    Privacy Policy

    Introduction

    Welcome to MR3 ("MR3", "we", "our", or "us"), a platform designed to help patients securely aggregate, manage, and share their medical and health records. MR3 operates through web and mobile channels and is committed to protecting your privacy and the security of your personal data.

    This Privacy Policy outlines how we collect, use, disclose, and protect your data in compliance with the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the Nigeria Data Protection Regulation (NDPR).

    By accessing or using MR3, you confirm that you have read, understood, and agreed to the terms of this Privacy Policy.

    Data We Collect

    We collect the following categories of data:

    a) Personal Identification Data

    • Full name

    • Date of birth

    • Gender

    • Contact details (email, phone number, address)

    • Identification documents (e.g., NIN, Passport, Driver's License)

    b) Health & Medical Information

    • Health conditions, medical history, lab results, prescriptions, immunizations, surgeries, vitals

    • Data entered manually or pulled from EHR/EMR integrations

    • Allergies, social history, physical activity, smoking/alcohol usage

    c) Device & Usage Data

    • IP address, browser type, device ID

    • Operating system and interaction logs

    • Audit logs of system usage

    d) Communication Data

    • Messages sent to support

    • Emails and SMS sent to/from the platform

    e) Financial & Payment Data

    • Subscription plan details

    • Payment method and transaction history

    (Note: We do not store full card details; these are handled by PCI-DSS-compliant processors)

    Use of Cookies and Tracking Technologies

    We use cookies and similar technologies to:

    • Enable secure logins and session management

    • Monitor usage analytics

    • Improve the performance and user experience

    You can manage your cookie preferences via your browser settings.

    Lawful Basis for Processing Data

    We process your data on the following lawful grounds:

    Legal Basis – Justification
    Consent – Users give explicit consent when registering and checking the Terms of Use
    Contractual Necessity – To provide access to your health records and manage your account
    Legal Obligation – To comply with NDPR, GDPR, HIPAA, and other laws
    Legitimate Interest – To improve our service, analytics, and engage in anonymized public health reporting

    Your Rights as a Data Subject

    Depending on your location and applicable laws, you have the following rights:

    Right to Access – Request a copy of your personal data

    Right to Rectification – Request correction of inaccurate data

    Right to Deletion – Request deletion of your data (unless required for legal compliance)

    Account Deletion Process

    You have the right to delete your MR3 account at any time. Deleting your account will permanently remove your personal data, health records, and all associated content from our systems, subject to applicable legal retention requirements.

    Steps to Delete Your MR3 Account (Mobile App):

    1. Open the MR3 Mobile App
    2. Go to Settings (found in the navigation menu or profile section)
    3. Select "Account & Security"
    4. Tap on "Delete My Account"
    5. Review the Account Deletion Notice and implications
    6. Confirm your identity (password or OTP)
    7. Tap "Confirm Deletion"

    Once your deletion request is confirmed:

    • Your account will be permanently deactivated within 7 days
    • You will receive a confirmation email/SMS once deletion is completed
    • Shared or anonymized data already used for reporting or analysis may remain, as it is no longer linked to your identity

    Right to Restrict Processing – Limit how your data is used

    Right to Data Portability – Obtain your data in a portable format

    Right to Withdraw Consent – Withdraw any consent given (e.g., marketing, data sharing)

    Right to Lodge a Complaint – Contact NDPC (Nigeria), your national DPA (EU), or the relevant authority

    To exercise your rights, contact us via the details in the "Contact Us" section.

    Sharing of Data

    We may share your data under the following conditions:

    a) With Your Consent (Explicit or Implied)

    • Healthcare professionals or family proxies you authorize

    • When you use the "Share Record" feature or participate in health financing programs

    b) Anonymous or Aggregated Data (Non-Personal)

    We may share de-identified, anonymized data with:

    • Government health bodies

    • Research institutions

    • Multilateral health agencies and NGOs

    • For reporting, policy planning, or epidemiological studies

    Note: Currently, there is no opt-out for anonymized data sharing. We may include this option in future versions.

    Third-Party Integrations

    We use the following third-party providers who may process limited personal data:

    Amazon Web Services (AWS) – Cloud infrastructure (EU-hosted)

    Termii – SMS delivery

    Brevo (formerly Sendinblue) – Email communication

    Paystack – For secure transactions (PCI-compliant)

    These partners are under binding agreements to process your data only per our instructions and with appropriate safeguards.

    Data Retention

    We retain your personal data:

    • For as long as your MR3 account is active

    • As needed to provide you services or comply with legal obligations

    • Medical and financial records are retained in accordance with local and industry-specific regulations

    When data is no longer required, it will be securely deleted or anonymized.

    Data Security

    We apply robust safeguards including:

    • Encryption of data at rest and in transit

    • Two-factor authentication (2FA)

    • Security question policies

    • Password reuse and strength enforcement

    • Role-based access control for MR3 staff

    • Audit logs for all platform activity

    We regularly monitor our systems for vulnerabilities and apply patches as needed.

    International Data Transfers

    Your data may be stored or processed in countries outside your own, including in the European Union via AWS. These transfers are subject to:

    • Standard Contractual Clauses (SCCs)

    • Appropriate technical and organizational safeguards

    • Compliance with NDPR for Nigerian users

    Complaints

    If you have concerns about how we handle your data, you can:

    • Email us: support@mr3.digital

    • Submit a complaint to:

    - Nigeria Data Protection Commission (NDPC)

    - Your national data protection authority (if in the EU or other jurisdictions)

    Changes to this Privacy Policy

    We may revise this Privacy Policy periodically. When we do, we will update the "Effective Date" and notify you via:

    • Email

    • App notifications

    • Website banners

    We encourage you to review this Policy regularly.

    Contact Us

    For any questions, feedback, or data requests, contact us at:

    MR3 Digital

    D5, Vista Estate, Jakande, Lekki

    📧 Email: support@mr3.digital

    📞 Phone: 07085749707

    🌐 Website: https://mr3.digital