Privacy Policy Statement
Introduction
Our Commitment
HelloClinic (hereinafter referred to as "the Service") is an AI-assisted clinic management SaaS system designed specifically for medical clinics and institutions, developed, operated, and fully owned by KAKI TECH LIMITED (hereinafter referred to as "the Company," "we," "us," or "our"). We are solemnly committed to protecting the privacy, confidentiality, and security of the personal data of all customers and users with the most rigorous standards. We deeply understand the highly sensitive nature of health and medical data and take it as our responsibility to be your most trusted data custodian. All personal data processing practices of the Company strictly comply with the laws of the Hong Kong Special Administrative Region, particularly the Personal Data (Privacy) Ordinance (Cap. 486) (hereinafter referred to as the "Ordinance" or "PDPO"), and we have internalized the six Data Protection Principles (DPPs) as the core of our corporate culture. This policy aims to clearly and comprehensively explain how we collect, hold, process, use, and protect your personal data, reflecting our proactive adoption of the best practices recommended by the Office of the Privacy Commissioner for Personal Data, Hong Kong (hereinafter referred to as "PCPD").
Scope of Policy
This Privacy Policy Statement applies to all "Data Subjects" whose personal data is collected, held, processed, or used by the Company. This scope comprehensively covers existing and potential patients of our customers (clinics), users of our official website and all digital applications, and any individuals who interact with the Company and provide personal data through business dealings. This policy applies to personal data collected through all channels, including but not limited to in-person registration at clinics, electronic forms filled out on our website or applications, any form of communication with our staff, and data naturally generated during the provision of medical services.
Definitions
To ensure clarity and legal precision, key terms are defined below, consistent with the definitions in the PDPO:
- Personal Data: Any data relating directly or indirectly to a living individual, from which it is practicable for the identity of the individual to be directly or indirectly ascertained, and in a form in which access to or processing of the data is practicable. In the context of the Service, examples include but are not limited to name, Hong Kong Identity Card number, contact details, medical records, diagnostic images, laboratory results, and in some cases, technical data associated with an individual (such as IP address).
- Data Subject: The living individual who is the subject of the personal data.
- Data User: A person or organization who, either alone or jointly or in common with other persons, controls the collection, holding, processing, or use of personal data. In the context of this policy, "Data User" explicitly refers to the clinic customers using HelloClinic, who have full control over their patients' personal data and bear the ultimate legal responsibility.
- Data Processor: A person or organization who processes personal data on behalf of another person (the Data User) instead of for their own purposes. In the context of this policy, HelloClinic, as a SaaS provider, acts as the "Data Processor" or "Data Custodian" when processing patient data for clinic customers.
- Prescribed Consent: Express and voluntary consent given by a Data Subject after being fully informed of the circumstances.
Part 1: Principles of Personal Data Collection and Processing
1.1 Collection Principles and Methods
The Company strictly adheres to Data Protection Principle 1 (DPP1) of the PDPO, which governs the purpose and manner of personal data collection. We commit that all collection of personal data is for lawful purposes directly related to our functions and activities as a medical software provider. The data collected is necessary, adequate, but not excessive in relation to those purposes, reflecting the core principle of "Data Minimization."
We ensure that all methods of collecting personal data are lawful and fair, and we never use deceptive or misleading means. A key mechanism in our compliance strategy is the complementarity between the Personal Information Collection Statement (PICS) and this Privacy Policy Statement. The former serves as a "just-in-time" notice at the point of collection, while the latter acts as a comprehensive reference document available at any time. This dual approach aims to satisfy both the immediate notification obligation under DPP1 and the openness and transparency requirements under DPP5.
At or before the time we collect your personal data, the Company will provide you with a clear and understandable PICS in an appropriate form (e.g., on a registration form or website page). The statement will explicitly outline:
- Purpose of Collection: Clearly stating the specific and defined purposes for which your personal data will be used.
- Classes of Transferees: Informing you of the categories of third parties to whom your personal data may be transferred or disclosed.
- Obligation to Provide Data: Stating whether providing the data is mandatory or voluntary, and the consequences of failing to provide such data.
