Privacy Policy

Updated on October 12, 2023

1. Introduction

HeliumDoc and its affiliates ( collectively or individually as applicable, referred to as “HeliumDoc” "We", "Us", or "Our") offer users a platform to quickly access the services of top healthcare providers in Africa (including Nigeria, Kenya, and Uganda) and the respective Gulf Cooperation Council (GCC) member states, namely Bahrain, Oman, Qatar, Saudi Arabia, Kuwait and the United Arab Emirates.

This Privacy Notice (“Notice”) governs your use of Our website https://www.heliumdoc.com/ (‘the Website”), and any other software, online platform, website, mobile or tablet application or domain used to provide Our medical services (referred to as the “Services"). We provide this Notice because you have a right to know what information We collect, why We collect it, how it is protected and used, and the circumstances under which it may be disclosed.

2. Terms of Use

You are required to comply with the provisions of Our Terms of Use in relation to the information provided.

3. Your data that we process

Personal data is any information about an individual that can be used to identify that person directly or indirectly. For example, while using the website, we may request personal information from you in order to contact or identify you, and some information may be collected automatically in order for our website to function properly. We also collect personal data from third-party sources or through your use of our services, such as when you sign-up or register for any of our services. We obtain the following information:

Health Care Providers/SpecialistsPatientsAll visitors
Full name of the person signing upFull name of the patientSearch queries
Name of the health care facilityEmail address of the patientThe IP address used to connect your device to the internet for identification purposes
Country of ResidencePhone numberLogin email address and password
Email addressAgeName of the internet service provider (ISP)
Phone numberMedical record/statusDate and time of visit
Full names of medical professionalsHome addressWeb pages visited, duration, and frequency of visits
Medical qualificationCountryBrowsing Behaviour
Type of facilityGenderDevice ID
LocationLanguage
Financial detailsFinancial details

4. Sensitive Personal Data

Sensitive personal data includes data pertaining to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trade union membership, criminal records, and any other sensitive personal information. We will only process sensitive personal data (health data) of patients on behalf of health care providers with the patients' express consent or in order to fulfil the healthcare facility's and care provider's obligation to provide care services.

5. Cookies

Cookies are tools used to automatically collect information from you when you visit Our website. We use cookies, and information about their usage is specified in Our Cookie Notice.

6. Lawful Bases for processing data

We are required to process your data under at least one of these lawful bases, as specified under the relevant data protection laws:

  • Legitimate interest: Processing your data is necessary for our legitimate interests or the legitimate interests of a third party, provided your rights and interests do not outweigh those interests.
  • Consent: You have given explicit consent for us to process your data for a specific purpose.
  • Contract: If the data processing is necessary for a contract with us or because we have asked you to take specific steps before entering that contract.
  • Legal obligation: If the processing of your data is necessary where there is a statutory obligation on us.

Purpose of Processing Your Data and the Lawful Bases

Purpose of ProcessingLawful Bases
  • To administer our services
  • To help us develop, improve, customise or restructure our services
  • To inform you whenever there are changes to our terms of business or services
  • To share personal data with third parties service providers that provide services on our behalf.
Legitimate interest, contract
  • To send marketing or promotional messages to you
  • To install non-strictly necessary cookies on your device
  • To manage personal/sensitive data of patients.
Consent
  • To take statistical data and analytics for our internal use
  • To send you service-related messages
  • To analyse site usage and provide, maintain, and improve the content and functionality of the Site.
Legitimate interest
  • To secure your data and prevent fraud
Legitimate interest, legal obligation
  • To manage your account.
  • To enforce our terms of service and any terms and conditions of any other agreements for our services.
  • To communicate with you and for patient support.
  • To recommend and match you with a patient.
  • To recommend your expert services to potential clients/patients.
  • To address your inquiries, process your registration, and complete your transactions.
  • To enable an easy and effective payment system.
Contract
  • To share data with our affiliates.
Contract, consent
  • To fulfil our Know Your Customer (KYC) obligation.
  • To interact with regulatory authorities or other public authorities concerning you
Legal obligation

7. Your Rights as a Data Subject

Depending on your location and subject to applicable law, you are vested with certain rights as a data subject. They include the right to:

  1. access personal data we hold about you by requesting a copy of the personal data we hold about you;
  2. rectify such information where you believe it to be inaccurate;
  3. restrict the processing of your data in certain circumstances;
  4. object to the processing of your data where we intend to process such data for marketing purposes;
  5. where feasible, receive all personal data you have provided to us—in a structured, commonly used, and machine-readable format—and transmit the information to another data controller;
  6. request the erasure of your data (also known as the right to be forgotten);
  7. withdraw your consent to the processing of your data;
  8. not be subjected to a decision based solely on automated processing or profiling; and
  9. lodge a complaint with a relevant authority where you have reason to believe that we have violated the term(s) of this Privacy Notice. (You may complain or seek redress from us within 30 days from when you first detected the alleged violation.)

