Introduction
HRG Healthcare Ltd ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile applications HRG Health and HRG Clinic.
Information We Collect
We collect information that you provide directly to us:
- Personal Information: Name, email address, phone number, date of birth, gender, and address
- Health Information: Medical history, prescriptions, appointment details, and health records
- Payment Information: Payment card details processed securely through Stripe
- Device Information: Device type, operating system, and unique device identifiers for push notifications
How We Use Your Information
We use the collected information to:
- Provide and maintain our healthcare services
- Process appointments and payments
- Send appointment reminders and notifications
- Facilitate video consultations between patients and doctors
- Improve our services and user experience
- Comply with legal obligations
Data Security
Your data is protected with:
- AES-256 encryption for all sensitive data
- HTTPS/TLS encryption for all data in transit
- Secure authentication with OTP and MPIN
- GDPR-compliant data handling practices
Data Retention
We retain your personal information for as long as necessary to provide our services. Medical records are retained for 7 years as required by healthcare regulations. You can request deletion of your account and data at any time.
Your Rights (GDPR)
Under GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Request erasure of your data
- Restrict processing of your data
- Request data portability
- Object to processing
Video Consultation Data (GDPR Compliant)
Important Information About Video Consultations:
Our video consultation service is designed with privacy and GDPR compliance in mind:
- Self-Hosted Infrastructure: All video calls are processed on our own secure servers in the EU. We do not use third-party video services that might transfer your data outside the EU.
- No Third-Party Data Sharing: We use self-hosted STUN/TURN servers for NAT traversal. Your IP address is not shared with Google, Jitsi, or any other third-party services.
- Recording Consent: Video consultations are recorded ONLY when BOTH the doctor AND patient explicitly consent. Without dual consent, no recording takes place.
- Encryption at Rest: All recordings are encrypted using AES-256 encryption before storage.
- Encryption in Transit: All video streams use DTLS-SRTP encryption and TLS 1.3 for signaling.
- 7-Year Retention: Medical records including consultation recordings are retained for 7 years as required by healthcare regulations, then securely deleted.
- Secure Deletion: When recordings are deleted, we use secure overwrite techniques to ensure data cannot be recovered.
Recording Consent Process
Before any video consultation can be recorded:
- Both parties (doctor and patient) must explicitly consent to recording
- Consent is captured with timestamp and stored in our database
- Either party can withdraw consent at any time before recording starts
- Consent status is clearly displayed to both parties during the call
- Without dual consent, the recording feature is automatically disabled
Third-Party Services
We use the following third-party services with GDPR-compliant data processing agreements:
- Stripe: Payment processing (PCI-DSS compliant, EU data storage)
- Firebase: Push notifications only (no health data transmitted)
Note: Our video consultation infrastructure (Jitsi Meet) is self-hosted on EU servers. No video data is processed by external services.
Children's Privacy
Our services are intended for users aged 18 and over. We do not knowingly collect information from children under 18.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last Updated" date.