- Rights of Access and Correction: Informing you of your right to request access to and correction of the personal data we hold, and providing contact details for the Data Protection Officer responsible for handling such requests.
1.2 Types of Personal Data We Collect
To provide the highest quality medical software and related services and ensure smooth operations, the Company collects, holds, and processes the following categories of personal data. We maintain high transparency regarding the types of data collected to ensure you fully understand our data processing practices.
- Identity and Contact Data: Includes your name (Chinese and English), gender, date of birth, Hong Kong Identity Card number or other travel document numbers, contact phone number, email address, and correspondence address. The collection of HKID numbers is conducted only as permitted or required by the PDPO and the Code of Practice on the Identity Card Number and other Personal Identifiers issued by the PCPD.
- Health and Medical Data: This is the most sensitive category of data we handle as a Data Processor, critical for our customers (clinics) to provide safe and effective medical services. It covers a wide range of information, including but not limited to: personal medical history, family medical history, allergy records, consultation records with clinic medical staff, clinical diagnoses, treatment plans, prescription drug details, surgical procedures undergone, diagnostic imaging results (e.g., X-rays, MRI scans), pathology and laboratory test reports, and any health-related information provided by the data subject or other medical professionals.
- Account and Transaction Data: To process service fees, we collect account and transaction data, including billing and payment information, credit card details processed through secure payment gateways, medical insurance plan details, insurance claim records, and transaction history related to our services.
- Technical and Usage Data: When you interact with our website or digital platforms, our system automatically collects certain technical information. This may include your Internet Protocol (IP) address, browser type and version, operating system, login data, device information, activity logs regarding how you use our platform (e.g., features used, access times), and data collected through cookies. When such data can directly or indirectly identify you, we treat it as personal data and provide equal protection.
- Communications Data: This category includes records of all correspondence between you and the Company, such as emails, messages sent through our secure platform, and summaries of phone calls recorded for quality assurance purposes.
1.3 Purposes of Collection, Holding, and Processing
The Company collects, holds, and processes your personal data for lawful purposes directly related to our functions and activities as a medical institution software provider. We ensure each data processing activity has a clear, specific purpose and strictly complies with DPP1. The table below summarizes our main purposes and legal bases for processing different categories of personal data.
Table 1: Summary of Personal Data Processing Activities
| Category of Personal Data | Primary Processing Purpose | Relevant DPP / Legal Basis |
|---|---|---|
| Identity and Contact Data | - Verify patient identity to ensure services are provided to the correct individual. - Schedule and confirm appointments. - Communicate regarding care, appointments, lab results, etc. - Process billing and payments. | DPP1: Collected for purposes directly related to the Company's functions. |
| Health and Medical Data | - Provide clinical diagnosis, treatment, and ongoing medical care. - Establish and maintain comprehensive and accurate electronic and physical medical records. - Refer you to other medical specialists or facilities when necessary. - Ensure the safety and appropriateness of medical decisions. | DPP1: Collected for the core function of providing medical services. |
| Account and Transaction Data | - Process service fees, issue invoices, and manage accounts. - Assist in making medical claims to insurance companies. - Conduct internal accounting and financial audits. | DPP1: Collected for purposes related to administration and operations. |
| Technical and Usage Data | - Maintain and ensure the security and stability of our website and digital platforms. - Analyze platform usage to improve user experience and service functionality (anonymized or aggregated where feasible). - Diagnose technical problems. | DPP1 & DPP4: Collected to improve services and ensure system security. |
| Communications Data | - Respond to inquiries, comments, or complaints. - Archive important communication records related to your medical care. - Fulfill legal and regulatory requirements. | DPP1: Collected to facilitate communication and fulfill compliance obligations. |
Part 2: Use, Disclosure, and Transfer of Personal Data
2.1 Restrictions on Use of Personal Data
The Company strictly adheres to Data Protection Principle 3 (DPP3) of the PDPO, which imposes strict restrictions on the use of personal data. We explicitly state that unless your "Prescribed Consent" is obtained in advance, your personal data will only be used for the purposes stated at the time of collection (as detailed in Part 1.3 above) or for purposes directly related to those purposes.
