Privacy Policy

Who We Are

Havilah Strategy Consult Limited is a management consulting firm registered in Nigeria and headquartered in Abuja, Federal Capital Territory. The firm operates across the following entities:

• Havilah Strategy Consult Limited: The parent entity and primary data controller. Provides strategy, public sector modernization, and health systems strengthening services to governments, development partners, and foundations.
• Havilah Initiative for Technology Development: A subsidiary responsible for the development and operation of digital and technology products, including the Frontline AI platform.
• Havilah Initiative for International Development: A subsidiary focused on international development programming, grant management, and implementation of donor-funded health and community initiatives.

Havilah acts as the data controller for personal data collected through its consulting engagements and as the data processor for health information handled on behalf of government clients and development partners.

Scope and Application

This Privacy Statement applies to:

• All individuals who interact with Havilah as clients, partners, beneficiaries, job applicants, or website visitors.
• Healthcare workers, community health extension workers (CHEWs), and primary healthcare (PHC) nurses who use the Frontline AI platform.
• Patients and community members whose anonymized or de-identified health data may be processed in the course of Frontline AI’s clinical decision support functions.
• Employees, consultants, and contractors of Havilah entities who are subject to our internal data governance policies.
• Any third party who transmits data to Havilah or receives data from Havilah in the context of a formal engagement.

This Statement does not apply to third-party websites, services, or applications that may be linked from our platforms or mentioned in our materials.

Data We Collect

Information You Provide Directly

• Full name, job title, organization, and contact details such as email, phone number, and mailing address.
• Credentials, professional registration numbers, and qualifications for healthcare workers onboarded to Frontline AI.
• Communications, forms, proposals, and documents submitted in the course of consulting engagements or procurement processes.
• Employment application materials, including curriculum vitae, references, and supporting documents.

Information Collected Through Frontline AI

Frontline AI is a WhatsApp-based clinical decision support tool deployed at the primary healthcare level. Through its operation, the following data may be collected:

• Healthcare Worker Data: WhatsApp identity (phone number), interaction logs, queries submitted, decision support responses received, timestamps, and facility/LGA identifiers.
• Clinical Interaction Data: Symptom queries, drug dosage inquiries, immunization protocol questions, and other clinical information exchanged via the platform. This data is processed in real time and is not retained in identifiable form beyond the session unless the worker elects to save a summary.
• Aggregate Service Data: Non-identifiable usage metrics, query volumes by protocol area, response accuracy assessments, and system performance indicators used to improve the platform.

Information Collected Automatically

• IP addresses, device type, browser or application version, and session duration when accessing Havilah websites or digital portals.
• Cookies and similar tracking technologies used to maintain session state and improve user experience. You may disable cookies through your browser settings, though this may affect functionality.
• Geolocation data at the facility or ward level where Frontline AI integrates with geospatial health systems, strictly for service delivery routing and program analytics.

How We Use Your Information

We process personal data only for lawful, specific, and legitimate purposes, including:

• Service Delivery: To deliver consulting, advisory, and technology services to clients, government agencies, and development partners.
• Frontline AI Operations: To provide real-time clinical decision support to PHC workers, including query interpretation, protocol matching, and response generation using retrieval-augmented generation (RAG) architecture grounded in FMOH, NPHCDA, and WHO-approved protocols.
• Program Monitoring and Evaluation: To generate aggregate, non-identifiable reports on service utilization, coverage metrics, and platform performance for program oversight and improvement.
• Legal and Contractual Compliance: To fulfill obligations under contracts, grants, and applicable laws, including reporting to donors, regulatory authorities, and institutional review bodies.
• Human Resources: To evaluate, hire, manage, and pay employees and consultants, and to maintain required employment records.
• Security and Fraud Prevention: To protect the integrity of our systems, detect and prevent unauthorized access, and investigate incidents of misuse.
• Research and Knowledge Generation: Where applicable and with appropriate ethical approval, to conduct public health research using de-identified or aggregated datasets that cannot be traced to individuals.

Legal Basis for Processing

Havilah processes personal data on the following legal bases under the Nigeria Data Protection Act 2023 (NDPA) and applicable international standards:

• Consent: Where individuals have explicitly opted in to the use of their data, including healthcare workers onboarded to Frontline AI.
• Contractual Necessity: Where processing is required to perform a contract to which the data subject is a party, including employment and service delivery contracts.
• Legal Obligation: Where processing is necessary to comply with applicable law, including public health regulations, labor law, and donor reporting requirements.
• Legitimate Interests: Where processing serves a legitimate organizational interest that is not overridden by the rights and freedoms of the data subject, including system security, fraud prevention, and service improvement.
• Public Interest / Vital Interests: In the context of health data processed for PHC service delivery, disease surveillance, or emergency health response.

