KENNEDIA HMO PRIVACY POLICY

Last Updated: November 11, 2025

  1. INTRODUCTION AND PURPOSE

This Privacy Policy (“Policy”) explains how Kennedia HMO (“Kennedia HMO,” “Company,” “we,” “us,” or “our”) collects, uses, stores, shares, and protects your personal data when you interact with our digital platforms — including our website, mobile application, and other online services (collectively, the “Service”).

It also explains your privacy rights under applicable data protection laws, including:

  • The General Data Protection Regulation (GDPR) (EU 2016/679);
  • The Nigeria Data Protection Regulation (NDPR) 2019 and Nigeria Data Protection Act (NDPA) 2023; and
  • Other relevant data protection and privacy laws applicable in jurisdictions where we operate.

By accessing or using our Service, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy.

  2. INTERPRETATION AND DEFINITIONS

2.1 Interpretation

Words with initial capital letters have specific meanings. These definitions apply whether the terms appear in singular or plural.

2.2 Definitions

  • Account – A unique profile created for you to access our Service.
  • Affiliate – Any entity that controls, is controlled by, or is under common control with Kennedia HMO.
  • Controller – The entity that determines the purposes and means of processing personal data (Kennedia HMO).
  • Processor – Any third party that processes personal data on behalf of Kennedia HMO.
  • Personal Data – Any information that relates to an identified or identifiable individual.
  • Processing – Any operation performed on personal data, including collection, storage, alteration, use, disclosure, or deletion.
  • Service – The Kennedia HMO website, app, or related digital platforms.
  • You / Your / Data Subject – The individual whose personal data is collected or processed by Kennedia HMO.

  3. LEGAL BASIS FOR PROCESSING

We process your personal data only when permitted by applicable law. The legal bases include:

  • Contractual necessity: to provide and manage your healthcare plan or Service.
  • Legal obligation: to comply with applicable health, tax, and data protection laws.
  • Legitimate interests: to improve services, ensure security, and manage business operations.
  • Consent: when you voluntarily agree to specific processing (e.g., marketing communications).

Where consent is required, you may withdraw it at any time by contacting us.

  4. CATEGORIES OF DATA WE COLLECT

We collect the following categories of data:

4.1 Personal Data

  • Identification & Contact Information: name, address, phone number, email address.
  • Demographic Information: date of birth, gender, marital status, dependents.
  • Health & Benefits Data: insurance plan details, medical services received, claims, and reimbursements.
  • Financial Data: bank account or payment card details for premium or claim transactions.
  • Government Identifiers: National ID, driver’s license, voter’s card, etc.
  • Employment & Academic Details: where relevant to health plan eligibility.

4.2 Usage and Technical Data

Automatically collected when you use our Service:

  • IP address, browser type, device information, pages visited, duration of session;
  • Cookies, web beacons, and analytics data;
  • Geo-location data (where permitted).

4.3 Third-Party Data

We may receive your data from:

  • Healthcare providers and partner hospitals;
  • Claims administrators or payment processors;
  • Regulatory authorities or affiliates assisting in service delivery.

  5. PURPOSE OF PROCESSING

We process your personal data to:

  • Provide, manage, and administer healthcare and insurance services;
  • Verify identity and enrolment eligibility;
  • Process premiums, reimbursements, and medical claims;
  • Respond to customer inquiries and provide support;
  • Send notifications, updates, and policy information;
  • Improve service functionality, usability, and performance;
  • Detect, prevent, and investigate fraud or unauthorized activity;
  • Comply with legal and regulatory obligations; and
  • Conduct internal research and analytics.

  6. COOKIES AND TRACKING TECHNOLOGIES

Our website uses cookies, pixel tags, and similar technologies to collect information for analytics, personalization, and security.

Types of Cookies

  • Essential Cookies – Required for the website to function properly.
  • Performance Cookies – Track how visitors use our site.
  • Functional Cookies – Remember your preferences (e.g., language).
  • Marketing Cookies – Help us deliver targeted communications (used only with consent).

You can control cookies through your browser settings. Refusing cookies may affect site functionality.

  7. DATA SHARING AND DISCLOSURE

We do not sell or rent your personal data.

However, we may share data with trusted entities in these circumstances:

Category | Purpose | Safeguards
Service Providers | To provide IT, analytics, claims, or communication services | Bound by data protection agreements
Affiliates / Partners | To manage cross-border operations or integrated services | Process data consistent with this Policy
Regulatory Authorities | To comply with lawful requests or audits | Limited to legally required information
Business Transfers | During mergers, restructuring, or acquisitions | Data protected by confidentiality clauses

All third parties must maintain adequate security measures and process your data only for authorized purposes.

  8. INTERNATIONAL DATA TRANSFERS

Your personal data may be transferred to servers or processors outside your country.

