Terms of Use

Welcome to Helium EMR, a simple yet robust hospital management information system that covers every aspect of the Patient’s journey through the hospital. Helium EMR is an Electronic Medical Records Platform that empowers hospitals and their administrators with clinical and financial data to run efficiently and deliver quality care (the “Service”).

Helium EMR is a product of One Global Medical Technology Ltd (“Helium Health”), which can be accessed through the Website (www.heliumhealth.com), mobile, tablet or other applications made available by Helium Health.

In these Terms of Use, reference to “User”, “You”, or “Your” shall mean a User of this Service. The Terms of Use, along with any other agreement you have executed with us, each included herein by reference, form a legally binding contract between you and Helium Health regarding your use of this Service. Furthermore, you can also read our Privacy Notice here.

  1. Nature and Applicability of Terms

These Terms of Use (as amended from time to time by Helium Health in its sole discretion) govern the use of the Service and upon your acceptance, constitute a binding agreement between you and Helium Health.  Please read these Terms of Use carefully before accessing or using the Service.

By accessing or using content; services, and materials on the website located at www.heliumhealth.com  (the “Website”), any of the services provided therein (collectively, the “Services”) and the materials which may include logos, text graphics, videos, images, photos, software and other content (collectively, the “Materials”), you agree that you have read, understood, accept and agree to be bound by these Terms.

Each time you access or use this Service, you, and if you are acting on behalf of a third party, such as an employer or a patient, such third party, agrees to be bound by this Terms of Use whether or not you register with us. If you do not agree to be bound by the Terms of Use, you may not access or use our Website or the Service.

If you agree to each of the Terms of Use, check the “I ACCEPT” or “I AGREE” button at the bottom of these Terms of Use.

  • Privacy Notice

Helium Health is committed to managing your personal data in line with global industry best practices. We encourage you to read our Privacy Notice which explains how Helium Health handles your personal data when you access or use our Website or  Service.

  • Eligibility for Our Service

By using this Service, you represent and warrant that you or your authorised representative have attained the age of majority where you reside (18 years of age in most jurisdictions) and are otherwise capable of entering into binding contracts, including this Terms of Use. If you are using the Service on behalf of another party, including, without limitation, a healthcare facility, a healthcare provider, a medical professional, physician, patient or other organisation, you represent and warrant that you have the authority to act on behalf of that party and to bind that party to this Terms of Use. If you are using this Service on behalf of a party under the age of majority, you certify that you have the authority to use this Service on their behalf.  Helium Health shall only permit access to the Services to Users who have executed a separate written services agreement with Helium Health for the Services.

  • Registration of Users

Helium EMR includes the tools, features, functions and systems to provide a unified Electronic Medical Record (EMR) technology platform for healthcare facilities, medical professionals, physicians and patients, allowing them to upload, store, retrieve and transmit health-related information, and otherwise maintain a high-performance, digital-based, healthcare information system.

Health-related information includes, without limitation, any data and information related to a patient’s physical, mental and medical condition, health and treatment, including payment for such treatment.

To use our Platform, you have to create an account through a registration process. To register, you will provide us with certain information that personally identifies you, such as your email, first name, last name, phone number, physical address, phone number, company name or other personal information and other health-related information.  You have the right to refuse to authorise the use and/or disclosure of your Personal Information. However, if you choose to exercise this right, you may not be able to utilise some features of the Services we provide.

Access to this Service is granted to you upon the condition that:

  1. You become a registered User
  2. You accept and agree to this Terms of Use
  3. You have read our Privacy Notice and any other Agreement when and where appropriate or required.

If you provide Your Information to us, then you agree to provide true, current, complete and accurate information and not to misrepresent your identity.  You also agree to keep Your Information current and to update Your Information if any of Your Information changes.  

Our collection and processing of Your Information are governed by this Terms of Use, our Privacy Notice and any applicable law.

You, at all times, remain solely responsible for the use of the Service by your employees or agents where applicable, and you agree to hold Helium Health harmless for any liability or the consequences to you or your employees or agents resulting from your or their use of the Service.

Any modifications and new features added to the Service are also subject to this Terms of Use.

All rights, title and interest in and to the Service and its components (including all software, technology, copyrights and other intellectual property rights) will remain with and belong exclusively to Helium Health unless otherwise agreed under any other agreement signed by the parties.

  • Intellectual Property

Our Content:

All content and materials, including but not limited to images, text, visual interfaces, information, data, and computer code, provided by us through our Services (our “Content”) and all related intellectual property rights are the property of Helium Health and/or its third-party licensors. Our content is protected by Nigerian and international intellectual property laws and treaties. You are permitted to use our content only on our Services. You may not copy, modify, sell, reproduce, distribute, republish, display, post, create derivative or collective works from, or transmit in any form (including in-line linking or mirroring) our content, in whole or in part, without our express prior written consent. You may not reverse engineer or reverse compile any of our Services or the technology used to operate our Services. Nothing in this Terms of Use or our Services grants you, by implication, estoppel, or otherwise, any licence or right to use our content except as expressly stated in this Terms of Use.

Our Partners’ Intellectual Property:

Our Services may also display specific intellectual property, such as company, product, and service name and logos, owned by our partners (our “Partners’ Intellectual Property”). Nothing in this Terms of Use or our Services grants you, by implication, estoppel, or otherwise, any license or right to copy, modify, sell, reproduce, distribute, republish, display, post, create derivative works from or transmit in any form (including in-line linking or mirroring) any of our Partners’ Intellectual Property.

  • Screening Users

Although we retain the right to do so, Helium Health does not screen Users or verify information communicated through the Service. Helium Health also retains the right to monitor all communication and information transmitted using our Services. Helium Health may, at its sole discretion, take steps to verify your identity and credentials as a health service provider at any time. We may use and disclose information, including Personal Data, about you for such purposes, including making inquiry of third parties concerning your identity and professional and practice credentials. You further authorise such third parties to disclose to us such information as we may request for such purposes, and you agree to hold them and us harmless from any claim or liability arising from the request for or disclosure of such information. Unless otherwise agreed under any other agreement signed by the parties, you agree that we may terminate your access to the Service at any time, without liability to us, if we are unable at any time to determine or verify your qualifications or credentials.

You may contact us at support@heliumhealth.com to notify us of inappropriate or illegal conduct or content you encounter on the Service. However, please note that we are not obligated to address any such conduct.

  • Account Management and Security
  1. Keep Your Password Secure. If you have been issued an account by Helium Health in connection with your use of the Services, you are responsible for safeguarding your password and any other credentials used to access that account, even if you authorise other parties in your organisation to access your account. You, and not Helium Health, are responsible for any activity occurring on your account, including but not limited to incidents where your password has been compromised. If you become aware of any unauthorised access to your account, you should notify Helium Health immediately. You shall also conduct internal investigations where it is determined that such an account has been compromised at your instance and shall be solely responsible for the direct losses incurred by Helium Health and others (including patients) due to any unauthorised use of your account.
  1. You acknowledge that by allowing your representatives, including your employees, agents and patients, to access your Helium Health account, you are responsible for ensuring such representatives use the Helium Health Service for the purposes for which it is intended and no other. While the Service has certain technical safeguards against misuse, you acknowledge the Service will rely to a substantial extent on your responsible use. You agree that we will not be responsible for any unlawful access to or use of the Service by any employee or patient to whom you gave access or log-in credentials and agree to hold Helium Health harmless for any liability or the consequences to you or your employees, agents or patients, resulting from your, or their use of the Service.
  1. Keep Your Details Accurate. Helium Health may send notices to the email address or text messages to your mobile phone registered with your account. You must keep your email address, mobile phone number and, where applicable, your contact details and payment details associated with your account current and accurate. In the event that you change any information provided to us at registration, including your address, you agree to notify and update us as promptly as possible of such change. We may be unable to respond to you if you contact us from an address, telephone number, or email account that is not registered with us.
  • Change of Information

The User may at any time and from time to time notify us in writing of a change of any information provided to us at registration, including your address. We may be unable to respond to you if you contact us from an address, telephone number, or email account that is not registered with us.

  • Breach Notification Policy

If you suspect or learn that the security of the Service and the data contained therein has been breached or compromised, you agree to immediately notify us at support@heliumhealth.com. You agree that the User, and not Helium Health, shall be responsible for the legal consequences for failing to comply with Helium Health’s breach notification policy and you shall hold Helium Health free from any liability arising from such failure to provide notification following the breach or compromise of the Service data.