You may seek to exercise any of the above rights at any time by sending us an email at heliumdocprivacy@heliumhealth.com.

In the event of a complaint, users may direct such a complaint to us or to the appropriate supervisory authority in their respective country. See section 12 on jurisdiction-specific provisions for more details.

8. Who do we share your data with?

We share your data with the following third-parties and affiliates:

Third PartiesPurpose of data sharing
Google AnalyticsWe use various Google APIs and services for our Website’s operation. Read Google’s Privacy Notice here.
Google Tag ManagerWe use Google Tag Manager to centrally manage all users tracking codes. Read their Privacy Notice here.
Google Ad ServicesWe use Google Ad Services to help promote our business and sell our products and services. Read Google Ads’ Privacy Notice here.
MixpanelWe use Mixpanel for product analytics and to engage users. Read Mixpanel’s Privacy Notice here.
StripeWe use Stripe to enable users to make financial transactions. Read Sripe's Privacy Notice here.
WixWe use Wix to help us create and manage our online presence. Read their Privacy Notice here.
ZapierWe use Zapier for automation. Read Zapier’s Privacy Notice here.
Google CloudThis is used to protect your data from fraudulent activity, spam, and abuse. Read Google’s Privacy Notice here.
InfobipWe use their cloud communications platform to enable us to communicate with you. Read their Privacy Notice here.
AWSWe use AWS for cloud computing. Read their Privacy Notice here.
MailchimpWe use their service to send users marketing emails. Read Mailchimp's privacy Notice here.
HotjarWe use it to analyse how users interact with our website. Read Hotjar’s Privacy Notice here.
MetaWe use their service to measure ad impressions and provide advertising and site analytics services. Read Meta’s Privacy Notice here.
Tingg by CellulantWe use their service to process payments for African countries such as Kenya. Read Tingg’s Privacy Notice here.
TermiiTermii helps us use messaging channels to verify and authenticate transactions. Read Termii’s Privacy Notice here.
Financial Institution(s)We collaborate with various financial institutions to develop and market our product, and we may only use this information to market-related products unless the customer has given consent for other uses.
Legal and Regulatory AuthorityWe may disclose your personal information if we believe it is reasonably necessary to comply with a law, regulation, order, subpoena, audit, or to protect any person's safety, or to address fraud, security, or technical issues.
Service ProvidersWe will share your personal data with service providers in order for them to provide services to us, such as payment processing service providers, or to conduct data processing on our behalf, or for data verification, centralisation, or logistics purposes.
HeliumDoc AffiliatesWe share personal data with other HeliumDoc affiliated entities, including Meddy QSTP-LLC,Meddy Technologies-FZE, One Global Medical Technology Limited, and Helium Health Limited. When we share personal data with these entities, it is for purposes identified in this Privacy Notice.

9. Retention of your data

The data and any other information we collect from you will be stored for as long as necessary to fulfil the purposes described in this Notice.

However, we will also retain data subject to relevant provisions of applicable laws, resolve disputes, prevent fraud and abuse, and enforce our legal agreements and policies. In addition, we delete your data for targeted marketing purposes once you unsubscribe from our marketing communications.

Please note that your data may be retained for a longer period, notwithstanding your request to remove it, where there is a legal requirement to do so.

10. How your data is stored and secured

We are very particular about preserving your privacy and protecting your data. We deploy reasonable and appropriate technical and organisational measures to keep your data safe. However, we cannot completely guarantee the security of any information you transmit via our website, as the internet is not an entirely secure place. Nevertheless, we are committed to doing our best to protect you.

We protect your data using physical, technical, and administrative security measures to reduce the risks of loss, misuse, unauthorised access, disclosure, and alteration.

Where there is an actual or suspected data breach capable of causing harm to your rights and freedoms, we will notify you without undue delay and use our best effort to remedy the breach promptly.

11. International transfer of data

As a multinational with a presence in multiple countries, we may transfer your personal data outside our country of operation or where you are resident. We sometimes transfer data internationally using third-party providers when we offer our services. We ensure any cross-border data transfers adhere to all necessary data protection regulations. This means that before transferring personal data, we either confirm that the recipient country has robust data protection laws or, if not, employ specific contractual terms and other appropriate safeguards to protect the data. In cases where the destination country might not meet stringent data protection standards, we will leverage the relevant data transfer mechanism, seek authorisation from the regulator, or obtain your consent before proceeding and inform you of any risks. Wherever your data is processed globally, we ensure the consistent application of the protections outlined in this notice. Should you wish to learn more about how we ensure data protection during these transfers, details will be provided upon request.

