Privacy Policy â€” MALUEL

Section 01

Identity of the Data Controller

Maluel Limited (formerly Rova HealthTech Limited) is the data controller responsible for your personal data. We are a deep-technology healthcare company incorporated in the Federal Republic of Nigeria, with operational and commercial presence in the United Kingdom.

Registered Trading Name: Maluel Limited

Former Name: Rova HealthTech Limited

Primary Business Address: Lagos, Federal Republic of Nigeria

UK Correspondence Address: United Kingdom (available upon request)

Official Website: rovatechltd.co.uk

Data Controller Email: info@rovatechltd.co.uk

Data Protection Enquiries: info@rovatechltd.co.uk

Where we refer to "Maluel," "we," "us," or "our" in this Policy, we mean Maluel Limited, including all affiliated subsidiaries and related entities operating under the SafeGuard product umbrella. Where we refer to "you," "user," "caregiver," or "data subject," we mean any natural person whose personal data we process in connection with our products and services.

Section 02

Scope and Application

This Privacy Policy applies to all personal data we collect, process, store, or transfer in connection with:

The SafeGuard autonomous infant monitoring platform, including all hardware components (the Sensor Coin, Guardian Hub), associated firmware, the SafeGuard mobile application and web platform, and cloud infrastructure;
The Maluel Limited corporate website and all web-based interfaces operated by us;
Clinical research, product evaluation, and pilot programmes conducted in partnership with healthcare institutions, hospitals, clinics, and research organisations;
Communications, enquiries, investor relations, and commercial partnerships;
Employment applications, contractor agreements, and supplier relationships.

This Policy does not apply to third-party websites, applications, or services that may be linked from our platforms. We are not responsible for the privacy practices of those third parties and encourage you to review their policies independently.

Section 03

Categories of Personal Data We Collect

3.1 Caregiver and Account Data

When you register for a SafeGuard account or interact with our services, we may collect:

Full name, email address, telephone number, and postal address;
Account credentials (processed in encrypted form; we do not store plaintext passwords);
Device identifiers, IP addresses, and session data;
Billing information (processed exclusively through certified third-party payment processors; we do not store raw card data);
Communication preferences and consent records.

3.2 Infant Physiological and Health Data

WARNING: The data described in this section constitutes Special Category Data under Article 9 of the UK GDPR and sensitive personal data under the NDPA 2023. It is processed exclusively for the purposes of infant safety monitoring and, where applicable, clinical research. We apply the highest available standard of protection to this data.

The SafeGuard Sensor Coin and associated platform are designed to collect, process, and transmit the following physiological parameters from monitored infants:

Blood oxygen saturation (SpO2), including melanin-compensated optical measurements;
Heart rate, heart rate variability (HRV), and cardiac rhythm indicators;
Respiratory rate, breathing pattern, and apnoea event data;
Skin temperature and core temperature estimates;
Body position, movement, and orientation via inertial measurement;
Ambient environmental parameters including temperature, humidity, and carbon dioxide (CO2) concentration;
Alert trigger records, threshold breach events, and caregiver response timestamps;
Device diagnostics, battery state, signal integrity metrics, and firmware event logs.

A critical design principle of the SafeGuard system is that primary safety logic and alert generation execute locally on the device. We do not transfer real-time physiological data to external servers as a prerequisite for safety functionality. Server-side data processing occurs for trend analysis, account synchronisation, clinical reporting, and product improvement purposes only.

3.3 Clinical Research and Institutional Data

Where our products are deployed in clinical settings, research institutions, or hospital environments, we may additionally process:

Clinical site identifiers, investigator credentials, and institutional affiliations;
Anonymised or pseudonymised cohort data for research and validation purposes;
Informed consent records and ethics committee approval references;
Adverse event and device performance reports submitted to regulatory bodies.

3.4 Data We Do Not Collect

Maluel Limited does not collect or require:

Racial, ethnic, or national origin data as a condition of product use;
Religious or philosophical beliefs;
Sexual orientation or gender identity (beyond what caregivers may voluntarily provide in profile fields);
Biometric data not directly associated with infant health monitoring functionality;
Financial account credentials or banking passwords.

Section 04

Legal Bases for Processing

We process your personal data only where we have a lawful basis to do so. Depending on the category of data and purpose of processing, our legal bases are as follows:

Contractual Necessity

Processing required to deliver SafeGuard products and services you have subscribed to, including real-time monitoring, alert delivery, and account management.

Legitimate Interests

Processing necessary for fraud prevention, network and information security, product improvement, and the protection of the vital interests of the infant being monitored. We retain records of Legitimate Interest Assessments (LIAs) for each applicable purpose.

Explicit Consent

Processing of special category infant health data where consent is required. We obtain explicit, informed, and freely given consent from caregivers prior to any physiological data collection. Consent may be withdrawn at any time without detriment to core safety features.

Vital Interests

Where processing is necessary to protect the life or physical safety of an infant or other person, particularly in emergency alert escalation scenarios.

