Privacy Policy Statement
Last Updated: October 24, 2025
Foreword
Our Commitment
HelloClinic (the "Service") is an AI-assisted clinic management SaaS system developed, operated, and fully copyrighted by KAKI TECH LIMITED ("the Company," "we," or "us"), designed for medical clinic organizations. We solemnly pledge our commitment to safeguarding the privacy, confidentiality, and security of all personal data of our clients and users to the most stringent standards. We deeply understand the high sensitivity of health and medical data and consider it our duty to be your most trusted data custodian. All of the Company's personal data handling practices strictly comply with the prevailing laws of the Hong Kong Special Administrative Region, in particular the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (the "PDPO"), and we have internalized its six Data Protection Principles as the core of our corporate culture. This policy aims to clearly and comprehensively explain how we collect, hold, process, use, and protect your personal data, and reflects our proactive adoption of the best operational practices recommended by the Office of the Privacy Commissioner for Personal Data, Hong Kong ("PCPD").
Scope of this Policy
This Privacy Policy Statement applies to all "Data Subjects" whose personal data is collected, held, processed, or used by the Company. This scope comprehensively covers existing and prospective patients of our clients (clinics), users of the Company's official website and all its digital applications, and any individual who interacts with the Company in the course of business and provides personal data. This policy applies to personal data collected through all channels, including but not limited to in-person clinic registration, electronic forms filled out on the Company's website or applications, communications in any form with the Company's staff, and data naturally generated in the course of providing medical services.
Definitions
To ensure the clarity and legal precision of this policy, the key terms are defined below, with their meanings being identical to those defined in the PDPO:
- Personal Data: Refers to any data: (a) relating directly or indirectly to a living individual; (b) from which it is practical for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable. In the operational context of the Service, examples of personal data include but are not limited to names, Hong Kong Identity Card numbers, contact information, medical history, diagnostic images, laboratory results, and, in some cases, technical data that can be linked to an individual's identity (such as an IP address).
- Data Subject: Refers to the living individual who is the subject of the personal data.
- Data User: Refers to a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing, or use of the data. In the context of this policy, "Data User" explicitly refers to the clinic clients who use the HelloClinic service, who have full control over their patients' personal data and bear the ultimate legal responsibility for it.
- Data Processor: Refers to a person who processes personal data on behalf of another person (the Data User) and does not process the data for any of their own purposes. In the context of this policy, HelloClinic, as a SaaS provider, acts in this "Data Processor" or "Data Custodian" role when processing patient data on behalf of its clinic clients.
- Prescribed Consent: Refers to the express and voluntary consent given by a data subject after being fully informed of the relevant circumstances.
Part One: Principles of Personal Data Collection and Processing
1.1 Principles and Methods of Collection
The Company strictly adheres to Data Protection Principle 1 ("DPP1") of the PDPO, which governs the purpose and manner of personal data collection. We undertake that all personal data is collected for a lawful purpose directly related to the functions and activities of the Company as a provider of medical service software. The data collected will be necessary and adequate, but not excessive, in nature and quantity to achieve these purposes, reflecting the core principle of "Data Minimisation."
We ensure that all methods of collecting personal data are lawful and fair, and we will never use deceptive or misleading means. A key mechanism in our compliance strategy is the complementary relationship between our Personal Information Collection Statement (PICS) and this Privacy Policy Statement. The former serves as a "just-in-time" notice provided at the point of collection, while the latter serves as a comprehensive reference document available at all times. This dual-track approach is designed to simultaneously meet the immediate notification obligations of DPP1 and the openness and transparency requirements of Data Protection Principle 5.
At or before the time of collecting your personal data, the Company will provide you with a clear and understandable PICS in an appropriate form and manner (e.g., on a registration form or website page). This statement will clearly set out the following information:
- Purpose of Collection: A clear explanation of the specific and explicit purposes for which your personal data will be used.
- Classes of Transferees: Information on the classes of third parties to whom your personal data may be transferred or disclosed.
- Obligation to Supply Data: A statement as to whether it is obligatory or voluntary for you to supply the personal data and the consequences of failing to do so.
- Rights of Access and Correction: Information about your right to request access to and correction of the personal data we hold, and the contact details of the Data Protection Officer responsible for handling such requests.