  1. Links to or Connections with Third-Party Sites or Applications

Our Services or communications to you may contain third-party content or links to third-party sites, applications, or services (collectively, “Third Party Content”). Our Services may also include features that allow you to connect your Account with accounts or services provided by third parties (“Third Party Services”). We do not control, maintain, or endorse the Third Party Content or Third Party Services, and we are not liable for any Third Party Content or Third Party Services, including any damages, losses, failures, or problems caused by, related to, or arising from Third Party Content or Third Party Services. Your interactions and business dealings with the Third Party Content or Third Party Services providers, including products or services offered by such third parties, are solely between you and the third party. You should review all of the relevant terms and conditions associated with Third Party Content or Third Party Services, including any privacy notices and terms of service. We are not responsible for any information you agree to share with third parties connected with Third Party Content or Third Party Services. No information on this website is intended to amount to advice, recommendation, or inducement to use any facilities or other health-related products.

  1. Reliance on Information Posted

The information presented on or through the Website is made available solely for general information purposes. We do not warrant the accuracy, completeness or usefulness of this information. Any reliance you place on such information is strictly at your own risk. We disclaim all liability and responsibility arising from any reliance placed on such materials by you, any other visitor to the Website, or anyone who may be informed of any of its contents.

Furthermore, information on the Service may contain typographical errors, inaccuracies, or omissions. We reserve the right to correct or make changes in such information at any time without notice. Provided that such changes shall not affect the User’s ability to access or use the Service.

This Website may include content provided by third parties, including materials provided by other users, bloggers and third-party licensors, syndicators, aggregators and/or reporting services. All statements and/or opinions expressed in these materials, and all articles and responses to questions and other content other than the content provided by Helium Health, are solely the opinions and the responsibility of the person or entity providing those materials. These materials do not necessarily reflect the opinion of Helium Health. We are not responsible or liable to you or any third party for the content or accuracy of any materials provided by any third parties.

  1. Representations and Warranties

You represent and warrant to Helium Health that:

  1. You have full power and authority to enter into, execute, deliver and perform this Agreement;
  2. You will comply with this Agreement and all applicable local, state, national, and international laws, rules, and regulations;
  3. You will not abuse the services offered by Helium Health and/or Partners
  4. You will not use the Website to generate false feedback about any person, product, or service.
  5. Any information you provide to us, both when you register and in the future, is and will be true, accurate, current, and complete;
  6. You will keep all information up-to-date; and
  7. You accept and agree to these Terms.
  1. Responsibilities:

By agreeing to these terms of use, you agree to the following responsibilities:

  1. The usual and customary charges for any services rendered by collaborating providers profiled on the site will apply and will be entirely your responsibility.
  2. You are responsible for all use of the site and for all use of your Credentials, including use by others to whom you have given your credentials.
  3. You agree that you shall not copy, modify, adapt, translate, or reverse engineer any portion of the site, its content or materials, and/or the services.
  4. You agree that you shall not create user accounts by automated means or under false or fraudulent pretences.
  5. It is within your responsibility to refrain from collecting or storing personal data about other users in connection with the prohibited activities contained within this agreement.
  6. You shall not use any means, including software means, to conduct web scraping of any portion of the site, its content or materials, and/or the services.
  7. You shall not access, retrieve, or index any portion of the site and/or the services to construct or populate a searchable database of reviews related to the services provided.
  8. You shall promptly update us with any changes to your account details.
  1. Exporting Information from the Service; Training and Compliance
  2. Users are solely responsible for any applicable compliance with laws governing the privacy and security of personal data, including medical or other sensitive data. As a User of our Service, you acknowledge and agree that you are solely responsible for any health-related information exported from the Helium Health Service by you or if you are a healthcare provider, the employees and patients that you allow access to your account. You represent and warrant that you will export and subsequently use protected health information only in accordance with applicable laws and regulations.
  1. If you are a healthcare facility, you agree to train all employees on the use of the Helium Health Service and any health privacy obligations applicable to you and your patients, and the requirements of these Terms of Use and our Privacy Notice and ensure that they comply with such requirements.
  1. Data Retention and Access to Personal Data
  2. You are responsible for complying with all applicable laws and regulations related to the retention of medical data and records, patient access and the amendment to information, and patient authorisation to release data where applicable.
  1. Upon receipt of a written request from You, for access to Your patients’ personal data (referred to in this clause 15(b) as the “Personal Data”), where such written request is sent within three (3) months of the termination of any agreement you have executed with us, Helium Health shall make the Personal Data available to you at no cost to You. Thereafter, Helium Health may charge a fee as a precondition for providing you with access to the Personal Data, upon your written request for a copy of the Personal Data.
  1. Cancellation and Refund Policy

a.    We shall not be liable, whatsoever, for any refunds to patients that may arise from cancellation or inability to meet an appointment or cancellations through the use of our service with the Hospital/healthcare facility. This shall be the responsibility of the Hospital/healthcare facility to deal with.

  1. Your Licence, Access and Use of our Services
  2. Your right to access and use our Services is personal to you and is not transferable by you to any other person or entity. Access to our Services may not be available in all locations. We may add to or remove the areas in which the Services are or are not available, are partially or fully available, at any time, without notice to you.  You are only entitled to access and use our Services only for lawful purposes and pursuant to the terms and conditions of this Terms of Use and our Privacy notice. Any action by you that i) violates the terms and conditions of this Terms of Use and/or the Privacy notice; (ii) restricts, inhibits or prevents any access, use or enjoyment of our Services; or (iii) through the use of our Services, defames, abuses, harasses, offends or threatens others, shall not be permitted, and may result in your loss of the right to access and use our Services if so determined by any applicable law.
  • The rights granted to you in these Terms are subject to restrictions. You, therefore, agree that you shall not and shall not encourage or authorise any third party to directly or indirectly: (i) copy, publish, distribute, licence, sublicense, sell, resell, rent, lease, transfer, assign, host, or otherwise commercially exploit the Services including as a service bureau or outsourcing offering or otherwise access or use the Service other than as expressly permitted hereunder; (ii) modify, make derivative works of, disassemble, reverse compile or reverse engineer any part of the Services; (iii) access the Services in order to build a similar or competitive Service; and (iv) except as expressly stated herein, no part of the Services may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means. Any future release, update, or other addition to functionality of the Services shall be subject to these Terms.
  • Furthermore, you agree that you will not use any robot, spider, scraper, deep link or other similar automated data gathering or extraction tools, program, algorithm, or methodology to access, acquire, copy or monitor our Services or any portion of our Services or for any other purpose, without our prior written permission.  Additionally, you agree that you will not: (i) copy, reproduce, modify, create derivative works from, distribute or publicly display any content (except for your personal information) from our Services without our prior written permission and the appropriate third party, as applicable; (ii) interfere or attempt to interfere with the proper working of our Services or any activities conducted on our Services; (iii) bypass any robot exclusion headers or other measures we may use to prevent or restrict access to our Services, or (iv) interfere or disrupt the Service or servers or networks connected to the Service, including by transmitting any worms, viruses, spyware, malware or any other code of a destructive or disruptive nature.

This list of prohibitions provides examples and is not exhaustive or exclusive. Helium Health reserves the right to terminate your ability to use the Services with or without cause and with or without notice, for any reason or no reason, or any action Helium Health determines is inappropriate or disruptive to the services or any other user of the services. Helium Health may report to law enforcement authorities any actions that may be illegal and any reports it receives of such conduct. When legally required or at Helium Health’s discretion, Helium Health will cooperate with law enforcement agencies and regulatory bodies in any investigation of alleged illegal activity on the services or the internet.

YOU WAIVE AND HOLD HARMLESS HELIUM HEALTH AND ITS AFFILIATES, LICENSEES AND SERVICE PROVIDERS FROM ANY CLAIMS RESULTING FROM ANY ACTION TAKEN BY THE HELIUM HEALTH/ANY OF THE FOREGOING PARTIES DURING OR AS A RESULT OF ITS INVESTIGATIONS AND FROM ANY ACTIONS TAKEN AS A CONSEQUENCE OF INVESTIGATIONS BY EITHER HELIUM HEALTH/SUCH PARTIES OR LAW ENFORCEMENT AUTHORITIES.

  1. Indemnification

You agree to indemnify and hold Helium Health and its officers, directors, employees, consultants, affiliates, agents, licensors, and business partners (collectively, the “Indemnified Entities”) harmless from and against any and all costs, damages, liabilities, and expenses (including attorneys’ fees and costs of defence) Helium Health or any other Indemnified Entity suffers in relation to, arising from, or for the purpose of avoiding, any claim or demand from a third party that your use of the Services or the use of the Services by any person on your behalf, violates any applicable law or regulation, or the copyrights, trademark rights or other rights of any third party.