Legal Obligation

Processing required to comply with applicable law, regulatory requirements, or lawful orders from competent authorities, including the Nigeria Data Protection Commission (NDPC) and the UK Information Commissioner's Office (ICO).

Scientific Research

Where clinical or academic institutions deploy SafeGuard in approved research settings, processing is conducted under conditions compliant with applicable research ethics frameworks, NDPA Section 2.17, and UK GDPR Article 9(2)(j).

Section 05

Purposes of Processing

We process personal data for the following specific, explicit, and legitimate purposes:

Providing, operating, and improving the SafeGuard monitoring platform and associated applications;
Delivering real-time safety alerts, escalation notifications, and caregiver communications;
Managing user accounts, authentication, and platform access;
Conducting product validation, safety testing, and firmware update delivery;
Supporting clinical evaluations, institutional pilots, and academic research partnerships;
Complying with medical device regulatory obligations under applicable law;
Responding to support queries, incident reports, and complaints;
Conducting internal analytics for platform safety improvement (on anonymised or aggregated data only, wherever possible);
Meeting our obligations to investors, regulatory bodies, and professional advisors under strict confidentiality constraints;
Pursuing legal claims or defending against legal proceedings where necessary.

We do not use your personal data or infant health data for advertising, targeted marketing profiling, sale to third parties, or any purpose incompatible with the purposes listed above. We do not sell personal data. We never have and we never will.

Section 06

Special Protections for Children's Data

The SafeGuard platform is designed exclusively for the monitoring of infants and young children. All physiological data collected relates to minors. We treat this data with the maximum level of protection available under applicable law and our own internal governance standards, which exceed statutory minimums in several respects.

In processing infant health data, we observe the following mandatory protections:

Infant physiological data is never processed or stored in identifiable form unless strictly necessary for clinical continuity, caregiver service delivery, or emergency response;
Aggregated and anonymised infant data used for research or product improvement cannot be re-linked to any individual infant through our systems by design;
Caregiver consent is the sole authorised gateway to infant data collection. No data collection commences without verified, explicit caregiver consent;
Infant data is not shared with commercial third parties for any purpose whatsoever;
Any request by a government authority or law enforcement body to access infant health data will be resisted to the full extent permitted by law. We will notify affected caregivers of such requests wherever legally permissible;
Retention of individually identifiable infant health data does not extend beyond the period necessary for the care relationship or research engagement, subject to the retention schedule in Section 10.

Section 07

Data Sharing and Disclosure

7.1 Authorised Recipients

We do not sell, rent, or trade personal data. We may share data only with the following categories of authorised recipients, and only to the extent necessary:

Certified cloud infrastructure providers operating under data processing agreements compliant with UK GDPR Article 28 and NDPA data processor obligations;
Healthcare professionals and clinical institutions where the caregiver has explicitly enrolled the infant in a monitored clinical programme;
Regulatory bodies including the Nigeria Data Protection Commission (NDPC), the UK Information Commissioner's Office (ICO), NAFDAC, and the MHRA, as required by law;
Professional legal and financial advisors bound by professional secrecy obligations;
Research partners operating under executed Data Sharing Agreements with appropriate ethical oversight;
Emergency services, where disclosure is necessary to protect the immediate life or safety of an infant.

7.2 What We Will Never Do

Regardless of commercial pressure, regulatory climate, or third-party request, Maluel Limited will not:

Sell, license, or otherwise transfer personal data or infant health data to advertising networks, data brokers, or commercial analytics companies;
Share data with any party not subject to binding data protection obligations equivalent to those we impose on ourselves;
Grant law enforcement or government agencies access to user data without a lawful, properly issued court order or statutory notice, which we will scrutinise rigorously;
Disclose data in response to informal requests, threats, or coercion of any kind.

Section 08

International Data Transfers

Maluel Limited operates across Nigeria and the United Kingdom and may utilise cloud infrastructure providers whose servers are located in other jurisdictions. Where personal data is transferred outside the country of collection, we ensure that appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the UK ICO or the European Commission, as applicable;
Adequacy decisions recognising the destination country as providing equivalent data protection;
Data processing agreements incorporating obligations no less stringent than those imposed on us by applicable law;
Transfer Impact Assessments (TIAs) conducted and documented for each transfer mechanism.

No infant physiological data is transferred to any jurisdiction that has not satisfied our internal transfer risk assessment, irrespective of the availability of standard contractual clauses. Where no adequate safeguard can be established, the transfer will not proceed.

Section 09

Data Security

We implement technical and organisational security measures proportionate to the sensitivity of the data we process and consistent with the state of the art in medical-grade data security. These measures include:

End-to-end encryption for all physiological data in transit, using TLS 1.3 or equivalent;
Encryption of infant health data at rest using AES-256 or equivalent standards;
Role-based access controls ensuring that only authorised personnel access identifiable personal data;
Multi-factor authentication for all administrative and clinical access to data systems;
Regular penetration testing and vulnerability assessments by independent security specialists;
Formal incident response procedures with mandatory notification timelines compliant with NDPA Section 40 and UK GDPR Article 33;
Physical security controls for all on-premise infrastructure;
Mandatory data protection training for all personnel with access to personal data.

