Privacy Policy
INTRODUCTION
Welcome to the ICLINIC Privacy Policy, which contains essential information informing you of how we process your personal data.
Our purpose is to improve people’s lives by providing high quality telemedicine service which is truly affordable.
Your personal data is central to us delivering quality healthcare services and we are committed to protecting it. We comply with the General Data Protection Regulation (GDPR) and relevant implementing legislation and always commit ourselves to putting our users, subscribers, doctors and healthcare providers first and foremost.
This Privacy Policy explains how we use your personal data, to deliver our telemedicine services to you, so you can make informed choices and be in control of your personal data. This Privacy Policy governs the processing of your personal data through both ICLINIC’s website and App (the “Platform”).
Please take some time to read and understand this Privacy Policy, which must be read in conjunction with our Terms and Conditions, found here.
For Participating Doctors this Privacy Policy should be read in conjunction with our Service contract with you.
CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time in order to incorporate any changes in our processing practices or changes in the law. We will notify you when we make any material changes. This version was last updated on 10th September 2023. By continuing to use our service after you have received notification of material changes, you agree to the updated Privacy Policy.
THIRD PARTY LINKS
Our Platform may include links to third-party websites, plug-ins, and applications. By clicking on those links or enabling those connections you are allowing third parties to collect and use data about you. We have no control over these third-party websites and we are not responsible for their use of your personal data. Please read the privacy policy of every website you visit through a third-party link.
INFORMATION ABOUT US
ICLINIC [https://www.iclinic.com.cy] and the ICLINIC App (the Platform) are owned and operated by ICLINIC LIMITED, a private company duly registered and existing under the laws of the Republic of Cyprus with registered office situated at Lordou Vyronos 4, Office 401, 1046, Pallouriotissa, Nicosia, Cyprus.
In this Privacy Policy, ‘ICLINIC’, ‘WE’, ‘US’ or ‘OUR’ means ICLINIC LIMITED, who acts as a Data Controller in relation to your personal data, except for circumstances where we act as the Data Processor, for example when you opt to make an in-person appointment with one of our registered Doctors or other healthcare professionals, at their private-practice office or healthcare facilities. Any further processing of your personal data outside the Platform will make the Doctor or healthcare professional a Data Controller and will be subject to the confidentiality laws to which the specific professional is subject.
CONTACT DETAILS
We have appointed a Data Protection Officer (DPO) who is responsible for answering any questions or requests you may have in relation to this Privacy Policy.
You can contact our DPO by sending an email to info@iclinic.com.cy
Alternatively, you can contact our DPO by sending us a letter at: Data Protection Officer ICLINIC LTD, P.O.Box 29631.
Response time
We try to respond to all legitimate requests within one month of receiving the request. Occasionally, it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
HOW WE USE YOUR PERSONAL DATA
We will only use your personal data when we have a lawful basis to do so. Most commonly we will use your personal data in the following circumstances:
- Where we need to perform a contract, that is to provide you with our services or enroll you on our service as a doctor or a healthcare professional.
- Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests, for example when conducting and managing our business, to enable us to give you the best and most secure experience. You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting our Data Protection Officer using the information provided above.
- Where we need to comply with a legal obligation that we are subject to.
- Where we have your consent and, if we are processing special categories of personal data, your explicit consent.
