- 1. Purpose
- 2. Information about the Controller
- 3. How do we collect and use data?
- 4. Why and how do we use your data?
- 5. Do we use cookies?
- 6. How do we share and disclose data?
- 7. How do we handle your data?
- 9. How do we treat minors?
- 10. How can you manage your personal data?
- 11. How do we update this Notice?
Privacy Notice “Bookimed”
Last updated: 02/07/2024
Bookimed (“Bookimed” or “we”) cares for your personal data and does everything possible to protect it.
We have created this Privacy Notice (“Notice”) to help you understand what personal data is collected, stored and processed and what happens to it when you use our Website (“Website”).
1. Purpose
The Notice explains what data is collected in connection with the Website.
It also explains how we use that data, where we store it, and how we protect it.
In short:
- In order for you to use the Website and services, we need to process some of your data. If nessesary, we will ask you for your consent in advance.
- We will not share your data for third party advertising purposes.
Finally, it explains your rights in relation to your personal data.
You may generally browse our Website without providing us with your information. However, if you want to use the full functionality of our Website and services, you will need to provide some of your data.
In case you do not agree with the whole Agreement or with a part of it, please stop using our Website and Services presented on it.
2. Information about the Controller
| Controller | Bookimed Limited |
|---|---|
| Address of registration | 14 / F Golden Centre, 188 Des Voeux Road Central, Hong Kong |
| Email for general questions | marketing@bookimed.com |
| Email for personal data request | privacy@bookimed.com. |
As for privacy roles:
- Bookimed is the controller with respect to the personal data of Visitors, Clients, and Partners.
- Regarding the personal data of Representatives, Bookimed is a processor.
Please note. Our Partners act as separate controllers when providing services. To contact the Data Protection Officer of Bookimed Limited, please email privacy@bookimed.com.
We also act as a business associate under Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) regulations and use your personal health information (“PHI”) to provide support functions, activities, and services for a healthcare entity.
3. How do we collect and use data?
For your convenience we divided our users into 4 categories:
- Visitor — anyone who visits the Website.
- Client — is our end-user to whom we provide our services.
- Partner — is the legal entity that provides medical care. Note: while providing you with the medical care services our Partner acts as independent controller.
- Representative — is a user whose data we receive from our Partners: clinics, hospitals, etc.
Regardless of who you are to us (Visitor, Client, Partner, or Representative), we have only three categories of data about you:
- automatically collected data;
- data given to us by Visitor, Client, Partner;
- data received from other sources.
Important: We process medical and health data that is sensitive data. We understand the importance of keeping this data secure. We need you to understand that processing of sensitive personal data (medical and health) is necessary to provide you Service (legal basis: performance of the contract).
Automatically collected data.
When you access our Website some data is collected automatically. We need technical data to operate, maintain, and improve our Website. Such data includes:
| Category of actions | Description of the category | Legal basis |
|---|---|---|
| Your interaction with a Website. | We may collect data about your interaction with our Website. Such data includes: your interaction with the Website, the features you use, the pages you view, the way you use our Website, and the actions you take if such actions are present. | Legitimate interest |
| Device and connection data. |
We collect information about your computer, phone, tablet, or other devices you use to access the Services. Namely, we collect: connection type and settings when you access, update or use our Services. Also, the operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. Geolocation, for instance, we use your IP address and/or country preference in order to approximate your location to provide you with a better Service experience. The amount of this information we collect depends on the type and settings of the device you use to access the Services. |
Legitimate interest |
| Cookies and similar technologies | We use cookies for analytical purposes. You may disable cookies at your browser settings at any time. Find out more about our use of cookies further in this Privacy Notice and in our Cookie Policy. | Legitimate interest and/or Consent |
Data you provide to us.
Please pay attention that all data listed here is not mandatory collected. This only means that we may collect it from you.
Data given by Visitors.
During the usage of our website you may want to clarify details about our services or get a recommendation due to your case.
| Category of actions | Description of the category | Legal basis |
|---|---|---|
| Customer support |
|
Performance of the contract |
Data given to us by a Client.
