In this Policy, our platform and websites will collectively be referred to as the "Services", and we use the word "Customer" to refer to any party or individual who subscribes to and pays for our services. We use the word "you" to refer to any individual user of our Services, such as a practitioner or staff member at a Customer's clinic, or an individual browsing or using our websites.
Notice to Patients
If you are a patient of one of our Customer clinics or practitioners, your clinic or practitioner controls your patient information, including your contact information, and patient records. Please contact your clinic or practitioner for any questions about your patient information.
Information We Collect
- Contact Information. We collect your contact information, such as your name, mobile and email address, when we set up your user account for our Services. We use your contact information to activate your user account, give you access to the Services, and to send you information about your user account. We may also use your contact information for marketing purposes from time to time. You can opt out of our marketing communications at any time by unsubscribing or contacting us at firstname.lastname@example.org. Please note that Helm does not manage any marketing or other communications between a Customer and its patients.
- Billing Information. When a Customer subscribes to our Services, we may also collect credit card information to process payment. In the event that we do so, credit card information is provided directly to our payment processor and is processed in a PCI-compliant manner. We do not keep your credit card information. An authenticated token is stored in place of your credit card information and acts as a non-sensitive placeholder that can be used by the payment processor to reference your credit card information when payments need to be processed.
- Log and Device Information. When you access and browse our Services, we collect information about how you are accessing our Services, such as your internet or mobile network connection, your browser or the type of mobile device you are using (if applicable). We use this log and device information to identify how our Services are being accessed and used so we can optimise them for the types of connections, browsers and devices being used.
Purpose of Information Collection
For personal information that is subject to the Personal Data Protection Act (PDPA) in Singapore, we rely on the following legal bases for collecting and using your personal information:
- Your consent
- Our legitimate interests (which are not overridden by your privacy rights), such as ongoing operations of the business, understanding and improving our Services, direct marketing related to our Services, communicating with our Customers and users about our Services, improving our websites and protecting our legal rights and interests.
You may withdraw your consent at any time. Where we are using your personal information for our legitimate interests, you have the right to object to that use. See below under Your Rights for how to withdraw consent or object.
If you are a patient of one of our Customer clinics, please contact your clinic or practitioner if you have any questions about the legal basis for collecting and using your personal information. Our Customers may have a different legal basis for collecting and using a patient's personal information, such as providing health care or treatments as a regulated healthcare professional.
- Patient Data. Customers use our clinic management platform to collect personal information from their patients and create patient records. These records may include a patient's name, address, billing information, medical charts, appointment history and other patient data ("Patient Data"). If you are a patient, Patient Data is collected from you when you visit your Customer clinic or practitioner. If you have any questions about your Patient Data, please contact the respective Customer clinic or practitioner.
- Customer's Role. Customers retain sole control over Patient Data and are responsible for complying with laws and regulations governing the use of Patient Data, and for determining the legal basis for such use. Effectively, they determine:
- What Patient Data to collect;
- Who has access to the Patient Data;
- How the Patient Data will be used;
- How long the Patient Data will be stored.
- Storage Location. Patient Data is stored in the regional data centre for the location chosen by the Customer during the sign-up process. We currently have regional data centres in Southeast Asia only, though this may change from time to time. Please note that we use US-based service providers for appointment reminders sent by email or SMS and, therefore, Patient Data contained in appointment reminders will go through and may be stored temporarily in the United States.
- Patient Rights. Patients have certain rights with respect to their Patient Data, which may include knowing what information the Customer clinic has about you, correcting any inaccurate Patient Data, obtaining a record of your Patient Data and, in certain circumstances, deleting or removing your Patient Data. Please note that Customers have legal and regulatory obligations around Patient Data and may not always be permitted to delete or remove Patient Data. If you wish to exercise any of your patient rights, please contact the respective Customer clinic or practitioner.
Sharing of Information
- We do not sell or distribute personal information to third parties for their own commercial or marketing purposes. We will only share personal information we collect in the following circumstances:
- Suppliers and Service Providers. In order to operate our business and provide the Services to our Customers and their users, we may need to share a limited amount of information, including Patient Data, with our third-party suppliers and service providers. Some of the areas where we use third-party suppliers and service providers include:
- Data centers for storage of platform data
- Services to enable us to support and engage the Customers
- Services to allow us to send out email and SMS reminders
- Payment processors for payment processing services
- Compliance with Laws. We may disclose personal information to a third party if we are required to do so by applicable law, official request, court order or regulatory body. We may also be required to disclose personal information to enforce our legal rights, or to respond to an emergency which requires us to disclose personal information. In such instances, we will, to the best of our efforts, give you as much notice as possible regarding the disclosure of your personal information, what information was disclosed and why.
- Anonymised/Aggregated Data. Helm may use computer-generated algorithms to gather anonymous and aggregated information from Customer Data in order to assist in our continued development and improvement of the Services, and for research, data analysis, benchmarking, statistics or trend analysis. We will ensure that none of the information we gather identifies, or could be used to identify, any user or patient. Helm may share such anonymised information with Customers and others by providing insights into the general findings.
We protect your personal information, including Patient Data stored in our platform, by:
- Using industry standard security controls such as encryption and a verified security certificate to ensure information is transmitted over a secured connection between your browser and our web server.
- Using state-of-the-art data centres managed by Amazon Web Services (AWS).
- Having our personnel adhere to strict confidentiality agreements to ensure they understand the confidential nature of the data we process, and only accessing a Customer account when assistance is required by the Customer.
While we employ industry standard measures to protect your information, no electronic communication can ever be completely secure. You share responsibility for protection of your personal information by setting a strong password and by keeping your username and password confidential.
We retain personal information only for as long as required to achieve our stated purposes, or as required by applicable law. In general, personal information is kept for as long as a Customer account is active and for a period of no longer than 90 days after it has been deactivated in the event you or the Customer wishes to re-activate the account. User account information may also be retained as necessary to comply with our legal obligations or to resolve any ongoing disputes. Credit card information is never kept or stored by us.
Individuals have certain rights with respect to their personal information. These rights are set out below. If you are a patient of one of our Customer clinics, please contact your clinic or practitioner to exercise any of these rights with respect to your Patient Data.
- Correction and Deletion. We will make reasonable efforts to ensure that the personal information we collect from you is accurate and complete. You may update, correct or delete your account information at any time by logging into your user account and modifying your personal information. You may also update, correct or delete your personal information by contacting us as noted below.
- Withdrawing Consent. Where we have relied on your consent to use your personal information, you have the right to withdraw that consent at any time by contacting us as noted below. In addition, all our marketing email messages contain the option to "opt-out" or unsubscribe from the mailing lists and marketing messages.
- Access and Portability. You have the right to request a record of the personal information that we have collected about you and to ask that the information be provided in a structured, commonly used electronic format (where applicable and technically feasible). There may be some cases where we cannot provide you with certain information about you if it would mean disclosure of personal information of another person or other confidential information, or if it would compromise our security systems. If you require access to your personal information, please contact us at email@example.com.
- Complaints. You have the right to lodge a complaint with a supervisory authority should there be any proven breach of the above conditions and no appropriate and acceptable measures have been taken to contain the breach.