
Privacy Policy

Effective: 1 June 2026 Last updated: 1 June 2026

This is a health data platform. The information you provide about your body, pain, and health history is sensitive personal data and is treated as such throughout this policy. Please read it carefully before using the Service.

Introduction

Fesera Health Technologies ("Fesera," "we," "us," or "our") is committed to protecting your personal information and your right to privacy. This Privacy Policy explains what information we collect, why we collect it, how we use it, who we share it with, and what rights you have over your data.

By creating an account and using the Service, you agree to the practices described here.

1. Data Controller

The data controller responsible for your personal information is:

Fesera Health Technologies
Email: privacy@fesera.com
Website: fesera.com

For all privacy questions, requests, or complaints, contact us at the address above.

2. Legal Basis for Processing

We process your personal data under the following legal bases, as defined by the Nigeria Data Protection Act (NDPA) 2023 and its predecessor, the NDPR 2019:

| Purpose | Legal Basis |
|---|---|
| Creating and managing your account | Contract performance |
| Delivering the assessment and programme | Contract performance |
| Processing payments | Contract performance |
| Platform safety and fraud prevention | Legitimate interest |
| Transactional communications | Contract performance |
| Research using anonymised, aggregated data | Legitimate interest (anonymised data) |
| Research involving your identifiable data | Explicit, separate consent (opt-in only) |
| Marketing communications | Explicit consent |
| Legal compliance | Legal obligation |

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

3. Information We Collect

3.1 Account and Identity Information

  • Email address — authentication, communications, account recovery
  • Password — stored in hashed form; never stored in plaintext
  • First and last name (optional) — to personalise your experience
  • Display name (optional)
  • Profile photo (optional)
  • Timezone and locale preferences — to schedule sessions correctly

3.2 Health and Clinical Assessment Data

This is the most sensitive category of data we collect. It is treated as special category personal data under applicable data protection law and is subject to heightened protections.

  • Pain duration — how long you have had back pain
  • Pain intensity — rated 0–10 on the Numeric Rating Scale
  • Pain trajectory — worsening, stable, or improving
  • Red flag screening responses — yes/no answers to identify serious pathology risk
  • Back pain subtype classification — e.g., Extension-Biased, Flexion-Biased, Radicular, Central Sensitisation, Non-Specific/Motor Control
  • Psychosocial risk level — derived from the STarT Back Tool (low, medium, or high)
  • STarT Back risk score and percentage
  • Daily pain check-in scores (0–10) throughout the 12-week programme
  • Unusual symptom flags recorded during check-ins
  • Pre- and post-session pain scores
  • Pain response classifications — how your pain responds to exercise sessions
  • Reassessment measurements at weeks 2, 6, and 12

3.3 Programme and Activity Data

  • Session completion data — exercises completed, sets, repetitions, hold times
  • Session status — planned, started, completed, skipped, or aborted
  • Phase progression data — readiness reviews and phase-unlock events
  • Offline activity logs — sessions completed offline, synced upon reconnection

3.4 Device and Technical Information

  • Device type and name, operating platform
  • Browser type and version, app version
  • IP address
  • Log data — timestamps, pages accessed, errors encountered

3.5 Payment Information

  • Paystack transaction reference and payment status
  • Payment amount and currency
  • Raw Paystack webhook payload — stored for audit and fraud detection

We do not collect or store your card number, CVV, expiry date, or bank account details. All card data is processed directly by Paystack under their PCI-DSS compliance programme.

4. How We Use Your Information

4.1 Delivering the Service

  • Authenticating your identity and managing your account
  • Processing and classifying your assessment results
  • Delivering your personalised 12-week programme
  • Adapting daily sessions based on your pain check-in responses
  • Tracking your progress through phases
  • Syncing offline activity when you reconnect

4.2 Safety and Clinical Safeguards

  • Applying red flag rules to prompt you to seek medical care when indicated
  • Monitoring pain response data to modify session intensity
  • Applying clinical safety thresholds — e.g., locking sessions when pain scores indicate risk

4.3 Communications

  • Transactional emails — account confirmation, payment receipts, password reset
  • Service notices — programme updates, policy changes
  • Marketing communications — only with your explicit consent; you may unsubscribe at any time

5. Research Use of Your Data

5.1 Anonymised Research (Default)

Fesera intends to use de-identified, aggregated data from the platform for health outcomes research, programme effectiveness evaluation, and the development of future rehabilitation programmes.

"De-identified" means all direct identifiers — your name, email, and any data that could reasonably identify you — have been removed or irreversibly transformed. Data of this kind does not constitute personal data under the NDPA.

This research may include: analysis of treatment response rates across clinical subtypes; evaluation of 12-week programme efficacy; research informing future Fesera programmes for other MSK conditions and women's health.

You may object to even anonymised research use of your data by contacting privacy@fesera.com. We will exclude your data from research datasets upon request.

5.2 Identifiable Research (Opt-In Only)

If we ever wish to conduct research involving your identifiable personal or health data, we will:

  • Contact you separately with a full description of the study and how your data would be used
  • Obtain your explicit, written, informed consent before using your identifiable data
  • Allow you to withdraw consent at any time without consequence
  • Never make access to the Service conditional on participation in identifiable research

5.3 Future Programme Development

Anonymised, aggregated data from the current programme may inform the design of future Fesera programmes, including programmes for other musculoskeletal conditions and women's health-related conditions. Identifiable data will never be used for this purpose without separate consent.

