eSmartHealth Privacy Statement
Our Company, eSmartHealth Limited ("eSmartHealth"), provides a range of eHealth and related services and products, including, without limitation, “eSmartHealth Cloud Management Service” (a cloud-based platform for the storage and monitoring of health and related data), “DrGo” (an app-based platform which facilitates the provision of medical, healthcare and related services and health and related data tracking), and “DrGo Health Store” (an online shopping platform for health and related services and products) (collectively, the “Services”).
This Privacy Statement sets out how we, eSmartHealth Limited ("eSmartHealth"), collect, use, manage and protect the personal data and other information ("Data", including Special Data (as defined below)) that we may collect from or about you. It applies to all individuals whose Data may be handled by us in relation to the Services offered by us from time to time.
Protecting your privacy
We are committed to processing your Data in accordance with the required standards. This includes protecting your privacy and ensuring the security of your Data in compliance with, in particular and where applicable, the requirements of the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) (“Ordinance”).
Before using and providing your Data for the purposes as set out in this Privacy Statement, we may be required by law to obtain your written consent, and in such cases, only after having obtained such written consent, may we use your Data in the manner as specified.
Your Data
We may collect, use and hold a range of different Data about you. For purposes in connection with the provision of the Services and complying with laws, rules, guidelines, regulations and/or requests issued by applicable government authorities, courts, law enforcement or other authorities or regulatory bodies, you may be requested to provide Data such as, but not limited to:
| (a) | the name, date of birth and other details documented on your identification document (e.g. Hong Kong Identity Card and Passport); |
| (b) | contact details, including name, address, phone number, mobile telephone number and email address; |
| (c) | Data that you have shared with third party social media platform operators (e.g. account login name, profile picture, contact details); |
| (d) | Data which you have uploaded onto our eSmartHealth Cloud Management platform for storage via certain health devices; |
| (e) | health information, including medical concerns, self-reported symptoms, existing medications, allergies and diagnosis; |
| (f) | messages exchanges between you and our staff or representatives; |
| (g) | insurance information; |
| (h) | payment details, including credit card, debit card and other electronic banking Data; |
| (i) | account details or Data relating to Services registered with us, including the relevant PIN, username or password, account numbers and/or service numbers; |
| (j) | device specific information, such as hardware model, operating system, version, unique device identifier, serial numbers, setting configurations and software and mobile network configuration; |
| (k) | information about how you use our Services, such as your network usage, how you use our network, and your location when you are using our Services; |
| (l) | information that allows us to identify you for verification purpose, including biometric information like your fingerprints and voice pattern; |
| (m) | health and biometric information (which could be provided to us when you use our Services); |
| (n) | your credit and service history to enable us to assess your eligibility to our offers of Services or to accommodate your request for transfer of Services or your account with us; |
| (o) | all Data requested by applicable government authorities, courts, law enforcement or other authorities or regulatory bodies to enable us to comply with or in connection with any law, rule, regulation, judgment or court order (whether within or outside of Hong Kong); and |
| (p) | any other Data as may be required by us and our representatives and/or their respective contractors, sub-contractors, agents, representatives, business partners or representatives, service providers, healthcare providers, healthcare professionals (including doctors, dietitians, physiotherapists, psychologists, nurses, pharmacists and other medical and healthcare staff) from time to time and which is necessary for the provision of the Services and/or for your access to medical and healthcare consultation and prescription services provided by healthcare providers and/or healthcare professionals (collectively, the "Medical Consultation Services") through our platform. |
In some instances, where required by law to do so, we may seek your consent to process the following types of “Special Data” to us so that we may further improve our Services and/or better tailor the type of information or content that we present to you:
| (a) | age; |
| (b) | gender and ethnicity; |
| (c) | marital status; |
| (d) | salary range and employment details; |
| (e) | education and profession; |
| (f) | hobbies and leisure activities; |
| (g) | the Services that you have subscribed for; and |
| (h) | family and household demographics. |
Provision of the Special Data mentioned immediately above is optional, although where the requested Service is a personalised Service or provision of the Service is dependent upon your provision of all requested Data, failure to provide the requested Data may prevent us from providing those particular Services to you.
