Last updated: May 17, 2026 · Sutrahen ModFin Ltd
SutraCare is a hospital management platform operated by Sutrahen ModFin Ltd ("we", "us", "our"). This Privacy Policy explains how we collect, use, store, and protect personal data when hospitals and patients use our platform. By using SutraCare, you agree to the terms of this policy. We are committed to complying with the Nigeria Data Protection Act (NDPA) 2023 and all applicable data protection regulations.
Sutrahen ModFin Ltd is the data controller and data processor for SutraCare. We are registered in Nigeria and operate the SutraCare platform for hospitals across Nigeria. For data protection enquiries, contact us at: privacy@sutrahenaccounting.com
We collect and process the following categories of personal data: • Patient Data: Full name, email address, phone number, date of birth, gender, blood group, genotype, address, allergies, emergency contact details, health plan type, wallet balance, and medical records (consultations, lab results, prescriptions, bills). • Staff Data: Full name, email address, phone number, role, specialty, qualification, license number, date of birth, gender, and employment type. • Hospital Data: Hospital name, address, contact details, bank account details, and Paystack subaccount information. • Usage Data: Login timestamps, session activity, audit logs of key actions performed on the platform.
We use personal data for the following purposes: • To provide and operate the SutraCare hospital management platform • To process payments and manage billing between hospitals and patients • To send transactional emails (bills, payment confirmations, welcome emails, appointment reminders) • To generate reports and analytics for hospital administrators • To maintain audit logs for security and compliance • To comply with legal and regulatory obligations under Nigerian law
We process personal data on the following legal bases under the NDPA 2023: • Consent: Patients provide explicit consent at the point of registration for their health data to be stored and processed. • Contract: Processing is necessary to provide services to hospitals under our Data Processing Agreement. • Legal Obligation: We may process data to comply with applicable Nigerian laws and regulations. • Legitimate Interests: We process usage data to maintain platform security and improve our services.
We do not sell personal data to third parties. We share data only with: • Paystack: For payment processing and subaccount settlements. Paystack is PCI-DSS compliant. • Supabase: Our database and authentication infrastructure provider. Data is stored on secure servers. • Resend: For transactional email delivery only. All third-party processors are bound by data processing agreements and are required to maintain appropriate security standards.
We retain personal data for as long as necessary to provide our services and comply with legal obligations: • Patient medical records: Retained for a minimum of 6 years in accordance with Nigerian health regulations. • Staff records: Retained for the duration of employment plus 3 years. • Billing records: Retained for 7 years for financial compliance. • Audit logs: Retained for 2 years. Hospitals may request deletion of their data upon termination of their SutraCare subscription, subject to legal retention requirements.
We implement appropriate technical and organisational measures to protect personal data, including: • Row-Level Security (RLS) on all database tables ensuring each hospital can only access their own data • Encrypted connections (HTTPS) on all platform routes • Role-based access control limiting staff access to only relevant data • Service role keys stored server-side only, never exposed to the client • Session timeouts and authentication guards on all protected routes • Audit logging of key actions including wallet credits and bill creation
As a data subject, you have the following rights: • Right to access your personal data • Right to correct inaccurate data • Right to erasure ("right to be forgotten") subject to legal retention requirements • Right to restrict processing • Right to data portability • Right to withdraw consent at any time • Right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) To exercise any of these rights, contact us at: privacy@sutrahenaccounting.com
Hospitals using SutraCare are independent data controllers for the patient and staff data they upload and manage on the platform. By onboarding to SutraCare, hospitals agree to our Data Processing Agreement and confirm they have obtained appropriate consent from their patients and staff to process their data on the platform. Sutrahen ModFin Ltd acts as a data processor on behalf of hospitals for this data.
SutraCare uses only essential session cookies required for authentication and platform functionality. We do not use advertising cookies or third-party tracking cookies.
We may update this Privacy Policy from time to time. We will notify hospitals of any material changes via email. Continued use of the platform after changes constitutes acceptance of the updated policy. The date of the last update is shown at the top of this page.
For any questions, concerns, or requests regarding this Privacy Policy or your personal data: Subrahen ModFin Ltd Email: privacy@sutrahenaccounting.com Website: care.sutrahenaccounting.com You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng
Questions about your data?
Contact our data protection team at privacy@sutrahenaccounting.com