  1. User Content Rights and Related Responsibilities; Licence
  2. “User Content” means, without limitation, any messages, texts, digital files, images, photos, personal profile, artwork, videos, audio, comments, feedback, suggestions and documents, or any other content you upload, transmit or otherwise make available to Helium Health and its users via the Services. We may, in our sole discretion, permit you to, from time to time, submit, upload, publish or otherwise make available to us through the Services any User Content. You represent and warrant that you own or otherwise control the rights to your User Content and that each and every part thereof is an original work by you, or you have obtained all rights, licences, consents and permissions necessary in order to use those parts at any and all times. You further agree to indemnify Helium Health and its affiliates for all claims arising from or in connection with any claims to any rights in your User Content or any damages arising from your User Content.
  • By submitting User Content on or through the Service, you grant Helium Health a perpetual, irrevocable, transferable, assignable, worldwide, non-exclusive, royalty-free licence (with the right to sublicense through multiple tiers) to access, use, re-use, reproduce, transmit, print, publish, display, exhibit, distribute, re-distribute, copy, host, store, cache, archive, index, categorise, comment on, broadcast, stream, download, edit, alter, modify, adapt, translate, create derivative works based upon and publicly perform such User Content without attribution, and without the requirement of any permission from or payment to you or to any other person or entity, in any manner including, without limitation, for commercial, publicity, trade, marketing, promotional, or advertising purposes, and in any and all media now known or hereafter devised, in accordance with applicable laws.
  • For us to provide the Service to you, we require that you grant us certain rights with respect to User Content, including the ability to manipulate, process, store and copy User Content in order to provide our Services. Your acceptance of these Terms of Use gives us the permission to do so and grants us any such rights necessary to provide the Service to you.
  • Helium Health expressly disclaims any liability for the loss or damage to any User Content or any losses or damages you incur as a result of the loss or damage of any User Content. It is your responsibility to back-up any User Content to prevent its loss.
  • You are solely responsible for your User Content, including, without limitation, comments and feedback.
  • Helium Health may block, remove or return any User Content at any time for any reason whatsoever or for no reason at all. We are not responsible for the authenticity, accuracy, completeness, appropriateness, or legality of User Content.
  • User warrants and agrees not to: (i) publish falsehoods or misrepresentations that could cause injury, loss or damage to Helium Health or any third party; (ii) submit material that is unlawful, obscene, lewd, defamatory, libellous, threatening, pornographic, harassing, hateful, racially or ethnically offensive, violent, or encourages conduct that would be considered a criminal offense, give rise to civil liability, violate any law, or is otherwise inappropriate or objectionable; (iii) post advertisements or solicitations of business; (iv) impersonate another person; or (v) submit material that is copyrighted, protected by trade secret or otherwise subject to third party intellectual property or proprietary rights, including privacy and publicity rights, unless you are the owner of such rights or have permission from their rightful owner to post the material and to grant Helium Health all of the license rights granted herein.
  • Notwithstanding the foregoing, Helium Health assumes no responsibility for monitoring the Service for inappropriate content or modifying or removing such content from the Service.
  •  Interruption of Service

Unless otherwise stated in a separate written agreement, whether a service level agreement or otherwise, between you and Helium Health, your access and use of our Services may be interrupted for any of several reasons, including, without limitation, the malfunction of equipment, periodic updating, maintenance or repair of our Services or other actions that we, may elect to take.

  •  Software
  • Any software made available to you in connection with the Services is provided to you for the sole purpose of enabling you to use and enjoy the benefit of the Services as provided by Helium Health in the manner permitted by these terms. You may not copy, modify, distribute, sell, or lease any part of our Services or software, nor may you reverse engineer or attempt to extract the source code of any such software.
  • Any software we make available to you is subject to applicable export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software.
  •  Disclaimers; No Warranties
  • SAVE AS OTHERWISE AGREED IN WRITING BY PARTIES, THE HELIUM HEALTH PARTIES DO NOT WARRANT THAT THE SERVICES OR THE SERVERS THAT MAKE THE SERVICE AVAILABLE WILL BE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS OR THAT ANY PRODUCT DESCRIPTION OR OTHER CONTENT OFFERED AS PART OF THE SERVICES ARE ACCURATE, RELIABLE, CURRENT OR COMPLETE.
  • YOU EXPRESSLY AGREE THAT YOUR USE OF THE SERVICE IS AT YOUR SOLE RISK. IF YOU DOWNLOAD ANY CONTENT ON THE SERVICE, YOU DO SO AT YOUR OWN DISCRETION AND RISK. YOU WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM THE DOWNLOAD OF SUCH CONTENT THROUGH THE SERVICE.
  • Medical Disclaimer

THIS WEBSITE AND THE SERVICES PROVIDED BY HELIUM HEALTH ARE NOT DESIGNED TO, AND DO NOT PROVIDE, MEDICAL ADVICE, PROFESSIONAL MEDICAL DIAGNOSIS OR OPINION, MEDICAL TREATMENT, PSYCHOLOGICAL THERAPY OR MEDICAL SERVICES. YOUR USE OF OUR SERVICES DOES NOT CREATE A PATIENT/PHYSICIAN RELATIONSHIP AND IS NOT A SUBSTITUTE FOR PROFESSIONAL MEDICAL ADVICE, DIAGNOSIS OR TREATMENT BY A PHYSICIAN OR OTHER HEALTHCARE PROVIDER. IF YOU BELIEVE YOU ARE CONFRONTED WITH ANY HEALTH PROBLEM OR MEDICAL CONDITION, YOU SHOULD PROMPTLY CONSULT YOUR PHYSICIAN OR OTHER HEALTHCARE PROVIDER. NEVER DISREGARD MEDICAL OR PROFESSIONAL ADVICE, OR DELAY SEEKING IT, BECAUSE OF INFORMATION YOU HAVE RECEIVED THROUGH OUR SERVICES. IF YOU ARE PRESENTED WITH A MEDICAL EMERGENCY, YOU SHOULD IMMEDIATELY CALL FOR EMERGENCY MEDICAL ASSISTANCE OR YOUR PHYSICIAN.

  • Limitation of Liability
    • EXCEPT AS SET FORTH IN SECTION 24.3, HELIUM HEALTH SHALL NOT BE LIABLE TO YOU FOR ANY CONSEQUENTIAL, SPECIAL, PUNITIVE, MULTIPLE OR OTHER INDIRECT DAMAGES ARISING IN CONNECTION WITH THIS AGREEMENT OR THE DATA, INCLUDING WITHOUT LIMITATION FOR LOSS OF PROFITS, LOSS OF USE, LOSS OF DATA OR LOSS OF OPPORTUNITIES, WHETHER BASED ON WARRANTY, CONTRACT, TORT, STATUTE, STRICT LIABILITY OR OTHERWISE, EVEN IF REASONABLY FORESEEABLE. 
    • EXCEPT AS SET FORTH IN SECTION 24.3, THE MAXIMUM AGGREGATE LIABILITY OF HELIUM HEALTH FOR ALL CLAIMS HEREUNDER, CUMULATIVELY, SHALL BE EQUAL TO THE AMOUNTS PAID TO HELIUM HEALTH BY THE HOSPITAL FOR THE SERVICE OR ANY OTHER MAXIMUM AMOUNT SET FORTH IN A SEPARATE WRITTEN AGREEMENT BETWEEN YOU AND HELIUM HEALTH. 
    • THE EXCLUSIONS AND LIMITATIONS OF THIS SECTION 24  SHALL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.
  • Severability

Where any portion of this Terms of Use is deemed invalid or unenforceable either in whole or in part by any court or tribunal, such part shall be severed from the Terms of Use and shall not affect the validity or enforceability of any other part in this Terms of Use.

26.      Applicable Law and Dispute Settlement

You agree that these Terms of Use and any contractual obligation between Helium Health and the User will be governed by the laws of the Federal Republic of Nigeria.

If a dispute or difference arises as to the validity, interpretation, effects or rights and obligations of the Parties under these Terms of Use, the Parties shall use their best endeavour to reach an amicable settlement of the dispute.

If any such dispute is not settled between the Parties within fourteen (14) days, the Parties agree to submit such dispute to Mediation at the Lagos State Multi-Door Courthouse (LMDC) for resolution under the provisions of Lagos State Multi-Door Courthouse (LMDC) Law 2007. Notwithstanding the provisions above, a Party shall be entitled to seek preliminary injunctive relief or interim or conservatory measures from any court of competent jurisdiction pending the outcome of the Mediation.

  • Termination

We  may terminate this Agreement by closing, suspending or restricting your access to your account if:

  • you do not comply with any of the provisions of this Agreement;
  • we are required to do so by Law;
  • where a suspicious or fraudulent transaction occurs.

If you violate these Terms or any of our User T&Cs on the website, Helium Health reserves the right to issue you a warning regarding the violation or to terminate or suspend your use of the Services immediately. We may also prohibit your use of the website by blocking computers using your IP address from accessing the website or contacting your Internet service provider to request that they block your access to the website and/or bringing court proceedings against you where there has been a violation of these Terms of Use. You agree that Helium Health does not need to provide you notice before terminating or suspending your use of the Services, but it may provide such notice at its sole discretion.