Occasionally, you may need to provide Data about other individuals to us (e.g. when you request for a service on behalf of another individual). If so, we may require you to confirm your compliance with Part VIA of the Ordinance including confirming that you have informed those individuals of the use, disclosure and transfer of Data from you to us and from us to third parties and possible disclosure of the individual’s details (including their usage of our Services) by us to you; and that you have obtained those individuals’ authorisation and/or consent to such use, disclosure and transfer (or the extent to which such authorisation and/or consent was obtained). You should also advise them that we can be contacted for further information at the details stated under the “How to contact us” section below.
Data supplied by you will be held by us, and will be accessible by our employees and authorised third parties specified below (consistent with the situations or for the purposes set out in this Privacy Statement) or as otherwise indicated by prior notice to you or, where required, by obtaining your consent.
How we collect Data
We collect Data in a number of ways, including from:
| (a) | you directly, for example, when you provide Data by submitting your Data in service application forms, through our websites, mobile apps, or over any customer service hotlines or chat sessions; or when you contact us with a query or request or during the ordinary course of the continuation of our business relationship with you, or when we are legally required to do so; |
| (b) | third parties, such as related entities, healthcare providers, healthcare professionals, business partners, or other customers, or your representatives with appropriate consent from you if required; |
| (c) | publicly available sources of information; |
| (d) | our own records of how you use our Services; |
| (e) | your visits on our websites or mobile apps (see "Privacy Data" section below); and/or |
| (f) | your participation in surveys or marketing promotions organised by us or on our behalf. |
Privacy Data
To better serve your needs and preferences, our systems may collect Data relating to your website, device or app activity. We may also collect aggregated, anonymous, statistical data on the server's usage so that we may better cater to the behaviour of users of our websites and mobile apps. This type of Data may include, but is not limited to:
| (a) | browser type, version and user agent; |
| (b) | operating system; |
| (c) | IP (Internet Protocol) address and/or domain name; |
| (d) | connection data, statistics on page views and/or referral URLs; |
| (e) | device ID, location and phone contacts; |
| (f) | links or images clicked on; |
| (g) | cookies and/or browser, app or web server log data; and |
| (h) | device and software characteristics and/or configuration. |
Our websites may use cookies or similar tracking tools on your machine or device in order for us to, for example, personalise your user experience and/or maintain your identity across multiple webpages and/or Internet sessions. This Data may include, but is not limited to, relevant login and authentication details as well as Data relating to your activities and the preference configurations on your device and across our websites and mobile apps. Our websites may be initially set up to accept cookies. You can opt out of or delete historical cookies by changing the settings on your web browsers; however, if you do so, you may find that certain features on our website and/or our app do not work properly.
How we use your Data
We may collect, retain and use your Data for the following purposes (with your consent, if required):
| (a) | to verify your identity; |
| (b) | to process your registration for our Services or application to subscribe to our Services; |
| (c) | to carry out matching procedures, as defined under the Ordinance; |
| (d) | to verify your eligibility to our offers of Services, games and/or promotions or other events; |
| (e) | to provide, activate and/or renew Services and/or loyalty programs (if any) that you may have subscribed for; |
| (f) | to administer and maintain our eSmartHealth Cloud Management platform; |
| (g) | to enable you to access Medical Consultation Services and to enable healthcare providers and healthcare professionals to provide Medical Consultation Services |
| (h) | to provide you with rewards, promotional benefits, updates, offers and invitation to events; |
| (i) | to promote and market our Services to you; |
| (j) | to respond to and follow-up with your enquiries or complaints |
| (k) | to perform research or analyses so that we may improve and optimise the Services; |
| (l) | to conduct surveys and marketing, promotional, behavioural scoring for business operations and/or planning purposes; |
| (m) | to carry out market and product analyses in order to generate statistical or actuarial reports (containing aggregated data that does not relate to any identified or identifiable individual); |
| (n) | to enforce our contractual rights; |
| (o) | to process any payment instructions, direct debit facilities and/or credit facilities in relation to our supply of Services to you; |
| (p) | to maintain and develop our business systems and infrastructure, including testing and upgrading of these systems; |
| (q) | to maintain, enhance and develop our products and service offerings; |
| (r) | to comply with applicable laws in or outside Hong Kong as may be required by applicable government authorities, courts, law enforcement, or regulatory or investigation bodies, in relation to the supply of Services and/or loyalty programs to you, including to assist in the prevention, detection of crime or possible criminal activities; and |
| (s) | to distribute our publications and research materials as well as those of our business partners and counterparties. |
How we disclose your Data
We have a legitimate interest in properly administering the Services. In order to provide the Services that you have requested, we may, to the extent permissible under applicable laws and regulations, disclose your Data to organisations or parties outside of eSmartHealth (which may be within or outside of Hong Kong) (collectively, "Organisations"). Your Data is disclosed to these Organisations for the strict purpose of enabling us to supply our Services to you. In some circumstances as mentioned above, we may need to ask for your consent to use your Special Data where required by law to do so.