When you become our Client we begin to process more data about you. All the data we collect and process is needed for the following reasons: User Account registration, request submission, rating formation, consulting in the form of conversation.
| Category of actions | Description of the category | List of data | Legal basis |
|---|---|---|---|
| User Account registration | To use our service you need to create an account. For User Account registration you will need to provide data and agree to our Terms of Service. |
Contact data:
|
Performance of the contract |
| Account customisation | In account settings, you may choose the preferred messenger (Viber, Telegram, Whatsapp) to communicate with us. Also, you choose to link your account to your social media profile (Facebook, Google+). |
Account data:
|
Performance of the contract |
| Commenting of the content / rating | On our Website you may, also, leave comments. Note: your comments will be publicly available. That is why we kindly ask you to be cautious when leaving a comment. However, you may choose to leave an anonymous comment. Also, you may delete your comment at any time, by sending us an email to contact@bookimed.com. |
|
Performance of the contract Find out more details in the Reviews & Comments Policy. |
| Submitting a request | Through your User Account, you may submit a request to us. You may upload certain data to your request. |
Trip data:
Guardian data:
Pay attention. Guardian data is collected when you are authorized to represent and to disclose data of another person. In case you decide to provide data of another person we will ask you to provide additional data. Medical data:
|
Performance of the contract Pay attention: some of the data may be kept longer due to the Legal obligation.
Consent |
| Consultation | You may also provide your data via phone conversation.Pay attention. We will let you know if your call is being recorded before we do so. If you would prefer that your call was not recorded, you can opt out by stating this, or by hanging up. |
Call Records Data:
|
Performance of the contract. |
Data given to us by a Partner.
If you are representative of the clinic or/and the hospital and you want to register an account we need to process the data about you and your company.
| Category of actions | Description of the category | List of data | Legal basis |
|---|---|---|---|
| Partner Account registration | To use our service you need to create an account. For User Account registration you will need to provide data and agree to our Terms of Service. |
Contact data:
|
Performance of the contract |
Data is given to us about the Representatives
Due to the agreements between us (Bookimed) and our Partners we receive the data that is needed for our Clients and Visitors to make a decision about the most suitable clinic and professional.
| Category of actions | Description of the category | List of data | Legal basis |
|---|---|---|---|
| Account registration | Partner registers its doctors and specialists to create a database for users convenience to choose the appropriate one. |
Contact data:
|
Performance of the contract |
| Detailed description | In order to provide a high-quality service at the choice of a specialist, we request qualification data, as this gives our Client a more complete understanding. |
Qualification data:
Scientific activity information:
|
Performance of the contract |
Data we receive from other sources.
We may also get the information from other sources and combine it with the information which we are gathering through the Website. Such sources include:
| Category of actions | Description of the category | List of data | Legal basis |
|---|---|---|---|
| Social media Data. | To use our service you need to create an account. For User Account registration you will need to provide data and agree to our Terms of Service. |
Contact data:
|
Performance of the contract |
| Data from medical providers | We may receive certain personal data from medical partners. |
|
Performance of the contract |
4. Why and how do we use your data?
4.1. We process your data for seven basic purposes:
- provision of the features of the Website;
- provision of our Services;
- providing information about our Services;
- researches and for analysis purposes;
- complying with security obligations;
- complying with our legal obligations;
- to send marketing communications.