You agree that you will comply fully with these Terms and all applicable domestic and international laws, regulations, statutes, and guidelines that govern your use of the Services. Without limiting the foregoing and in recognition of the global nature of the Internet, you agree to comply with all local and international rules regarding online conduct. You also agree to comply with all applicable laws affecting the transmission of content or the privacy of individuals.

  • Updates, Modifications, and Amendments

As our technology evolves, we may need to update, modify, or amend our Terms of Use, tools, utilities, or general updates. We reserve the right to make changes to this Terms of Use at any time without notice to you.

We advise that you check this page often, referring to the date of the last modification on the page to ensure you are familiar with the current version of the Terms of Use. However, please note that we will give Users the opportunity to opt-out or prohibit new/unrelated uses of their personal information.

  • Contact Information

If a User has any questions concerning Helium Health, the Website or application, this Terms of Use or anything related to any of the foregoing, Helium Health User support can be reached at the following email address: support@heliumhealth.com.

  • Annexures and Appendices

All Annexures and Appendices attached hereto shall form part of this Terms of Use and are hereby incorporated into all our existing and future agreements with You by reference. Particularly, our Data Protection Addendums (“DPA”), annexed hereto as Appendix 1, shall be deemed binding from the date of Your acceptance of these Terms of Use.

Last updated: October  2023

APPENDIX 1

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) dated 1st  day of October 2023 (the “Effective Date”) forms part of the “Main Agreement”.

Between

The User of the HeliumEMR service (hereinafter referred to as the “DataController” or “Controller”) which expression shall, where the context so admits, include its successors-in-title and assigns) of the first part;

And

ONE GLOBAL MEDICAL TECHNOLOGY LTD, a company incorporated under the laws of the Federal Republic of Nigeria with its principal office at Plot 1, Block 22, Babatunde Anjous Ave, Lekki Phase 1, Lagos. (hereinafter referred to as “Helium Health”/ “Processor”) (which expression shall, where the context so admits, include its successors-in-title and assigns) of the other part;

The Controller and Helium Health are hereinafter jointly referred to as the “Parties” and each individually as a “Party”.

BACKGROUND

  1. This Data Processing Addendum (“DPA”) forms part of the Main Agreement entered into between the Controller and Helium Health, pursuant to which the Controller has agreed to use Helium Health’s Services.
  2. The purpose of this DPA is to reflect the Parties’ agreement with regard to the Processing of Personal Data, in accordance with the requirements of Data Protection Law.
  3. In the course of providing the Services to the Controller pursuant to the Main Agreement, Helium Health and Helium Health Affiliates may process Personal Data on behalf of the Controller, and the Parties agree to comply with the following provisions with respect to an y Personal Data, each acting reasonably and in good faith.
  4. Notwithstanding anything to the contrary in this DPA, to the extent that there is a conflict or inconsistency between the DPA, the Main Agreement, or any other agreement, with respect to the processing of Personal Data, this DPA shall prevail.

1. DEFINITION & INTERPRETATION

1.1. In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:

“Controller” shall have the definition under the Nigeria Data Protection Act (NDPA).

“Data Protection Legislation”/“Data Protection Law(s)” means the Nigeria Data Protection Act 2023 (NDPA), Nigeria Data Protection Regulation 2019 (NDPR), the NDPR Implementation Framework, the National Health Act, the Cybercrimes (Prohibition, Prevention Etc) Act and all other applicable laws or regulations relating to the processing of Personal Data, Health Data and privacy, as such legislation shall be amended, revised, or replaced from time to time.

“Data Subject” is an individual who is the subject of Personal Data.

“Health Data” means data related to the physical or mental health of an individual, including the provision of healthcare services, which reveal information about the individual’s health status.

“Helium Health Affiliate(s)” means any entity, including but not limited to subsidiaries, parent companies, or entities under common ownership or control with Helium Health, whether directly or indirectly.

“Personal Data/ Data”/”Controller Data” means any information relating to a Data Subject that is processed by the Processor as a result of, or in connection with, the provision of the Services under the Main Agreement; including but not limited to a name, identification number, location data, an online identifier or  one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject, including Health Data. For the avoidance of doubt, Personal Data/Data/Controller Data shall include only the types of data listed under Annex A of this DPA.

“Processing” means any activity that involves the use of Personal Data or as applicable Data Protection Legislation may otherwise define ‘processing’, ‘processes’ or ‘process’. It includes any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.

“Personal Data Breach” means a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

“Instructions/Approved Purpose” as defined in Clause 2 below.

“Services” means the services the Processor provides to the Controller pursuant to the Main Agreement

.“Sub-Processor” means any third-party processor appointed by and on behalf of the Processor in connection with this Agreement

“Supervisory Authority” means an independent public authority which is established under any Data Protection Law for the purpose of overseeing compliance with such legislation.

“Main Agreement” means all agreements which the User of HeliumEMR has executed with Helium Health.

“Third Countries” means a country or territory outside Nigeria.

1.2.      In this DPA:

a.       Capitalised terms not otherwise defined in this DPA will have the meaning given to them in the Main Agreement. Except as modified below, the terms of the Main Agreement will remain in full force and effect;

b.       In consideration of the mutual obligations set out in this DPA, the Parties agree that the terms and conditions set out below will be added as an addendum to the Main Agreement. Except where the context otherwise requires, references in this DPA to the Main Agreement are to the Main Agreement as amended by this DPA;

c.       the annexes and appendices to this DPA form part of this DPA and will have the same force and effect as if set out in the body of this DPA and any reference to this DPA will include the annex  and appendices;

d.       the background section and all headings are for ease of reference only and will not affect the construction or interpretation of this DPA;

e.       unless the context otherwise requires, references to the singular include the plural and vice versa;

f.         unless the context otherwise requires, references to a “person” include any individual, body corporate, association, partnership, firm, trust, organisation, joint venture, government, local or municipal authority, governmental or supra-governmental agency or department, state or state agency or any other entity (in each case whether or not having separate legal personality);

g.       references to any statute or statutory provision will include any subordinate legislation made under it and will be construed as references to such statute, statutory provision and/or subordinate legislation as modified, amended, extended, consolidated, re-enacted and/or replaced and in force from time to time;

h.       any words following the words “include”, “includes”, “including”, “in particular” or any similar words or expressions will be construed without limitation and accordingly will not limit the meaning of the words preceding them;

i.         to the extent only of any conflict or inconsistency regarding the processing of personal data between the provisions of the Main Agreement and this DPA, this DPA will prevail;

j.         references to a Party to this DPA include references to the successors or assigns (immediate or otherwise) of that Party.

2.              SCOPE OF PROCESSING/APPROVED PURPOSE

2.1.           As part of Helium Health providing the Service to the Controller under the Main Agreement, Helium Health shall comply with the obligations imposed upon it under Data Protection Law and agrees and declares as follows:

a.       to process Personal Data in accordance with the  Controller’s documented instructions as set out in the Main Agreement and this DPA for the specific purpose of providing the Service(s) to the Controller;

b.       to retain, use, or disclose Personal Data only for the specific purpose of providing the Service(s) to the Controller as set out in the Main Agreement and this DPA and any other written instructions given by the Controller and acknowledged by Helium Health as constituting instructions under this Addendum (collectively, the “Instructions/Approved Purpose”).

2.2.         Helium Health will comply with the Instructions unless it is otherwise unable to comply with an Instruction or prohibited by applicable Data Protection Law.

3.              PROCESSING OF PERSONAL DATA

3.1.           Helium Health will:

a.       comply with all applicable Data Protection Laws in the Processing of the Controller’s Personal Data on behalf of the Controller and provide such assistance and information as required under Data Protection Legislation in order to assist the Controller to comply with its obligations under Data Protection Laws;

b.       only Process the Controller’s Personal Data and any Personal Data the Controller provides in accordance with the Approved Purpose or on written instructions from the Controller (or, if directed by the Controller) for the purposes of performing the Services (including with respect to transfers of the Controller’s Personal Data to a Third Country, which shall be in compliance with the Data Protection Laws);

c.       not knowingly or negligently do anything or fail to do anything which would cause the Controller to be in breach of its obligations as a Data Controller under Data Protection Laws;

d.       not modify, amend or alter the Controller’s Personal Data or disclose or permit the disclosure of the Controller’s Personal Data to any third party unless it is required for the performance of the Services, for the Approved Purpose or/is specifically authorised to do so in writing by the Controller or permitted by  Data Protection Law;

e.       not disclose nor allow any person to access the Controller’s Personal Data from any Third Country or by any international organisation, other than for the performance of the Services, the Approved Purpose or on the written instructions of the Controller; unless required to do so under any law to which Helium Health is subject. In that event, Helium Health will, to the extent permitted by law, promptly inform the Controller of the legal requirement before Processing the Controller’s Personal Data.

3.2.         Helium Health shall immediately notify the Controller prior to any Processing being carried out, if in Helium Health’s opinion, any instruction from or on behalf of the Controller infringes or is likely to infringe Data Protection Laws.

