This policy was last updated on 9th March 2023
If you are not happy for your information to be used in the ways described in this Policy, you should stop using GenderGP services.
The Site is provided by GenderGP PTE. Ltd (“GenderGP”, “we”, “our” and “us”). We are an online health and wellbeing clinic. We are a company incorporated in Singapore under company registration number 202145027H. Our principal office is at 160 Robinson Road, Singapore Business Federation Centre, Singapore 068914.
GenderGP is responsible for keeping the personal information we use safe and making decisions about how it can be used. As such, for the purposes of applicable data protection laws, GenderGP is the “controller” of the personal information that it collects and uses and is responsible for meeting all the requirements of the Singapore Personal Data Protection Act, the European General Data Protection Regulation (“EU GDPR”), and the version of the GDPR as transposed into UK law (“UK GDPR”) to the extent each one applies (“Data Protection Laws”).
We put in place appropriate systems and ensure compliance by our staff with the standards of security and confidentiality prescribed by law.
If you have any questions about the use of your personal information, please visit our Help Centre. You can contact our Data Protection Officer via the Help Centre. You can also contact us as follows:
Patients place their trust in the healthcare industry and expect their providers to be good guardians of their health information, with standards set forth by HIPAA and GDPR to protect the privacy and security of protected health information (where applicable).
GenderGP values the trust given to us by our patients and has therefore worked to make data protection improvements our priority in past years. As a result, we took a structured approach to enhancing our processes and procedures in line with GDPR and HIPAA standards.
Enhancement of our patients’ health information protection includes:
- Using only trusted data processors that are upholding the GDPR and HIPAA standards, e.g. Cognito, G-Suite.
- Tighter user access management control.
- Data audit control – archive of historical data and their encryption.
- Multifactor authentication, automatic logouts.
- Appointment of a member of the team who oversees data security and reports any data breaches.
- A data audit carried out in the business.
To deliver on our promise to make patients’ data protection our priority, we have decided to implement a best-in-class CRM system that is highly focused on data security and protection. This is a significant investment in the protection of personal and medical data and is going to significantly improve data safeguarding, giving our patients transparency over the data we hold on them.
Key features that will further increase data protection within GenderGP are:
- Storing data on safe servers within the EU.
- Data encryption of stored data.
- Encrypting all data in transit.
- Robust field history monitoring and event monitoring: an audit of all fields and their changes, with records available for 10 years (the product is called Field Audit Trail).
- Ability to track any usual activity in Salesforce-covered services.
- Vigorous system defining user (internal staff) profiles and permission sets governing data visibility.
- Patient-controlled security features that may be implemented by patients.
- A single place where we store all electronic health records, to ensure the highest level of protection.
- Ability to implement controls over unauthorized data download/transit to avoid impermissible use of patients’ data.
- Patients’ access to all their electronic health records and their health journey, ensuring transparency of the process.
Depending upon your use of our services, our Site and/or our App, we may collect and hold some or all of the personal information set out below:
- Account details – username, password, communication preferences, answers to security questions to check your identity;
- Contact details – name, title, home address, email address, phone number;
- Correspondence and communications data – information contained in your emails, messages and other communications with us;
- ID information – any personal description, photograph, driver’s licence, passport;
- Biographical information – your date of birth, nationality, gender and legal gender, marital status and dependants;
- Health and social information – recordings of your online appointments, notes and reports relevant to your health, including any information you have told us about your health, medical history, details of your treatment and care, including any diagnosis, medical advice, comments and care plan from your GenderGP and other staff who have cared for you, results of investigations, such as laboratory tests and x-rays, relevant information from health and social care professionals, relatives or those who care for you, and information from wearable devices, monitors or other apps;
- Sensitive information – information regarding your ethnicity, sexual orientation, sex life, religious beliefs or opinion or genetic data where this is relevant to your care or is information that you have provided to us as part of your care;
- Information about your next of kin and carers – their contact details, relevant medical history if required and emergency contact information;
- Marketing preferences – your marketing preferences and consents;
- Location Data – if you are using a device that has GPS enabled, we will collect information about your location;
- Technical data – data relating to your device – the IP address, browser type, internet service provider, device identifier, your login information, time zone setting, browser plug-in types and versions, preferred language, activities, operating system and platform, and geographical location;
- Usage data – data relating to your usage of our Site and/or our App – URL, clickstream to, through and from the Site, pages you viewed and searched for, page response times, length of visits to certain pages, referral source/exit pages, page interaction information (such as scrolling, clicks and mouse-overs), date and time pages are accessed, Site navigation and search terms used; and
- Payment and financial information – data relating to your purchases and orders for our services, the charges you have incurred, payments you have made, your payment card details.
