FIRSTAI.D PRIVACY POLICY
Last Updated: 28 April 2026
At FirstAI.d, we believe your privacy is a vital part of your safety. This Privacy Policy explains what personal information we collect when you use the FirstAI.d platform (the "Platform"), how we use it, who we share it with, how long we keep it, and what rights you have over it. It applies to all users of the FirstAI.d website, mobile application, and all related services.
This Policy is incorporated by reference into our Terms and Conditions. By using the Platform, you consent to the practices described in this Policy. If you do not agree, you must not use the Platform.
We comply with the Nigeria Data Protection Act 2023 (NDPA 2023), the NDPA General Application and Implementation Directive (NDPA-GAID 2025), and the Nigeria Data Protection Regulation (NDPR). We are committed to the following core data protection principles in all our processing activities: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
1. THE DATA WE COLLECT AND HOW LONG WE KEEP IT
To deliver life-saving guidance and emergency coordination through the Platform, we collect the following categories of personal data. We practise data minimisation. That is, we collect only what is necessary for the specific purpose stated, and we do not retain it beyond that purpose.
The table below sets out each category of data, the specific data points collected, our retention period, and the purpose for collection:
| Category | Data Points | Retention Period | Purpose |
|---|---|---|---|
| Identity & Contact | Full name, email address, phone number, emergency contact details. | Duration of account + 6 years post-closure (for audit and legal compliance). | Account management, identity verification, emergency contact. |
| Health Data | Emergency symptoms, first-aid quiz responses, and medical history (if voluntarily provided). | Duration of triage session + 12 months, unless earlier deletion is requested. | Generating AI-based first aid protocols tailored to reported symptoms. |
| Real-Time Location (Foreground) | Precise GPS coordinates (lat/long) collected while the app is open and actively in use. | Session duration only. Not retained after session ends unless routing data is needed for quality review (max 30 days). | Hospital identification and ambulance navigation. |
| Real-Time Location (Background) | Not collected. The Platform does not collect location data when the app is running in the background or when a session is inactive. | N/A (not collected). | N/A. |
| Wallet & Payment Data | Wallet balance, transaction history, Dispatch Fee payments, funding method metadata (but not full card details). | Transaction records retained for 7 years (tax and financial compliance). Wallet balance data retained for duration of account. | Payment processing, fraud prevention, financial compliance, refund administration. |
| Usage Data | Device type, OS version, language preference, app interaction patterns, bandwidth performance data. | Aggregated and anonymised within 90 days. Raw usage logs retained for 12 months. | Platform optimisation, voice recognition improvement, low-bandwidth performance. |
| Communications | Support messages, feedback submissions, in-app communications. | 3 years from date of communication, or as required by law. | Customer support, dispute resolution, service improvement. |
All retention periods are subject to any overriding legal obligation that requires us to retain data for a longer period, for example, obligations under Nigerian tax law, court orders, or regulatory directives. Where such an obligation applies, we will retain only the minimum data required and will inform you where practicable.
You may request deletion of your data at any time under Section 6. Deletion requests will be honoured within the applicable retention period, subject to any legal hold obligations.
2. LEGAL BASIS FOR PROCESSING
Under the NDPA 2023 and the NDPR, we are required to have a lawful basis for each category of data processing we carry out. Our legal bases are as follows:
- Consent: You explicitly consent to our processing of your personal data when you join the waitlist, create an account, or initiate a triage session. You may withdraw consent at any time (see Section 6).
- Vital Interests: During an active medical emergency, we may process your data (including location and symptom data) where it is necessary to protect your life or health, or the life or health of another person, and you are not in a position to give or withhold consent in that moment.
- Contractual Necessity: We process certain data to fulfil our obligations to you under the Terms and Conditions, including providing the Platform's core features and facilitating ambulance dispatch and payment.
- Legitimate Interests: We process certain usage and performance data to improve the accuracy, safety, and reliability of our clinical protocols and payment systems, where our interests do not override your fundamental rights and freedoms.
- Legal Obligation: We may process and disclose your data where required to do so by Nigerian law, a binding court order, or a directive from a competent regulatory authority.
- Public Interest: We may process data where necessary to protect public health or safety, or to support the work of emergency services and public health authorities in Nigeria.
3. HOW WE USE YOUR INFORMATION
We use your personal data strictly to fulfil our mission as your emergency coordination platform. Specifically, your data is used to:
- Emergency Triage - Process your reported symptoms and trigger evidence-backed first aid instructions through the AI triage system.
- Ambulance Dispatch - Connect you to the closest Partner Hospital and coordinate dispatch of Ambulance Services using your foreground location data.
- Payment Processing - Debit Dispatch Fees from your Wallet, process refunds, and maintain transaction records for financial compliance.
- Platform Personalisation - Improve voice recognition, response accuracy, and usability based on your device type, language preference, and interaction patterns.
- Account Management - Maintain your account credentials, communication preferences, and emergency contact information.
- Safety and Fraud Prevention - Detect, investigate, and prevent fraudulent, abusive, or unsafe use of the Platform.
