A. INTRODUCTION AND SCOPE
This Policy applies to all internet sites and mobile applications operated under PedMD, ParentUP, Travis, Anakloud, by or on behalf of its owner, Trails Center for Children, Inc., as well as any of its subsidiaries and/or affiliates. It likewise applies to all personal information which PedMD may otherwise collect and process: (a) through its products and services, other than its site and mobile app; (b) when users interact with PedMD by other means such as, for example, in person, by telephone or through training; and (c) from PedMD’s suppliers, vendors, and other business partners.
PedMD may have additional products or services other than those made available through its website or mobile application. If additional or different disclosures are required for a specific product or service, PedMD will provide those disclosures separately on, or with, the relevant site, app, product or service. Each such specific privacy disclosure, policy or statement supplements and amends this policy.
As there may be new issuances which may govern the right to process personal data as well as the expression of consent thereto, PedMD maintains the right to amend and/or modify this document to comply with any future developments in data privacy regulations, where applicable, and to reflect any changes in the organization’s policies and/or personal data processing activities.
B. DEFINITION OF TERMS
- Anonymization: refers to the processing of data to render it in such a way that the User or the Data Subject is not or no longer identifiable.
- Consent: refers to any freely given, specific, informed indication of will, whereby the User or Data Subject, as the case may be, agrees to the collection and processing of his/her personal information.
- Data Sharing: refers to the disclosure or transfer to a third party of personal data, which may come under the control or custody of PedMD.
- Data Subject: refers to the individuals whose personal data is being processed. This may include the User/s and their patients, as the case may be.
- Personal Information / Personal Data: refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. It refers to all personal data, reports, addresses, files, records, and other data that a User of PedMD, ParentUP and Anakloud stores within the Site.
- Personal Information Controller: refers to any person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. Within the context of the availment of PedMD’s services, the Users are the personal information controllers of the personal information of their patients.
- Personal Information Processor: refers to any qualified natural or juridical person to whom a personal information controller may outsource the processing of personal data pertaining to a data subject. PedMD serves as the personal information processor of User/s with respect to the personal information of the User’s patient data.
- Processing: refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
- Public Area: means the area of the PedMD site that can be accessed by both Users and Visitors without needing to use a login ID and password.
- Restricted Area: means the area of the Site that can be accessed only by Users, and where access requires the use of a login ID and a password.
- Sensitive Personal Information: refers to personal information (a) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (b) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; (c) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and (d) Specifically established by an executive order or an act of Congress to be kept classified.
- Service / Services: refers to the PedMD, ParentUP mobile applications and website, https://www.anakloud.com
- User: refers to the licensed physician and/or individual who avails of the products and/or services of PedMD, either through its website or mobile application.
C. THE TYPES OF PERSONAL INFORMATION COLLECTED
PedMD collects different types of information from or through the Service:
- User-provided Information. When you use the Service we may collect your Personal Data. The personal information we may collect includes, among others, your name, email address, mailing address, mobile phone number, birthdate, government issued identifying information, and credit card or other billing information. It also includes other personal information, which will identify you as the User, such as geographic area or preferences. By registering an account with the Service, you will be required to provide us with both Personal Information and Sensitive Personal Information. As the use of PedMD is also limited to licensed and registered physicians, authorized to practice medicine in the Philippines pursuant to applicable laws, and to juridical persons, such as hospitals and medical facilities, that hire licensed and registered physicians to provide healthcare services, we will also store, process and/or collect your license and registration number, PRC ID, and other personal information which may establish your authority to practice medicine in the Philippines.
- Information Collected by Users from their patients. A User may store or upload into the Service, personal information or sensitive personal information of their respective clients. In this case, as the Personal Information Processor of the Users, PedMD has no direct relationship with the individuals whose Personal Data are being uploaded and/or stored by its Users. Each User is responsible for securing the required consent and providing notice to its customers and third persons concerning the purpose for which User collects their Personal Data and how this Personal Data is processed in or through the Service.
