Last updated: September 08, 2020
Section 1 Definition
“Platform Data Controller” refers to WeDoctor Cloud (Hangzhou) Holdings Ltd. (微医云（杭州）控股有限公司) (“we”);
“WeDoctor Global Pandemic-Fighting Platform” refers to the platform (“Platform”) developed by us for the provision of healthcare consulting and information services to the users during the Covid-19 pandemic (“Pandemic”);
“GDPR” refers to the General Data Protection Regulation (EU) 2016/679;
“Data Subject” refers to the user of the Platform or the Services, which may be referred to as “you” or “user” in this policy;
“Personal Data” has the meaning defined in GDPR;
“Special Category Personal Data” has the meaning defined in GDPR;
“Personal Data Breach” has the meaning defined in GDPR;
“Processing” has the meaning defined in GDPR; and
“Supervisory Authority” has the meaning defined in GDPR.
You agree that we may collect and process your Personal Data as described below:
1. Basic Personal Data: We may need to collect your Personal Data so that you may log into the Platform to access the services. If you log into the Platform with your WeChat account by granting access through WeChat, we may collect, without storing, your nickname, avatar, gender and the location of your WeChat account. If you log into the Platform with your Facebook account by granting access through Facebook, we may collect, without storing, your Facebook user ID. If you log into the Platform with your Google account by granting access through Google, we may collect, without taking initiative to store, your Google ID.
After logging onto the Platform, you need to provide your nickname, gender, age and country of residence to have access to psychological consulting services.
If you further provide your health information via the Doctor Assistant during the process of consulting a doctor, we will collect your name, gender, age and permanent address.
If you use the mental health assessment function, we will collect your name, gender, age and permanent address.
2. Online Identification Information: If you log into the Platform as a guest or with your WeChat, Facebook or Google account, a WeDoctor user ID will be generated for WeDoctor to identify the user internally.
3. Personal Health Information: If you use the WeDoctor consulting service, we may collect the information that you share with the Chinese doctor with whom you are consulting over our Platform. This includes medical information you provide, such as information regarding your symptoms/diseases, length of symptoms, body temperature, description of the health conditions, exam/test reports, or photos of the affected area so as to inform the doctor of the conditions. You may further provide your health history via the Doctor Assistant, such as: history of fertility, diseases, surgical operations, injuries; family medical history; and allergy history. We may retain chat records generated from your consulting of doctors (including texts, voice messages and graphics). You may provide information regarding your history of contracting COVID-19 and mental health assessment by using the mental health assessment function during a psychological consult. You may provide information regarding your water consumption habits, smoking history, exercise frequency, sleeping conditions and length of sleep.
4. Online Records of Service: The Personal Data generated from use of the consulting services provided by Chinese doctors includes service information (service number, time service was placed, and amounts payable). Leaving messages and feedback to WeChat account managers, chatting on the pandemic-fighting forums and engaging in user evaluation of such consulting services may trigger the collection of operation and service logs (message records, user evaluation records and records of searches and views). Client software, Baidu traffic statistics and Google traffic statistics will automatically collect information regarding the pages accessed by Users (i.e. statistics of “Page View” and “Unique Visitor”). The business will generate cookies.
1. We collect your Personal Data only for such purposes as described in “I. What Personal Data may we collect from you?”. We will not profile your Personal Data or make customized recommendations based on your Personal Data.
2. Under applicable laws and regulations, your authorization or consent is not required if:
(1) your Personal Data is collected or used for the interests of national security or national defense;
(2) your Personal Data is collected or used for the protection of public interests regarding public health or of significant interests (such as against epidemics or infectious diseases);
(3) your Personal Data is collected or used for the protection of the life, property and other significant legitimate interests of the Data Subject or other persons where your personal consent is difficult to obtain;
(4) the Personal Data collected is voluntarily made public by you, unless the Personal Data may not be processed under the laws of the country in which you reside;
(5) your Personal Data is collected or used as is necessary for entering into a contract at your request;
(6) your Personal Data is collected or used as necessary for statistics or academic research by academics for the public interest and the Personal Data contained is made unidentifiable in the provision or description of the academic results to third parties; and
(7) your Personal Data is collected or used as permitted by the applicable laws.