"Prescribed Consent" means express and voluntary consent given by you with full knowledge of the circumstances. For example, a phone number collected for sending appointment reminders will never be used to send promotional messages about new services without your separate express consent. For any proposal to use personal data for a new purpose, we will provide a new PICS and seek your authorization.
2.2 Disclosure and Transfer of Personal Data
The Company maintains a strict duty of confidentiality regarding your personal data. We will only disclose or transfer your personal data to third parties in lawful, reasonable, and necessary circumstances. All disclosures follow the "need-to-know" principle and are governed by legally binding confidentiality agreements where applicable. Your personal data may be disclosed or transferred to the following categories of persons or organizations:
- Third-Party Service Providers (as Data Processors): The Company engages reputable and reliable third-party service providers to assist in our daily operations. These providers act as our "Data Processors" and can only process personal data according to our instructions, not for their own purposes. We commit to ensuring through legally binding contracts or other means that all data processors comply with the PDPO, particularly regarding data security (DPP4) and data retention (DPP2). Such providers include:
  - External partners providing diagnostic laboratory or medical imaging services.
  - SaaS providers offering Electronic Health Records (EHR) systems, cloud storage, and other critical IT infrastructure.
  - Organizations assisting in billing and, if necessary, debt collection management.
- Insurance Companies and Employers: With your express consent, we may provide required medical information to your medical insurance company, medical benefits organization, or relevant employer (e.g., in the context of pre-employment medical examinations) to process medical fee settlements, claims, or related administrative matters.
- Disclosure under Legal Requirements: Under laws, regulations, legally binding court orders, or requests from government departments (such as the Department of Health), or to cooperate with lawful investigations by law enforcement agencies to prevent or detect crime, we may be obligated to disclose relevant personal data.
- Emergency Situations: In emergency situations where there is a serious threat to the life or health of you or others, we may disclose personal data when necessary to prevent or mitigate that threat.
2.3 Cross-border Data Transfer
The Company's operations may involve the use of global cloud service providers, which may result in personal data being transferred outside Hong Kong for processing or storage. We are well aware of the privacy risks involved in cross-border data transfer and have adopted rigorous governance measures that exceed local regulatory requirements.
Although Section 33 of the PDPO, which regulates cross-border data transfer, is not yet formally in effect, the Company has voluntarily adopted its core spirit and relevant guidelines issued by the PCPD as our best practice. This forward-looking compliance strategy aims to ensure that even if your personal data is transferred outside Hong Kong, it receives a level of protection comparable to that provided under the Hong Kong PDPO.
To this end, we take the following measures:
- Contractual Protection: Before transferring personal data outside Hong Kong (e.g., for processing by an overseas cloud service provider), we enter into legally binding contracts with the data recipient. These contracts will include Model Contractual Clauses recommended by the PCPD or provisions with an equivalent level of protection, ensuring the recipient must comply with obligations consistent with the six DPPs of the PDPO.
- Due Diligence: We conduct prudent due diligence on all overseas data processors, assessing the data protection laws of their jurisdiction and their own security capabilities to ensure they can provide adequate protection for your personal data.
- Transparent Notification: If cross-border data transfer is involved, we will inform you in the relevant PICS that data may be transferred outside Hong Kong and the measures we take to protect the data.
2.4 Commitment Against Data Commercialization and Marketing
We will never sell identifiable personal information of patients or consumers to any third party. We have never done so and will never do so.
We strictly distinguish between medical service communications and marketing activities. We commit that we will never use your personal data (such as name, phone number, or email address) for direct marketing purposes without your express consent. We will not use the patient data you enter to market any products or services to patients, and we will never provide patient data to any third party so they can conduct direct marketing—any such behavior is intolerable to us.
Any information regarding the Company's new services, health talks, promotional offers, etc., that is not essential for medical care will only be sent to you after obtaining your express "opt-in" authorization. Such consent must be given voluntarily, and you have the right to withdraw it (i.e., "opt-out") at any time, free of charge and easily, by contacting our Data Protection Officer. If non-practitioners register to use HelloClinic for their personal health records, they are subject to their own independent terms.
