Privacy Policy
(for Digital Medical Platform: Website & Mobile App)
Effective date: 01-01-2026
Who we are: AidXBait, a healthcare/medical services and retail platform operating in Egypt and selected Gulf Cooperation Council ("GCC") markets, including (as applicable) the UAE, KSA, Qatar, Bahrain, Oman and Kuwait.
Services: (a) sale of medical products and equipment (B2C/B2B), (b) online medical consultations (telehealth), and (c) home-outreach healthcare visits.
By using our Website/App/Services, you agree to this Privacy Policy and our Terms of Use.
1) What data we collect
We collect Personal Data and Health Data you provide or that we generate when delivering care and ecommerce:
- Account & identity: name, date of birth, national ID/passport (where legally required for care), photos/avatars, login credentials, language.
- Contact: email, phone, addresses (billing/shipping/visit location).
- Transactional: orders, invoices, delivery status, returns, warranty/recall history.
- Medical/health (special category): symptoms, history, medications/allergies, referrals, physician notes, diagnostic files (e.g., images, labs), consultation recordings/notes (if applicable), triage outcomes, care plans, home-visit observations, assistive-device measurements/fittings.
- Telehealth & device data: call/consult metadata, device/app diagnostics, optional wearable data you connect.
- Location: approximate geolocation (for dispatch/visit routing) and optional precise location (if you enable it).
- Payment: masked payment tokens and outcomes (we don't store raw card data; processors are PCI-DSS compliant).
- Marketing preferences: consents for email/SMS/WhatsApp.
- Technical/usage: cookies/SDKs, IP, device type, app version, crash logs.
We do not sell your personal data.
2) Why we process your data (purposes & legal bases)
We process data to:
- Provide care and services: triage, schedule, treat, deliver/maintain medical equipment; legal basis: contract, consent, and/or vital interests; for health data, explicit consent or other healthcare exemptions as allowed by local laws (e.g., PDPL Egypt, PDPL KSA, PDPL UAE).
- Operate ecommerce: orders, payments, delivery, returns; basis: contract, legitimate interests, legal obligation.
- Quality & safety: clinical audit, pharmacovigilance/UDI tracking, device recalls; legal obligation/public interest (where applicable).
- Security & fraud: identity verification, abuse prevention, cybersecurity; legitimate interests/legal obligation.
- Improvement & analytics: de-identified aggregates to improve pathways and supply planning; legitimate interests; for health data we anonymize/pseudonymize where feasible.
- Marketing: only with your opt-in; you can withdraw any time from Settings or unsubscribe link.
3) Minors & capacity
Our services are for adults. For minors (or where consent capacity is limited), we obtain consent from a parent/guardian or as permitted by local healthcare laws.
4) Cookies, SDKs & tracking
We use strictly necessary cookies/SDKs (login, basket, security), functional analytics (to improve reliability), and optional marketing tags (only with consent, where required). You can manage preferences in Settings → Privacy and device OS settings.
5) Telehealth & home-outreach specifics
- Recordings: Consultations are not recorded unless you give explicit consent or where required for quality/safety or legal defense; we'll display a clear in-app notice if recording is on.
- Emergency use: In emergencies we may process/share health information to protect your vital interests or public health as allowed by local law.
- Clinical messaging: Messages/photos you send to clinicians become part of your medical record (retained per health-record retention rules).
6) Payment processing
Payments are handled by vetted PCI-DSS processors. We store only tokens/identifiers and reconciliation data. In the UAE, financial sector rules may also apply (e.g., Central Bank Retail Services rules on retention/breach).
7) Who we share data with
- Care providers & dispatch partners: physicians, nurses, therapists, labs, radiology centers, and home-visit teams involved in your care.
- Vendors/processors: hosting, cloud, analytics (de-identified where possible), customer support, identity verification, logistics and payment gateways—bound by contracts and processing only under our instructions.
- Insurers/TPAs (if you use insurance): claim processing/authorizations.
- Regulators & law enforcement: where required by law or to protect rights/safety.
- Business transfers: in M&A/restructuring, your data may transfer subject to this Policy.
We do not permit third parties to use your health data for their own marketing.
8) International transfers & health-data localization
We operate a regional architecture with country-specific controls. Cross-border transfers follow adequacy/consent/contractual safeguards and local health-data localization rules:
- UAE: ICT in Health Fields Law (Federal Law No. 2/2019) generally prohibits storing/processing/transferring health data outside the UAE unless approved by the relevant Health Authority and MoHAP; limited exemptions exist via resolutions (e.g., for insurance, research). We maintain UAE-resident hosting for UAE patient health data and seek approvals for permitted transfers.
- KSA (Saudi Arabia): PDPL and guidance restrict cross-border transfers and increasingly require localization for sensitive/PII; transfers follow SDAIA rules and permitted mechanisms. We host Saudi patient data in KSA and use approved transfer tools when needed.
- Egypt: PDPL No. 151/2020 restricts foreign transfers unless the destination offers adequate protection or other legal grounds are met; we prioritize Egypt-resident hosting for Egyptian patient data and use PDPC-recognized transfer bases.
