Metaphor Laboratory Partners LLC Data Privacy Policy
Metaphor Laboratory Partners LLC and its subsidiaries—collectively referred to in this policy as “Metaphor Laboratory,” “Metaphor,” “we,” “us,” or “our”—are committed to safeguarding personal data, as it is integral to ethical research and healthcare innovation.
This policy outlines how Metaphor handles, stores and protects personal information collected through our research, digital health initiatives and professional engagements.
We have certified our adherence to the Nigerian Data Protection Regulation (NDPR) and observe other internationally recognized data protection laws to ensure lawful, secure and transparent processing of personal data—from collection to disposal. Our approach prioritizes confidentiality, regulatory compliance and respect for individual rights.
This policy provides a clear overview of how we manage personal data. It should be read in conjunction with any other data privacy notices we may provide in specific situations where additional information is necessary. This policy does not override such notices but serves as a guiding framework for Metaphor’s broader data protection practices.
To maintain data accuracy and relevance, we encourage anyone interacting with us to update their personal information as necessary. If your details change during your relationship with us, please refer to the “Contact Us” section below for the appropriate steps to update your records.
Metaphor reserves the right to modify this policy as needed. Updates will be made available on our website, and where necessary, we may notify affected persons via email and/or text.
Scope of Data We Collect
At Metaphor, we collect different types of personal data based on the nature of our interactions with individuals, including patients, clients, employees, contractors and website visitors. Personal data refers to any information that identifies or can be used to identify an individual, directly or indirectly.
Anonymous or de-identified data, where it is not possible to determine to whom the data relates, is not considered personal data under this policy.
We collect and process the following categories of data:
A. Healthcare and Research-Related Data
- Demographic Information (including but not limited to): Name, address, contact details, gender, date of birth and state of origin.
- Medical and Health Data (including but not limited to): Patient history, medical conditions, diagnoses, test results, prescriptions, clinical trial participation and biometric data.
- Treatment and Consultation Records (including but not limited to): Appointment history, physician interactions and prescribed medical regimens.
- Clinical Research Data (including but not limited to): Pseudonymized and non-pseudonymized data from clinical research participants, including genetic information and biological sample details.
More in-depth types of personal data could be collected, subject to stricter conditions for their collection and use. These may include information related to an individual’s race or ethnicity, political opinions, religious, spiritual or philosophical beliefs, trade union membership, physical or mental health, biometric data used for unique identification, genetic data and details about a person’s sex life or sexual orientation, as defined by international data protection laws such as the General Data Protection Regulation (GDPR).
B. Business and Administrative Data
- Client and Vendor Data (including but not limited to): Business contact details, company information, service usage history and contractual obligations.
- Financial Data (including but not limited to): Payment details, invoicing history, tax identification numbers and billing information.
- Employment and HR Data (including but not limited to): Employee records, work history, performance evaluations, payroll details and emergency contact information.
C. Website and Digital Interaction Data
- Technical Data: IP addresses, browser type, operating system, device identifiers and cookies for site analytics.
- Usage Data: Information about user interactions with our digital services, page visits, time spent on the site and referral sources.
- Marketing and Communication Preferences: Opt-ins for newsletters, promotional materials, and engagement with social media campaigns.
D. Third-party and Publicly Available Data
- Data from External Sources: Information obtained from healthcare professionals, regulatory authorities, business partners or publicly available sources such as LinkedIn or company websites.
- Professional Contact Information: Names, positions and work-related details of individuals affiliated with organizations we engage with.
How We Collect Data
Metaphor collects data through multiple channels, including but not limited to direct interactions, automated technologies and third-party providers.
Direct interactions may involve forms completed at healthcare facilities, digital platforms or during clinical trials. Data may also be gathered through website cookies, analytics tools and electronic health records.
Third-party providers, such as business partners, healthcare institutions and regulatory authorities, may share necessary information to facilitate service provision.
Legal Basis and Data Protection Principles
Metaphor Laboratory processes personal data based on legal justifications in compliance with the NDPR and other applicable data protection laws, including international best practices. We rely on one or more of the following legal bases for processing personal data:
- Explicit Consent: We obtain clear, informed, and voluntary consent before processing personal data, particularly for sensitive categories such as health information. Individuals have the right to withdraw their consent at any time without affecting prior lawful processing.