Collection of personal information
Information provided by you:
Most of the personal information we use is provided to us directly by you so that you can access our services. This includes personal information you provide when you:
- search our Site and/or the App;
- download one of our Apps;
- register with us and create a GenderGP account on-line;
- purchase and pay for our services through our Site and/or our App;
- log in to GenderGP and use the Services;
- report a problem with our Site and/or the App;
- request marketing to be sent to you;
- enter a competition, promotion, or survey; or
- correspond with us or give us some feedback.
Information we collect automatically:
We collect information about your location if you are using a computer, tablet or mobile phone that has GPS enabled. You can stop us using your location information at any time by turning off the GPS setting in your device.
Use of personal information
Under Data Protection Laws, we can only use your personal information if we have a legal basis to do so. For example:
- where you have given consent;
- to comply with our legal and regulatory obligations;
- for the performance of a contract with you or to take steps at your request before entering into a contract; or
- for our legitimate interests or those of a third party.
A “legitimate interest” is when we have a business or commercial reason to use your personal information, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own.
Special category personal information
Certain personal information we collect is treated as a special category to which additional protections apply under Data Protection Laws. This includes:
- data concerning health, sex life or sexual orientation;
- personal information revealing racial or ethnic origin;
- genetic data and biometric data (when used to uniquely identify an individual).
Where we process special category personal information, we will also ensure we are permitted to do so under applicable Data Protection Laws. For example:
- where you have given your explicit consent;
- where the processing is necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent; or
- where the processing is necessary to establish, exercise or defend legal claims.
Criminal Offence Data
Applicable Data Protection Laws require us to provide extra safeguards to any personal information we collect about criminal convictions and offences. We do not use this type of information very often but, for example, you might tell us about a drug-related conviction or time in prison.
In the limited circumstances where we do process such personal information, our use of the information complies with the relevant requirements of applicable Data Protection Laws.
Changes to your personal information
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.
Marketing from us
From time to time, we may contact you with information about our services, including for the purposes of sending you marketing messages and asking for your feedback.
We will only send you marketing messages if you have given us your consent to do so, unless consent is not required under applicable Data Protection Laws (for example, where we have a pre-existing customer relationship with you).
You have the right to opt out of receiving marketing communications at any time by:
- contacting us using the contact details set out above;
- using the ‘unsubscribe’ link in emails or ‘STOP’ number in texts; or
- updating your marketing preferences on our Site and / or our App.
We may ask you to confirm or update your marketing preferences if you ask us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.
Third party marketing
We will always treat your personal information with the utmost respect and will never sell or share it with other organisations for marketing purposes unless we have your express opt-in consent.
Sharing of personal information
We routinely share personal information with:
- GenderGP Affiliated Specialists – In order to provide you with GenderGP services we need to share your personal information with GenderGP Affiliated Specialists. GenderGP Specialists work in partnership with GenderGP as self-employed contractors.
- Partner organisations – We also need to share information with partner organisations that help administer GenderGP accounts and provide other elements of our services. Such partner organisations may include:
  - Service Providers – Providing a variety of critical services such as hosting, security, data storage, cloud services, testing services and non-critical services such as third-party review platforms.
  - Payment processors (see further below).
  - Partners – Who process your data on our behalf so we can provide you with our Services; this may include appointment booking, getting in touch with us, using our online platforms, and pharmacies.
  - Other health care professionals if we work with them jointly to provide you a Service.
  - Regulatory and Compliance bodies.