- “Automatically Collected” Information. When a User uses the Service, PedMD may automatically record certain information from the User’s device by using various types of technology, including cookies, “clear gifs” or “web beacons.” This “automatically collected” information may include IP address or other device address or ID, web browser and/or device type, the web pages or sites visited just before or just after using the Service, the pages or other content the User views or interacts with on the Service, and the dates and times of the visit, access, or use of the Service. PedMD may also use these technologies to collect information regarding a User’s interaction with email messages, such as whether the User opens, clicks on, or forwards a message. This information is gathered from all Users of the Service.
- Information from Other Sources. We may obtain information, including Personal Data, from third parties and sources other than the Service, such as our partners, advertisers, credit rating agencies, and Integrated Services. If we combine or associate information from other sources with Personal Data that we collect through the Service, we will treat the combined information as Personal Data in accordance with this Policy.
D. USE AND PROCESSING OF INFORMATION COLLECTED
PedMD collects and processes personal data for the following reasons:
- We collect and process personal data for the fulfilment of contractual services to Users. This is also used to operate, maintain, enhance and provide all features of the Service, including the information that you may request; for debugging; as well as to respond to all queries and provide support for Users of the Service.
- We may use the personal information of our Users for administrative purposes, such as customer service and providing notices; and for promotional activities, relating to products and services offered by us and by third parties we work with. You have the ability to opt-out of receiving any promotional communications by sending us an e-mail at firstname.lastname@example.org.
- We may use your anonymized personal data for statistical, analytical, research, and other related purposes to create anonymous and aggregate reports. We may also use your personal data in connection with Google Analytics, to measure and evaluate access to and traffic on the Public Area of the Service and create user navigation reports for our Site Administrators. In the event we do so, we will take the necessary safeguards required by law for the protection of your personal information.
- We may also use the information provided to us to understand and analyze the usage trends and preferences of our Visitors and Users, to improve the Service, and to develop new products, services, features, and functionality.
- We may use automatically collected information, such as cookies and similar technologies, to identify your device and record your preference. We use this information to enhance your customer experience and determine tailored content to meet your preferences and needs.
E. DISCLOSURE OF PERSONAL DATA
We do not sell or disclose the personal data we process to third parties without the consent of Users, unless we are legally required to do so; if it is necessary to fulfill the purposes for which we process personal data as mentioned above; or if such action is necessary to protect, defend and/or enforce our rights, property or the personal safety of our employees and other individuals. We only permit our authorized personnel, Users and their registered representatives to access or process personal data in the possession of PedMD. We restrict access to such information to our authorized personnel, contractors, and agents who need to know such information in order to process it for us, who are subject to strict contractual and technical safeguards, and are accountable if they fail to meet these obligations.
We work with third party service providers who provide website, application development, hosting, maintenance, and other services for us. These third parties may have access to, or process your personal data in the possession of PedMD as part of providing those services for us. We limit the information provided to these service providers to that which is reasonably necessary and sufficient for them to perform their functions. Again, all our contracts with third parties require them to maintain the strictest confidentiality of such information. Thus, whenever personal data is disclosed with the requisite consent to third parties, we ensure that such third parties are contractually obligated to comply with the requirements of the Data Privacy Act and shall process any personal data strictly in accordance with the purposes enumerated above.
F. THE RIGHTS OF USERS
1. Right to be informed: As a User, you have the right to be informed that your personal data shall be, are being, or have been processed. This right also requires us to notify you within a specific period of time if your data has been compromised, i.e. in the case of a personal data breach.
2. Right to access: You have the right to gain reasonable access to your personal data upon request. You may request access to the following:
- Contents of your personal data that were processed;
- Sources from which they were obtained;
- Names and addresses of the recipients of your data;
- Manner by which such data were processed;
- Reasons for disclosure to recipients, if there were any;
- Information on automated processes where the data will be, or is likely to be, made the sole basis for any decision which would significantly affect you;
- Date when your data was last accessed and modified; and,
- Name and address of the personal information controller
3. Right to object: You have a right to object to the processing of your personal data, including processing for direct marketing, automated processing or profiling. You likewise have the right to be notified and given an opportunity to withhold consent to the processing in case of changes to the information given to you regarding the processing of your information.