  • HELIUM HEALTH PERSONNEL

4.1.           Helium Health will:

  1. take all reasonable steps to ensure the reliability of all Helium Health employees, contractors and agents (“Helium Health Personnel”) who have access to Personal Data;
  2. ensure that any access to the Controller’s Personal Data by Helium Health Personnel is provided on a strict “need to know” basis only and that Helium Health Personnel do not Process the Controller’s Personal Data except for the Approved Purpose or in accordance with the written instructions of the Controller, unless required to do so by law;
  3. ensure that all Helium Health Personnel involved in the performance of the Services have undergone appropriate data privacy training in relation to the Processing and security of the Controller’s Personal Data.

4.2.         Without prejudice to the foregoing, Helium Health will ensure that all Helium Health Personnel:

  1. who have access to the Controller’s Personal Data are informed of its confidential nature prior to disclosing any of the Controller’s Personal Data to them; and
  2. are subject to  professional secrecy (whether contractual or statutory) to maintain the Controller’s Personal Data in confidence.
  3. DATA SECURITY AND CONFIDENTIALITY

5.1.          Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Helium Health will in relation to the Controller’s Personal Data, implement and maintain at all times appropriate technical and organisational measures to ensure a level of security appropriate to that risk.                        

5.2.         In assessing the appropriate level of security,  Helium Health will take into account the risks that are presented by Processing, in particular from a Personal Data Breach.

5.3.         Helium Health will ensure that any Sub-Processor implements and maintains appropriate processes to promptly respond to a Personal Data Breach.

5.4.         Helium Health may retain documentation as Helium Health deems reasonably necessary to comply or demonstrate compliance with any law that Helium Health may be subject to.

5.5.         Helium Health shall exercise the same degree of care as it uses with its own data and confidential information, but in no event less than reasonable care, to protect the Personal Data from misuse and unauthorized access or disclosure in accordance with all applicable Data Protection Laws.

  • DATA SUBJECT RIGHTS

6.1.          Taking into account the nature of the Processing, Helium Health, where feasible, will assist the Controller, insofar as this is commercially reasonable for Helium Health,  towards the fulfilment of the Controller’s obligations to respond to requests by Data Subjects to exercise their rights under Data Protection Laws.

6.2.         Helium Health will:

  1. notify the Controller if Helium Health or a Sub-Processor receives any query, complaint or request from a Data Subject to access, delete, block, or restrict access to their Personal Data, or to receive a machine-readable copy of their Personal Data within five (5) calendar days of Helium Health receipt or notification of such request; and
  2. at the Controller’s request, assist with responding to such queries, complaints, and requests.

6.3.         If either Party receives any correspondence, enquiry or complaint from any individual, Supervisory Authority, other competent regulator or other third party in connection with the Personal Data shared by Controller with Helium Health under the Agreement (collectively, “Correspondence”), then the Parties shall cooperate in good faith as necessary to assist that Party to respond to such Correspondence, where possible, and fulfil their respective obligations under  Data Protection Laws.

  • REQUESTS FROM AUTHORITIES

7.1.           Where it is legally required, Helium Health will use reasonable efforts to promptly inform the Controller if Helium Health or any Sub-Processor receives any request, inquiry, complaint, notice, subpoena or any other communication from a regulatory authority (including a Supervisory Authority) or other competent authorities (“Authority”) relating to the Processing of the Controller’s Personal Data under the Main Agreement or in relation to any other matter under Data Protection Laws, except where Helium Health is prohibited from doing so under any law that it is subject to.

7.2.          The Controller will at Helium Health’s request assist Helium Health to respond to any communication from an Authority and to meet any applicable statutory or regulatory deadlines with regards to its Processing of Controller’s Personal Data.

  • LEGAL REQUESTS

In the event that a national law, court or regulator requires Helium Health or any of its Sub-processors to disclose Personal Data to a third party, Helium Health shall first inform the Controller of such legal or regulatory requirement and provide the Controller with the opportunity to object or challenge the requirement, unless national law prohibits such notice.

  • MANAGING AND REPORTING PERSONAL DATA BREACHES

9.1.          Helium Health shall:

a.       notify the Controller in accordance with applicable Data Protection Law of any Personal Data Breach involving the Controller’s Personal Data, and in any event within forty eight  (48) hours of becoming aware of the Personal Data Breach, and shall take appropriate measures to mitigate its possible adverse effects; and

b.       provide the Controller with sufficient information to permit it to meet any obligations to report the Personal Data Breach to a Supervisory Authority and/or to inform Data Subjects of the Personal Data Breach under Data Protection Laws.

  1. DATA PROTECTION IMPACT ASSESSMENTS

10.1.        Helium Health, upon request, will provide the Controller with commercially reasonable information and assistance, taking into account the nature of the processing and the information available to Helium Health, to help the Controller conduct any data protection impact assessment, data transfer impact assessment or prior consultation it is required to conduct under Data Protection Law;

  1. RETURN, DELETION OR DESTRUCTION OF PERSONAL DATA

11.1.          Unless storage is required by law, Helium Health shall return, delete or destroy Personal Data with a minimum timeframe of one hundred and eighty (180) days:

a.       after the end of the provision of the Services relating to the Processing of the Controller’s Personal Data; or

b.       after termination or expiry of the Main Agreement; or

c.       after a Controller’s request to return, delete or destroy.

11.2.         Neither Helium Health, nor any Sub-Processor or Helium Health personnel will retain copies of any of the Controller’s Personal Data in any form unless required to do so by any law to which they are subject and only to the extent and for such period as required by such law. In that event,  Helium Health shall ensure the confidentiality of all Controller’s Personal Data and shall ensure that Controller’s Personal Data is only Processed as needed for the purpose(s) specified under applicable laws requiring its storage, and for no other purpose. Helium Health’s obligation to protect Controller’s Personal Data in accordance with Data Protection Laws will continue until all Controller’s Personal Data has been returned to the Controller or deleted or destroyed.

  1. AUDIT RIGHTS

12.1.         The Parties acknowledge that Helium Health uses external auditors to verify the adequacy of its security measures and validate the level of compliance of Helium Health with its obligations under this DPA.. These audits:

a.       will be performed at least annually;

b.       will be performed by independent third-party professionals at Helium Health’s selection and expense; and

c.       will result in the generation of certificate(s) and/or an audit report(s) affirming the state of Helium Health’s data protection controls (“Report”).

12.2.       At the Controller’s written request and without charge, Helium Health will provide the Controller with a redacted summary of the Report (“Summary Report”). The Summary Report will constitute Helium Health’s confidential information.

12.3.       To the extent the Controller’s audit obligations under Data Protection Law are not reasonably satisfied through a Summary Report or other documentation Helium Health makes generally available to its Controllers, the Controller may request to conduct an audit of Helium Health under Data Protection Law (“Data Protection Audit”) upon at least thirty (30) calendar days’ advance written notice to Helium Health and at the Controller’s expense.

12.4.       Following receipt by Helium Health of a request under Section 12.3, Helium Health and the Controller will discuss and agree in advance on: the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit. Provided that such Data Protection Audit shall be conducted no more than once in any twelve-month period, during normal business hours with reasonable duration, and shall not interfere with Helium Health’s operations. Only the systems and areas applicable and relevant to the processing of Controller-provided data shall be accessed.

12.5.       The Controller in conducting such Data Protection Audit may use an independent, accredited third-party audit firm subject to an appropriate duty of confidentiality with Helium Health. Helium Health may object in writing to an auditor appointed by the Controller to conduct any audit under this Section,  if the auditor is, in Helium Health’s reasonable opinion, not suitably qualified or independent, a competitor of Helium Health, or otherwise manifestly unsuitable. Any such objection by Helium Health will require the Controller to appoint another auditor or conduct the audit itself.

12.6.       No Data Protection Audit shall involve access to any data relating to any other Helium Health controller or to systems or facilities not involved in the processing of Personal Data for Controller and in no event shall a Data Protection Audit cause Helium Health to violate its confidentiality obligations to any other third party.

12.7.        The Controller shall be responsible for all costs and expenses relating to a Data Protection Audit conducted under this Section 12. Any report generated in connection with such a Data Protection Audit shall be considered Helium Health’s confidential information and shall be promptly provided to Helium Health.

  1. SUB-PROCESSING

13.1.        The Controller authorises Helium Health to engage third-party Sub-Processors. Helium Health agrees to maintain an up-to-date list of these Sub-Processors and shall promptly provide the Controller with access to this list upon request. The Controller may request this information at any time during the term of this Agreement to ensure transparency and compliance with data protection requirements.