Whenever we transfer data internationally, we ensure:

  • Adequate data protection levels in the recipient jurisdiction;
  • Standard contractual clauses or other legal transfer mechanisms; and
  • Compliance with NDPA 2023 and GDPR cross-border transfer rules.

  9. DATA RETENTION

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

  • Legal, regulatory, or contractual obligations;
  • Accounting or reporting requirements; and
  • Security and fraud prevention purposes.

After the retention period, data will be securely deleted or anonymized.

  10. DATA SECURITY

We adopt industry-standard administrative, technical, and physical safeguards to protect personal data, including:

  • Data encryption in transit and at rest;
  • Access control and authentication measures;
  • Firewalls and intrusion detection systems;
  • Employee confidentiality agreements and training;
  • Regular security audits and incident-response protocols.

If a data breach occurs that poses a risk to your rights and freedoms, we will notify you and the appropriate authority (e.g., NITDA or an EU supervisory authority) within statutory time limits.

  11. YOUR DATA PROTECTION RIGHTS

Depending on your jurisdiction, you have the following rights:

Right | Description
Access | Request copies of your personal data we hold.
Rectification | Correct inaccurate or incomplete data.
Erasure (“Right to be Forgotten”) | Request deletion of data no longer necessary.
Restriction | Ask us to limit how we use your data.
Portability | Obtain your data in a structured, machine-readable format.
Objection | Object to processing based on legitimate interests or direct marketing.
Withdrawal of Consent | Withdraw consent where processing is based on it.
Lodge a Complaint | File a complaint with NITDA (Nigeria) or an EU supervisory authority.

To exercise any right, contact us using the details in Section 15. We may request verification of your identity before fulfilling requests.

  12. CHILDREN’S AND DEPENDENTS’ PRIVACY

We understand the importance of protecting children’s data.

  • We collect dependent data (ages 0–21 years) only under the authorization of the parent, guardian, or principal enrollee.
  • We do not knowingly collect personal information directly from children under 13 years without verified parental consent.
  • Parents who believe a child’s data was collected improperly may contact us for prompt deletion.

  13. AUTOMATED DECISION-MAKING AND PROFILING

Kennedia HMO does not use automated decision-making that produces legal or similarly significant effects without human involvement.

If such processes are introduced (e.g., automated claims scoring), we will ensure transparency and the ability to request human review.

  14. ACCOUNTABILITY AND DATA PROTECTION GOVERNANCE

Kennedia HMO maintains a Data Protection Compliance Program consistent with the NDPR Implementation Framework (2020) and GDPR Articles 5 and 24, including:

  • Appointment of a Data Protection Officer (DPO);
  • Regular privacy impact assessments (PIAs);
  • Mandatory employee data protection training;
  • Annual NDPR audit filings with the National Information Technology Development Agency (NITDA);
  • Vendor and processor due diligence.

Our DPO monitors compliance, manages incidents, and serves as liaison with regulators and data subjects.

  15. YOUR CHOICES AND COMMUNICATION PREFERENCES

You can manage your communication preferences (marketing emails, notifications) at any time through your account settings or by contacting us.

We may still send essential communications (e.g., claim confirmations, policy updates) even if you opt out of marketing messages.

  16. LINKS TO THIRD-PARTY WEBSITES

Our Service may contain links to other websites.

We are not responsible for the privacy practices or content of such third-party sites. We encourage you to review their privacy policies before providing personal data.

  17. POLICY UPDATES

We may update this Policy periodically to reflect regulatory, technical, or operational changes.

Updates will be posted on our website with a new “Last Updated” date.

Significant changes will be communicated via email or notification prior to taking effect.

Continued use of our Service after changes signifies acceptance of the revised Policy.

  18. GOVERNING LAW AND JURISDICTION

This Policy is governed by the laws of the Federal Republic of Nigeria, including the NDPR (2019) and NDPA (2023).

Where applicable, cross-border users within the European Economic Area (EEA) are also protected under the GDPR.

Disputes shall be subject to the exclusive jurisdiction of the competent courts in Lagos State, Nigeria, unless otherwise required by law.

  19. CONTACT INFORMATION

If you have any questions, requests, or complaints about this Privacy Policy or our data protection practices, please contact:

Data Protection Officer

Kennedia HMO

14B Kingsley Emu Street, Off Chris Efuyemi Onanuga Street, Lekki Phase 1, Lagos State, Nigeria

Email: info@kennediahmo.com

Website: https://www.kennediahmo.com

You may also lodge a complaint with:

  • The National Information Technology Development Agency (NITDA) — www.nitda.gov.ng; or
  • Your local supervisory authority within the EEA (if applicable).

Download our mobile app from the Play Store or the App Store, and sign in using your policy number and your registered phone number.