- Legal and Regulatory Compliance - Meet our obligations under applicable Nigerian law and respond to lawful requests from courts and regulatory authorities.
4. AUTOMATED PROCESSING
4.1 How This Works
A core feature of the Platform is an AI-driven clinical protocol system that analyses your reported symptoms and generates first aid instructions in real time. When you initiate a triage session, the system processes the following inputs to generate a first aid response:
- The symptoms and emergency description you report (either by voice or by manual entry);
- Any relevant medical history you have voluntarily provided to the Platform; and
- Your real-time location, used to identify the nearest Partner Hospital.
Based on these inputs, the automated system applies pre-programmed clinical protocols to generate a step-by-step first aid response. The response is generated automatically, without human review at the point of delivery.
You should treat all AI system outputs as general guidance only and not as a clinical diagnosis or professional medical opinion.
4.2 Limitations You Must Know
Because the AI triage system is an automated system:
- It may produce instructions that are inaccurate, incomplete, or not appropriate for your specific condition or circumstances.
- It cannot account for factors it is not told about, including pre-existing conditions, allergies, or the physical state of the injured person.
- It operates on protocols that may not have been updated to reflect the most recent medical guidance.
FirstAI.d is a Pilot Build. No automated output from the Platform should be treated as a substitute for professional emergency medical care. Always call your local Emergency Services in a life-threatening situation.
4.3 Your Right to Contest Automated Outputs
You have the right to object to any decision that has been made solely on the basis of automated processing where that decision significantly affects you. If you believe an automated output was incorrect or harmful, you may:
- Contact our support team immediately at admin@firstai-d.org;
- Request that a human member of the FirstAI.d team review the protocol that was triggered; and
- Provide feedback through the Platform so we can improve the AI system's accuracy.
We take all such reports seriously and use them to refine our clinical protocols.
5. DATA SHARING AND DISCLOSURE
We share your personal data only in the following circumstances, and only to the minimum extent necessary for the stated purpose:
- Partner Hospitals - If you initiate ambulance dispatch, we share your real-time location and relevant symptom data with the receiving Partner Hospital to enable immediate care.
- Technology Partners - We share data with carefully selected technology partners (including Leaflet, OpenStreetMap, payment processors, and cloud hosting providers) solely to keep the Platform operational. All such partners are bound by written data processing agreements that require them to protect your data and prohibit use for any other purpose.
- Legal Obligations - We may disclose your data where required by Nigerian law, in response to a valid court order, or to protect the safety, rights, or property of FirstAI.d, its users, or the public.
- Business Transfers - In the event of a merger, acquisition, or sale of assets involving FirstAI.d, your data may be transferred to the successor entity, subject to equivalent privacy protections. We will notify you before any such transfer takes effect and give you the opportunity to request deletion of your data before the transfer.
We do not share your health data with any party not listed above without your explicit, informed, and specific consent.
6. YOUR RIGHTS AS A DATA SUBJECT
Under the NDPA 2023, the NDPA-GAID 2025, and the NDPR, you have the following rights. You may exercise any of them by contacting our Data Protection Officer using the details in Section 11. We will acknowledge your request within 72 hours and aim to resolve it fully within 30 days.
- Right of Access - You may request a copy of the personal data we hold about you, together with information about how and why it is being processed.
- Right to Rectification - You may ask us to correct any inaccurate or incomplete personal data we hold about you. We may require verification of the corrected information before updating our records.
- Right to Erasure - You may request the deletion of your account and all associated personal data at any time. We will comply unless we are required by law to retain certain records (e.g. for tax, legal reporting, or audit purposes). We will tell you if a legal hold applies.
- Right to Data Portability - You may request that your personal data be provided to you in a structured, commonly used, and machine-readable format, suitable for transfer to another service.
- Right to Withdraw Consent - Where our processing is based on your consent, you may withdraw that consent at any time by contacting us or updating your in-app settings. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal, but may affect your ability to use certain features.
- Right to Object - You may object to processing carried out on the basis of legitimate interests or public interest, particularly where it affects your fundamental rights and freedoms. You may also object to any processing used for direct marketing purposes.
- Right to Object to Automated Decisions - You have the right to object to decisions made solely on the basis of automated processing that significantly affect you. See Section 4.3 for how to exercise this right.
- Right to Lodge a Complaint - If you believe that our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at: services.ndpc.gov.ng/breach.
7. INTERNATIONAL DATA TRANSFERS
The Platform integrates with global infrastructure providers, including OpenStreetMap and payment processors, whose servers may be located outside Nigeria. Where your data is transferred to or processed in a jurisdiction outside Nigeria, we ensure that appropriate safeguards are in place to protect your data to a standard that meets or exceeds the requirements of the NDPA 2023, the NDPA-GAID 2025, and the NDPR.
Such safeguards may include contractual data protection clauses, adequacy assessments, or equivalent mechanisms recognised by the Nigeria Data Protection Commission (NDPC). We will not transfer your data to a third country without ensuring an adequate level of protection is in place, and we will document the basis for each international transfer in accordance with our NDPC compliance obligations.