- Qatar, Bahrain, Oman: Each has a general PDPL (Qatar Law 13/2016; Bahrain Law 30/2018; Oman RD 6/2022). We assess adequacy and apply contracts/consents or local hosting where required.
- Kuwait: No comprehensive PDPL yet (sectoral rules apply). We still apply GDPR-style safeguards and minimize cross-border flows.
9) Security
We implement administrative, technical and physical controls appropriate to medical data: encryption in transit/at rest, access control with least privilege, MFA for staff, network segregation, audit logging, continuous monitoring, vendor due diligence, and secure SDLC. No system is 100% secure; we continually improve our controls.
10) Data retention
- Medical records: kept per national health-record retention rules or professional guidance in each country (and longer if required for legal defense).
- Ecommerce & finance: invoices/tax records retained per statutory periods.
- Marketing & support: retained until you withdraw consent or after inactivity thresholds we apply to minimize data.
11) Your rights & how to exercise them
We honor applicable rights under Egyptian and GCC laws (subject to legal/clinical limitations):
- Access, portability, correction, deletion (where applicable), restriction, objection, withdrawal of consent, and complaint to the relevant authority.
- Sensitive/health data: additional protections; we may need to keep certain records for patient safety/legal obligations even if you request deletion.
Contacts & regulators (non-exhaustive):
- Egypt: Personal Data Protection Center (PDPC/"the Centre") under MCIT.
- UAE: UAE Data Office (PDPL) and MoHAP/Health Authorities for Health Data Law matters.
- Saudi Arabia: Saudi Data & AI Authority (SDAIA).
- Qatar: Compliance per Law 13/2016 (NCSA guidance).
- Bahrain: Personal Data Protection Authority (PDPA) under the Bahrain PDPL (Law 30/2018).
- Oman: Royal Decree 6/2022.
To exercise rights: Settings → Privacy, or email the DPO: [DPO email]. We may need to verify your identity and (for medical data) consult treating clinicians before acting on your request.
12) Data breaches
If a personal-data breach occurs, we assess impact and notify regulators and affected individuals as required. Current frameworks typically require notification to the regulator within ~72 hours in Egypt and KSA; UAE timeframes depend on implementing regulations and sectoral rules. We will also notify you without undue delay if a breach is likely to harm you.
13) Third-country frameworks (GDPR/EEA visitors, DIFC/ADGM)
If you access our Services from the EEA/UK or UAE free-zones (DIFC/ADGM), we apply comparable principles (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, accountability) and use SCCs or equivalent safeguards for transfers.
14) Automated decision-making & profiling
We do not use fully automated decision-making that produces legal or similarly significant effects in clinical eligibility. We may use risk scoring (e.g., fraud/risk flags) or triage aids; a clinician or human reviewer remains in the loop for medical decisions. You can request human review of significant automated assessments where your local law grants that right.
15) Marketing communications
Marketing is opt-in where required. You may withdraw consent via Settings or the unsubscribe link in messages. Withdrawing marketing consent does not affect clinical or delivery communications.
16) Cross-app and third-party links
Our Website/App may contain links to third-party services (labs, pharmacies, logistics, payment gateways). Their privacy practices apply; please review their policies before use.
17) Changes to this policy
We may update this Policy. If changes are material, we will notify you in-app or by email at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.
18) Country addenda (operational details)
Egypt (PDPL No. 151/2020)
- DPO appointment and (when in force) registration with the PDPC.
- International transfers only to jurisdictions with adequate protection or under PDPC-approved mechanisms.
- Breach: notify the PDPC within 72 hours; notify affected individuals within 3 days thereafter (or immediately for national security concerns).
United Arab Emirates
- Health data must remain in the UAE unless an approved exception applies (ICT Health Law).
- PDPL establishes general personal-data principles/rights; the UAE Data Office oversees PDPL matters; sector regulators may impose additional rules (e.g., Central Bank for payment data).
Kingdom of Saudi Arabia
- PDPL governs processing and cross-border transfers; SDAIA is the competent regulator.
- Localization is increasingly enforced for sensitive data/PII.
- Breach: notify SDAIA within 72 hours, and affected data subjects without undue delay if there is a risk of harm.
Qatar (Law 13/2016), Bahrain (Law 30/2018), Oman (RD 6/2022)
- Each imposes controller/processor duties, data-subject rights, and transfer conditions; we apply local hosting where required and adequate safeguards for any transfers.
Kuwait
- No omnibus PDPL; we apply contractual/consent safeguards and sectoral requirements (e.g., telecom/CITRA DPPR for relevant services).
19) Contact us
- Egypt PDPC complaint: see regulator details above.
- UAE Data Office queries: see UAE Data Office resources.
- SDAIA (KSA): see SDAIA guidance/portals.
Notes on sources & alignment
This policy's legal hooks map to: Egypt PDPL No. 151/2020, UAE PDPL (Decree-Law 45/2021) plus the UAE Health Data Law (Federal Law 2/2019, Article 13) for strict health-data localization, and Saudi PDPL with 72-hour breach notification and transfer/localization guidance; plus general GCC PDPLs (Qatar 13/2016; Bahrain 30/2018; Oman RD 6/2022) and Kuwait's sectoral regime.