12. Jurisdiction-Specific Provisions

Nigeria: The Nigeria Data Protection Act (NDPA) provides for the rights of data subjects, including the right to access, object to processing, restrict processing, data portability, not to be subject to automated processing, erasure, rectification, withdraw consent to processing and the right to lodge a complaint with the supervisory authority. You can contact our DPO atheliumdocprivacy@heliumhealth.com at any time to exercise any of these rights. In the case of a complaint, you can contact the Supervisory Authority at info@ndpc.gov.ng.

Kenya: Data is processed in Kenya according to the Data Protection Act and the Data Protection Regulations. The legal framework provides for the rights of data subjects, which we respect. We also ensure that our processing is in accordance with the relevant law. You can contact our DPO atheliumdocprivacy@heliumhealth.com for any inquiries or to exercise your rights. In case you have a complaint, feel free to contact the Supevisory Authority at policy@odpc.ke.

Uganda: Uganda’s Data Protection and Privacy Act and its Data Protection and Privacy Regulations regulate the processing of personal data in the country and any international transfer of data. It provides for the rights of data subjects, such as the right to erasure, blocking, destruction, access, rectification, prevention of processing, appeal to a decision to continue processing, and automated processing. If you wish to exercise your rights, you can contact our DPO atheliumdocprivacy@heliumhealth.com. Data subjects can lodge any complaint with the Supervisory Authority at info@pdpo.go.ug.

Saudi Arabia: The relevant law is the Saudi Arabia Personal Data Protection Law (PDPL), which provides for your rights as a data subject. Although the law does not provide for the right to object to processing, restrict processing, or demand not to be subject to automated decision making, you have the right to information, access, data portability, rectification, and destruction of your data. You can contact our Data Protection Officer (DPO) at heliumdocprivacy@heliumhealth.com to exercise any of these rights. Alternatively, you can lodge a complaint directly with the Supervisory Authority, the Saudi Data and Artificial Intelligence Authority (SDAIA), at info@sdaia.gov.sa.

Kuwait: The Data Privacy Protection Regulation (DPPR) provides for your rights as a data subject using our services in Kuwait. We process your data only based on your consent and in accordance with the principles of lawful processing as provided under the regulations. We will not transfer your data outside Kuwait unless you have consented to such a transfer. You can contact our DPO atheliumdocprivacy@heliumhealth.com to learn more about how we process your data or lodge a complaint with the Supervisory Authority at info@citra.gov.kw.

The United Arab Emirates: We process data in the UAE according to the Federal Law on the Protection of Personal Data. You can get in touch with us to exercise your rights under the data protection law by contacting our Data Protection Officer (DPO) at heliumdocprivacy@heliumhealth.com.

Qatar: The applicable law is the Qatar Personal Data Privacy Protection Law (PDPPL), which provides for the rights of data subjects and imposes obligations on us to ensure the security of your data. You can contact our Data Protection Officer (DPO) at heliumdocprivacy@heliumhealth.com to exercise your rights and file any complaints. You can also lodge a complaint with the Supervisory Authority atcdp@motc.gov.qa.

Bahrain: Bahrain’s Personal Data Protection Law is the applicable legal framework for data protection for your data if you reside in this country. Where necessary, authorisation is obtained from the Personal Data Protection Authority. It provides for your rights as a data subject and our obligation as a data controller to protect those rights. You can contact our Data Protection Officer (DPO) atheliumdocprivacy@heliumhealth.com to exercise these rights or file a complaint with the Supervisory Authority at dp-team@moj.gov.bh.

Oman: The primary legislation for safeguarding your data in Oman is the Personal Data Protection Law (PDPL). This law requires us to process your data with your consent or in line with other stipulated exceptions within the legislation. When dealing with sensitive data, we ensure we secure approval from the Ministry of Transport, Communications, and Information Technology. The right to object to the processing is not available under the law. Should you have any queries regarding your rights or our data processing methods, please get in touch with our Data Protection Officer (DPO) atheliumdocprivacy@heliumhealth.com If our response does not address your concerns, contact the Supervisory Authority directly at info@mtcit.gov.om.

13. Marketing and communications

We only send marketing communications to you with your consent. You can opt-out of our marketing or object to further processing by clicking on the 'unsubscribe' button at the bottom of the page.

14. Complaints

If you are concerned about an alleged breach of data protection law or any other regulation by us, you can contact the Data Protection Officer (DPO) at heliumdocprivacy@heliumhealth.com The DPO will investigate your complaint and provide information about how it is handled.

Please be informed that you may complain to the relevant data protection authority if your complaints are not satisfactorily addressed.

15. Changes to this Notice

We update our privacy notice from time to time. We will notify our users when we make a change, and visitors will know this by checking the last date of update on this page whenever they visit.

16. Contact Us

If you have any questions relating to this Notice, your rights under this Notice, or are not satisfied with how we manage your personal data, kindly reach out to our Data Protection Officer atheliumdocprivacy@heliumhealth.com or email us at contact@heliumdoc.com