MY MEDICAL GATEWAY PRIVACY POLICY

Version: 11 March 2025

Background

My Medical Gateway ("MMG", "we", "our", and "us") is the trading name of My Medical Gateway International Limited, a private limited company incorporated and registered in Hong Kong with company number 77077446. Other entities that directly or indirectly control, are controlled by, or are under common control with MMG are referred to in these terms as "MMG Group Companies". Our website http://www.mymedicalgateway.com ("Platform") is owned, operated and monitored by MMG.

We are not a medical service provider, healthcare provider, healthcare insurance provider or healthcare agent and we are not responsible for any of the healthcare services which are presented on, and made available via, our Platform ("Healthcare Services"). All such Healthcare Services are provided by accredited independent healthcare providers based in the European Union that are bound by MMG's Healthcare Provider Terms and Conditions ("Healthcare Providers").

About this Privacy Policy

In this Privacy Policy, "Personal Data" has the meaning set out in the General Data Protection Regulation (EU 2016/679) ("GDPR"), the Data Protection Act 2018, and any additional supplementary or replacement applicable laws and regulations relating to the processing of personal data and privacy ("Data Protection Laws").

We understand your privacy is important. We respect and value the privacy of everyone who visits the Platform, or shares data with MMG, and we will only collect and use Personal Data, including special categories of personal data, in a manner that is consistent with our obligations and your rights under the law.

This document ("Privacy Policy") describes:

  • The Personal Data we collect about you;
  • How we obtain your Personal Data;
  • How we use your Personal Data;
  • The basis upon which we use your Personal Data, including special categories of data;
  • How long we retain your Personal Data;
  • The parties with which we share your Personal Data;
  • How we secure your Personal Data;
  • To which countries we transfer your Personal Data; and
  • Your rights regarding your Personal Data.

The Personal Data MMG collects about you

We collect personal information from you in the ordinary course of our business, including through your use of our Platform and Services, when you contact or request information from us, when you engage Healthcare Services or as a result of your relationship with one or more of our staff, users, or affiliates.

The personal information that we process includes:

  • Identifying information, such as your name (including prefix or title);
  • Contact information, such as your postal address, email address and phone number(s);
  • Identification and background information provided by you or collected as part of our business acceptance processes and regulatory compliance;
  • Personal information provided to MMG by or on behalf of our users or affiliates or generated by MMG in the course of providing services to them, which may include special categories of data;
  • Technical information, such as the devices and technology you use and website browser settings; and
  • Any other information relating to you which you may provide to MMG.

Special categories of Personal Data

Where necessary, and with appropriate legal justification, we may also collect and process special categories of personal data (as defined under GDPR and other applicable Data Protection Laws). This can include information relating to your health, genetic or biometric data, or other sensitive information ("Special Category Personal Data"). For instance:

  • Data about your physical or mental health, treatments received, or medical history;
  • Genetic or biometric data used for the purpose of uniquely identifying you;
  • Racial or ethnic origin;
  • Religious or philosophical beliefs;
  • Data concerning your sex life or sexual orientation; and/or

We only process this Special Category Personal Data where the law allows us to do so (see Legal Grounds for Processing below).

How we obtain your Personal Data

We collect Personal Data from you and others as necessary in the course of providing Services.

We gather information about you when you provide it to us via our Platform, or interact with us directly, for instance engaging with our staff or by corresponding with us by phone, email or otherwise, or automatically when you visit our website (see our Cookies Policy).

We may obtain Special Category Personal Data about your physical or mental health, including but not limited to genetic or biometric information from application forms, notes and reports about your health and any treatment and care you've received or need, notes from calls and other communications you've had with us, records of medical services and treatment you've received, or when you provide it to us via our Platform.

How long we retain your Personal Data

We will only retain your Personal Data for as long as reasonably necessary to fulfil the purpose we collected it for, including for the purpose of satisfying any legal or regulatory requirements.

Who we share your Personal Data with

We may also share your Personal Data with certain trusted third parties in accordance with contractual arrangements in place with them, including:

  • Third parties engaged in the course of the Services we provide to users or affiliates with their prior consent, such as Healthcare Providers;
  • Our professional advisers and auditors;
  • Suppliers to whom we outsource certain support services such as word processing, translation, photocopying and document review; and
  • Our IT service providers.

Where necessary, or for the reasons set out in this Privacy Policy, Personal Data may also be shared with regulatory authorities, courts, tribunals, government agencies and law enforcement agencies. Whilst unlikely, we may be required to disclose your Personal Data to comply with legal or regulatory requirements. We will use reasonable endeavours to notify you before we do this, unless we are legally restricted from doing so.

We do not sell, rent or otherwise make Personal Data commercially available to any third party.

How we secure your Personal Data

We use a variety of technical and organisational measures to help protect your Personal Data from unauthorised access, use, disclosure, alteration or destruction consistent with applicable Data Protection Laws.

We have appointed a Data Protection Officer under Article 37 of the GDPR as our core activities require large-scale processing of Special Category Data.

Legal grounds for processing your Personal Data (including Special Category Personal Data)

Under the GDPR and other applicable laws, we must ensure that each use of your Personal Data is supported by a lawful basis. We rely on several such bases. In some cases, we process your Personal Data because it is necessary for a contract to which you are a party, or to take steps at your request before entering into a contract (for example, to deliver Healthcare Services). In other situations, we may process your Personal Data where it is necessary for our legitimate interests or those of a third party, provided that your interests and fundamental rights do not override those interests. Examples of these legitimate interests include administering and managing our Services and ensuring network and information security.

