Legal
Privacy Policy
This policy explains what Helm collects, why we collect it, how we protect laboratory and patient data, and how you can exercise your data rights.
Effective date
1 June 2026
Contact
privacy@helmlims.com
At a glance
- Your laboratory data and patient records remain your property.
- Payment card details are handled by Paystack and are not stored on Helm servers.
- We do not sell, rent, trade, or use patient data for advertising.
- You can contact us to exercise privacy rights under Nigerian data protection law.
1. Data Controller
Sampliq Health Technologies Limited ("Sampliq", "we", "us", or "our") operates the Helm laboratory information system at helmlims.com. This Privacy Policy explains how we collect, use, and protect personal data in connection with the service. We are committed to complying with the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023.
2. Data We Collect
Account and billing data: When you sign up we collect your name, email address, laboratory name, and payment information. Payment card details are handled exclusively by Paystack and are never stored on our servers.
Laboratory operational data: Data you enter to operate your laboratory, including patient names, dates of birth, contact details, test orders, and laboratory results. This data is entered by you and belongs to you.
Usage data: Log data such as IP addresses, browser type, pages visited, and timestamps, collected automatically to maintain service security and reliability.
Communications: If you contact our support team, we retain those communications to resolve your issue and improve our service.
3. How We Use Your Data
We use personal data only to:
- Provide, operate, and maintain the Helm service.
- Process payments and manage your subscription via Paystack.
- Send transactional emails, including password resets, receipts, and account notices, via Resend.
- Monitor service performance, detect errors, and investigate security incidents.
- Comply with applicable Nigerian law and respond to lawful requests from authorities.
We do not use your data for advertising, profiling, or any purpose unrelated to providing you with the Helm service.
4. Lawful Basis for Processing
Under the NDPA and NDPR, we process personal data on the following bases:
- Contract performance - to provide the service you subscribed to.
- Legitimate interests - for service security, fraud prevention, and product improvement, where those interests are not overridden by your rights.
- Legal obligation - where processing is required by Nigerian law.
- Consent - where you have explicitly provided it, such as optional marketing communications.
5. Data Ownership and Your Rights
All patient records and laboratory data you enter into Helm remain your property at all times. Sampliq processes this data only as a data processor acting on your instructions.
Under the NDPR and NDPA you have the right to:
- Access - request a copy of personal data we hold about you.
- Rectification - correct inaccurate personal data.
- Erasure - request deletion of your data, subject to legal retention obligations.
- Portability - export your laboratory data in a machine-readable format at any time from within the app.
- Objection - object to processing based on legitimate interests.
To exercise any of these rights, email us at privacy@helmlims.com. We will respond within 30 days.
6. Data Storage and Security
Your data is stored on cloud servers (Supabase / PostgreSQL) hosted in the European Union (Frankfurt, Germany) under a data processing agreement that meets NDPR requirements for cross-border data transfers.
We implement industry-standard security measures including TLS encryption in transit, encryption at rest, role-based access controls, and regular security audits. Access to production data is restricted to authorised personnel only.
In the event of a data breach affecting your personal data, we will notify you and the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware, as required by the NDPA.
7. Third-Party Service Providers
We share data with trusted processors only to the extent necessary to provide the service:
- Supabase - database and file storage.
- Paystack - payment processing. Paystack does not receive patient data.
- Resend - transactional email delivery.
- Sentry - error monitoring. Patient identifiers are stripped from error reports before transmission.
We do not sell, rent, or trade your personal data or your patients' data to any third party, ever.
9. Data Retention
We retain account and billing data for as long as your subscription is active and for 7 years thereafter, as required for financial record-keeping under Nigerian law. Patient and laboratory data is retained for the duration of your subscription. Upon account closure, data is available for export for 30 days before being permanently deleted.
10. Children
Helm is not directed at individuals under 18. We do not knowingly collect personal data from minors directly. Patient records for minor patients entered by laboratory professionals are treated with the same protections as all other patient data.
11. Changes to This Policy
We may update this Privacy Policy as our practices or the law changes. We will notify you by email at least 14 days before material changes take effect. The current version is always available at helmlims.com/privacy.
12. Contact and Complaints
For privacy questions or to exercise your data rights, contact our Data Protection Officer at privacy@helmlims.com.
If you believe we have not handled your personal data in accordance with the NDPR or NDPA, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.