Please be aware that, according to the applicable laws, if we take technical measures and other necessary measures to render the Personal Data in a form where data recipients are unable to identify any specific individual or re-identify the Personal Data, or if we conduct research, statistical analysis and forecasts based on the information collected and made unidentifiable to (i) support business decisions from a product or service perspective and (ii) improve the Platform’s products and services (including machine learning or model algorithm training with anonymous data), we will not give you further notice or obtain your consent in connection with such uses of the Personal Data.
You may elect to agree to the installation of relevant Cookies, and you may elect to deactivate Cookies. You may accept all Cookies, set up your web browser to notify you before the installation of Cookies, or refuse to accept all Cookies by configuring your web browser. However, if you refuse to accept all Cookies, certain services may not be available on the Platform.
1. You understand and agree that our doctors are providing services in the PRC. For the purpose of performing the service agreement by providing you with the services, we will transmit to and store your Personal Data on secure and reliable servers within the territory of the PRC.
2. When the Data Subject deletes his/her Personal Data, the Platform will take steps to delete relevant Personal Data at both the front and back ends as soon as possible in accordance with applicable laws. If the Data Subject does not require deletion, only the relevant Personal Data collected will be retained for 15 days, and the relevant Personal Data will be scheduled for deletion at both front and back ends immediately in 15 days. Users logging into the Platform with their Google, Facebook or WeChat account are provided with a simple and convenient way to log out. When the User has deregistered his/her account or logged off as a guest, the Platform will delete all Personal Data at both the front and back ends as soon as possible in accordance with applicable laws.
We have taken reasonable and practicable security measures in line with industry standards to protect the information provided by you and to prevent information from unauthorized access, public disclosure, use, modification, damage or loss. For example, we will adopt encryption technologies (such as SSL) to protect your Personal Data. Our major information systems have completed the information security assessment (level 3) and filing, and received ISO 27001 certification.
We have established special management systems, protocols and organizations to ensure information security. For example, we have imposed strict restrictions on staff members with access to information, require them to follow their confidentiality obligations and will review their compliance with the confidentiality obligations.
At the same time, we have a data protection officer (“DPO”), whose responsibilities include providing notification and advice to data processing personnel; monitoring GDPR readiness, and compliance with the data protection regulations and the personal data protection policies applicable to data controllers and/or processors in the EU and its member states, including responsibility allocation, awareness promotion/training for personnel participating in data processing and related auditing activities; advice on data protection impact assessments when necessary and supervision on the implementation thereof; cooperation with regulatory authorities; acting as a contact point for the regulatory authorities taking regulatory actions (including pre-action and other consultations). At the same time, the DPO is also responsible for considering the risks associated with data processing based on its nature, scope, content and purposes.
We keep records of data processing activities in writing.
We may share your Personal Data with your consent or at your direction, such as where you have approved or confirmed that the third party has obtained your approval by way of letter of confirmation, texts of confirmation under specific scenarios or a pop-up window.
Under any one of the following circumstances, we may share your information without your prior approval:
1. We may share your Personal Data with our corporate affiliates.
2. We may share your Personal Data with third parties that provide contractual services to us, such as hosting and database services provided on our behalf.
4. Information associated with the account you use may be accessible to others who access consultation services through your account;
5. As required in any legal proceeding or at the request of any regulatory authority, we may disclose your data to government entities and others pursuant to applicable laws or in the legal procedures relevant to legal proceedings;
6. Your data may be disclosed as part of a merger, acquisition or asset sale (such as a service agreement) or the services transferred to WeDoctor Group or any other company; and
7. Any other exempted circumstances under Clause II, Section 2 of this policy.
As a Data Subject, you have the following rights:
(1) Right of access
You have the right to access your Personal Data unless otherwise provided by applicable laws. You may access your Personal Data by following the steps below:
Account information. You may access or edit your profiles in your account, change your nickname or deregister your account by logging into your account and going to “My Consulting – Account Setting”.
