrastructure is restricted and secured via VPN, with role-based access control. Only authorized personnel with specific responsibilities can access production systems.

  • Database Security:

Database access is strictly limited to necessary personnel based on roles. Authentication and access controls are enforced, and credentials are securely managed.

  • Encryption:

Data is encrypted both in transit and at rest. Transport Layer Security (TLS), provided by DigiCert, is used for all communications, and sensitive data is protected using strong encryption standards (e.g., AES-256 where applicable). Passwords are hashed and salted.

  • Authentication & Authorization:

Strong password policies are enforced. Two-factor authentication (2FA) is supported for administrative and sensitive access points. Login attempts are rate-limited to prevent brute-force attacks.

  • Application Security:

Input validation and sanitization are implemented to prevent malicious data injection. Secure coding practices are followed, and the codebase is reviewed regularly.

  • Environment Separation:

Separate environments (development, staging, production) are maintained to reduce risk and ensure controlled deployments.

  • Monitoring & Logging:

System activities, access logs, and anomalies are continuously monitored. Alerts are triggered for suspicious behavior.

  • Backup & Recovery:

Regular automated backups are performed, with restricted access to backup systems to prevent unauthorized use or deletion.

  • Updates & Vulnerability Management:

Security patches and updates are applied continuously. Vulnerabilities are actively monitored and addressed as part of an ongoing process.

  • Session & Cookie Security:

Session durations are limited, and sensitive data is not stored in cookies. Any necessary cookie data is encrypted and cleared upon logout.

  • Malware Protection:

Systems are monitored for malicious activity, and protective mechanisms are in place to detect and mitigate threats.

  • Testing & Improvements:

Systems are periodically reviewed for potential weaknesses.

  • Employee Awareness:

Team members are guided on data protection and security best practices as part of internal processes.

Transfer of data outside Ghana

PharmAccess will store your data on secured servers located in Ghana. Additionally, the data will be sent for analysis to PharmAccess' head office in the Netherlands, a country with an adequate level of security under the European General Data Protection Regulation. Such transfer will take place using appropriate safeguards in accordance with the Ghana Data Protection Agency guidelines and other applicable data protection laws.

Data retention periods

We will retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, in accordance with the Ghana Data Protection Act, 2012 (Act 843), applicable healthcare regulations, and professional guidelines. When personal data is no longer required for the purposes for which it was collected, or when the applicable retention period expires, it will be securely deleted, anonymised, or archived in accordance with our data retention policies and the requirements of the Data Protection Act.

If you want your data to be removed from NkwaPlus, please contact your employer healthcare institution. This also applies to requests for access, rectification, addition, limitation or any objections.

Contact and complaints

If you believe that the data processing for NkwaPlus is not in accordance with applicable laws and regulations, you can report this to your employer healthcare institution.

The Data Protection Commission is the independent supervisor with regard to compliance with privacy legislation in Ghana. You can find a lot of information on the website of the Data Protection Commission, including information on privacy regulations and data processing in healthcare.

Updates to this privacy statement

This Privacy Policy was last updated in May 2026. This Privacy Policy may be amended from time to time. Your healthcare institution and PharmAccess will inform you about such changes in a timely manner via a message on the NkwaPlus Application.