PURPOSES FOR WHICH WE USE YOUR PERSONAL DATA
We have set out below a description of the purposes for which we use your personal data, and which of the lawful bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
PROVIDING YOU WITH A SERVICE OR REGISTERING YOU AS A DOCTOR OR HEALTHCARE PROFESSIONAL ON OUR PLATFORM
Purpose/ Activity | Lawful basis |
We collect and use your name, email and contact details to establish and deliver our service to you or register you as a Doctor or healthcare professional. | Consent and, for Doctors, Performance of a contract. |
We use your name and contact details to verify your identity where applicable | Consent and Performance of a contract. |
We use your registered email address and telephone number to send you reminders and alerts about your upcoming appointments. | Performance of contract. |
For Doctors and Healthcare professionals, we collect and review your CVs and other information about your working experience, to verify your professional qualifications | Performance of a contract. |
We obtain either directly from you or from an official public electronic database, such as the Cyprus Medical Association or Cyprus Association of Physiotherapists and other professional regulators, your license registration and practice number (Doctors and Healthcare Professionals). | Performance of a contract |
We collect your financial information to verify and carry out financial transactions related to payments made by one-time users and subscribers and payments received by our Doctors and healthcare professionals. | Performance of a contract. |
We receive information about our Subscribers’ choice of medical insurance provider and medical insurance scheme including information about your policy scheme start and end dates. | Performance of a contract. |
We collect information about your organization (where you work) and the position you hold within that organization. We need to process that information when you are part of our Corporate Client Subscriber Scheme. | Performance of a contract. |
For Doctors and healthcare professionals, we collect and display information about your location (medical office/ healthcare facility) when you choose to include this on your ICLINIC profile. | Consent. |
Log Collection: we collect log data regarding your user activity such as log in and logout times, your interaction with the platform such as scheduling appointments and joining video consultations, information about access and permissions, session information, information about the performance of the platform including error rates, security events, audit trails such as logging user actions that affect data privacy and security, compliance records which include compliance with healthcare rules and regulations and records of consent and data access requests and user engagement analytics. | Contractual necessity and Legitimate interest in maintaining the security of our platform and systems, improving the quality of the service and ensuring the platform’s reliability. |
We do not monitor or record audio or video conversations you have with our Doctors or healthcare professionals. Our chat option is session-only, specially designed with privacy and data protection in mind so it does not retain any information after the session ends. You can opt to download the contents of the chat conversation on your device. Any information you share during the video conversations or through the chat can only be viewed by you and the Doctor or healthcare professional and is protected by doctor-patient confidentiality. | Explicit Consent. |
Your personal and medical data will be used by our Doctors and healthcare professionals delivering the service to you for the purposes of making a medical evaluation, diagnosis or recommendation, or providing you with a medical prescription. | Explicit Consent |
If during the call the doctor or healthcare professional decides that there is a medical emergency, your personal data which includes special categories of data may be given to the emergency services. | Your Explicit consent and Vital Interests |
Our team will use your personal data to respond to your requests. | Performance of a contract. |
KEEPING YOU INFORMED
Purpose/ Activity | Lawful Basis |
We use your email address to send you activation instructions for the platform. | Performance of a contract |
We send important transactional communications by email, text message and push notification, such as successfully activating your subscription, reminders about a booked appointment, confirmation of a booking and booking charges. | Performance of a contract. |
We use your email address to send you the occasional engagement email to promote our service where you have not opted out of receiving such communications. You can unsubscribe or opt out from this kind of communication at any time. | Legitimate interest. |
We may sometimes use your email to send you information about other offers and services where you have consented to this type of communication. You can opt in or out of this type of promotional communication at any time by sending us an email at support@iclinic.com.cy | Consent. |
RESEARCH AND ANALYSIS
Purpose/ Activity | Lawful Basis |
We carry out research on our user demographics. | Legitimate Interest. |
We monitor the demand and trends of our subscription products to enable us to capacity plan. | Legitimate Interest |
Aggregated and anonymized data are used to…… | Legitimate Interest |
OTHER PURPOSES
Purpose/ Activity | Lawful Basis |
Co-operate with regulators such as Cyprus Medical Association or the Commissioner for Personal Data Protection. | Legal Obligation |
Respond to a court order | Legal Obligation |
Deal with disputes and legal claims. | Legal Obligation |
If you fail to provide personal data or keep it up to date:
Where we need to process personal data to comply with the law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to provide our products / services to you. We may be required to cancel a product or service; however, we will notify you if this is the case at the time.