13.2.       Helium Health shall ensure that:

a.       before any Sub-Processor Processes the Controller’s Personal Data, Helium Health carries out appropriate due diligence to ensure that the Sub-Processor can provide the level of protection for the Controller’s Personal Data required by this DPA;

b.       Helium Health and each Sub-Processor have signed an agreement including terms which contain the same (or equivalent) obligations in relation to the Controller’s Personal Data as those set out in this DPA and meet the requirements of Data Protection Laws, (“Sub-Processing Agreement”) prior to any Processing of the Controller’s Personal Data being carried out;

d.       Helium Health has complied with its obligations in respect of Sub-Processors and any transfer of the Controller’s Personal Data in accordance with this DPA; and

e.       each Sub-Processor complies with the terms imposed on them under the relevant Sub-Processing Agreement with  Helium Health.

  1. Helium Health will remain fully liable to the Controller for the performance of any Sub-Processor’s obligations, and for any acts or omissions of any Sub-Processor.

13.4.       Helium Health shall have the authority to appoint new Sub-processors for Processing Controller Personal Data, provided that Helium Health provides the Controller with a written notice regarding such Sub-processor. The Controller shall have the opportunity to object to the appointment of each Sub-processor within thirty (30) calendar days of receiving such notice. In the event of an objection, Helium Health shall engage in good faith discussions with the Controller to address concerns. All terms of this Clause 13 shall apply to any new Sub-processor appointment.

  1. CONTROLLER OBLIGATIONS

14.1.         As part of the Controller receiving the Services under the Main Agreement, the Controller agrees to abide by its obligations under Data Protection Laws between the Parties.

14.2.       Where applicable and in the context of Health Data, the Controller shall take all necessary measures to ensure that it has a lawful basis for processing data and for sharing such data with the Processor.

14.3.       Where applicable, the Controller shall ensure that it has legal capacity in utilising Helium Health’s Services to process Personal Data of a Data subject.

14.4.       Without prejudice to Helium Health’s obligations under Clause 5 (Data Security) and 9 (Data Breach), and elsewhere in the Agreement, Controller is responsible for its use of the Services and its storage of any copies of Controller Personal Data outside Helium Health’s or Helium Health’s Sub-processors’ systems, including:

a.       using the Services and additional security controls to ensure a level of security appropriate to the risk to the Controller’s Data;

b.       credentials, systems and devices the Controller uses to access the Services; and backing up or retaining copies of its Personal Data as appropriate.

14.5.       The Controller agrees that the Services, security measures implemented and maintained by Helium Health, and Helium Health’s commitments under Clause 5 (Data Security) provide a level of security appropriate to the risk to the Controller’s Data (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of the Controller’s Personal Data as well as the risks to individuals).

14.6.       The Controller shall cooperate with Helium Health’s reasonable periodic requests for information regarding Controller’s privacy and security practices and compliance with this DPA,including information Helium Health deems reasonably necessary to comply or demonstrate compliance with applicable Data Protection Law.

  1. INDEMNITY

The Controller acknowledges that Helium Health is reliant on the Controller for direction as to the extent to which it is entitled to use and process the Personal Data. Consequently, Helium Health shall not be liable for any claim arising from any action or omission by Helium Health to the extent that such action or omission resulted from the Controller’s express instructions.

  1. GOVERNING LAW AND JURISDICTION
    1. The parties to this DPA submit to the choice of jurisdiction stipulated in the Main Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

16.2.       This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Main Agreement.

  1. COUNTERPARTS

 This DPA may not be amended or modified except in writing and signed by both Parties. This DPA may be signed in any number of counterparts, (including a PDF file), each of which will be an original, but which together will constitute one and the same document. Each Party’s rights and obligations concerning assignment and delegation under this DPA shall be as described in the Main Agreement. Subject to the foregoing restrictions, this DPA will be fully binding upon, inure to the benefit of and be enforceable by the Parties and their respective successors and assigns. This DPA, along with the Main Agreement, constitutes the entire understanding between the Parties with respect to the processing of Personal Data, and shall supersede any other arrangements, negotiations or discussions between the Parties relating to that subject-matter.

  1. SEVERANCE

18.1.        If any provision of this DPA is held to be invalid or unenforceable, then the remainder of this DPA will remain valid and in force. The invalid or unenforceable provision will be either:

18.2.       amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible;

18.3.       construed in a manner as if the invalid or unenforceable part had never been included.

EXECUTED AS AN AGREEMENT the day and year first above written.

Annex A

Details of the Processing of Controller’s Personal Data

Subject Matter 
Duration of the Processing 
Nature and Purpose of the Processing 
Categories of Data 
Data Subjects 
Location 

DATA PROCESSING ADDENDUM

 This Data Processing Addendum (“DPA”) dated 1st day of October 2023 (the “Effective Date”) forms part of the “Main Agreement”.

BETWEEN

ONE GLOBAL MEDICAL TECHNOLOGY LTD a company incorporated under the laws of the Federal Republic of Nigeria with its principal office at Plot 1, Block 22, Babatunde Anjous Ave, Lekki Phase 1, Lagos. (hereinafter referred to as “Helium Health”/ “Controller”) ( which expression shall, where the context so admits, include its successors-in-title and assigns) of the first part;

 AND

The Data “Processor” ( which expression shall, where the context so admits, include its successors-in-title and assigns) of the other part;

The Controller and the Processor shall individually be referred to as “Party” and jointly as “Parties”.

BACKGROUND

  1. This Data Processing Addendum (“DPA”) forms part of the Main Agreement entered into between Helium Health and the Processor, pursuant to which Helium Health has agreed to use the Processor’s Services.
  • The purpose of this DPA is to reflect the Parties’ agreement with regard to the Processing of Personal Data, in accordance with the requirements of Data Protection Legislation.
  • In the course of providing the Services to Helium Health pursuant to the Main Agreement, the Processor may process Personal Data on behalf of the Controller, and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
  • Notwithstanding anything to the contrary in this DPA, to the extent that there is a conflict or inconsistency between the DPA, the Main Agreement, or any other agreement, with respect to the processing of Personal Data, this DPA shall prevail.

The Parties hereby agree to the terms as reproduced below:

  1. Definitions

1.1.           In this DPA, unless the context otherwise requires, the following expressions have the following meanings:

 “Data Controller”  shall mean the User of this Service, as defined in the above Terms of Use.

Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Data Subject” is an individual who is the subject of Personal Data.

 “Data Protection Legislation” means the Nigeria Data Protection Act 2023 (NDPA), Nigeria Data Protection Regulation 2019 (NDPR), the NDPR Implementation Framework, the National Health Act, the Cybercrimes (Prohibition, Prevention Etc) Act and all other applicable laws or regulations relating to the processing of Personal Data, Health Data and privacy, as such legislation shall be amended, revised, or replaced from time to time.

Health Data” means data related to the physical or mental health of an individual, including the provision of healthcare services, which reveal information about the individual’s health status.

 “Helium Health Affiliate(s)” means any entity, including but not limited to subsidiaries, parent companies, or entities under common ownership or control with Helium Health, whether directly or indirectly.

 “Instruction” means any written instruction from the Controller to the Processor detailing specific action regarding the Personal Data disclosed to the Processor.

 “Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor as a result of, or in connection with, the provision of the Services under the Main Agreement; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In the context of this DPA, Personal Data encompasses Health Data unless stated otherwise. For the avoidance of doubt, Personal Data shall include only the types of personal data listed under Annex A this DPA.

Processing” means any activity that involves the use of Personal Data or as applicable Data Protection Legislation may otherwise define processing, processes or process. It includes any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.

Services” means the services the Processor provides to the Controller pursuant to the Main Agreement.

Sub-Processor’’ means any third-party processor appointed by and on behalf of the Processor in connection with this DPA.

Supervisory Authority” means an independent public authority which is established under any Data Protection Legislation for the purpose of overseeing compliance with such legislation.

Main Agreement” means all agreement(s) which Data Processor has executed with Helium Health.

 

1.2.          In this DPA:

  1. Capitalised terms not otherwise defined in this DPA will have the meaning given to them in the Main Agreement. Except as modified below, the terms of the Main Agreement will remain in full force and effect;
    1. In consideration of the mutual obligations set out in this DPA, the Parties agree that the terms and conditions set out below will be added as an addendum to the Main Agreement. Except where the context otherwise requires, references in this DPA to the Main Agreement are to the Main Agreement as amended by this DPA;
      1. the schedule to this DPA form part of this DPA and will have the same force and effect as if set out in the body of this DPA and any reference to this DPA will include the schedules;
      1. the background section and all headings are for ease of reference only and will not affect the construction or interpretation of this DPA;
    1. unless the context otherwise requires, references to the singular include the plural and vice versa;
    1. unless the context otherwise requires, references to a “person” include any individual, body corporate, association, partnership, firm, trust, organisation, joint venture, government, local or municipal authority, governmental or supra-governmental agency or department, state or state agency or any other entity (in each case whether or not having separate legal personality);
    1. references to any statute or statutory provision will include any subordinate legislation made under it and will be construed as references to such statute, statutory provision and/or subordinate legislation as modified, amended, extended, consolidated, re-enacted and/or replaced and in force from time to time;
    1. any words following the words “include”, “includes”, “including”, “in particular” or any similar words or expressions will be construed without limitation and accordingly will not limit the meaning of the words preceding them;
    1. to the extent only of any conflict or inconsistency regarding the processing of personal data between the provisions of the Main Agreement and this DPA, this DPA will prevail;
    1. references to a Party to this DPA include references to the successors or assigns (immediate or otherwise) of that Party.