1.2 Types of Personal Data We Collect
To provide the highest quality medical care software and related services and to ensure the smooth operation of our business, the Company collects, holds, and processes the following categories of personal data. We maintain a high degree of transparency regarding the categories of data we collect so that you can fully understand our data processing practices.
- Identity and Contact Data: This category includes your name (in Chinese and English), gender, date of birth, Hong Kong Identity Card number or other travel document number, contact telephone number, email address, and correspondence address. The collection of Hong Kong Identity Card numbers is conducted only in circumstances permitted or required by the PDPO and the Code of Practice on the Identity Card Number and other Personal Identifiers issued by the PCPD.
- Health and Medical Data: This is the most sensitive category of data we process as a Data Processor, and it is crucial for our clients (clinics) to provide safe and effective medical services. It covers a wide range, including but not limited to: personal medical history, family medical history, allergy records, consultation notes with the clinic's healthcare professionals, clinical diagnoses, treatment plans, prescription drug details, past surgical procedures, diagnostic imaging results (e.g., X-rays, MRI scans), pathology and laboratory test reports, and any other health-related information provided by the data subject or other medical professionals.
- Account and Transaction Data: To process service fees, we need to collect account and transaction data, which includes billing and payment information, credit card details processed through a secure payment gateway, medical insurance plan details, insurance claim records, and transaction history related to the Company's services.
- Technical and Usage Data: When you interact with the Company's website or digital platforms, our systems automatically collect certain technical data. This may include your Internet Protocol (IP) address, browser type and version, operating system, login data, device information, activity logs on how you use our platform (e.g., features used, access times), and data collected via Cookies. When such data can directly or indirectly identify you, we treat it as personal data and afford it the same level of protection.
- Communications Data: This category includes records of all correspondence between you and the Company, such as emails, messages sent through our secure platform, and summaries of telephone conversations recorded for service quality assurance.
1.3 Purposes of Collecting, Holding, and Processing Data
The Company collects, holds, and processes your personal data for purposes that are lawful and directly related to our functions and activities as a provider of software for medical institutions. We ensure that every data processing activity has a clear and specific purpose, in strict compliance with the requirements of DPP1. The table below outlines the main purposes for which we process different categories of personal data and their legal basis.
Table 1: Summary of Personal Data Processing Activities
| Category of Personal Data | Main Processing Purposes | Relevant Data Protection Principle / Legal Basis |
|---|---|---|
| Identity and Contact Data | - To verify the patient's identity and ensure medical services are provided to the correct individual. - To schedule and confirm medical appointments. - To communicate with you regarding your care, appointments, test results, etc. - To handle billing and payment matters. | DPP1: Collection for a purpose directly related to the Company's functions. |
| Health and Medical Data | - To provide clinical diagnosis, treatment, and ongoing medical care. - To establish and maintain comprehensive and accurate electronic and physical medical records. - To refer you to other medical specialists or facilities when necessary. - To ensure the safety and appropriateness of medical decisions. | DPP1: Collection for the core function of providing medical services. |
| Account and Transaction Data | - To process service fees, issue invoices, and manage accounts. - To assist you in making medical claims to insurance companies. - To conduct internal accounting and financial audits. | DPP1: Collection for purposes related to the Company's administration and operations. |
| Technical and Usage Data | - To maintain and secure the safety and stability of the Company's website and digital platforms. - To analyze platform usage to improve user experience and service functionality (in an anonymized or aggregated form where feasible). - To diagnose technical problems. | DPP1 & DPP4: Collection to improve services and ensure system security. |
| Communications Data | - To respond to your inquiries, feedback, or complaints. - To archive important communications related to your medical care. - To comply with legal and regulatory requirements. | DPP1: Collection to facilitate communication and fulfill compliance obligations. |
Part Two: Use, Disclosure, and Transfer of Personal Data
2.1 Restrictions on the Use of Personal Data
The Company strictly complies with Data Protection Principle 3 ("DPP3") of the PDPO, which imposes strict limitations on the use of personal data. We hereby expressly state that unless we have obtained your prior "Prescribed Consent," your personal data will only be used for the purposes stated at the time of collection (as detailed in Section 1.3 above) or for purposes directly related to them.