We prioritise hosting and processing your data on servers located within Nigeria, in support of digital sovereignty principles, where this is technically and commercially feasible.
8. DATA SECURITY
We take the security of your personal and health data seriously. The following safeguards are in place:
- All personal data is encrypted both at rest and in transit using industry-standard encryption protocols (including SSL/TLS for data in transit).
- The Platform is designed to minimise cloud transmission of health data. Where possible, first aid protocol logic is executed locally on your device to maximise both speed and privacy, particularly in low-bandwidth environments.
- Access to personal data within FirstAI.d is restricted to personnel who require it to carry out their responsibilities, and is governed by strict internal access control policies and confidentiality obligations.
- We operate security monitoring processes to detect and respond to potential threats or unauthorised access to the Platform or user data.
- Payment data is processed through PCI-DSS compliant payment processors. We do not store full credit card details on our servers.
No method of electronic transmission or storage is 100 per cent secure. While we employ all reasonable measures to protect your data, we cannot guarantee absolute security. In the event of a personal data breach that poses a risk to your rights or freedoms, we will notify you and the NDPC as required by the NDPA 2023 - within 72 hours of becoming aware of the breach where required, and without undue delay in all cases.
9. ADDITIONAL MATTERS
9.1 Children's Privacy
The Platform is not directed at, and is not intended to be used by, children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you are under 18, you must not use the Platform or submit any personal information to us.
If we become aware that we have inadvertently collected personal data from a child under 18, we will delete it promptly. If you believe we have collected such data, please contact our Data Protection Officer using the details in Section 11.
9.2 Cookies and Tracking Technologies
We use the following categories of cookies and similar tracking technologies on the Platform:
- Essential Cookies - Necessary for the Platform to function. They enable core features such as session management and security. These cannot be disabled without affecting Platform functionality.
- Analytics Cookies - Help us understand how users interact with the Platform, such as which features are used most frequently, so that we can improve performance and user experience. These cookies do not identify you personally.
You may manage or disable non-essential cookies at any time through your browser or device settings. Disabling certain cookies may affect the performance or availability of some Platform features.
We do not use advertising cookies or tracking pixels that share data with third-party advertisers.
9.3 Changes to This Policy
As FirstAI.d grows from pilot mode to wider rollout across Nigeria and beyond, we may update this Privacy Policy to reflect changes in our practices, technology, or applicable law. When we make material changes, we will notify you in advance, through the Platform, via email, or both, with no less than 7 days' notice before the changes take effect.
The date of the most recent update is always displayed at the top of this Policy. Your continued use of the Platform after any updated Policy takes effect constitutes your acceptance of the changes. If you do not agree, you must stop using the Platform and may request deletion of your data under Section 6.
10. JURISDICTION-SPECIFIC INFORMATION
FirstAI.d currently operates as an Abuja-based pilot, with plans to expand across Nigeria and eventually other African jurisdictions. The table below sets out the applicable data protection frameworks and any jurisdiction-specific notes relevant to our users:
| Jurisdiction | Applicable Framework and Notes |
|---|---|
| Nigeria (all users) | Nigeria Data Protection Act 2023 (NDPA 2023), the NDPA General Application and Implementation Directive (NDPA-GAID 2025), and the Nigeria Data Protection Regulation (NDPR). Supervisory authority: Nigeria Data Protection Commission (NDPC). |
| Other African jurisdictions (future rollout) | FirstAI.d will conduct a jurisdiction-specific compliance assessment prior to expanding to any new country. Users in those jurisdictions will be notified of applicable local frameworks and any additional rights before the service launches in their region. |
| International infrastructure partners | Where data is processed outside Nigeria by infrastructure providers (e.g. OpenStreetMap, payment processors), appropriate safeguards are in place. See Section 7. |
If you use the Platform from a jurisdiction not listed above, or if you have questions about how local data protection law applies to your use of the Platform, please contact our Data Protection Officer using the details in Section 11.
11. GRIEVANCE REDRESS AND CONTACT
We are committed to resolving all privacy concerns promptly and fairly. Our grievance redress process works as follows:
- We will acknowledge all privacy complaints and data subject requests within 72 hours of receipt.
- We aim to fully resolve all matters within 30 days. Where the complexity of a request requires more time, we will inform you of the extension and the reasons for it within the initial 30-day period.
- If you are not satisfied with our response, you have the right to escalate your complaint to the Nigeria Data Protection Commission (NDPC) at services.ndpc.gov.ng/breach.
To exercise any of your data subject rights, raise a concern, or make a general privacy enquiry, please contact us at:
Email: admin@firstai-d.org
Data Protection Officer: admin@firstai-d.org
Registered Office: Abuja, Federal Capital Territory, Nigeria
By using the FirstAI.d Platform, you confirm that you have read and understood this Privacy Policy and consent to the processing of your personal data as described herein.
© 2026 FirstAI.d. All rights reserved.