At ICLINIC we take reasonable steps to ensure that the personal data we hold about you is accurate and up to date. However, you have overall responsibility for providing us with correct data and keeping it up to date on the Platform. We have no responsibility and do not accept any liability for incorrect data entered by you in the case of your information being sent to the locations you have specified.
GOOGLE CALENDAR INTEGRATION USING GOOGLE API SERVICES
Our Application provides the functionality to sync with Google Calendar through Google API Services. This integration allows you to seamlessly manage your calendar calls and appointments within our app. You can enable or disable this feature at any time. By using this feature you agree to the following collection and use of your personal data as described below:
Data Collected:
- Google account information, including your email address and profile information
- Calendar events and scheduled calls, including description of event, location, start and end times and attendee information.
- Usage data such as frequency of syncs and errors encountered.
Purpose of Data Collection:
We collect and process this data for the following purposes:
- Providing and Enhancing Services: To enable the synchronization of your Google Calendar with our app, allowing you to view and manage your events and appointments seamlessly.
- User Experience: To personalize your experience within our app by providing tailored notifications and reminders based on your calendar events.
- Security and Authentication: To verify your identity and ensure the secure use of the calendar integration feature.
- Support and Improvements: To monitor and analyze usage patterns, address any issues, and improve the overall functionality and performance of our app.
Data Sharing:
We may share the data collected through Google API Services with:
- Service Providers: Third-party service providers who assist us in providing our services, subject to strict confidentiality agreements and only for the purposes described in this policy.
- Google: In accordance with Google’s privacy policy, to facilitate the synchronization process. For more information on how Google handles your data. iClinic’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Note that apps distributed on Google Play are also subject to the Google Play Developer Distribution Agreement.
You can also find more information in the Limited Use Requirements section of the OAuth API Verification FAQ.
WHAT DATA WE HAVE ABOUT YOU
We collect and use the following categories of personal data about you:
USERS
Users’ Data:
Personal Information:
- Full Name
- Date of Birth
- Gender
- Contact Information (Email, Phone Number, Address)
- Profile Picture (optional)
Insurance Information:
- Insurance Provider
Payment Data:
- Payment Methods (Credit Card)
- Transaction History (for consultations)
Consultation Data:
- Previous Consultation Records
- Follow-up Appointments
- Feedback and Ratings on Doctor’s Service
DOCTORS AND HEALTHCARE PROFESSIONALS
Doctors’ Data:
Personal Information:
- Full Name
- Date of Birth
- Gender
- Contact Information (Email, Phone Number, Address)
- Profile Picture
Professional Credentials:
- Medical License Number
- Qualifications (Degrees, Diplomas)
- Specializations (e.g., Cardiologist, General Practitioner)
- Experience (Years of Practice, Previous Employment)
- Certifications (Board Certifications, Fellowships)
- Medical School Attended
- Professional Memberships (e.g., Medical Associations)
Work Information:
- Hospital or Clinic Affiliations
- Consultation Hours
- Telemedicine Availability (Days and Time Slots)
- Languages Spoken
- Areas of Expertise (Special procedures, research interests)
Legal and Regulatory Compliance:
- Background Check (if applicable)
Payment Information:
- Consultation Fee Structure
- Bank Account Details
- Payment Methods Accepted
Consultation Data:
- Consultation History (Types and frequency of consultations)
- Patient Feedback and Ratings
Financial data:
If you use one of our pay as you go or subscription services, your debit/credit card details are processed by a third-party processor that will store all payment and transaction data on their secure servers. We do not store your debit/credit card number on the Platform.
Technical data and analytics:
- Your login details and password are stored securely. You are responsible for maintaining your password to protect your account and we advise you to make use of security controls which are available to you.
- Data from your activity on the Platform will be collected where we have your consent to do so, including your IP address, location (based on IP address), login information, operating system, device model, version, time zone, browser, language and mobile phone carrier.