"Prescribed Consent" refers to express and voluntary consent given by you after being fully informed. For example, a telephone number collected by the Company for sending appointment reminders will never be used to send promotional messages about new services without your separate, explicit consent. For any proposed use of personal data for a new purpose, we will provide you with a new PICS and seek your authorization.
2.2 Disclosure and Transfer of Personal Data
The Company has a strict duty of confidentiality regarding your personal data. We will only disclose or transfer your personal data to third parties under lawful, reasonable, and necessary circumstances. All disclosures adhere to the "need-to-know" principle and are, where applicable, governed by legally binding confidentiality agreements. Your personal data may be disclosed or transferred to the following classes of persons or organizations:
- Third-Party Service Providers (as Data Processors): The Company engages reputable and reliable third-party service providers to assist in our daily operations. These providers act as our "Data Processors" and can only process personal data according to our instructions, not for their own purposes. We commit to ensuring, through legally binding contracts or other means, that all data processors comply with the requirements of the PDPO, especially concerning data security (DPP4) and data retention (DPP2). Such providers include:
  - External partners providing diagnostic laboratory or medical imaging services.
  - Software as a Service (SaaS) providers who supply us with electronic health record (EHR) systems, cloud storage, and other critical IT infrastructure.
  - Agencies that assist with billing and, where necessary, accounts receivable management.
- Insurance Companies and Employers: With your explicit consent, we may provide necessary medical information to your health insurance company, healthcare organization, or relevant employer (e.g., in handling pre-employment physical examinations) to process medical fee settlements, claims, or related administrative matters.
- Disclosures Required by Law: We may be obliged to disclose relevant personal data as required by law, regulation, a legally binding court order, or a request from a government department (such as the Department of Health), or to cooperate with a lawful investigation by law enforcement agencies for the prevention or detection of crime.
- Emergency Situations: In an emergency that poses a serious threat to your life or health or that of others, we may disclose personal data if it is necessary to prevent or lessen that threat.
2.3 Cross-Border Data Transfer
The Company's operations may involve the use of global cloud service providers, which may result in personal data being transferred to regions outside of Hong Kong for processing or storage. We are acutely aware of the privacy risks associated with cross-border data transfers and have adopted strict governance measures that exceed local regulatory requirements.
Although Section 33 of the PDPO, which regulates cross-border data transfers, has not yet been formally implemented, the Company has voluntarily adopted its core principles and the relevant guidelines issued by the PCPD as our best operational practice. This forward-looking compliance strategy is designed to ensure that even if your personal data is transferred abroad, it receives a level of protection comparable to that provided under the Hong Kong PDPO.
To this end, we take the following measures:
- Contractual Safeguards: Before transferring personal data outside of Hong Kong (e.g., for processing by an overseas cloud service provider), we will enter into legally binding contracts with the data recipient. These contracts will include the Model Contractual Clauses recommended by the PCPD or provisions offering an equivalent level of protection, to ensure that the data recipient is obliged to comply with obligations consistent with the six Data Protection Principles of the PDPO.
- Due Diligence: We conduct prudent due diligence on all overseas data processors, assessing the data protection laws of their jurisdiction and their own security capabilities to ensure they can provide adequate protection for your personal data.
- Transparent Notification: If cross-border data transfer is involved, we will inform you in the relevant PICS that your data may be transferred outside of Hong Kong and of the measures we have taken to protect the data.
2.4 Commitment on Data Commercialization and Marketing
We will never sell identifiable personal information of patients or consumers to any third party. We have never done so, and we will never do so.
We strictly distinguish between medical service communications and marketing activities. We promise that we will never use your personal data (such as name, phone number, or email address) for direct marketing purposes without your explicit consent. We will not use the patient data you enter to market anything to patients, nor will we provide patient data to others so they can market directly to them—any such action is intolerable to us.
Any information regarding new services, health talks, promotional offers, or other non-essential healthcare communications from the Company will only be sent to you after we have obtained your explicit "opt-in" authorization. This consent must be given voluntarily, and you have the right to withdraw it (i.e., "opt-out") at any time, free of charge and with ease, by contacting our Data Protection Officer. If non-practitioners do sign up for HelloClinic to use our personal health records, they are subject to their own separate terms.