2.5 Case Studies and Use of Customer Company Information
Provided that no personal data or sensitive information is involved, your company authorizes HelloClinic to use your company name, logo, industry category, non-confidential implementation profiles, and aggregated or anonymized performance results as Case Studies, customer success stories, or marketing materials. These materials may be displayed on our official website, product presentations, social media platforms, tender documents, media interviews, and other relevant promotional channels.
We solemnly commit to:
- Strict Privacy Protection: Never use or disclose any patient data or any information that could identify a specific individual.
- Maintenance of Business Secrets: Never disclose any details involving contract specifics, pricing plans, proprietary technology, or protected trade secrets.
- Professional and Compliant Use: If use of your trademark or brand materials is required, you grant us a non-exclusive, royalty-free, and limited license for the above purposes.
Unless otherwise agreed in writing, the above authorization does not constitute an endorsement or testimonial relationship between HelloClinic and your company, nor does it affect the rights or obligations of either party under the service agreement.
Part 3: Data Security and Retention
3.1 Data Security Commitment
The Company strictly adheres to Data Protection Principle 4 (DPP4) of the PDPO, taking all practicable steps to protect the personal data we hold from unauthorized or accidental access, processing, erasure, loss, or use. Our data security strategy is a comprehensive, multi-layered framework covering governance, technical, and physical aspects, designed with reference to authoritative guidelines issued by the PCPD and international best practices.
Data Governance and Organizational Measures
- Designated Responsibility: We have appointed a senior executive as the Data Protection Officer (DPO), responsible for overseeing the Company's compliance with the PDPO and serving as the dedicated contact point for all privacy-related matters. Contact details can be found in Part 6 of this policy.
- Role as Data Custodian: HelloClinic has no right to access your data. We are merely the custodians of your data and are prevented, both by technical controls and by policy, from accessing sensitive patient or clinic information. When we need to access your account to assist with service inquiries, all confidential information is systematically anonymized or technically removed. For example, HelloClinic staff will ask for an anonymous patient ID rather than a patient name when handling support requests.
- Policies and Procedures: We have established and implemented a comprehensive set of internal policies and standard operating procedures to govern the handling of personal data throughout its lifecycle from collection, use, and storage to final destruction.
- Access Control: We strictly enforce the "Principle of Least Privilege" and the "need-to-know" principle. The HelloClinic system features multi-layered and granular permission management. Except for the SuperAdmin account designated by the clinic, which can access all data under its jurisdiction, clinics can flexibly assign different levels of access permissions to staff accounts. Only formally authorized employees whose duties require it can access the minimum amount of personal data necessary to perform their roles. All access rights are regularly audited and immediately revoked upon employee resignation or change in duties.
- Employee Training: All employees must undergo mandatory personal data privacy and information security training upon joining and participate in regular update training. Training covers the legal requirements of the PDPO, the Company's internal policies, identifying and responding to social engineering attacks like phishing, and best practices for safely handling sensitive data.
- Risk Assessment: We regularly conduct data security risk assessments and Data Protection Impact Assessments (DPIA), especially before introducing new technologies, systems, or starting new data processing activities. This helps us proactively identify and mitigate potential privacy risks.
Technical Measures
We utilize advanced and industry-recognized technologies to build a solid digital defense for your personal data.
- Encryption Technology: All personal data transmitted over the network (data in transit) is protected using strong encryption technologies such as Transport Layer Security (TLS 1.2 or above). All personal data stored on our servers and databases (data at rest) is encrypted using high-strength encryption standards such as AES-256.
- Network Security: Our services are deployed on secure Google Cloud servers and utilize Cloudflare for network-level security protection, including Web Application Firewall (WAF) and DDoS mitigation. We also deploy enterprise-grade firewalls, intrusion detection and prevention systems, and maintain up-to-date anti-malware software on all endpoints and servers to defend against internal and external cyber attacks and threats.
- Security Configuration: We perform security hardening configurations on all servers, applications, and network devices and implement a strict patch management policy to ensure timely repair of known security vulnerabilities.
- Anonymization and Pseudonymization: When conducting internal research, statistical analysis, or system testing activities not directly related to providing medical services, we use anonymization or pseudonymization techniques to process personal data where practicable, thereby minimizing privacy risks.