Sharing and Disclosure of Data

We do not sell, rent, or trade personal data. We may share data in the following limited circumstances:

• Government and Regulatory Clients: De-identified or aggregated health data is shared with relevant government ministries, departments, and agencies (MDAs) as required under program agreements or public health law.
• Development Partners and Donors: Program performance data, including usage metrics and health outcome indicators, is reported to institutional donors such as the Bill & Melinda Gates Foundation, WHO, UNICEF, and USAID, strictly in aggregate and non-identifiable form unless otherwise required by law.
• Technology and Service Providers: We engage vetted third-party vendors to support platform operations, including cloud infrastructure providers and AI model services. These vendors are bound by data processing agreements that restrict the use of data to specified purposes.
• Research Partners: Where ethical approval has been obtained, de-identified data may be shared with academic or public health research institutions.
• Legal and Regulatory Authorities: Where required by a valid court order, regulatory directive, or applicable law, we will disclose data to the extent necessary to comply with the legal obligation.
• Institutional Partners: Data may be shared with formal institutional partners such as universities or research bodies under signed memoranda of understanding (MOUs) that include data governance provisions.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law or contractual obligation. Specific retention periods include:

• Consulting engagement records: retained for a minimum of seven (7) years following project close, consistent with standard financial and professional audit requirements.
• Frontline AI interaction logs: session-level clinical query data is retained for no more than ninety (90) days in identifiable form, after which it is permanently anonymized or deleted. Aggregate analytics data may be retained indefinitely.
• Employment records: retained for the duration of employment and for a minimum of five (5) years following separation, in line with applicable labor law.
• Website and platform analytics: retained for no more than twenty-four (24) months, after which they are aggregated or purged.

Data Security

Havilah employs appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, and destruction. These measures include:

• End-to-end encryption for health data transmitted via the Frontline AI WhatsApp interface.
• Access controls, role-based permissions, and multi-factor authentication for internal systems.
• Regular security assessments, vulnerability scans, and incident response protocols.
• Data minimization practices that ensure only data necessary for the stated purpose is collected and retained.
• Employee and contractor training on data protection obligations and secure handling procedures.
• Vendor due diligence to ensure third-party processors meet equivalent security standards.

In the event of a data breach that poses a risk to the rights and freedoms of data subjects, we will notify relevant authorities and affected individuals in accordance with the timelines specified under the NDPA and any applicable institutional notification requirements.

Your Rights as a Data Subject

Subject to applicable law and any overriding public health or legal obligations, individuals whose data we process have the following rights:

• Right of Access: You may request confirmation of whether we hold personal data about you and, if so, obtain a copy of that data.
• Right to Rectification: You may request correction of inaccurate or incomplete personal data.
• Right to Erasure: You may request deletion of your personal data where there is no lawful basis for its continued retention.
• Right to Restriction of Processing: You may request that we limit the processing of your data pending resolution of a dispute or complaint.
• Right to Data Portability: Where applicable, you may request a machine-readable copy of personal data you have provided to us.
• Right to Object: You may object to processing based on legitimate interests or where data is used for direct marketing or profiling.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please submit a written request to the contact details provided below. We will respond within thirty (30) days unless the complexity of the request warrants an extension, which we will communicate to you.

Special Considerations for Health Data

Havilah recognizes that health data carries heightened sensitivity and deserves a higher standard of care. In the context of Frontline AI and our health systems work, we observe the following additional safeguards:

• Clinical queries processed by Frontline AI are used solely to generate decision support responses and are not shared with third parties for marketing, insurance underwriting, or any commercial purpose.
• Patient-level data is processed only in anonymized or de-identified form. No individually identifiable patient information is collected, stored, or transmitted through Frontline AI.
• AI-generated clinical recommendations on Frontline AI are grounded in evidence-based protocols endorsed by FMOH, NPHCDA, and WHO. Healthcare workers retain full professional responsibility for all clinical decisions.
• Where health data is collected for research, appropriate ethical approvals from an institutional review board or research ethics committee are obtained prior to data collection.
• Health data processed in the context of donor-funded programs is subject to additional confidentiality obligations specified in the relevant grant agreement.

International Data Transfers

Havilah is a Nigerian entity and processes data primarily within Nigeria. However, the nature of our work with international development partners and our use of cloud-based technology infrastructure means that some data may be processed or stored on servers located outside Nigeria.

Where such transfers occur, we ensure that:

• The receiving jurisdiction provides an adequate level of data protection, or
• Appropriate safeguards are in place, such as contractual clauses, binding corporate rules, or equivalent mechanisms recognized under Nigerian or applicable international law.

Updates to This Privacy Statement

We may update this Privacy Statement from time to time to reflect changes in our services, legal obligations, or data processing practices. The effective date at the top of this document will be revised accordingly. Where changes are material, we will notify affected users or data subjects through appropriate channels.

Continued use of Havilah services after a revised Privacy Statement has been posted constitutes acceptance of the updated terms.

Contact Us

For questions, requests, or complaints relating to this Privacy Statement or the processing of your personal data, please contact:

Data Protection Officer
Havilah Strategy Consult Limited
Abuja, Federal Capital Territory, Nigeria
Email: privacy@havilahstrategy.com

You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your data rights have been violated.

Effective Date: April 29, 2025
Last Updated: April 29, 2025