4. Right to erasure or blocking: You have the right to suspend, withdraw, or order the blocking, removal or destruction of your personal data. You can exercise this right upon discovery and substantial proof of any of the following:
- Your personal data is incomplete, outdated, false, or unlawfully obtained;
- It is being used for purposes you did not authorize;
- The data is no longer necessary for the purposes for which they were collected;
- You decided to withdraw consent, or you object to its processing, and there is no overriding legal ground for its processing;
- The data concerns personal information prejudicial to you — unless justified by freedom of speech, of expression, or of the press; or otherwise authorized;
- The processing is unlawful; or,
- The personal information controller, or the personal information processor, violated your rights as a data subject
5. Right to rectification: You have the right to dispute any inaccuracy or error in your personal data and have PedMD correct it immediately, unless the request is vexatious or unreasonable.
6. Right to data portability: Where your personal information is processed by electronic means, you have a right to obtain from PedMD a copy of your personal data in an electronic or structured format that is commonly used and allows for further use.
G. INFORMATION SECURITY POLICY
1. We apply reasonable and appropriate security measures to protect the information submitted to us, both during transmission and once we receive it. We maintain appropriate administrative, technical and physical safeguards to protect personal data against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Data in our possession. This includes, for example, firewalls, password protection and other access and authentication controls. We use SSL technology to encrypt data during transmission through the public internet, and we also employ application-layer security features to further anonymize Personal Data.
In addition, we implement the following physical, technical, and organizational controls to ensure the security of the personal data:
- PedMD implements server redundancy and creates multiple backups in different availability zones within Digital Ocean Cloud Computing Services to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
- PedMD maintains a secure computer network to protect against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;
- Data is anonymized and transferred securely when processing the information;
- Processes are in place for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach;
- Regular monitoring of server activity is done to detect security breaches; and in the event of a breach, procedures are in place to allow PedMD to take preventive, corrective and mitigating action and to inform its users about the impact of the breach and inform them about necessary steps to secure themselves from the vulnerability.
- PedMD imposes an obligation upon its employees who have access to information not intended for public disclosure, to keep all the data under strict confidentiality. This obligation shall continue even after they leave the company, transfer to another position, or upon termination of employment or contractual relations.
- PedMD implements data breach protocols that are activated when the personal data of our clients and customers are compromised.
Despite the foregoing controls, we emphasize that no method of transmission over the Internet, or method of electronic storage, is 100% secure. We cannot ensure or warrant the security of any information you transmit to us or store in our Website or mobile application, and you do so at your own risk. We also cannot guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. If you believe your personal data has been compromised, please contact our data protection officer through the contact details provided in this document. If we learn of a security systems breach, we will inform you of the occurrence of the breach in accordance with applicable law.
2. We practice the Data Minimization principle in the retention and disposal of your personal data. We only retain the Personal Data collected from you for as long as your account is active or otherwise for a limited period of time as long as we need it to fulfill the purposes for which we have initially collected it, unless otherwise required by law. We also retain and use information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, in accordance with the statute of limitations as provided by law.
When disposing of your Personal Information, we take reasonable measures to ensure that it is done properly and is not accessible to the public.
- Physical records are shredded within thirty (30) days from our receipt of the client’s opt-out;
- Copies of electronic records are removed from the active database and all third-party tools; and,
- Historical snapshots of data are only kept for one year, at the most.
3. Our disclosure of personal data to third-party processors is governed by the following safeguards:
- Support for the use of industry-standard encryption both during transmission of data and while data is at rest;
- Technical Review of third-party service to ensure it passes security standards and adheres to privacy policies of PedMD; and,
- Removal and disposal of all client data from third-party platforms upon the opt-out of the user and when data is no longer needed.
H. CHANGES AND UPDATES TO THIS POLICY
Please revisit this page periodically to stay aware of any changes to this Policy, which we may update from time to time. If we modify the Policy, we will make it available through the Service, and indicate the date of the latest revision, and will comply with applicable law. Your continued use of the Service after the revised Policy has become effective indicates that you have read, understood and agreed to the current version of the Policy.