  - Other partners, professionals, and service providers required to provide you with our services.
We only allow such third party organisations to handle your personal information if:
- we are satisfied that they take appropriate measures to protect your personal information;
- we have imposed contractual obligations on them to ensure they can only use your personal information to provide services to us and to you (in accordance with our instructions), and not to use your personal information for their own purposes;
- we have vetted these organisations to ensure that they will deal with your personal information responsibly.
We may occasionally share your personal information:
- with any relevant regulators;
- with your agreement, with your relatives, partners or friends who act as a carer for you. We will only share information once the person you have asked us to share the information with has provided us with proof of their identity. We may share information with anyone you have given as an emergency contact, for example your next of kin;
- with anyone else that you authorise us to share your personal information with, e.g., employers, insurers or other third parties;
- with any relevant police, fire and rescue services if there is an immediate risk of harm to you or other people, or if there is a legal requirement to do so e.g., where a road traffic offence has been committed or the police have obtained a court order requiring us to provide information;
- with bodies with public health responsibilities to control infectious diseases such as meningitis, tuberculosis (TB) or measles and manage public health incidents;
- with our professional advisors, including lawyers and accountants, if this is necessary to take and receive professional advice (including legal advice), or to bring or defend a legal claim or threatened claim;
- with our insurers and brokers and the insurers and brokers of other organisations where this is necessary to investigate insurance cover and to handle a claim or threatened claim;
- with individuals or organisations if we are legally required to, for example if this is specified in a warrant or court order;
- where we, or substantially all of our assets, are merged or acquired by a third party, in which case this information may form part of the transferred or merged assets;
- with other organisations that help provide medical or social care. These organisations include:
  - your doctor, for example so that they have a record of your on-line appointment and/or consultation. If you would like to know more about what your GP practice does with the information we share with them, you should look at your GP practice’s patient privacy notice. This is normally available on your GP practice’s website;
  - organisations that help deliver medical services outside of hospital;
  - private sector organisations that deliver healthcare such as private hospitals, dentists, opticians and pharmacists;
  - out-of-hours providers e.g., organisations providing out of hours medical services;
  - voluntary sector organisations that deliver healthcare such as charities;
  - local councils if social workers are part of your care team, education services, children’s services, housing, or benefit offices;
  - organisations that provide diagnostic tests;
  - organisations that provide ambulance or patient transport services;
  - other organisations involved in the delivery of medical care, social care or the protection of public health;
- marketing organisations, if you have agreed to receive information about our services and offers. For example, we may share your contact information with companies that we use to send marketing emails. Although we will not share information about your health with these organisations, it may be possible for them to infer this information due to the content of the marketing email. For example, if we are sending you information about how we can help you manage your diabetes, our partners will be able to infer that you have this condition.
Each payment transaction made via the Site and/or the App is processed by one of our third-party payment processing partners. You will be required to provide such payment processing providers with your relevant financial information in order to use the payment processing services. You are subject to the terms and conditions of those named in the relevant section.
Links to third party sites
Our Sites and the App may, from time to time, contain links to and from third party websites, including those of other news publications and affiliates. Our Sites and the App may include some social media features, such as the Facebook button and the ‘Share This’ button. You can use these features to share information about your use of GenderGP through social media. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for their policies. Please check the individual policies before you submit any information to those websites.
Storage of data
Your personal information may be transferred to our partners in the United States and Singapore.
Where the EU GDPR or the UK GDPR applies, and where your personal information is transferred outside the UK or the European Economic Area (which consists of all EU member states, plus Norway, Iceland, Liechtenstein) (the “EEA”), we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal data.
- Where we transfer your personal information to other controllers or service providers, we may use standard data protection clauses approved for use by the EEA or the UK which give personal information the same protection it has in the EEA or the UK.
Alternatively, in the absence of adequacy or other appropriate safeguards, we will only transfer your personal information to a third country on one of the following conditions:
- the transfer is necessary for the performance of a contract between us;
- where you have given your explicit consent;
- where the transfer is necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent; or
- where the transfer is necessary to establish, exercise or defend legal claims.