Physical Measures
We provide high protection for personal data existing in physical form.
- All physical documents containing personal data are stored in locked filing cabinets or storage rooms within access-controlled office areas.
- The Company's office premises and server rooms are equipped with strict physical access control systems to prevent unauthorized entry.
3.2 Data Breach Incident Response Plan
Despite our rigorous preventive measures, we have developed a detailed response plan to deal with potential data security incidents (i.e., data breaches). The plan aims to quickly contain the situation, assess the impact, and take remedial measures to minimize potential harm to affected individuals.
Our response plan includes the following key steps:
- Immediate Action: Upon discovery or suspicion of a data breach, the response team will take immediate action, including isolating affected systems to stop the continuation of the leak.
- Harm Assessment: We will quickly assess the nature of the incident, the types and volume of personal data involved, and the risk of harm to the data subjects.
- Notification Mechanism: Following PCPD recommendations, if we determine that a data breach incident poses a risk of actual harm to affected individuals, we will notify the PCPD and the affected data subjects as soon as practicable.
- Post-incident Review: After the incident is handled, we will conduct an in-depth review to identify the root cause and take necessary improvement measures to strengthen our security system and prevent similar incidents from recurring.
3.3 Data Retention Policy
The Company strictly adheres to Data Protection Principle 2 (DPP2) of the PDPO, which stipulates that personal data shall not be kept longer than is necessary for the fulfillment of the purpose for which the data is or is to be used.
Our data retention policy is based on the following principles:
- Purpose-driven: The retention period for different categories of personal data is determined based on the purpose of collection and any applicable laws, professional codes, or regulatory requirements. For example, patient medical records will be retained in accordance with guidelines issued by professional bodies like the Medical Council of Hong Kong and relevant legislation.
- Retention Schedule: We have established and maintain an internal data retention schedule detailing specific retention periods for various types of personal data.
- Secure Destruction: Once the retention period for personal data expires or the original purpose for use no longer exists, we will take all practicable steps to securely and permanently delete or destroy the data from our electronic systems and physical records, ensuring it cannot be recovered or accessed.
Part 4: Your Rights and Our Responsibilities
4.1 Transparency of Information
The Company abides by Data Protection Principle 5 (DPP5) of the PDPO, striving to ensure high transparency in our policies and practices regarding personal data. This Privacy Policy Statement is our primary tool for fulfilling this responsibility, aimed at clearly informing you of the types of personal data the Company holds and the primary purposes for which such data is used. We commit to disclosing our data handling practices in clear, easy-to-understand language.
4.2 Rights of Access and Correction
The PDPO grants you important rights over your personal data, and the Company fully respects and has clear procedures to assist you in exercising these rights. This follows the core requirements of Data Protection Principle 6 (DPP6). Translating legal principles into actionable processes for users reflects our commitment to transparency and accountability.
Data Access Request (DAR)
You have the right to ascertain whether the Company holds your personal data and, if we do, to request a copy of such data.
How to make a Data Access Request:
- In Writing: All DARs must be made in writing (in Chinese or English). For ease of processing, we recommend using the "Data Access Request Form" (Form OPS003) specified by the PCPD.
- Submission: Please mail or email the completed form to the Data Protection Officer listed in Part 6 of this policy.
- Identity Verification: To protect your personal data from unauthorized access, we need to take reasonable steps to verify your identity before processing the request.
- Processing Time: According to PDPO regulations, we will comply with your request or provide a written response within 40 calendar days of receiving your request.
- Fees: We may charge a fee that is not excessive for processing a DAR to cover the direct administrative costs involved in providing copies of the data. If a fee is required, we will notify you in advance.
Data Correction Request (DCR)
If you believe that the personal data the Company holds about you is inaccurate, you have the right to request that we make corrections.
How to make a Data Correction Request:
A DCR should be made after you have exercised your right of access and obtained a copy of the data. The procedure is similar to a DAR, requiring a written request to our Data Protection Officer, clearly specifying the data that needs correction and the correct content. We will likewise process your request within 40 calendar days of receipt.