These Organisations provide support services to our businesses and operations, which may include, without limitation:
| (a) | customer enquiries; |
| (b) | Medical Consultation Services; |
| (c) | medical, health and wellbeing services; |
| (d) | courier, delivery, logistic and warehouse services; |
| (e) | mailing operations; |
| (f) | billing and debt-recovery services; |
| (g) | installation, maintenance and repair services; |
| (h) | information technology services; |
| (i) | marketing, advertising and telemarketing services; |
| (j) | market research; |
| (k) | customer usage and behavioural analysis; |
| (l) | process management; |
| (m) | after sale services; |
| (n) | surveys; |
| (o) | website usage analysis; and |
| (p) | cloud storage services. |
We take the required steps to ensure that these Organisations are bound by appropriate confidentiality and privacy obligations in relation to the protection of your Data and that they use your Data for the sole purpose of carrying out the services for which they have been engaged, and not for their own or other purposes (including direct marketing).
In addition, we may disclose your Data:
| (a) | to your authorised representatives and/or your legal advisers when requested by you to do so; |
| (b) | for the purposes of providing administrative, payment, collection, business, legal and/or operational support, to the following parties: |
| (i) credit-reporting and fraud-checking agencies; | |
| (ii) collection agencies, security agencies, credit providers or other financial institutions (for credit related purposes such as credit-worthiness, credit rating, credit provision and financing); | |
| (iii) telecommunications network operators; | |
| (iv) our affiliates, overseas offices, assignees, transferees and representatives; | |
| (v) our professional advisers, including our accountants, auditors, lawyers and insurers; | |
| (c) | to banks, insurance companies, insurance brokers, underwriters, billing agents and various business partners in connection with the Services and benefits applicable to registered users of our Services; |
| (d) | to any financial institutions, charge or credit card issuing companies, credit providers, credit information or reference bureaux, or collection agencies, security agencies, necessary to establish and support the payment of any services being requested; |
| (e) | to government and regulatory authorities and other organisations, as required or authorised by law; |
| (f) | to organisations who manage our business and corporate strategies, including those involved in a transfer or sale of all or part of our assets or business (including accounts and trade receivables) and those involved in managing our corporate risk and funding functions (e.g. securitisation); |
| (g) | to any proposed or actual participant, assignee or transferee of all or any part of the relevant member of our operations or business; and/or |
| (h) | to charities or non-profit organisations. |
Direct marketing (if applicable)
Subject to obtaining your consent, we intend to, in compliance with applicable laws, rules, and regulations, use your Data (your name, contact particulars (such as phone number, address, email address), information about the Services you have used or purchased, subscription details, location data and other customer profiling data), for the purpose of direct marketing, including sending to you notices and/or updates about gifts, discounts, privileged offers, benefits and promotions related to Services, as well as other products and/or services, including but not limited to: TV, telecommunications, over-the-top (OTT) services, content services, mobile voice, SMS and data communications, IDD / roaming, Internet connectivity, cloud services, electronic / mobile payment, entertainment, secretarial services, personal assistant services and information services (such as weather, finance and news information), device accessories, mobile applications and software, computer peripheral, accessories and software (including notebooks, handsets, mobile devices and accessories, keyboards, security installations and mobile applications), reward, loyalty and privilege programs, lifestyle, networking events, travelling, banking, alcohol and tobacco, sports, music, gaming, transportation, household products, food and beverages, finance, insurance, wealth management services and products, pensions, investments, brokering, financial advisory, loan and credit and other financial services and products, betting, education, health and wellness, beauty products and services, fashion and accessories, electronics, social networking, technology, e-commerce, digital assets and related offerings and services, logistics, retail, home and décor, media and high-end consumer products and services. Marketing may be carried out in a variety of ways (such as in the form of a letter, bill insert / message, email, digital SMS, MMS, instant message, app push notification, targeted TV message, by telephone, social media or advertisements on websites or other means).
