Privacy Policy

DPP 1 – Collection: We collect personal data only for lawful, specified purposes and in a fair manner, limited to what is necessary for those purposes.

DPP 2 – Accuracy: We take reasonable steps to ensure personal data is accurate and kept up-to-date.

DPP 3 – Use: We use personal data only for the purpose it was collected or a directly related purpose, unless consent is obtained.

DPP 4 – Security: We protect personal data against unauthorised or accidental access, processing, erasure, loss, or use.

DPP 5 – Openness: We make our data policies and practices readily available to the public.

DPP 6 – Access and Correction: We respect your right to access and correct your personal data.

Self-Funded Outpatient Service: data collected during GP/Specialist consultations, appointment bookings, and claim submissions.

Wellness Marketplace: data collected when you browse, book, and transact with third-party Wellness Providers.

Flexible Spending Account (FSA): data collected to administer your employer-funded benefit balance, eligible claims, and transaction history.

Flexible Benefit Solution: data collected to configure and manage personalised employee benefit packages on behalf of corporate clients.

Wellness Events: data collected for event registration, attendance, feedback, and follow-up communications.

Identity information: full name, date of birth, staff ID, gender

Contact details: email address, phone number, mailing address

Financial information: bank account details, credit/debit card details, payment transaction records

Health and medical information: appointment records, consultation notes, diagnosis and treatment information, claim documents and wellness receipts

Profile information: profile photo, membership status, benefit entitlements

Usage data: platform activity logs, booking and claim history, session data

Technical data: IP address, device identifiers, browser type, cookie data

Online registration, membership applications, and account management on our Platform

Completion of forms, surveys, feedback, or wellness event registration

Email, chat, phone, or SMS communications with our team

Appointment booking and claims submission through the MixCare app or website

Website cookies and tracking technologies (see Cookie Policy)

Third parties such as payment gateways, your employer or plan sponsor, social media platforms, or family members acting on your behalf

Providing, operating, and improving our services, platform, and mobile application

Processing membership applications, renewals, and benefit entitlements

Administering FSA balances, claims processing, and benefit allocation under the Flexible Benefit Solution

Verifying your identity and conducting fraud prevention checks

Processing payments and maintaining financial records

Facilitating appointment bookings with GPs, Specialists, and Wellness Providers

Sending service notifications, appointment reminders, and transactional communications

Conducting wellness event management and post-event follow-up

Displaying your profile image and membership information within the app or website

Conducting market research, analytics, and service improvement (using aggregated or anonymised data where possible)

Complying with applicable laws and regulations, including PDPO requirements and court orders

With your separate consent: sending marketing communications about our services and partner offers

Personalised health and wellness recommendations based on your usage history, benefit selections, and stated preferences

Wellness Marketplace search ranking and product recommendations tailored to your profile

FSA and Flexible Benefit optimisation suggestions to help you maximise your benefit credits

Automated processing of claim documents and wellness receipts for eligibility checks

Anomaly detection for fraud prevention and account security

Wellness Providers on the Marketplace who fulfil your bookings and services

Your employer or plan sponsor for benefit administration purposes under the FSA or Flexible Benefit Solution

Payment gateway providers and financial institutions for processing transactions

IT service providers, cloud hosting providers, and analytics partners who support our platform operations

Regulatory authorities, law enforcement, or courts as required by law, including compliance with PDPO obligations

End-to-end encryption of sensitive data in transit and at rest

Role-based access controls limiting data access to authorised personnel only

Regular security assessments, penetration testing, and vulnerability management

Staff training on data protection obligations and privacy best practices

Incident response procedures for data breaches, including notification to the Privacy Commissioner for Personal Data (PCPD) where required

Membership and account records: for the duration of membership plus 7 years

Health and medical records: as required by applicable medical record retention laws or 7 years, whichever is longer

Financial and payment records: 7 years in compliance with Hong Kong tax and commercial regulations

Marketing communications data: until you withdraw consent or opt out

Right of Access (DPP 6): You may request access to personal data we hold about you. We will respond within 40 days of receiving a valid Data Access Request (DAR).

Right of Correction (DPP 6): You may request correction of inaccurate personal data. We will respond within 40 days.

Right to Opt Out of Direct Marketing: You may at any time withdraw consent to the use of your personal data for direct marketing.

Right to Complain: If you believe your rights under the PDPO have been infringed, you may lodge a complaint with the Privacy Commissioner for Personal Data (PCPD) at www.pcpd.org.hk.