- Data such as how you use the Platform, the services you select, when you last logged on and how you interact with the Platform (such as button clicks).
Cookies:
We also use ‘cookies’. Cookies are files saved on your devices such as computer, phone or tablet when you visit a website. They collect information about how you use the website and the pages you visit. We do not use cookies on your medical or health information. You can determine what cookies we collect and find out more about how we use cookies in our Cookie Policy, which you can access here.
Information from third parties:
- Where you receive our service as part of your healthcare insurance scheme, we collect information from them and store it to enable you to activate your Subscription and manage your entitlements. This includes your name, contact information, insurance provider, insurance scheme, start and end dates.
- Where you receive our service as part of our Corporate Client Scheme, we collect information from them and store it to enable you to activate your Subscription and manage your entitlements. This includes your name and contact information, the name of your employer/ organization and may also include your position within the organization.
WHO YOUR DATA IS SHARED WITH
Your privacy is paramount to us, so we share your data when it is necessary and lawful to do so as described below. We require any party who we share your data with to respect the security of your data and to only process it in accordance with the law. We do not allow our third-party service providers to use your data for their own purposes and only permit them to process your personal data for specific purposes and in accordance with our written instructions.
- We share your personal data with the doctors and healthcare professionals registered on our website. All of them are registered with their respective regulatory bodies in the Republic of Cyprus and are licensed to provide medical and other healthcare services in accordance with the laws and regulations of the Republic of Cyprus. These parties either act as data controllers in their own right or as data processors on our behalf as instructed by us in accordance with Article 28 GDPR. All of them are bound by strict confidentiality and security provisions.
- Our Video, text, in-platform chat, and email partners: We have elected to use service providers that store information within the European Economic Area (EEA). All of our service providers are bound by a contract with us.
- Payment provider: Your financial information is securely shared directly with our payment provider Stripe. You will be providing your email address and your credit or debit card information directly to “Stripe”, a company located in the USA and which operates a secure server to process payment details, encrypting your credit/debit card information and authorizing payment. We do not store your debit/credit card number on the Platform.
- Subject to your rights as set out in this policy, in the event that we undergo re-organisation or are sold to a third party, you agree that any personal information we hold about you may be transferred to that re-organised entity or third party.
- We may also need to disclose your personal information if required to do so by law or if we believe that such action is necessary to prevent fraud or cyber-crime or to protect the Platform or the rights, property or personal safety of any person.
Anonymized data
We may disclose anonymous, aggregated statistics about visitors to our Platform, subscribers and use of our services to commercial partners, prospective partners, investors, advertisers, sponsors, and other third parties and for other lawful purposes, but these statistics will not include your personal data.
INTERNATIONAL TRANSFERS
If we need to transfer your personal data out of the EEA, we ensure a sufficient degree of protection is afforded to it by ensuring the transfer is either to a country deemed adequate by the European Commission or subject to appropriate safeguards (such as Standard Contractual Clauses and binding corporate rules or, where appropriate, your explicit consent). Please email us at info@iclinic.com.cy if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
WHERE IS YOUR DATA STORED
Your data is stored in the EEA, in secure data centres. We do not store your data on your device (e.g. PC, Laptop, Mac, Tablet or Phone) or that of our healthcare professionals. Occasionally, your data is processed on servers outside of the EEA as described in this Privacy Policy. We ensure your personal data is protected in such circumstances by complying with transfer mechanisms as prescribed by the GDPR (see more detail on this under ‘International Transfers’ above).
HOW LONG DO WE KEEP YOUR PERSONAL DATA
We will only retain your personal data for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
If you have not used the service:
If you have registered as a one-time user, a Subscriber or you are receiving our services as a part of your insurance healthcare scheme or our Corporate Client Subscription Scheme and have never used the service, no medical data have been shared with our platform doctors and healthcare professionals. We will retain your personal data for up to 7 years.