2.5 Use of Client Company Data for Case Studies
Provided that no personal data is involved, your company grants HelloClinic a default authorization to use your company's name, logo, industry category, non-confidential implementation profile, and aggregated or anonymized usage performance data as material for case studies, customer success stories, or marketing promotions, unless you explicitly opt-out in writing. The aforementioned materials may be displayed on our official website, product presentations, social media platforms, tender documents, media interviews, and other marketing channels.
We commit to:
- Never using or disclosing any patient data or any identifiable personal information.
- Never disclosing contractual terms, pricing, proprietary technical details, or other trade secrets.
- Providing a clear and simple opt-out mechanism; you may notify us in writing at any time to withdraw this authorization or request the removal of existing materials.
- Upon receiving an opt-out notice, we will cease all subsequent use as soon as reasonably practicable and remove or delete the relevant materials from channels under our control in the next version update.
- If your trademark or brand materials are used, you grant us a non-exclusive, royalty-free, revocable, limited license solely for the purposes described above, which does not include any right to sublicense.
Unless otherwise agreed in writing, the above authorization does not constitute an endorsement of HelloClinic or any third party, nor does it affect the rights or obligations of either party under the service agreement.
Part Three: Data Security and Retention
3.1 Commitment to Data Security
The Company strictly adheres to Data Protection Principle 4 ("DPP4") of the PDPO, taking all practicable steps to protect the personal data we hold from unauthorized or accidental access, processing, erasure, loss, or use. Our data security strategy is a comprehensive, multi-layered framework covering governance, technical, and physical domains, designed with reference to authoritative guidelines from the PCPD and international best practices.
Data Governance and Organizational Measures
- Designated Responsibility: We have appointed a senior management member as the Data Protection Officer (DPO), whose responsibilities include overseeing the Company's compliance with the PDPO and acting as the dedicated contact for all privacy-related matters. Their contact details are provided in Part Six of this policy.
- Role as Data Custodian: HelloClinic has no right to access your data. We are merely the custodian of your data and are technically and policy-wise unable to access sensitive patient or clinic information. When we need to access your account to assist with service inquiries, all confidential information is systematically anonymized or technically removed. For example, HelloClinic staff will ask you for an anonymous patient ID instead of a patient's name to handle a support request.
- Policies and Procedures: We have developed and implemented a comprehensive set of internal policies and standard operating procedures that govern the handling of personal data throughout its entire lifecycle, from collection and use to storage and final destruction.
- Access Control: We strictly enforce the "Principle of Least Privilege" and the "need-to-know" principle. The HelloClinic system has built-in multi-layered and granular permission management. Except for the SuperAdmin account designated by the clinic, which can access all data under its jurisdiction, the clinic can flexibly assign different levels of access rights to its staff accounts. Only formally authorized employees whose duties require it can access the minimum amount of personal data necessary to perform their roles. All access rights are reviewed periodically and are immediately revoked upon an employee's departure or change of duties.
- Employee Training: All employees must undergo mandatory personal data privacy and information security training upon joining, and must participate in regular refresher training. The training covers the legal requirements of the PDPO, the Company's internal policies, identifying and responding to social engineering attacks like phishing, and best practices for securely handling sensitive data.
- Risk Assessment: We regularly conduct data security risk assessments and Data Protection Impact Assessments (DPIAs), especially before introducing new technologies, systems, or undertaking new data processing activities. This helps us to proactively identify and mitigate potential privacy risks.
Technical Measures
We utilize advanced and industry-recognized technologies to build a robust digital defense for your personal data.
- Encryption: All personal data transmitted over the network (data in transit) is protected using strong encryption technologies such as Transport Layer Security (TLS 1.2 or above). All personal data stored on our servers and in our databases (data at rest) is encrypted using high-strength encryption standards such as AES-256.
- Network Security: Our service is deployed on secure Google Cloud servers and uses Cloudflare for network-level security protection, including a Web Application Firewall (WAF) and DDoS mitigation. We also deploy enterprise-grade firewalls, intrusion detection and prevention systems, and install and promptly update anti-malware software on all endpoints and servers to defend against internal and external cyber-attacks and threats.
- Secure Configuration: We perform security hardening configurations on all servers, applications, and network devices, and implement a strict patch management policy to ensure that known security vulnerabilities are promptly remediated.