2.              Personal data types and processing purposes

  • The Controller and the Processor acknowledge that the Controller retains control of the Personal Data and remains responsible for its compliance obligations under applicable Data Protection Legislation, including providing any required notices and obtaining any required lawful basis, and for the processing instructions it gives to the Processor.
  • Personal Data shared by Helium Health shall be processed by the Processor in order to supply the Services and only for the duration of the Main Agreement and this DPA, or for such further time as the Parties shall both agree in writing.
  • Obligations of the Processor
    • The Processor shall ensure full compliance with applicable Data Protection Legislation in processing the Personal Data disclosed by the Controller or collected on behalf of the Controller.
  • The Processor shall ensure that Personal Data is only processed and stored as necessary for the purpose(s) specified in the Main Agreement and this DPA and in accordance with applicable Data Protection Legislation. Furthermore, the Processor shall make no copies of Personal Data provided by Helium Health or received through Helium Health or any Helium Health Affiliate.
  • The Processor shall only process Personal Data in accordance with the Controller’s Instruction and ensure limited processing strictly related to the Services. The Processor will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or applicable Data Protection Legislation. The Processor must promptly notify the Controller if, in its opinion, the Controller’s instruction would not comply with Data Protection Legislation. If required by law to process data outside of the Controller’s instructions, the Processor shall inform Helium Health of such legal requirement before processing.
  • The Processor will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data it carries out for the Controller, including but not limited to, the access control and security of the Personal Data, approved Sub-Processors, subcontractors and affiliates, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures. At the Controller’s request, the Processor will provide the records to the Controller within 7 business days of receiving the request.
  • At no additional cost, the Processor shall provide such information (as detailed in clause 3.4) to any Helium Health Affiliate as Helium Health may reasonably require, and within the timescales reasonably specified by Helium Health, to allow the Helium Health Affiliate to comply with its obligations under applicable Data Protection Legislation.
  • The Processor shall maintain adequate physical, technical, and administrative security measures to safeguard and ensure the protection and security of all Personal Data and Health Data (if applicable), transferred and disclosed to it by the Controller against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage. The details of adequate security measures adopted should be provided in Annex B.
  • Confidentiality
  • The Processor will ensure that anyone who has access to the Personal Data disclosed by the Controller is subject to a duty of confidentiality by putting in place a confidentiality agreement and acceptable use policies. The undertaking to confidentiality shall continue after the termination of the Main Agreement and this DPA.
  • Where the Processor processes Health Data, the Processor shall ensure that all personnel involved in the processing of Health Data receive adequate training in data protection and security measures. This training shall cover the importance of data confidentiality, access controls, incident reporting, and compliance with relevant data protection laws. The Processor shall maintain records of staff training and periodically assess the effectiveness of the training programme.
  • The Processor shall not disclose Personal Data to a third party except:

    • the prior authorisation of the Controller has been sought and obtained; or
    • the disclosure is required by law; or
    • the relevant information is already available in the public domain.
  • Personal Data Breaches
  • Any suspected, actual, threatened or potential Data Breaches must be reported as soon as identified by the Processor to the Controller, and in any event no later than 24 hours of the Processor becoming aware of the Data Breach in accordance with Annex C. The Processor shall provide sufficient information to allow the Controller to meet any required obligation to report the Data Breach to the Supervisory Authority or inform the affected Data Subjects of the Data Breach under applicable Data Protection Legislation.
  • Without undue delay, the Processor shall provide the Controller with the following information:

    • description of the nature of the Data Breach, including the categories and approximate number of both Data Subjects and Personal Data records concerned;
    • the likely consequences; and
    • description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.

5.3.       The Processor shall assist the Controller and take reasonable and commercial steps as directed by the Controller, in the investigation and take steps to manage, mitigate and remediate the Data Breach.

5.4.      Immediately following any unauthorised or unlawful Personal Data processing or Data Breach, the Parties will coordinate with each other to investigate the matter. The Processor will reasonably cooperate with the Controller in the Controller’s handling of the matter, by:

  1. assisting with any investigation and completing a risk assessment;
    1. providing the Controller with physical access to any facilities and operations affected;
    1. facilitating interviews with the Processor’s employees, former employees and others involved in the matter;
    1. making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Controller; and
    1. taking reasonable and prompt steps to mitigate the effects and to minimise any resulting damage.

5.5.     The Processor will not inform any third party of any Data Breach affecting the Personal Data without first obtaining the Controller’s prior written consent, unless when required to do so by law.

