Privacy Policy

Last updated: April 21, 2026

This Privacy Policy explains how Unmask ADHD ("we", "our", "us") collects, uses, and protects your personal and health information when you use our platform at unmaskadhd.com. This policy complies with the Nigeria Data Protection Act 2023 (NDPA) and international best practice.

1. Who We Are

Unmask ADHD is a specialist telehealth platform providing ADHD diagnostic consultations and ongoing care management in Nigeria. We are the data controller for the personal data you provide through this platform.

2. What Data We Collect

We collect the following categories of data:

2.1 Account Data
  • Full name, email address, phone number
  • Password (stored as a one-way cryptographic hash; we cannot recover it)
  • Account creation date and last login
2.2 Health & Clinical Data
  • Screening questionnaire responses (Phase 1)
  • Full assessment responses (Phase 2 Vault): ADHD, depression (PHQ-9), anxiety (GAD-7), mood screening
  • Clinical scores and diagnosis outcomes
  • Clinician notes, medication plans, and clinical reports (PDF)
  • Weekly symptom reports you submit voluntarily
2.3 Payment Data
  • Payment type, amount, and status
  • Stripe Customer ID and session identifiers
  • We do not store card numbers, CVVs, or bank details. All payment processing is handled by Stripe (PCI-DSS Level 1 certified)
2.4 Technical Data
  • IP address (for rate limiting and fraud prevention)
  • Login attempt records
  • Session tokens (stored server-side)

3. How We Use Your Data

| Purpose | Legal Basis (NDPA) |
| --- | --- |
| Providing the diagnostic and clinical services you requested | Contract performance |
| Processing payments via Stripe | Contract performance |
| Sending appointment confirmations and clinical reports | Contract performance |
| Preventing fraud, brute-force attacks, and abuse | Legitimate interests |
| Improving our clinical protocols and platform | Legitimate interests (anonymised) |
| Sending service updates and health information (with your consent) | Consent |

4. Health Data: Special Category

Your ADHD assessment results, clinical notes, and diagnostic reports are special category data under the NDPA. We apply the highest level of protection:

  • Health data is only accessible to your assigned clinician and platform administrators under strict need-to-know
  • Clinical reports (PDFs) are served exclusively through an authenticated proxy. Direct URL access is blocked
  • All data is stored on encrypted servers within secured hosting infrastructure
  • We will never sell, rent, or share your health data with third parties for marketing purposes

5. Data Sharing

We share your data only in these limited circumstances:

  • Your Clinician: Your assessment data, symptom reports, and messages are shared with the clinician you are assigned to
  • Stripe: Payment information is shared with Stripe, Inc. for processing (see the Stripe Privacy Policy)
  • Legal requirement: We may disclose data if required by Nigerian law, court order, or to prevent imminent harm

6. Your Rights Under the NDPA

As a data subject in Nigeria, you have the following rights:

  • Right of access: Request a copy of all data we hold about you
  • Right to rectification: Correct inaccurate personal data
  • Right to erasure: Request deletion of your account and personal data (subject to legal retention obligations)
  • Right to data portability: Receive your data in a structured, commonly used format
  • Right to withdraw consent: Opt out of marketing emails at any time via the unsubscribe link
  • Right to object: Object to processing based on legitimate interests

To exercise any right, email info@unmaskadhd.com. We will respond within 30 days.

7. Data Retention

We retain personal data for the following periods:

  • Account data: Until you delete your account, plus 90 days
  • Clinical records and reports: 7 years from last activity, to comply with Nigerian medical record regulations
  • Payment records: 7 years for financial compliance
  • Login attempts / security logs: 90 days

8. Security Measures

We take security seriously. Our measures include:

  • All passwords stored using Argon2id hashing (industry's most secure standard)
  • HTTPS enforced on all connections (HSTS with preload)
  • CSRF protection on all form submissions using cryptographic tokens
  • Rate limiting on login, payment, and API endpoints
  • Brute-force protection (auto-lockout after repeated failed logins)
  • Content Security Policy headers preventing code injection
  • Storage directories blocked from direct web access

9. Cookies

We use the following cookies:

  • Session cookie (PHPSESSID): Essential. Keeps you logged in. Expires when you close your browser.
  • Alert cookie: Essential. Displays flash messages after form submissions. Expires immediately after display.
  • Analytics cookies: Only set after you accept cookies via our consent banner. Used to improve the platform.

See our Cookie Policy for full details.

10. Children

Our platform is designed for adults (18+). We do not knowingly collect data from minors. If you believe a minor has registered, please contact us immediately.

11. Changes to This Policy

We may update this policy. We will notify you by email and display a prominent notice on the platform. Continued use after 30 days constitutes acceptance.

12. Contact

Unmask ADHD
Email: info@unmaskadhd.com
Website: unmaskadhd.com