Please contact us using the contact details above if you want further information on the specific mechanism used by us when transferring your personal data out of the UK or the EEA.
How long does GenderGP keep my personal information for?
We will not keep your personal information for longer than we need it for the purpose for which it is used. However, different retention periods apply for different types of personal information and for different aspects of our services. To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
- Special category personal information will be stored on GenderGP systems. This information will be deleted in accordance with our records management rules.
- Account information for individuals (including people who have completed the on-line registration process) who have not used our consultation services will be deleted after two years, unless we are required to retain such information for any legal or regulatory reason.
- Account information about individuals (for example your name, log in details, summary details of the GenderGP services you have used, any complaints you have made about our service) who have accessed our services will be kept until two years after they last accessed the services or communicated with us, whichever is later.
- If you have let us know that you are happy to receive marketing information, we keep the information we need for marketing for a maximum of 2 years from when you last accessed the GenderGP Site or App.
- In some circumstances we will anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
At GenderGP we take security and the secure storage of personal information seriously. We have appropriate technical and organisational data security measures to prevent personal information from being accidentally or unlawfully lost, used or accessed. Such measures include, but are not limited to:
- limiting access to your personal information to those who have a genuine business need to access it. Those processing your personal information will do so only in an authorised manner and are subject to a duty of confidentiality;
- the pseudonymisation and / or encryption of personal data;
- transmitting all your personal information collected in the course of your use of the Site or the App using Secure Sockets Layer (SSL) technology. SSL is an industry standard technology designed to prevent any third party from capturing and viewing your personal information while in transit;
- recommending users of the Site and the App to go through a two-step identity verification process to create their account and to reset their password. We will never ask you for your password in any unsolicited communication (including unsolicited correspondence such as letters, phone calls, emails or text messages).
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
For more information on how we keep your personal information secure, please contact us using the contact details above.
Rights over personal information
Under certain circumstances, you have rights under Data Protection Laws in relation to your personal information. Specifically:
Your right of access
You have the right to ask us for copies of your personal information. There are some exemptions, which mean you may not always receive all the information we have about you.
Your right to rectification
You have the right to ask us to rectify information you think is incomplete or inaccurate.
We will not usually amend medical records. This is because it is important that we have a copy of the information available to practitioners at the time they are treating you. Instead, we usually add a note to your record to highlight the information you consider to be incorrect.
Your right to erasure
This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.
Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. For example, we will not normally delete information from medical records. This is because it is important that we have a copy of the information available to doctors at the time they are treating you.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances e.g., if you contest the accuracy of the personal information.
Your right to object to processing
You have the right to object:
- at any time to your personal information being processed for direct marketing (including profiling);
- in certain other situations to our continued processing of your personal information, e.g. processing carried out for the purpose of our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims.
Your right to data portability
You have the right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that personal information to a third party.
Your right to withdraw consent
Where we rely on consent to process your personal information, you have the right to withdraw this consent at any time. However, if you withdraw consent, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you.
Your right to not be subject to automated individual decision making
You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
How do I exercise my rights?
If you wish to exercise one of these rights, please contact us using the contact details above.
Please note that the above rights are not absolute, and we may be entitled to refuse requests, wholly or partly, where exceptions under the applicable law apply.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We may also ask you to provide us with identification so that we can be sure that we are dealing with the right person. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You have the right to make a complaint at any time if you are not happy with the way that we have dealt with your personal information or a request from you to exercise your privacy rights.
We would appreciate the chance to deal with your concerns in the first instance, so please contact us first using the contact details above. You also have the right to lodge a complaint to your national data protection authority if you are in the UK or EEA.
If you are in the UK, the relevant data protection authority is the Information Commissioner’s Office (“ICO”). Information on how to make a complaint to the ICO is available at www.ico.org.uk.
Updating this notice
We may update this notice from time to time. If we plan to update the policy, we will let you know through the Site and/or App. When you log on to your account, we will also let you know if the notice has been updated since you last accessed GenderGP services. You should stop using our Site and/or App if you do not agree to any changes.