Management of access to consultation services. You may add, delete and change the individuals who may actually use the consulting services by logging into your account and going to “My Consulting – Account Setting – User Settings”.
If you are unable to access the Personal Data by following the above steps, you may contact us at any time pursuant to Section X of this policy.
(2) Right to rectification
You may edit the Personal Data of the users by logging into your account and going to “My Consulting – Account Setting – User Settings”.
(3) Right to erasure
You may delete your relevant Personal Data in the following manner:
1. Account information: “My Consulting – Account Setting – Account Deregistration”. Upon the deregistration of your account, we will delete all your Personal Data;
2. Consulting order data: “My Consulting – Order Details – Order Deletion”;
3. User information: “My Consulting – Account Setting – User Settings”.
(4) Right of deregistration
You may deregister your account by going to “My Consulting – Account Setting – Account Deregistration”.
When you have deregistered your account or logged off as a guest, the Platform will take steps to delete all your Personal Data at both front and back ends as soon as possible in accordance with applicable laws.
(5) Right to data portability
If you have a request regarding the right to data portability, you may contact us by email (DPO@wedoctor.com). We will process each of such requests one by one and we may transmit your Personal Data to a third party designated by you.
(6) Right to withdraw consent, restrict processing and object
The Platform secures your right to withdraw consent, restrict processing and object. The processing of your Personal Data will be terminated by way of the mechanism of erasure. You may contact us by email (DPO@wedoctor.com) to withdraw your consent to our processing of your Personal Data or to restrict or object to the processing of your Personal Data.
The Platform currently does not provide services to minors under the age of 16, and we do not knowingly collect Personal Data of minors under the age of 16. If the Platform starts collecting Personal Data of minors under the age of 16, once the user has selected his/her age, a pop-up window will prompt that the minor will not be allowed to use the Platform unless the Platform has received an email of confirmation from his/her guardian acknowledging his/her use of the Platform.
We may update this policy if and when necessary. Please view the latest version of this policy in your personal center settings on a regular basis. We will inform you of any material changes to this policy by way of notification, pop-up window or banner at your next login and when a new version is available.
Data Controller of the WeDoctor Global Pandemic Fighting Platform: WeDoctor Cloud (Hangzhou) Holdings Ltd. (微医云（杭州）控股有限公司) (registered office: 13F, Block D, 198 Qidi Road, Xiaoshan Economic and Technological Development Zone, Xiaoshan, Hangzhou, Zhejiang 311215).
Platform’s Representative to EU: [VeraSafe] (registered office: [22 Essex Way #8203, Essex, VT 05451 USA]). You may contact our representative to the EU by email (legal@VeraSafe.com).
DPO: DPO@wedoctor.com. Should you have any concerns regarding your rights as a Data Subject or our processing actions, you may contact the DPO, and we will reply to you within seven (7) days.
XI. Your California Privacy Rights
This section supplements the description of our information collection and sharing practices elsewhere in this Policy to provide certain disclosures to California residents whose personal information we process pursuant to the California Consumer Privacy Act (“CCPA”). Please note that these disclosures do not apply to information that is not processed under the CCPA.
We provide you certain of the rights described in the section, “The Rights You are Entitled to as a Data Subject” above in accordance with state law. We will not charge you different prices or provide different quality of services unless those differences are related to your information or otherwise permitted by law. You or your authorized agent may also submit your request by sending an email to DPO@wedoctor.com. Once we receive your request, we may verify it by requesting information sufficient to confirm your identity, including by asking you to verify information about your use of the service.