- Contractual Obligation: Where personal data processing is necessary for the performance of a contract to which the data subject is a party, or for pre-contractual steps at the request of the individual.
- Legal and Regulatory Compliance: We process data to fulfil obligations under applicable laws, including regulatory reporting, public health guidelines and ethical research standards.
- Legitimate Interest: We process data where it is necessary for legitimate business interests, provided such interests are not overridden by the rights and freedoms of the individual.
- Vital Interests: Where processing is necessary to protect an individual’s life or safety, especially in healthcare and emergency scenarios.
- Public Interest or Official Authority: When processing is required for tasks carried out in the public interest, including medical research and health initiatives.
Data Protection Principles
In addition to compliance with the legalities of processing personal data, Metaphor adheres to the following fundamental principles:
- Legitimacy, Equity and Transparency: All personal data is processed lawfully, fairly and in a transparent manner. We inform all data subjects about the purpose and nature of processing. Third-party suppliers and contractors processing personal data on our behalf are also bound by data protection obligations.
Metaphor engages only those third parties that can demonstrate compliance and accede to contracts that meet data privacy law requirements. We also provide evidence to data protection authorities confirming adherence to these legal obligations.
- Purpose and Storage Limitation: When we collect data, it is for specific, clearly defined and legitimate purposes. Metaphor will not further process such data for other purposes unless new informed consent is obtained.
Additionally, data is retained only for as long as necessary to fulfil its intended purpose or as required by applicable regulations.
- Data Minimization: Metaphor limits data collection to only what is necessary to fulfil the intended purpose.
- Accuracy: We ensure that all personal data is accurate, complete and updated as necessary.
- Security, Integrity and Confidentiality: Metaphor employs stringent security measures, including encryption, access controls and data anonymization where applicable, to protect data from unauthorized access, loss or damage.
Accountability and Compliance Measures
Metaphor conducts regular internal audits and compliance assessments to ensure adherence to this policy and data protection laws. All employees handling personal data must complete mandatory data protection training upon hiring and participate in periodic refresher courses.
In the event of a data breach, Metaphor will promptly notify the Nigerian Data Protection Commission (NDPC) or other relevant authorities within 72 hours, as required by the Nigeria Data Protection Act, 2023. When applicable, affected individuals will also receive notifications.
Third parties processing data on Metaphor’s behalf must comply with strict contractual obligations that align with our data protection standards.
How We Use Data and Ensure Its Security
Metaphor processes personal data for the following purposes:
- Conducting clinical research, including data analysis and reporting.
- Facilitating patient engagement and follow-up.
- Enhancing healthcare services through digital health innovations.
- Ensuring compliance with regulatory and ethical requirements.
- Communicating with stakeholders, including clients and research participants.
- Improving service delivery, product development and customer experiences.
Data Sharing and Transfers
Metaphor may share personal data under strict security measures with regulatory authorities to ensure compliance with medical research and healthcare regulations. In our collaborations with research institutions and healthcare providers for studies, we ensure that all data is anonymized where necessary.
Additionally, third-party service providers assisting in data processing, cloud storage and IT security receive access under strict confidentiality agreements. In cases where legal obligations require, data may also be shared with law enforcement or legal entities.
Data Retention Policy
We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy. Retention periods depend on legal and regulatory requirements, the nature of the data collected and ongoing research needs. When data is no longer required, it is securely deleted or anonymized.
Security Measures
Metaphor is committed to maintaining the highest standards of data security to prevent unauthorized access, loss or breaches. We employ multiple layers of security to ensure the protection of personal data:
- Encryption: All sensitive data is encrypted both in transit and at rest.
- Access Controls: Only authorized personnel have access to specific data, with role-based permissions.
- Regular Security Audits: Routine evaluations are conducted to identify vulnerabilities.
- Incident Response Plan: A structured plan is in place for handling security breaches to ensure timely detection, reporting and mitigation.
Rights of Data Subjects
Individuals whose personal data is processed by Metaphor have the following rights under the NDPR and other applicable laws:
- Right to Access: You have the right to request a copy of the personal data we hold about you and obtain information about how it is processed.