Before using and providing your Data for the direct marketing purposes as set out in this Privacy Statement, where we are required by law to obtain your consent, and in such cases, only after having obtained such consent, may we use your Data for any direct marketing purpose.
We will honour each individual's request to not use his/her Data for the purposes of direct marketing. You may opt out from receiving direct marketing material and/or communications from the relevant Service. At the same time, you may resume receiving the same (if you have previously opted out of receiving such material and/or communications from the relevant Service) by making a written request to our Privacy Compliance Officer together with your registered name, registered telephone number or email address (as applicable).
Transfer of Data outside Hong Kong
At times it may be necessary and/or prudent for us to transfer your Data to places outside of Hong Kong, for instance, for the prevention, detection or investigation of crime or for storage, processing and other purposes for which the Data were collected. In the event that we do transfer your Data outside of Hong Kong, we will do so in compliance with the prevailing requirements of the Ordinance.
The safety of your Data is important to us
All reasonable efforts are made to ensure that any personal data held by us is stored in a secure and safe place and is accessible only by our authorised employees, authorised third parties or other Organisations referred to in this Privacy Statement.
You should be aware that no system is impenetrable and no information provided over the Internet can be guaranteed to be completely secure. Accordingly, we cannot guarantee the security of any information that you transmit to us or receive from us over the Internet.
When we pass your Data to third party Organisations for them to process, we seek to ensure that they have appropriate security measures in place to keep your Data safe and to comply with applicable principles in relation to data protection. Some of the people we share your Data with may process it overseas. You can contact us for more information about the safeguards we use to ensure that your Data is adequately protected in these circumstances.
Retention of your Data
We will retain your Data in accordance with our internal policies. Our policies are in compliance with the Ordinance, and cover the following principles:
| (a) | Data will only be retained for as long as is necessary to fulfil the original or directly related purposes for which it was collected, unless the Data is also retained to satisfy any applicable legal, regulatory or contractual obligations; and |
| (b) | Data are purged from our electronic, manual and other filing systems based on the above criteria and our internal procedures. |
Links
Our websites and mobile applications (if any) may contain links to other websites, webpages and mobile applications operated by third parties. We have no control over the content of the linked websites, webpages and mobile applications or the way in which the operators of those websites, webpages and mobile applications deal with your Data, and are not responsible for the content of such third-party websites, webpages or mobile applications. You should review the privacy policy of such third-party websites, webpages and mobile applications to understand the ways in which your Data may be used by those third parties.
Your right to access, correct and delete Data
We take all reasonable precautions to ensure that the Data we collect, use and disclose is accurate, complete and up-to-date. However, the accuracy of that Data depends to a large extent on the Data you provide. You have a right to request access to, and correction of, your Data and we recommend that you:
| (a) | let us know if there are any errors in your Data; and |
| (b) | keep us up-to-date with changes to your Data. |
If you wish to access or amend any of your Data we hold, or request that we delete (only applicable where the rights to erasure is required by law) any of your information that is no longer necessary for the provision of our Services, you may contact us in the manner as set forth under the “How to Contact Us” section. We may apply an administrative charge for providing you with access to your Data in response to such request.
In some situations, you may also exercise your right of access and correction by logging on to our relevant service app, e.g. DrGo app, where you will be able to view and correct some of the Data held by us about you.
You may decline to share Data with us and/or withdraw any consents which you may have provided, in which case, we may not be able to provide you with some of our Services.
At any time, you may object to us holding or processing your Data, on legitimate grounds, save and except as otherwise permitted by the applicable law.
How to contact us
For all issues and enquiries regarding our compliance with our obligations under the Ordinance, and any request for access to, correction or deletion of your Data, please contact eSmartHealth’s Privacy Compliance Officer by letter to GPO Box 9896, Hong Kong or by email to privacy@pccw.com.
To raise an issue regarding our handling of your Data, please contact us in order that we can attempt to resolve your issue.
This Privacy Statement may be amended from time to time and all handling of Data will be governed by the most recent version of this Privacy Statement. If there is any inconsistency between the English and Chinese versions of the Privacy Statement, the English version shall prevail.
