Privacy Statement
Effective June 16, 2026
Template — needs legal review. This document must be reviewed and finalized by Philippine counsel, and the bracketed [PLACEHOLDERS] completed, before public launch.
A. Introduction
This Privacy Statement is adopted in compliance with Republic Act No. 10173, the Data Privacy Act of 2012 (the “DPA”), its Implementing Rules and Regulations, and the issuances of the National Privacy Commission (“NPC”). DigiMD (“DigiMD”, “we”, “us”), operated by [REGISTERED BUSINESS NAME], respects and values your data privacy rights and ensures that all personal data we collect from you is processed under the principles of transparency, legitimate purpose, and proportionality.
B. Scope
- This Statement sets out our policy on the collection, use, storage, sharing, and disposal of personal data we process, in accordance with the DPA, its IRR, and related NPC issuances.
- It applies to all personal data processing activities we conduct in connection with patients, doctors, and visitors to our website and mobile application.
- We may amend this Statement to reflect changes in the law or in our processing activities; the latest version will always be available in the app and on our website.
C. Definitions
- Consent — any freely given, specific, and informed indication of will by which you agree to the processing of your personal data.
- Data Subject — an individual whose personal data is processed, including our patients, doctors, and users.
- Processing — any operation performed on personal data, such as collection, recording, storage, use, consolidation, or destruction.
- Personal Information / Personal Data — any information from which your identity is apparent or can reasonably be ascertained.
- Sensitive Personal Information — includes, among others, information about your health, age, and sex. Your consult records are sensitive personal information.
- Personal Information Controller (PIC) — the entity that controls the processing of personal data. For data we collect, DigiMD is the PIC.
- Personal Information Processor (PIP) — a third party to whom a PIC outsources processing (for example, our cloud and payment providers).
D. The collection and use of personal data
1. We collect the following personal data:
- Account details — your name, email address, mobile number, and role (patient or doctor).
- Health information (sensitive personal information) — your age and sex, the reason for your consult, symptoms, allergies, current medications, the messages you exchange during a chat consult, the doctor’s consult notes, and any e-prescription issued to you.
- For doctors — PRC license number, PTR and S2 numbers, uploaded credential documents, professional signature, and the GCash number used for payouts.
- Payment information — processed by our payment provider, PayMongo. We do not store your full card or e-wallet credentials.
- Technical and usage data — device information, IP address, app activity, and connection data needed to run and secure video and chat consults.
2. We collect and use personal data to:
- Create and manage your account and connect patients with PRC-licensed doctors.
- Process bookings and payments and remit doctor payouts — DigiMD retains a 10% platform commission and pays the doctor’s net on a 15-day payout cycle.
- Verify doctors’ PRC credentials before they may accept bookings.
- Send booking confirmations, reminders, and service notifications, and to provide customer support.
- Produce anonymized, aggregated statistics and research to improve the service.
- Comply with legal, tax, regulatory, and lawful record-keeping obligations.
3. We collect personal data directly from you when you register and book a consult; automatically when you use the app or website (including cookies, device, and usage data); and, where applicable, from a doctor who invites you or from a guardian booking on behalf of a household member.
A note on recordings. DigiMD video consults run over a real-time, encrypted, peer-to-peer connection and are not recorded by us. Chat-consult messages and the doctor’s notes are stored as part of your medical record. You may not record a consult without the consent of all participants.
E. Legal basis and consent
We process your health information based on your explicit consent, given when you register and book a consult, and as necessary to provide the telemedicine service you request and to comply with our legal obligations. You may withdraw consent at any time, subject to medical record-keeping and other legal requirements.
F. The disclosure of personal data
We do not sell your personal data. We disclose it only to the doctor you book, to our authorized processors, and to government authorities where required by law or where necessary to protect our rights and the safety of our users. Our authorized processors include:
- Amazon Web Services (AWS) — cloud hosting and storage (data may be stored in AWS facilities in the Asia-Pacific (Singapore) region).
- PayMongo — payment processing.
- Amazon SES — email delivery.
- Our self-hosted relay (TURN) server — routes video-consult traffic when a direct connection between participants is not possible.
These processors are contractually bound to protect your data and to use it only for the purposes we specify. DigiMD remains responsible for the personal data disclosed to them.
G. Your rights as a data subject
- Right to be informed — to know that your personal data is being or has been processed, and to be notified of a personal data breach as required by law.
- Right to access — to obtain a copy of your personal data and details of how it has been processed.
- Right to object — to object to processing, including for direct marketing or automated profiling.
- Right to erasure or blocking — to suspend, withdraw, or order the blocking, removal, or destruction of your data on the grounds allowed by the DPA.
- Right to rectification — to correct any inaccuracy or error in your personal data.
- Right to data portability — to obtain your data in a commonly used, electronic, and structured format.
- Right to file a complaint — to lodge a complaint with us or with the National Privacy Commission.
H. Retention and disposal
We retain personal data only for as long as your account is active or as needed for the purposes above. Medical and consultation records are retained for the minimum period required by applicable Philippine medical record-keeping rules [CONFIRM PERIOD WITH COUNSEL]. When data is no longer needed, we dispose of it securely; electronic records are removed from our active databases and from third-party tools.
I. Information security
We apply reasonable and appropriate organizational, physical, and technical measures to protect your data, including: encryption in transit (TLS) and at rest, restricted role-based access, authentication via Amazon Cognito, private storage accessed only through short-lived signed URLs, redundancy and regular backups, and activity monitoring. No method of transmission or storage is perfectly secure; if a breach affecting your personal data occurs, we will notify you and the NPC as required by law.
J. Data Protection Officer
To oversee our compliance, DigiMD has appointed a Data Protection Officer (“DPO”). For privacy questions, requests, or complaints, contact: [DPO NAME], privacy@digimd.online.
K. Changes to this Statement
We may update this Statement from time to time. We will make the revised version available through the service and indicate the date of the latest revision. Your continued use of DigiMD after the revised Statement takes effect indicates your acceptance of it.