6. Data Sharing and Third Parties

We do not sell your personal data to any third party.

6.1 Infrastructure Providers

| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, file storage | All user data stored on platform |
| Paystack | Payment processing | Payment transaction data only |

Both providers act as data processors under our instructions. Fesera applies Row-Level Security (RLS) policies ensuring your data is only accessible to authenticated requests from your own account.

6.2 Legal Disclosures

We may disclose your information if required by law, court order, or a request from a regulatory authority with jurisdiction over Fesera, including the Nigeria Data Protection Commission (NDPC).

6.3 Business Transfers

In the event of a merger, acquisition, or sale of Fesera's assets, your data may be transferred to a successor entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.

6.4 Aggregated or De-identified Data

We may share aggregated, de-identified data with research partners or academic institutions for health research. This data cannot be used to identify you.

7. International Data Transfers

Your data may be stored and processed in data centres outside Nigeria, as Supabase operates infrastructure across multiple global regions. Where data is transferred internationally, Fesera ensures adequate safeguards are in place consistent with the NDPA, including standard contractual protections where applicable.

8. Data Retention

| Data Category | Retention Period |
|---|---|
| Account data (name, email) | Duration of account + 2 years |
| Health and assessment data | Duration of account + 5 years |
| Programme and activity data | Duration of account + 5 years |
| Payment records | 7 years (accounting/legal obligation) |
| Technical logs | 90 days |
| Research datasets (anonymised) | Indefinitely |

When you delete your account, we will permanently delete all personal and health data identifiable to you within 30 days, except where legally required to retain it or where data has been irreversibly anonymised.

9. Data Security

Our security measures include:

  • Encryption in transit — all data uses TLS (HTTPS)
  • Encryption at rest — database storage is encrypted at rest by Supabase
  • Row-Level Security (RLS) — database policies ensure authenticated queries can only access the requesting user's own data
  • Hashed passwords — passwords are never stored in plaintext
  • HMAC verification — payment webhook payloads are cryptographically verified before processing
  • Access controls — internal access to user data is restricted on a need-to-know basis

In the event of a data breach likely to risk your rights and freedoms, we will notify you and the Nigeria Data Protection Commission (NDPC) as required by law.

10. Your Privacy Rights

Fesera provides the same core set of privacy rights to all users, regardless of location.

10.1 Universal Rights (All Users)

| Right | What It Means |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion where data is no longer necessary or processing was unlawful |
| Restriction | Request we limit processing while a dispute is resolved |
| Portability | Receive your data in a machine-readable format (e.g., JSON) |
| Object | Object to processing based on legitimate interests, including research use |
| Withdraw Consent | Withdraw any consent-based processing at any time |

To exercise any of these rights, email privacy@fesera.com with the subject line "Data Subject Request." We respond within 30 days and may verify your identity first.

10.2 Nigeria (NDPA 2023)

Nigerian users have the rights above under the Nigeria Data Protection Act 2023. You may lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpb.gov.ng.

10.3 European Union (GDPR)

EU residents have additional rights under GDPR 2016/679, including the right not to be subject to solely automated decision-making. You may request human review of any automated classification by contacting privacy@fesera.com. You may also lodge a complaint with your national supervisory authority. For EU data transfers, Fesera relies on Standard Contractual Clauses (SCCs) where required.

10.4 United Kingdom (UK GDPR)

UK residents have equivalent rights under the UK GDPR and the Data Protection Act 2018. You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10.5 California, USA (CCPA / CPRA)

California residents have additional rights including the right to know, right to delete, right to correct, and the right to limit use of sensitive personal information. Health data is sensitive personal information under CPRA. Fesera does not sell or share personal information for cross-context behavioural advertising. To exercise CCPA/CPRA rights, email privacy@fesera.com with the subject "California Privacy Request."

10.6 Other Jurisdictions

As Fesera expands, we will publish jurisdiction-specific addenda for markets with distinct privacy law requirements. Users in all jurisdictions are entitled to the universal rights in Section 10.1.

11. Children's Privacy

The Fesera Service is intended for adults aged 18 and over. We do not knowingly collect personal data from individuals under 18. If we become aware a minor has used the Service, we will delete that account and associated data promptly. Contact privacy@fesera.com if you believe a minor has registered.

12. Cookies and Tracking

12.1 Essential Cookies

Fesera uses essential session cookies to maintain your authenticated session. These are necessary for the Service to function and cannot be disabled without logging you out.

12.2 Analytics

We may use privacy-respecting, anonymised analytics to understand platform navigation and identify improvements. Where analytics tools set cookies, we will seek your consent before doing so.

12.3 No Advertising Tracking

Fesera does not use advertising cookies, does not participate in ad networks, and does not track your activity across third-party websites.

13. Health Data: Special Handling Commitment

In addition to the security measures above, Fesera commits that your health data will never be shared with insurers, employers, financial institutions, or government bodies except as required by law. Your health data will never be sold, licensed, or shared with third parties for commercial or advertising purposes.

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. For material changes, we will notify you by email or in-app notification and update the "Last Updated" date above. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

15. Contact

| Matter | Contact |
|---|---|
| Privacy requests & data subject rights | privacy@fesera.com |
| General support | support@fesera.com |

This Privacy Policy was drafted with reference to the Nigeria Data Protection Act (NDPA) 2023, the NDPR 2019 and its Implementation Framework, the EU GDPR 2016/679, the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), and international best practices in health data protection.
