Privacy Policy

Effective date: April 4, 2026  ·  HelloDoc Jamaica Limited

1. Introduction

HelloDoc Jamaica Limited (“HelloDoc”, “we”, “us”) operates the HelloDoc platform — a healthcare information management service for patients and healthcare providers in Jamaica. This Privacy Policy explains how we collect, use, store, and protect personal information in accordance with the Jamaica Data Protection Act, 2020 and its amendments.

By creating an account or using the platform you agree to the practices described in this policy. If you do not agree, do not use the platform.

2. What Information We Collect and Why

We only collect information that is adequate, relevant, and limited to what is necessary for the purposes described below (DPA Section 3 — Data Minimisation).

2.1 Account Registration

  • Full name and email address — to identify your account and send security alerts or appointment notifications.
  • Phone number — to enable appointment reminders and emergency contact by your care team.
  • Password (hashed) — to secure your account. We never store or transmit your password in plain text.
  • Timestamp of Terms acceptance — recorded to demonstrate that informed consent was obtained at the time of registration (DPA Section 1).

2.2 Health Profile (completed after registration)

  • Date of birth and gender — to ensure age-appropriate care and medications; to apply clinical guidelines that differ by biological sex.
  • Blood type — for clinical safety in emergency situations.
  • Home address and parish — to identify the nearest facility and to enable location-relevant appointment reminders. Never used for marketing.
  • Emergency contact (name, relationship, phone) — accessed only in urgent medical situations where you cannot be reached.
  • Insurance information — for billing and insurance claim processing only; optional.

All health profile fields are optional. Incomplete profiles do not affect your ability to book appointments.

2.3 Medical History (optional — you control what is shared)

  • Chronic conditions and current medications — to enable your doctor to prescribe safely and avoid harmful drug interactions.
  • Surgical and medication history — to provide clinicians with a complete clinical picture.
  • Family history — to identify hereditary risk factors that may affect your care plan.
  • Lifestyle factors (smoking, alcohol, exercise) — to inform preventive care recommendations.
  • Women's health information — collected only for patients who indicate a female gender; relevant to hormone-related clinical decisions. Optional.

2.4 Clinical Records Created During Care

Healthcare providers on the platform may create consultation notes, prescriptions, referral letters, vital sign records, uploaded documents, and other clinical records in connection with your care. These records are associated with your account and protected by database-level access controls.

  • If a clinical record is created under a facility, authorised doctors at that same facility may access that record for continuity of care.
  • If your doctor sends an internal referral to another HelloDoc doctor, the referred doctor may access records created by the referring doctor for that patient and referral context.
  • Broader patient-entered history (such as baseline medical history) remains consent-based per doctor and can still be granted or revoked in your dashboard.

2.5 Usage and Security Logs

We record login timestamps and session identifiers for security monitoring, fraud prevention, and DPA compliance audit purposes. These logs are not used for marketing.

3. How We Use Your Information

We will only use your personal data for the specific purpose for which it was collected (DPA Section 2 — Purpose Limitation). We will not use your data for any other purpose without first informing you and, where required, obtaining your consent.

  • Providing and maintaining your HelloDoc account
  • Facilitating appointment booking, management, and reminders
  • Enabling safe clinical care by your treating providers
  • Sending security alerts and account notifications
  • Complying with legal obligations

We do not sell your personal data to any third party. We do not use your data for advertising or direct marketing purposes without your explicit consent.

4. Who Can See Your Data

Access to your personal and health information is strictly role-based and enforced at the database level (Row Level Security).

  • You — always have full access to all your own data.
  • Doctors — can access clinical records they create during your care. For records created under a facility, authorised doctors at that same facility may also access those records for continuity of care.
  • Referred doctors — when your doctor makes an internal referral, the doctor who receives that referral may view records created by the referring doctor for your care handoff.
  • Consent-gated historical data — certain patient-entered history remains controlled by your per-doctor consent settings. You can grant or revoke that access at any time.
  • Nurses and Receptionists — can access the information necessary to manage your appointment at the facility you are attending.
  • Facility Managers — can access finance, inventory, and audit-log records for their assigned facility only, and do not have access to your clinical records.
  • Administrators — can access governance, user-management, finance, and system-wide audit-log workflows, but do not have access to patient clinical records. All admin access is logged.
  • Third parties — we do not share, sell, or disclose your personal data to third parties for commercial purposes.

5. How Long We Keep Your Data

We will not keep your personal data longer than is necessary for the purpose for which it was collected (DPA Section 5 — Storage Limitation).

  • Account and profile data — retained while your account is active.
  • Clinical records — retained for a minimum of 10 years from the date of creation, as required under Jamaica's medical records retention guidelines.
  • Security and audit logs — retained for up to 2 years.

To request account deletion, contact us at luke@hellodocja.com. Deletion requests for clinical records may be limited by the retention period above.

6. Your Rights

Under the Jamaica Data Protection Act you have the following rights:

  • Right of access (Section 20 DPA) — to request a copy of the personal data we hold about you.
  • Right to rectification (Section 21 DPA) — to request correction of inaccurate personal or clinical data. Use the “Request a Data Correction” feature in your profile, or email us. HelloDoc takes reasonable steps to verify accuracy, including format validation where appropriate, the data correction request process, and reliance on you to keep your information up to date.
  • Right to object (Section 22 DPA) — to object to certain types of processing.
  • Right to erasure (Section 23 DPA) — to request deletion of your personal data in certain circumstances.
  • Right to withdraw consent — to revoke your consent for per-doctor, consent-gated records at any time through your dashboard. Facility-based care access and referral handoff access remain limited to care-delivery purposes and are still governed by role and facility controls.

To exercise any of these rights, contact our Privacy Officer at luke@hellodocja.com. We will respond within 30 days.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction (DPA Section 7).

  • All data is transmitted over TLS 1.2 or higher (HTTPS)
  • Data at rest is encrypted using AES-256
  • Row Level Security (RLS) is enforced at the database level — no query can return data outside the user's authorised scope
  • Role-based access controls limit what each user type can see
  • Authentication tokens are stored in HTTP-only cookies and are never accessible to JavaScript
  • Passwords are hashed using industry-standard algorithms and never stored or transmitted in plain text

8. Cookies

We use session cookies solely to maintain your authenticated session after login. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. You can disable cookies in your browser, but the platform will not function without session cookies. For a full list of cookies used and detailed guidance on how to manage them, see our Cookie Policy.

9. Cross-Border Data Transfers

The HelloDoc platform is hosted on Supabase infrastructure. Your data is stored and processed in the United States, specifically in the West US (North California) AWS region (us-west-1). Any such transfer is made only to jurisdictions that provide an adequate level of data protection, and is governed by appropriate data processing agreements with our service providers (DPA Section 8).

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of any material changes by email at least 30 days before the change takes effect. Continued use of the platform after notification constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related queries or to exercise your data rights:

HelloDoc Jamaica Limited

Email: luke@hellodocja.com

Phone: +31(0)647283266

This policy is subject to legal review and does not constitute legal advice. Consult a qualified attorney for regulatory compliance questions specific to your situation.