Version: February 2023
DrGo Personal Information Collection Statement
The personal data and other information that you provide and other information collected and/or compiled by us, eSmartHealth Limited ("eSmartHealth"), about you from time to time subsequently (including, without limitation, your basic personal information, contact information, identification document information and images, health information, insurance information, credit card and payment information) (collectively, the “Data”) in relation to DrGo (“Services”) will be collected, used and retained by us as a result of or in connection with the Services, in accordance with the requirements of the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) and other applicable laws, rules and regulations.
The details of the collection, compilation, retention, use, disclosure and processing of the Data and any further information about the Services are set out in the applicable terms and conditions of the Services, this “DrGo Personal Information Collection Statement” and the “eSmartHealth Privacy Statement” (available on DrGo website: www.drgo.com.hk and DrGo App).
The Data may be disclosed to, used by and/or retained by, at all times to the extent permitted under applicable laws, licences, rules, and regulations, and/or collected on behalf of other members of the Group (being HKT Limited, its subsidiaries, affiliates and associated companies) (HKT Limited is a company incorporated in the Cayman Islands with limited liability), their respective agents and service providers (including, without limitation, delivery companies, insurance companies, software or platform developers, and debt collection agents), healthcare providers (such as hospitals and clinics), healthcare professionals (such as doctors, dietitians, physiotherapists, psychologists, nurses and pharmacists) and business partners (those agents, service providers, healthcare providers, healthcare professionals and business partners collectively, as “Business Partners”) for purposes in connection with the Services, including, without limitation, processing your registration, providing the Services, enabling your access to the medical / healthcare consultation, prescription services and follow-up treatments, identification of users and service administration (such as delivery of medication, medical certificates and/or referral letters, quality improvement and billing) and other purposes to which you may have consented at any time. We may also be ordered by regulatory bodies, government authorities and courts of law in different jurisdictions to disclose the Data in order to comply with legal obligations and duties imposed on us.
It is obligatory for you to provide certain Data for Services provisioning purposes. We may not be able to offer the Services if you do not provide the corresponding Data upon request.
Any Data collected on behalf of or directly by Business Partners in connection with the Services may be subject to the privacy policy statements and/or personal information collection statements issued by such Business Partners. Any healthcare professional’s diagnosis made after your video consultation on the DrGo platform may be made available to you on the DrGo App.
We require your consent in order to use your personal data for direct marketing purposes. For the purpose of some features of the Services (e.g. DrGo Walk-to-Earn), you may be entitled to gifts, rewards and/or promotional offers as essential parts of the Services. By registering to such Services, you agree to be bound by the relevant service terms and conditions and consent to our use of your Data in providing to you such Services, including providing you with the said gifts, rewards and/or promotional offers. Otherwise, subject to obtaining your consent, we intend to use your Data (such as your name, contact particulars, service usage, registration details, location data and other customer profiling data), for the purpose of direct marketing, including sending to you notices and/or updates about gifts, discounts, privileged offers, benefits and promotions related to the Services, as well as other products and/or services relating to TV, telecommunications, over-the-top (OTT) services, content services, mobile voice, SMS and data communications, IDD/roaming, Internet connectivity, cloud services, electronic/mobile payment, entertainment, secretarial services, personal assistant services and information services (such as weather, finance and news information), device accessories, mobile applications and software, computer peripheral, accessories and software (including notebooks, handsets, mobile devices and accessories, keyboards, security installations and mobile applications), reward, loyalty and privilege programs, lifestyle, networking events, travelling, banking, alcohol, sports, music, gaming, transportation, household products, food and beverages, finance, insurance, asset and wealth management services and products, pensions, investments, brokering, financial advisory, credit and other financial services and products, education, health and wellness, beauty products and services, fashion and accessories, electronics, social networking, technology, e-commerce, digital assets and related offerings and services, logistics, retail, home and décor, media and high-end consumer products and services.
You have a right to withdraw your consent to the use of your Data for direct marketing purpose (if given) at any time. You are also entitled to access, correct or enquire about your personal data being held by us. For any such request, please do so by writing to eSmartHealth's Data Protection Officer by letter to GPO Box 9896, Hong Kong or by email to privacy@pccw.com.