4.2. If we need to process your data for other purposes, we will ask your consent to do so.
| Category of data processing purpose (“processing purpose”) | Description | Legal Basis | Categories of personal data |
|---|---|---|---|
| To provide the features of the Website. |
We collect the data to provide you with access to our Website and Services. Also, to maintain and improve our services. This includes using the data to:
|
Performance of a contract | Contact data, Account data. |
| To provide our Service. |
You may provide us additional data so that we can tailor our Service just for your needs. This includes using data to:
|
Performance of a contract | Contact data, Account data, Social media data, Medical data, Trip data Guardian data, Consultation data. |
| To communicate information about our Services. |
We use the data we collect to communicate with you about the Services you have requested. This includes using data to:
|
Performance of a contact | Contact data, Social media data, Medical data, Trip data, Guardian data, Consultation data |
| To communicate information about our Services. |
We use the data we collect to communicate with you about the Services. This includes using data to:
|
Legitimate interest | Contact data, Account data |
| To conduct research and for analysis purposes. | We may use data we collect for the purpose of testing, analysis, research and overall development of the product and services. This also allows us to enhance safety and security, develop new features and monitor and improve customer support. | Legitimate interest | Automatically collected data, Device and connection data, Cookies and similar technologies, Account Data. |
| To create a safe environment. | We may also use data about how you use our Website to prevent, detect, or investigate fraud, abuse, illegal use, violations of our Terms of Service, and to comply with court orders, governmental requests or applicable law. | Legitimate interest | Automatically collected data, Device and connection data, Cookies and similar technologies, Data from our partners, Contact data, Social media data, Account data, Trip data, certain Guardian data |
| To operate our business and to comply with our legal obligations. | We use the personal data you give us to run our business and to comply with our legal obligations. | Compliance with legal obligations | Automatically collected data, Device and connection data, Cookies and similar technologies, Data from our partners, Contact data, Social media data, Account data, Trip data, certain Guardian data |
| To send marketing communications. | If you are our Representative and you gave us your consent, we may use the contact details you provided to send you our marketing communications, where permitted by applicable law (unless you have opted-out). You may opt-out of receiving such communications at any time. | Consent | Contact data, Social media data. |
| Other Purposes. | We will ask for your consent to further process your personal data in case we use your personal data for other purposes. During data collection, we will send you individual messages and get your consent. | Consent |
-
Pay attention.
If we use consent as a legal basis for processing, you will have a choice to opt-in or to opt-out from any processing activity. You may withdraw your consent at any time by sending us an email to privacy@bookimed.com.
The only legal basis for processing of Medical data is the performance of a contract. We don’t use this data for no reason other than providing you with a Service.
5. Do we use cookies?
A cookie is a piece of data stored on the user’s hard drive containing information about the user. Cookies generally do not permit us to personally identify you. We generally use session cookies to save your preferences and such cookies expire when you close your browser. These cookies are likely to be analytical, or performance cookies.
Data collected by cookies may include the following:
- the website that referred you to us;
- the web pages you viewed on our Website;
- the advertisements you viewed and clicked while browsing different websites;
- browser preferences such as language;
We also collect information using web beacons (also known as “tracking pixels”).
Read more in the Cookie Policy.
However, if you do want to manage cookies, here is an instruction on how to do it. For example, you can choose to turn off all cookies. You do this through your browser settings on each browser and device that you use. Each browser is a little different, but usually, these settings are under the “options” or “preferences” menu. The links below provide information about cookie settings for the browsers:
Also, you can opt out by visiting the Network Advertising Initiative Opt Out page or by using the Google Analytics Opt Out Browser add on.
6. How do we share and disclose data?
6.1. We may share your personal data under the following conditions:
- Authorized third parties;
- Safety, Legal purposes, and Law enforcement;
- Business transfers;
- With your consent;
- Service providers.
6.2. We, as the controller, have certain obligations to secure your data. Before transferring it every vendor goes through a security audit.
6.3. We transfer your personal data to our contractors in Ukraine.
There is no adequacy decision by the European Commission.
6.4. According to the GDPR we use “appropriate safeguards” as a legal basis for transfer – Standard Contractual Clauses approved by the EU Commission. You can read more detailed information here.
We want you to pay your attention. We share your data with the Partner you have chosen to receive medical care. When signing the Agreement with the Partner, the Data Sharing Agreement and Data Transfer Agreement are mandatory parts of the deal. All the standards and procedures written down there are compliant with the EU legislation (GDPR)
Note: while providing you with the medical care services, our Partner acts as an independent controller.