We may also process your Personal Data where required for compliance with legal obligations (for instance, under health and safety legislation or other regulatory requirements). In certain circumstances, particularly where we handle Special Category Personal Data not covered by the above grounds, we rely on your explicit consent (for example, if we need to process specific health data). You have the right to withdraw this consent at any time.

We may also process Special Category Personal Data such as health data, race, religion, or genetic or biometric data, which enjoy enhanced protection under data protection laws. In addition to relying on one of the lawful bases mentioned above, we must have an additional justification for processing these categories. Processing may be necessary for the provision of Healthcare Services, including preventive or occupational medicine, medical diagnosis, or the management of healthcare systems. It may also be necessary for reasons of substantial public interest, such as fraud prevention or protecting someone's welfare, or for establishing, exercising, or defending legal claims. In some cases, it may be required to protect vital interests where an individual is physically or legally incapable of giving consent. If none of these justifications apply, we will seek your explicit consent before processing these special categories of Personal Data.

How we use your Personal Data

We collect and process your Personal Data in a number of ways, including through your use of our Platform and in the provision of our Services.

We collect, process, hold and use Personal Data provided to us by or on behalf of our users or affiliates in the course of and in connection with the Services we provide.

We have set out a description of the ways we may use your Personal Data in the table below and, in each case, on which legal bases we rely in doing so. Our legitimate interests to do so are identified where appropriate.

| Purpose/Activity | Lawful basis for processing (including legitimate interests) |
| --- | --- |
| To register you as potentially interested in services from Healthcare Providers listed on our website. | Necessary for our legitimate interests (to develop our services and grow our business). |
| To manage our relationship with you which will include: (a) notifying you about changes to our privacy policy; (b) inviting you to complete a medical history questionnaire; | (a) Necessary to comply with a legal obligation. (b) Necessary for our legitimate interests (to keep our records updated and to consider website users', patients', and healthcare providers' interest in our services or future services and how to develop them and grow our business). Your consent. |
| To deliver relevant content to you and measure or understand the effectiveness of providing said content | Necessary for our legitimate interests (to study how website users, patients and/or other healthcare providers may use our services, to grow our business and to inform our marketing strategy). |
| To assist Healthcare Providers in their evaluation of your suitability for a procedure or treatment and manage their capacity for the relevant / required treatments. | Necessary for the performance of a contract with you and for our legitimate interests (to provide efficient Healthcare Services). |

Children

The minimum age to use our Platform is 18 years of age. We do not knowingly collect or use Personal Data from anyone under 18 years of age. If we learn that we have collected Personal Data from anyone under 18 years of age, the personal data will be deleted as soon as possible. If a child under 18 years of age has provided us with Personal Data, their parent or guardian may contact us.

Countries to which we transfer your Personal Data

In order to provide our services, MMG may need to transfer your Personal Data to locations outside the jurisdiction in which you provide it or where you are viewing the Platform for the purposes set out in this Privacy Policy.

This may entail a transfer of your information from a location within the European Economic Area (the "EEA") to outside the EEA, or from outside the EEA to a location within the EEA.

The level of information protection in countries outside the EEA may be less than that offered within the EEA. Where this is the case, we will implement appropriate measures to ensure that your Personal Data remains protected and secure in accordance with applicable Data Protection Laws. We can also transfer Personal Data to countries that have not been assessed as adequate if we use appropriate safeguards.

The main safeguards we use are:

  • regulator-approved Standard Contractual Clauses; and
  • additional contractual, organisational, and technical measures (as required following a risk assessment of the transfer).

Transfers within the MMG Group Companies will at all times be covered by an agreement that contractually obliges each company to ensure an adequate and consistent level of protection.

Your rights regarding your Personal Data

GDPR and other applicable Data Protection Laws provide certain rights for data subjects. We would like to make sure you are fully aware of all of your rights under Data Protection Laws.

Under GDPR, every user has the following rights:

  • You have the right to request we correct any information you believe is inaccurate.
  • You also have the right to request we complete information you believe is incomplete.
  • You have the right to request we erase your personal data, under certain conditions.
  • You have the right to request we restrict the processing of your Personal Data, under certain conditions.
  • You have the right to object to our processing of your Personal Data, under certain conditions.
  • You have the right to request that we transfer the data that we have collected to another organisation, or directly to you, under certain conditions.

You are entitled to request details of the data we hold about you and how we process it. You may also have a right in accordance with applicable Data Protection Laws to have it rectified or deleted, to restrict our processing of that data, to stop unauthorised transfers of your Personal Data to a third party and, in some circumstances, to have Personal Data relating to you transferred to another organisation.

If you object to the processing of your Personal Data, or if you have provided your consent to processing and you later choose to withdraw it, we will respect that choice in accordance with our legal obligations.

Your objection (or withdrawal of any previously given consent) could mean that we are unable to perform the actions necessary to achieve the purposes set out above or that you may not be able to make use of the Services and products offered by us. Please note that even after you have chosen to withdraw your consent, we may be able to continue to process your Personal Data to the extent required or otherwise permitted by law, in particular in connection with exercising and defending our legal rights or meeting our legal and regulatory obligations.

Complaints

If you have any concerns about our use of your Personal Data, you can make a complaint to us at the contact details at the end of this Privacy Policy. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request. We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled / required to deal with the request in a different way.

If you remain unhappy with how we've used your Personal Data after raising a complaint with us, you can also complain to the Information Commissioner's Office here.

Contact us

We must ensure that your Personal Data is accurate and up to date, therefore please advise us immediately of any material changes to the information we hold.

In addition, if you have any questions about the processing of your Personal Data or this Privacy Policy, please get in touch with our Data Protection Officer and privacy team at info@mymedicalgateway.com.