Grounds for Refusal
While we strive to assist you in exercising your rights, in a few specific circumstances prescribed by the PDPO, we may need to refuse your access or correction request. These circumstances include but are not limited to:
- The request is not made in writing in Chinese or English.
- We are unable to verify the identity of the requester through reasonable steps.
- Complying with the access request would involve disclosing personal data of a third party who cannot be anonymized.
- Other exemptions specified in the PDPO apply.
If we refuse your request, we will notify you in writing of the reasons for refusal within the 40-day statutory period and record the details of the refusal as required by law.
4.3 Use of Website Tracking Technologies
To enhance the performance and user experience of the Company's website and digital platforms, we may use "Cookies" and similar website tracking technologies. We commit to being fully transparent in this regard.
- What are Cookies: Cookies are small text files stored on your computer or mobile device. They help the website remember your preferences (such as language choice) and collect anonymous statistical data about website traffic and usage patterns.
- Types of Cookies We Use:
  - Strictly Necessary Cookies: These cookies are essential for the website to function properly, such as maintaining your login status or handling security features. They do not require your consent.
  - Performance and Analytics Cookies: These cookies help us understand how visitors interact with our website (e.g., which pages are visited), thereby collecting aggregated statistics to improve website design and services. We only use these cookies after obtaining your consent.
- Your Choice and Control: You have full control over whether to accept non-essential cookies. Our website features a cookie consent management banner, allowing you to accept or refuse the storage of such cookies at any time through the banner or browser settings. Please note that refusing all cookies may affect the normal use of some website functions. This practice reflects global best practices in data privacy.
Part 5: Legal Liability
5.1 Responsibility of Service Users
HelloClinic, as a SaaS software, provides only a technical service platform. Our customers (i.e., clinics using the Service), as the "Data Users" of their patient data, are independently responsible for full compliance with the PDPO and other applicable laws. All content entered, generated, or managed through the Service is the sole legal responsibility of the user (the clinic).
5.2 AI-Generated Content Disclaimer
The Service may include features that assist in generating content using Artificial Intelligence (AI). Users must understand and agree that all AI-generated content (e.g., medical record summaries, report drafts, etc.) is for reference only and can never replace professional medical judgment. Users have the ultimate responsibility to review, modify, and independently confirm its accuracy, completeness, and clinical appropriateness. HelloClinic is not responsible for any consequences arising from the use of or reliance on AI-generated content.
Part 6: Contact and Policy Review
6.1 Language Version
This agreement is concluded in Traditional Chinese, and the Traditional Chinese version is the only legally binding formal text. Translations in other languages are for reference only and have no contractual or legal effect; in case of any discrepancy between versions, the Traditional Chinese version shall prevail.
6.2 Changes to the Policy
To ensure this Privacy Policy Statement always reflects the latest legal requirements, technological developments, and the Company's operational practices, we conduct regular reviews and updates. Any amendments will be published on this website. The "Last Updated" date at the top of this policy will indicate the latest version. We encourage you to review this policy periodically to understand how we protect your personal data. If there are significant changes to the policy, we may notify you via email or a prominent notice on the Company's platform.
6.3 Contacting Our Data Protection Officer
Establishing a clear, single point of contact is an important part of our practice of accountability and protection of your rights. This ensures you can communicate directly with personnel dedicated to privacy matters when needed, reflecting our serious attitude toward data governance.
If you have any questions about this Privacy Policy Statement, or wish to make inquiries or complaints regarding personal data matters, or exercise your rights of access and correction, please contact our Data Protection Officer via:
- Title: Data Protection Officer (DPO)
- Email Address: Cyrus@helloclinic.com
All correspondence will be handled confidentially, and we will endeavor to respond to your inquiries in a timely manner.
6.4 Complaining to the PCPD
The Company is committed to resolving any concerns you may have regarding personal data privacy in a fair and transparent manner. However, in the spirit of fully protecting your rights and ensuring information transparency, we hereby inform you that if you are dissatisfied with the way we handle your privacy matters or our response, you have the right to lodge a complaint with the independent regulatory body in Hong Kong—the Office of the Privacy Commissioner for Personal Data (PCPD). For complaint procedures and contact information, please refer to the PCPD official website.