We may share your personal data under the following conditions:
- Authorized third parties
- Safety, Legal purposes, and Law enforcement
- Business transfers
- With your consent
- Service providers
7. How do we handle your data?
7.1. We provide industry-standard physical, electronic, and procedural safeguards to protect personal data we process and maintain. Despite our efforts, no website, mobile application, database or system is completely secure or “hacker proof.” If you have a reason to believe that your interaction with our Website and/or Service is no longer secure, please immediately notify us by contacting us in writing at privacy@bookimed.com.
7.2. We use the Standard Contractual Clauses approved by the European Commission to ensure adequate protection in the mutual processing of data with our Partners.
7.3. We retain your personal data for as long as necessary to fulfill the purposes described in this Notice unless otherwise required by law. However, we may keep some of your personal data for as long as reasonably necessary for our legitimate business interests, including fraud detection and prevention and to comply with our legal obligations including tax, legal reporting, and auditing obligations.
7.4. Before the disclosure of your personal data to any third party we handle the vendor security check to see if there are appropriate safeguards in place.
We store your data at our servers in Germany. To handle it in a secure and compliant GDPR way we use: encryption, contractual obligations, retention controls, levels of access and vendor security check.
- Encryption & Security.
We provide industry-standard physical, electronic, and procedural safeguards to protect personal data we process and maintain. For example, we take reasonable operational and technical measures to limit access to your data. For example, data which we receive is available only to authorized employees and contractors. Also, we use encryption and other safeguards to make sure your data is safe. Such measures are reasonably designed to help protect your personal data from loss, unauthorized access, disclosure, alteration or destruction.
Despite our efforts, no website, mobile application, database or system is completely secure or “hacker proof.” As a result, we cannot guarantee or warrant the security of any information you transmit on or through the Website and you do so at your own risk. You can help keep your data safe by taking reasonable steps to protect your personal data against unauthorized disclosure or misuse. If you have a reason to believe that your interaction with our Website and/or Service is no longer secure, please immediately notify us by contacting us in writing at privacy@bookimed.com.
- Contractual obligations.
We use the Standard Contractual Clauses approved by the European Commission to ensure adequate protection in the mutual processing of data with our Partners.
Note: while providing you with the medical care services our Partner acts as independant controller.
- Retention of your personal data.
We retain your personal data for as long as necessary to fulfill the purposes described in this Notice unless otherwise required by law. However, we may keep some of your personal data for as long as reasonably necessary for our legitimate business interests, including fraud detection and prevention and to comply with our legal obligations including tax, legal reporting, and auditing obligations.
- Third-parties.
Before the disclosure of your personal data to any third party we handle the vendor security check to see if there are appropriate safeguards in place.
9. How do we treat minors?
We do not and will not knowingly collect personal data directly from any child under 16. We may process data of a child under 16 only upon a parent or guardian’s request and only after the verification of parent/guardian identity and authority to represent a child. However, if you are a parent or guardian and are concerned about the personal data of your child, please contact privacy@bookimed.com.
10. How can you manage your personal data?
In case you provide us with your personal data you may use your powers and exercise any of the rights described in this section. If you have any additional questions you can always send an email to privacy@bookimed.com and we will do our best to help you.
European Economic Area and United Kingdom residents
| Right | Description |
|---|---|
Right to access |
You can request information on whether personal data are being processed, and, where that is the case, access to this personal data and the information required by law. |
|
Right to rectification |
You can change the data if it is inaccurate or incomplete. |
|
Right to erasure |
You can send us a request to delete your personal data from our systems. We will remove them unless otherwise provided by law. |
|
Right to restrict the processing |
You may partially or completely prohibit us from processing your personal data in cases provided by law. |
|
Right to data portability |
You can request all the data you provided to us and request to transfer data to another controller. |
|
Right to object |
You may object to the processing of your personal data that is collected on the base of legitimate interest. |
|
Right to withdraw consent |
You can withdraw your consent at any time. |
|
Right to file a complaint |
If your request was not satisfied, you could file a complaint to the regulatory body. |
|
To exercise your rights, contact us. |
|
|
For EEA residents: We will answer your request within one month. If your request is not satisfied, you can submit a complaint to your local Data Protection Authority. You may find it here. |
|
|
For UK residents: We will answer your request within one month. If your request is not satisfied, you can submit a complaint at the Information Commissioner’s Office via number 0303-123-1113 or go online at www.ico.org.uk/concerns. |
|
United States residents
Your rights vary depending on the state of your residency, as indicated below.