If you have registered as a Subscriber or receive our services as a part of your insurance healthcare scheme or our Corporate Client Subscription Scheme and have never activated your account and are no longer eligible to receive a service, we will retain your personal data for up to two (2) years following your last eligible date.
SECURITY OF YOUR PERSONAL DATA
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority of a breach where we are legally required to do so.
We have implemented the following measures:
- All data is encrypted when it is in transit over the internet from our servers to your device.
- Both our website and our application are ISO/IEC 27001 certified.
- We regularly test our systems with penetration tests to ensure our security is robust and continues to protect your data against the latest cyber threats.
- We enforce a minimum standard for passwords to ensure they meet a certain level of strength. However, it is your responsibility to keep your password/ login information safe and confidential.
YOUR DATA PROTECTION RIGHTS
You have the following rights as per the GDPR:
Access your information: Most information we hold about you is your Subscriber or Doctor/ Healthcare Professional profile, and it is accessible from the Platform. However, you have the right to ask us to provide you with a copy of the personal data we hold about you and to check that we are lawfully processing it.
Rectify incorrect information: If you believe that any of your data is incorrect, you can ask us to rectify it. We may, however, need to verify the accuracy of the new data you provide to us.
Erase your information: This right enables you to ask us to delete or remove personal data from our systems when there is no lawful basis for us to continue processing it. You also have the right to ask us to delete or remove personal data where you have successfully exercised your right to object to processing (more information below). However, we may not always be able to comply with an erasure request for specific legal reasons that may be applicable at the time of your request. We will inform you if such a reason exists.
Object to our processing of your personal data: You can object to our processing when we are relying on legitimate interests to process your personal data. You also have the right to object where we are processing your personal data for direct marketing purposes.
Restrict further processing: This enables you to ask that we suspend further processing of your personal data when:
- The accuracy of your personal data is contested.
- Where your data has been processed unlawfully, but you do not want us to erase it.
- Where you need us to retain data, even if we no longer require it, to establish, exercise or defend legal claims, and
- You have objected to our use of your personal data, but we need to verify whether we have overriding legitimate grounds to process it.
Request transfer of your data to a third party: Your data will be provided in a structured, commonly used, machine-readable format. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. Note that this right only applies to information you have provided to us.
Withdraw your consent at any time: This is applicable where we are relying upon your consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Automated decision making and Profiling:
If we use your personal data for the purposes of automated decision-making (a decision solely by automated means without any human involvement) and those decisions have a legal (or similarly significant) effect on you, you have the right to challenge such decisions under the GDPR. You may request human intervention, express your point of view, and obtain an explanation of the decision from us. This right does not apply in the following circumstances:
- where the decision is necessary for the entry into, or performance of, a contract between DCA and you;
- the decision is authorised by law; or
- you have given your explicit consent to such processing.
At the time of publishing this Privacy Policy, we do not engage in any automated decision-making processes.
If we ever use your personal data for profiling purposes (automated processing of personal data to evaluate certain things about you), the following will apply:
- clear information explaining the profiling will be provided, including its significance and the likely consequences;
- appropriate statistical procedures will be used;
- technical and organisational measures necessary to minimise the risk of errors and to enable such errors to be easily corrected shall be implemented; and
- all personal data processed for profiling purposes shall be secured in order to prevent discriminatory effects arising out of profiling.
At the time of publishing this Privacy Policy, we do not process any personal data for profiling purposes.
Right to complain with the Supervisory authority: If you are unhappy with the ways in which we process your personal data, you have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus. Details of the complaints procedure can be found here.
EXERCISING YOUR RIGHTS
You can exercise any of the above data protection rights by emailing us at info@iclinic.com.cy
When responding to such requests we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data. This ensures that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request (such as clarifications about your subscription) to speed up our response. We try to respond to all legitimate requests within one month of receiving the request. On rare occasions, it may take us longer if your request is particularly complex or you have made a number of requests. In this case we will notify you and keep you updated.
This version was last updated on 18th August 2024.