Despite these measures, no system of data transmission or storage is completely immune to security risks. We will promptly notify affected data subjects of any breach that is likely to result in high risk to their rights and freedoms, in accordance with our statutory obligations and in advance of statutory deadlines wherever operationally feasible.

Section 10

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, subject to the following minimum retention periods:

Active Account Data

Retained for the duration of the active service relationship plus 5 years following account closure, for legal and audit purposes.

Infant Physiological Data

Retained for the duration of the monitoring relationship. Identifiable data is deleted or anonymised within 90 days of account closure, unless the caregiver has consented to extended retention for research purposes, or applicable law requires longer retention.

Clinical Research Data

Retained in accordance with the applicable ethics committee approval and governing research regulations, typically 10 to 15 years following conclusion of the research programme.

Device Diagnostic & Safety Log Data

Retained for 7 years for regulatory compliance, medical device post-market surveillance, and product liability purposes.

Marketing Communications Data

Retained until consent is withdrawn or until 3 years of inactivity, whichever is earlier.

Upon expiry of applicable retention periods, data is securely and irreversibly deleted or anonymised in accordance with our Data Destruction Standard (available upon request).

Section 11

Your Rights as a Data Subject

Subject to applicable law, you have the following rights in relation to your personal data:

Right of Access

You may request a copy of the personal data we hold about you, together with information about how we process it.

Right to Rectification

You may request correction of inaccurate or incomplete personal data.

Right to Erasure

You may request deletion of your personal data where we no longer have a lawful basis to retain it, subject to legal and regulatory obligations.

Right to Restriction

You may request that we limit how we use your data in certain circumstances.

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format.

Right to Object

You may object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds.

Automated Decision-Making

We do not make decisions solely by automated means that produce significant legal effects, and we maintain human clinical oversight in all alert escalation pathways.

Right to Withdraw Consent

Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing or the continued availability of core safety functionality.

To exercise any of these rights, or to raise a concern, please contact us at info@rovatechltd.co.uk. We will respond within 30 days and within the statutory timeframes prescribed by applicable law.

If you are not satisfied with our response, you have the right to lodge a complaint with:

The Nigeria Data Protection Commission (NDPC): ndpc.gov.ng
The UK Information Commissioner's Office (ICO): ico.org.uk

Section 12

Regulatory and Clinical Compliance

The SafeGuard ecosystem is designed and is being developed for regulatory submission as a medical device. Our data processing activities are structured to be compatible with the following regulatory frameworks:

ISO 13485: Quality Management Systems for Medical Devices;
IEC 62304: Medical Device Software Lifecycle;
ISO 14971: Risk Management for Medical Devices;
Nigeria's Medical Devices Regulation under NAFDAC;
UK Medical Devices Regulations 2002 (as amended) and MHRA guidance;
EU MDR 2017/745 (applicable to any EU market activity);
ICH E6 (R2) Good Clinical Practice for any clinical investigations in which SafeGuard data is used as a research instrument.

Where clinical investigations or post-market surveillance activities require access to identified or identifiable patient data, we will obtain appropriate ethics committee approval and will conduct such activities subject to additional Data Sharing Agreements with the relevant institutional partners.

Section 13

Cookies and Tracking Technologies

Our websites and web applications may use cookies and similar tracking technologies for the following purposes:

Strictly necessary cookies: Required for platform functionality, authentication, and security. These cannot be disabled without preventing core service delivery.
Performance and analytics cookies: Used to understand how users interact with our platform, on an aggregated basis. We use privacy-respecting analytics configurations that minimise data collection.
Functional cookies: Used to remember your preferences and settings.

We do not use advertising cookies, behavioural tracking technologies, or third-party marketing pixels on platforms that process infant health data. Users may manage non-essential cookie preferences through our consent management interface. Withdrawal of consent for non-essential cookies will not affect platform safety functionality.

Section 14

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, applicable law, or data processing practices. Where we make material changes, we will notify registered users by email to the address on record and will post an updated Policy on our website with a revised effective date.

We will not apply material changes retrospectively to data collected under a prior version of this Policy without obtaining fresh consent where required. Your continued use of our services following notification of material changes constitutes your acceptance of the updated Policy.

The version history of this Policy is maintained in our document management system and is available upon request for regulatory or audit purposes.

Section 15

Contact and Data Protection Enquiries

All data protection queries, subject access requests, consent withdrawals, and regulatory correspondence should be directed to:

Company: Maluel Limited

Email: info@rovatechltd.co.uk

Website: rovatechltd.co.uk

Data Protection Lead: Raphael G.U. Eriemo, Founder and Director

Effective Date: 16 May 2025

Document Reference: MAL-LEG-PP-001 Version 1.0

This Privacy Policy is a legally binding document of Maluel Limited. It has been drafted to satisfy the requirements of the Nigeria Data Protection Act 2023, the Nigeria Data Protection Regulation 2019, the UK General Data Protection Regulation, and the Data Protection Act 2018. Nothing in this document constitutes a waiver of any right, remedy, or protection available to Maluel Limited under applicable law.