| Right | Description | Area | |
|---|---|---|---|
|
Right to access |
You can request an explanation of the processing of your personal data. |
|
|
|
Right to correct |
You can change the data if it is inaccurate or incomplete. |
|
|
|
Right to delete |
You can send us a request to delete your personal data from our systems. |
|
|
|
Right to portability |
You can request all the data you provided to us and request to transfer data to another controller. |
|
|
|
Right to opt out of sales |
The right to opt out of the sale of personal data to third parties. |
|
|
|
Right to opt out of certain purposes |
The right to opt out of processing for profiling/targeted advertising purposes. |
|
|
|
Right to opt out of the processing of sensitive data |
The right to opt-out of processing of sensitive data. |
|
|
|
Right to opt in for sensitive data processing |
The right to opt in before processing sensitive data. |
|
|
|
Right against automated decision-making |
A prohibition against a business making decisions about a consumer based solely on an automated process without human input |
|
|
|
Private right of action |
The right to seek civil damages from a controller for violations of a statute. |
|
|
|
To exercise your rights, contact us. |
|||
|
We will answer your request within 30 to 60 days, depending on the state and legislative requirements. If your complaint is not satisfied, you can submit a complaint to the Federal Trade Commission. |
|||
|
Please note! Some states do not have privacy laws. The rights of residents of such states are governed by U.S. federal law. If your state is not on the list, please contact us. |
|||
Do not sell my personal information
California residents have the right under the California Consumer Privacy Act (“CCPA”) to opt out of the “sale” of their personal information by a company governed by CCPA.
We do not sell your personal information to anyone nor use your data as a business model.
However, we support CCPA by allowing California residents to opt out of any future sale of their personal information. If you would like to record your preference that we will not sell your data in the future, please contact us.
Do-not-track requests
California residents visiting the Website may request that we do not automatically gather and track information about their online browsing movements across the Internet.
Such requests are typically made through web browser settings that control signals or other mechanisms that allow consumers to exercise choice regarding collecting personal data about an individual consumer’s online activities over time and across third-party websites or online services.
We currently do not have the ability to honour these requests. We may modify this Privacy Notice as our abilities change.
HIPAA Rights
As a business associate under HIPAA regulations, we are committed to safeguarding your privacy and protecting the confidentiality of your PHI. This includes using and disclosing PHI for treatment, payment, and healthcare operations.
| Right | Description |
|---|---|
|
Right to request privacy protection |
You can request restrictions on certain uses and disclosures of PHI. |
|
Right to access |
You can ask for an inspection and receive a copy of your PHI. |
|
Right to amend |
You have the right to request corrections to your medical records if, on obtaining a copy of your PHI, it is found to be inaccurate or incomplete. |
|
Right to access an accounting of disclosures |
You have the right to access an accounting of disclosures, which explains who your PHI has been disclosed to and why over the past six years. Please note that this right has some exclusions. For instance, if the information is requested by a law enforcement officer or public health official. |
|
Right to be notified of a breach |
You have the right to be notified of any breach of unsecured PHI when there is reason to believe the PHI has been accessed, acquired, used, or disclosed without authorization. |
|
Right to file a complaint |
If you believe your rights are being denied or your health information isn’t being protected, you can:
|
|
To exercise your rights, contact us. |
|
|
We have 30 days to exercise your request from the moment it is received. |
|
11. How do we update this Notice?
Applicable law and our practices change over time. If we decide to update the Privacy Notice, we will post the changes on our Website. If we materially change the way in which we process your personal data, we will provide you with prior notice, or where legally required, request your consent prior to implementing such changes. We strongly encourage you to read the Privacy Notice and keep yourself informed of our practices.