Data Policy
Effective Date: March 1, 2026
Last Updated: March 1, 2026
1. Overview
This Data Policy explains what data Lafia collects, where it is stored, how it is processed, and how long it is retained. This supplements our Privacy Policy with technical details about our data practices.
2. Data Storage
Platform Data: Stored in Supabase (PostgreSQL) with encryption at rest. Infrastructure hosted in the United States.
Health Records: Stored in our FHIR-compliant health data system (Medplum) using the HL7 FHIR R4 standard. All health records are encrypted and access-controlled.
Files and Attachments: Stored in encrypted cloud storage with access controls.
3. Data Processing
AI Processing: Health data may be processed by AI models (Google Gemini, Anthropic Claude) to generate personalized health insights. AI processing is:
- Performed in real-time and not stored by AI providers beyond the request lifecycle
- Subject to data processing agreements with each AI provider
- Used only to improve your personal health experience, not for model training
Analytics: Anonymized and aggregated data may be used for platform improvement and population health insights.
4. Data Transfers
Your data may be processed by service providers in different jurisdictions. All transfers are protected by:
- Data Processing Agreements (DPAs)
- Standard Contractual Clauses where applicable
- Encryption in transit (TLS 1.3)
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days |
| Health records | Minimum 7 years (per medical records law) |
| Audit logs | 7 years |
| Chat history | Duration of account |
| Payment records | 7 years (per tax law) |
| Analytics data | Anonymized, retained indefinitely |
6. Data Deletion
When you delete your account:
- Personal profile data is deleted within 30 days
- Health records are retained per medical records retention laws
- Audit logs are retained per compliance requirements
- Anonymized analytics data is retained
7. Cookies and Tracking
We use essential cookies for authentication and session management. We do not use third-party advertising trackers. Analytics cookies (if any) are anonymized and can be opted out of.
8. Third-Party Services
- Supabase: Database and authentication
- Medplum: FHIR health data management
- Stripe: Payment processing (US)
- Paystack: Payment processing (Africa)
- Resend: Transactional email
- Sentry: Error monitoring (no PHI transmitted)
- Daily.co: Telehealth video calls
- Vercel: Application hosting
9. Contact
Data inquiries: privacy@lafia.io
Lafia Health Technologies
Dallas, TX, United States
Last updated: March 30, 2026