5.6.           In addition, the Processor shall:

  1. take action at the Processor’s own expense to investigate the Data Breach;
    1. not publish or release any filing, communication, notice, press release or report concerning the Data Breach, or communicate directly with Data Subjects, without Helium Health’s prior written consent;
    1. continue to promptly provide Helium Health all assistance requested to investigate the cause of and implement mitigation and remedial measures in respect of the Data Breach; and
    1. notify Helium Health without undue delay in writing if it receives from any Data Subject whose personal data forms part of the Helium Health Personal Data, or any applicable Supervisory Authority any communication and/or complaint or claim for compensation arising from or relating to the processing of Helium Health’s Personal Data.
  • Deletion and Return of Personal Data
  • The Processor shall at the end of the data processing activities or upon the written request of the Controller promptly and in any event, within 20 business days, delete all Personal Data in line with applicable Data Protection Legislation and remove any access to Personal Data.
    • The Controller may require the Processor to return all Personal Data in its possession to the Controller in the format and on the media reasonably specified by the Controller.
  • The Processor shall within 20 business days of the cessation of the Main Agreement or the DPA provide written confirmation to the Controller that it has complied with the deletion or return of Personal Data and it will not process the relevant Personal Data further.
  • Data Transfer to Foreign Jurisdiction
  • The Processor may not transfer, disclose or authorise the transfer of Personal Data to a third country without the prior authorisation  of the Controller.
  • Where Personal Data processed is transferred to a third country upon the written consent of the Controller, the Processor shall ensure that the Personal Data is adequately protected and the requirements set by applicable Data Protection Legislation is adhered to.
  • The transfer of Personal Data to a third country not in compliance with Data Protection Legislation constitutes a breach of this DPA and the Processor shall indemnify the Controller pursuant to the terms and conditions of this DPA.
  • Data Subject Right Requests
  • The Parties acknowledge that the Data Protection Legislation provides different Data Subject rights.
  • The Processor must, at no additional cost, take such technical and organisational measures as may be appropriate, and promptly assist the Controller, where relevant and applicable, to enable the Controller to comply with:
    • the rights of Data Subjects under Data Protection Legislation, including the right to access, rectification, restrict processing and delete data; and
    • information or assessment notices served on the Controller by any Supervisory Authority under the Data Protection Legislation.
  • Where a Data Subject makes a Data Subject right request to the Processor, the Processor must:
    • advise the Data Subject to submit their request to the Controller;
    • immediately notify the Controller of the request; and
    • obtain prior authorisation from the Controller before responding to the Data Subject.
  • Where the Controller makes a Data Subject right request to the Processor, the Processor shall within 2 working days take appropriate measures to respond to the request or meet any required obligations.
  • The Processor must notify the Controller immediately if it receives any complaint, notice or communication that relates directly or indirectly to either Party’s compliance with Data Protection Legislation.
  • Audit
  • The Controller has the right to carry out or appoint a third-party representative to carry out an audit on the processing operations of the Processor to determine the Processor’s compliance with its obligations under this Agreement and Data Protection Legislation.
  • The Processor will be given 30 days’ written notice in advance for the audit.
  • The Processor undertakes to give the Controller or its third-party representative the necessary support and information during the audit, in particular, to demonstrate the implementation of the organisational and technical measures put in place by the Processor. The assistance may include, but is not limited to:
  1. physical and/or remote electronic access to the Personal Data records and any other Helium Health information held at the Processor’s premises or on systems storing Personal Data;
    1. access to and meetings with any of the Processor’s personnel reasonably necessary to provide all explanations and perform the audit effectively; and
    1. inspection of all records and the infrastructure, electronic data or systems, facilities, equipment, or application software used to store, process, or transport Personal Data.
  • The Processor shall notify the Controller of any inability to disclose such information if precluded by any law or any other obligation under Data Protection Legislation. The Processor’s submission to audit also applies to the Sub-Processor under this DPA.
  • Without prejudice to the right of the Controller to conduct an audit of the Processor’s data processing activities, the Processor shall carry out any mandatory data protection and compliance audit under any Data Protection Law.
  • The notice requirement in clause 9.2 will not apply where the Controller has been notified that a Data Breach occurred or is occurring, or the Processor is in breach of any of its obligations under any Data Protection Legislation.
  • Where the Processor has conducted an information security audit, the Processor shall upon the Controller’s written request, provide the Controller with a copy of the audit report with detailed plans to remedy any security deficiencies identified. In addition, the copy of a similar audit by the Sub-processor shall be made available to the Controller, where available.
  1. Sub-Processor(s)
    1. The Processor shall not transfer or disclose the Personal Data to a Sub-Processor unless required and shall seek the prior written approval of the Controller to do so. This obligation shall continue even upon termination/cessation of this DPA.
  1. Where the Processor engages a Sub-Processor with the Controller’s consent, the Processor will enter into a data processing agreement with the Sub-Processor that imposes on the Sub-Processor substantially the same obligations that apply to the Processor under this DPA, in particular, the appropriate technical and organisational data security measures.
  1. The Sub-Processor shall only access and use Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the DPA.
  1. Upon the Controller’s written request, the Processor shall provide the Controller with copies of such contracts with Sub-Processors.
  1. The Processor shall ensure the Sub-Processor fulfils its data protection obligations. Provided always that the Processor will remain liable to the Controller for all acts and/or omissions of the Sub-Processors as if those acts or omissions were that of the Processor.
  1. Those Sub-Processors approved as at the commencement of this DPA are as set out in Annex C. The Processor must list all approved Sub-Processor in Annex Cand include any subcontractor’s name and location and contact information for the person responsible for privacy and data protection compliance.
  1. When any new Sub-processor is engaged during the term of this DPA, The Processor will, at least 30 days before the new Sub-processor starts processing any Personal Data, notify the Controller of the engagement (including the name and location of the relevant Sub-processor and the activities it will perform). The Controller may, within 90 days after being notified of the engagement of a new Sub-processor, object by immediately terminating the Main Agreement and this DPA by notifying the Processor of same.
  1. Term and Termination
  1. This Agreement will remain in full force and effect so long as:
    1. the Services are being rendered and thereby this Agreement remains in effect; or
    1. the Processor retains any Personal Data related to this Agreement in its possession or control (the “Term”).
  1. The Processor’s failure to comply with the terms of this Agreement is a material breach of the Services. In such an event, the Controller may terminate the Agreement or withdraw its authorisation of the processing of Personal Data effective immediately on written notice to the Processor without further liability or obligation.
  1. If a change in Data Protection Legislation prevents either Party from fulfilling all or part of its Agreement obligations, the Parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the Parties are unable to bring the Personal Data processing into compliance with Data Protection Legislation within 90 days, they may terminate the Agreement on written notice to the other Party.
  1. Liability and Indemnity
  1. The Processor shall indemnify Helium Health against any and all claims, actions, liabilities, losses, fines, penalties, damages and expenses (including legal expenses) incurred or suffered by or made against any of them which arise directly or indirectly out of, or in connection with, any breach by the Processor and/ or its personnel, agents, contractors or Sub-Processors of the obligations contained in this  DPA, whether or not such claims, actions, liabilities, losses, fines, damages and expenses were foreseeable at the date of entering into the Main Agreement.
  1. If a Supervisory Authority imposes a measure or penalty on the Controller on account of a culpable breach by the Processor or its Sub-Processors in fulfilling the obligations under this  DPA or on account of a violation of the Data Protection Legislation which is applicable to the Processor, the Controller may recover the costs for this measure and the penalty from the Processor, insofar as these are applicable to the Processor. This will not affect the Controller’s other rights.
  1. The Processor shall also indemnify Helium Health Affiliates and hold its directors, employees, officers and its affiliates harmless from any third party claims arising from or in connection with any breach of the provisions of this DPA or the provisions of applicable Data Protection Legislation.
  1. Data Protection Impact Assessment (DPIA)

The Processor will (taking into account the nature of the processing and the information available to the Processor) assist the Controller in ensuring compliance with its data protection impact obligations under the Data Protection Legislation by providing the Controller with the following information as soon as possible:

  1. A systemic description of the envisaged processing operations;
  2. An assessment of the necessity and proportionality of the processing operations;
  3. An assessment of the risk to the rights and freedoms of the data subject; and
  4. The measure envisaged addressing the risks, including safeguards, security measures, and mechanisms to ensure personal data protection and to demonstrate compliance with the Data Protection Legislation. This shall consider the rights and legitimate interests of the data subject(s) and other persons concerned.
  5. Notice
  1. Any notice or other communication given to a Party under or in connection with this Agreement must be in writing and delivered to:
  1. For the Controller:

One Global Medical Technology Limited

           Address:

Plot 1, Block 22

Babatunde Anjous Ave

Lekki Phase 1, Lagos

  1. Severability

If any provision of this  DPA is declared by any judicial or other competent authority to be void or otherwise unenforceable, that provision shall be severed from this DPA and the remaining provisions shall remain in force and effect.

  1. GOVERNING LAW AND JURISDICTION

16.1.        The parties to this DPA submit to the choice of jurisdiction stipulated in the Main Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

16.2.       This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Main Agreement.

Annex A

Subject matter and details of data processing
 (To be filled in by the Processor)

 Subject Matter 
Duration of the Processing 
Nature and Purpose of the Processing 
Categories of Data 
Data Subjects 
Location 

Annex B

Details of Technical and Organisational Measures

The Processor should provide a description of the technical and organisational measures implemented (including any relevant certifications and standards) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Examples of possible measures:

  1. Measures of pseudonymisation and encryption of personal data
  2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
  3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
  5. Measures for user identification and authorisation
  6.  Measures for the protection of data during transmission
  7. Measures for the protection of data during storage
  8. Measures for ensuring the physical security of locations at which personal data are processed
  9. Measures for ensuring events logging
  10. Measures for ensuring system configuration, including default configuration
  11. Measures for internal IT and IT security governance and management
  12. Measures for certification/assurance of processes and products
  13. Measures for ensuring data minimisation
  14. Measures for ensuring data quality
  15. Measures for ensuring limited data retention
  16. Measures for ensuring accountability
  17. Measures for allowing data portability and ensuring erasure

Annex C

Data Breach Management

Under clause 5.1, the Processor must report any incidents to the Controller within 24 hours after they are discovered. This applies to both incidents suffered by the Processor or any Sub-Processor. The following persons may be contacted in connection with reporting incidents:

Primary contact personSecondary contact person
(name) 
(designation) 
(address) 
(contact) 

Table B.1: Incident management contact information for Controller

In reporting each incident to the Controller, the Processor will use the following format or at least provide the information referred to in the table below.

Reporting party’s contact information
Name 
Title 
E-mail address 
Telephone number 
Information about the incident
Summary of the incident [What happened (theft or loss of data, malware/hack/DDoS, accidental publication of data and so forth) and in which way [through, for instance, the internet, e-mail, external attack and so on), and how the incident was discovered]
Nature of the incident [For example, inspection by unauthorised persons, data copied/downloaded, changes made, date deleted or destroyed, theft of data, or not known yet]
Date and time of the incident [When or during which period the incident occurred]
Date and time of discovery [When the incident was discovered]
Data subjects [The persons whose data was involved in the incident]
Number of data subjects [If appropriate, an estimate of the minimum/maximum number of people]
Which types of personal data (tick) YesNo
Name, address, city/town (business and/or private)  
Contact information (telephone number, e-mail address and so on)  
Date and place of birth (hence, nationality, too)  
Gender  
Identification information (log-in, password)  
Financial or Human Resources Management data  
Personal numbers (citizen service number, student number or the like)  
Criminal information (convictions, reprimands and so forth)  
Copy of passport  
Photograph  
Medical information or sexuality  
Religion, political preference, trade union membership  
Other, specifically:
Potential consequences (tick) YesNo
Stigmatisation or exclusion  
Harm to health  
Exposure to identity or other fraud  
Exposure to spam or phishing  
Other, specifically:
Which actions have been taken [Description of which actions have been taken to address the incident and to prevent further incidents]
Which measures have been taken [Description and explanation of which security measures apply to the personal data in question; has this data, for instance, been encrypted, hashed, pseudonymised or otherwise made inaccessible?]
International aspects [Does the incident relate to persons in other countries?]

Table B.2: Information which must be furnished when an incident is reported

Annex D

List of Approved Sub-processors

 [Processor to list out any subcontractor’s name and location and contact information for the person responsible for privacy and data protection compliance.]

 Name of Sub-processorServices (Brief desciption of services provided)Loacation/Country (Processing location)Details (e.g. brief description about security)