- Anonymization and Pseudonymization: When conducting internal research, statistical analysis, or system testing, where circumstances permit, we employ anonymization or pseudonymization techniques to process personal data, thereby minimizing privacy risks.
Physical Measures
We provide a high level of protection for personal data that exists in physical form as well.
- All physical documents containing personal data are stored in locked file cabinets or storage rooms within access-controlled office areas.
- The Company's office premises and server rooms are equipped with strict physical access control systems to prevent entry by any unauthorized individuals.
3.2 Data Breach Response Plan
Although we have taken rigorous preventive measures, we have also developed a detailed response plan to handle potential data security incidents (i.e., data breaches). The plan is designed to quickly contain the situation, assess the impact, and take remedial action to minimize any potential harm to the affected individuals.
Our response plan includes the following key steps:
- Immediate Action: Upon discovering or suspecting a data breach, the response team will take immediate action, including isolating the affected systems to stop the ongoing leak.
- Damage Assessment: We will quickly assess the nature of the incident, the types and volume of personal data involved, and the risk of harm to the data subjects.
- Notification Mechanism: In accordance with the PCPD's recommendations, if we determine that a data breach poses a real risk of harm to the affected individuals, we will notify the PCPD and the affected data subjects as soon as practicable.
- Post-Incident Review: After the incident is resolved, we will conduct an in-depth review to identify the root cause and take necessary improvement measures to strengthen our security systems and prevent similar events from recurring.
3.3 Data Retention Policy
The Company strictly adheres to Data Protection Principle 2 ("DPP2") of the PDPO, which stipulates that personal data shall not be kept for longer than is necessary for the fulfillment of the purpose for which the data is or is to be used.
Our data retention policy is based on the following principles:
- Purpose-Driven: The retention period for different categories of personal data is determined based on the purpose of their collection and any applicable legal, professional, or regulatory requirements. For example, the retention period for patient medical records will follow the guidelines issued by professional bodies such as the Medical Council of Hong Kong and relevant legislation.
- Retention Schedule: We have developed and maintain an internal data retention schedule that details the specific retention periods for various types of personal data.
- Secure Destruction: Once the retention period for personal data expires, or the original purpose of its use no longer exists, we will take all practicable steps to securely and permanently erase or destroy the data from our electronic systems and physical records, rendering it unrecoverable and inaccessible.
Part Four: Your Rights and Our Responsibilities
4.1 Information Transparency
The Company abides by Data Protection Principle 5 ("DPP5") of the PDPO, striving to ensure a high degree of transparency in our policies and practices regarding personal data. This Privacy Policy Statement is the primary tool through which we fulfill this responsibility, aiming to clearly inform you of the types of personal data the Company holds and the main purposes for which the data is used. We are committed to openly communicating our data processing practices in clear and easy-to-understand language.
4.2 Right of Access and Correction
The PDPO grants you significant rights over your personal data. The Company fully respects these rights and has established clear procedures to assist you in exercising them. This is a core requirement of complying with Data Protection Principle 6 ("DPP6"). Translating legal principles into actionable user procedures is a testament to our commitment to transparency and accountability.
Data Access Request (DAR)
You have the right to ascertain whether the Company holds your personal data and, if so, to request a copy of that data.
How to make a Data Access Request:
- In Writing: All data access requests must be made in writing (in Chinese or English). For convenience, we recommend using the "Data Access Request Form" (Form OPS003) specified by the PCPD.
- Submitting the Request: Please mail or email the completed form to the Data Protection Officer listed in Part Six of this policy.
- Identity Verification: To protect your personal data from unauthorized access, we will need to take reasonable steps to verify your identity before processing your request.
- Processing Time: In accordance with the PDPO, we will comply with your request or provide a written response within 40 calendar days of receiving it.
- Fee: We may charge a reasonable fee for processing a data access request to cover the directly related administrative costs of providing a copy of the data. If a fee is required, we will inform you in advance.
Data Correction Request (DCR)
If you believe that the personal data the Company holds about you is inaccurate, you have the right to request that we make a correction.