- Right to Correction: If your personal data is inaccurate or incomplete, you have the right to request a correction.
- Right to Deletion (Right to be Forgotten): Under certain circumstances, you have the right to request the deletion of your personal data, except where retention is required for legal, regulatory or public interest purposes.
- Right to Object to Processing: You have the right to object to the processing of your data if it affects your fundamental rights and freedoms, unless we have compelling legitimate grounds to continue processing it.
- Right to Restriction of Processing: As an alternative to an outright objection, you may request that we temporarily suspend the processing of your data under certain conditions, such as if the accuracy of the data is contested.
- Right to Data Portability: Where applicable, you have the right to request your data in a structured, commonly used, machine-readable format and transfer it to another service provider.
- Right to Withdraw Consent: If processing is based on consent, you may withdraw your consent at any time. This will not affect the legality of prior processing.
- Right Against Profiling: You have the right not to be subject to a decision based solely on automated processing that may have legal implications for you.
- Right to Lodge a Complaint: If you believe your rights have been violated, you have the right to file a complaint with the NDPC or any relevant data protection authority.
How to Exercise Your Rights
To exercise any of these rights, submit a written request via email to info@metaphorlaboratory.com or contact us at our registered office address. We may require identity verification before fulfilling your request to ensure data security.
Metaphor will respond to valid requests within one month. Where necessary, we may extend this period by an additional two months depending on the complexity of the request, in which case we will provide an explanation.
Protection of Children’s Privacy
Metaphor is committed to protecting the privacy of children and ensuring that their personal data is handled with the highest level of care. We do not knowingly collect, process or store personal information from minors without verified parental or legal guardian consent. The age at which an individual is considered a minor is subject to applicable federal and state laws.
If a minor attempts to provide unauthorized personal information through our platforms or during research engagements, we will take immediate steps to delete the data upon discovery.
If a healthcare provider or legal guardian consents to a minor’s participation in research involving data collection, strict confidentiality and data protection measures will apply to safeguard the minor’s information.
Parental and Guardian Rights
Parents or legal guardians have the right to review, correct or request deletion of their child’s data at any time. If you believe we may have collected personal data from a minor without proper consent, please contact us immediately so that we can investigate and take corrective action.
Compliance and Responsibilities
At Metaphor, data protection is a collective responsibility, with designated individuals and departments ensuring adherence to this policy.
Data Protection Officer (DPO)
Metaphor has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with data protection laws, conducting audits and trainings, and advising on best practices. They are in charge of investigating and responding to data breach incidents.
The DPO also serves as the primary contact for regulatory authorities and data subjects regarding data protection inquiries. They are responsible for reviewing and updating data protection policies as required.
For data protection inquiries, please contact our Data Protection Officer at:
Email: info@metaphorlaboratory.com
Phone: +2349039581408
Leadership and Organizational Responsibility
Metaphor’s Executive Leadership has ultimate responsibility for ensuring company-wide compliance with data protection laws and integrating privacy considerations into business operations. Key responsibilities include:
- Approving policies and frameworks that align with legal requirements.
- Ensuring adequate resources are allocated for data protection initiatives.
- Reviewing periodic compliance reports from the DPO.
Employee and Partner Responsibilities
Every employee, contractor and third-party service provider handling personal data must:
- Process personal data following this policy and applicable laws.
- Report any suspected data breaches or security concerns immediately.
- Participate in mandatory data protection training.
- Ensure personal data is handled securely and only accessed when necessary.
Metaphor strictly oversees third-party relationships to ensure that data is handled with the same level of care and compliance as internal operations.
Contact Us
For any inquiries or concerns regarding this policy or how Metaphor handles personal data, please contact us at:
Address 1: Metaphor Biopartners Limited
7495 New Horizon Way, Suite 210
Frederick, MD 21703, USA
Address 2: Metaphor Laboratory
142 Oba Akran Avenue
Ground Floor, Poatson House
Ikeja, Lagos, Nigeria
Phone: +234-9039581408
Email: info@metaphorlaboratory.com
We aim to respond to all inquiries within the timeframe applicable law requires. If you still believe your rights have been violated after contacting us or have questions about how your data is processed, you may also contact the Nigerian Data Protection Commission (NDPC).