How to make a Data Correction Request:
A data correction request should be made after you have exercised your right of access and obtained a copy of your data. The procedure is similar to a data access request and must be made in writing to our Data Protection Officer, clearly specifying the data that needs correction and the correct information. We will also process your request within 40 calendar days of receipt.
Grounds for Refusal
While we are committed to helping you exercise your rights, in a very small number of specific circumstances prescribed by the PDPO, we may need to refuse your access or correction request. These circumstances include, but are not limited to:
- The request is not made in writing in Chinese or English.
- We are unable to verify the identity of the requester through reasonable steps.
- Complying with the access request would disclose the personal data of a third party, and it is not possible to provide the data without revealing the identity of that third party.
- Other exemptions stipulated in the PDPO apply.
If we refuse your request, we will inform you in writing of the reasons for the refusal within the 40-day statutory period and will, as required by law, record the details of the refusal.
4.3 Use of Website Tracking Technologies
To enhance the performance and user experience of the Company's website and digital platforms, we may use "Cookies" and similar website tracking technologies. We are committed to maintaining full transparency in this regard.
- What are Cookies: Cookies are small text files stored on your computer or mobile device. They help websites remember your preferences (such as language selection) and collect anonymous statistical data about website traffic and usage patterns.
- Types of Cookies We Use:
  - Strictly Necessary Cookies: These cookies are essential for the proper functioning of the website, such as maintaining your login session or handling security features. They do not require your consent.
  - Performance and Analytics Cookies: These cookies help us understand how visitors interact with our website (e.g., which pages are visited) by collecting aggregated statistical data to improve website design and services. We will only use these cookies after obtaining your consent.
- Your Choices and Control: You have full control over whether to accept non-essential cookies. Our website features a cookie consent banner through which you can, at any time, accept or reject the storage of such cookies, or you can do so through your browser settings. Please note that if you choose to reject all cookies, it may affect the normal functioning of some parts of the website. This practice reflects global best practices in data privacy.
Part Five: Legal Liabilities
5.1 Responsibilities of Service Users
As SaaS software, HelloClinic provides only a technical service platform. Our clients (i.e., the clinics using the Service), as the "Data Users" of their patients' data, are independently and fully responsible for complying with the PDPO and other applicable laws. The legal liability for all content entered, generated, or managed through the Service rests solely with the user (the clinic).
5.2 Disclaimer for AI-Generated Content
The Service may include features that generate content with the assistance of artificial intelligence (AI). Users must understand and agree that all content generated by AI (such as medical record summaries, draft reports, etc.) is for reference purposes only and must never replace professional medical judgment. The user has the final responsibility to review, modify, and independently confirm its accuracy, completeness, and clinical appropriateness. HelloClinic shall not be liable for any consequences arising from the use of or reliance on AI-generated content.
Part Six: Contact and Policy Review
6.1 Changes to this Policy
To ensure that this Privacy Policy Statement always reflects the latest legal requirements, technological developments, and the Company's operational practices, we will review and update it periodically. Any amendments will be published on this website. The "Last Updated" date at the top of this policy will indicate the latest version. We encourage you to review this policy regularly to stay informed about how we protect your personal data. In the event of a material change to the policy, we may issue a notification via email or through a prominent notice on our platform.
6.2 Contacting Our Data Protection Officer
Establishing a clear, single point of contact is a crucial part of our commitment to accountability and protecting your rights. This ensures that you can communicate directly with the person responsible for privacy matters when needed, demonstrating our serious approach to data governance.
If you have any questions about this Privacy Policy Statement, or if you wish to make an inquiry, file a complaint, or exercise your rights of access and correction regarding your personal data, please contact our Data Protection Officer through the following means:
- Title: Data Protection Officer
- Email Address: Cyrus@helloclinic.com
All communications will be treated confidentially, and we will do our best to respond to your inquiries in a timely manner.
6.3 Complaints to the PCPD
The Company is committed to resolving any concerns you may have about your personal data privacy in a fair and transparent manner. However, in the spirit of fully protecting your rights and ensuring information transparency, we hereby inform you that if you are not satisfied with our handling of your privacy matters or our response, you have the right to file a complaint with Hong Kong's independent regulatory body—the Office of the Privacy Commissioner for Personal Data (PCPD). For information on the complaint procedure and contact details, you can refer to the official website of the PCPD.