Privacy Policy

1. The importance of user privacy, our commitment to your privacy

Due on the importance of the privacy and confidentiality of users’ data collected and processed through the Sehhaty Platform (“Sehhaty”), Sehhaty’s Administration (“We” or "Administration") aims to provide and ensure the best levels of service and protection. Therefore, it seeks to maintain and ensure the confidentiality and privacy of all data entered by or collected about any of the Sehhaty’s users (“You” or "User" or "Users") while adhering to all laws and regulations applicable in the Kingdom of Saudi Arabia (“Kingdom”). This Policy aims to clarify the nature of the data collected from the User, how the Administration will handle such data and User’s rights related thereto. Furthermore, this Policy shall be read along the Platform’s Terms of Use and is any term included in this policy shall be as defined in the Terms of Use.

2. Legal Basis for Collect and Using Your Personal Data

3. How will we be using your data?

4. What Personal Data We Collect and Use

1. We will be collecting the User’s data entered for the purpose of registering and using Sehhaty, collected through or that the User provides for that purpose to the Administration through the approved channels of communication. The data include – but are not limited to – the following:

   - Personal Identifying Data: Full name, national ID or residence number, date of birth, , gender, and any other Personal Identifying Information (PII).

   - Health Data: any data related to the User’s physical, mental and psychological health status and the healthcare provided thereto which can be obtained from his/her Health Record, including – but not limited to - the following

   • Visitation and referrals
   • Allergy Information
   • Vital signals
   • Operations
   • Laboratory tests
   • Radiology tests
   • Clinical notes and summaries, including outpatients’, clearance, and operations summaries,
   • Prescribed and off-counter medication.
   • Vaccination

   - Geographical data, including current location and national address.

   - Contact Information, including postal address, phone number and E-mail.

   - Data obtained through integration with the databases of different parties in the Health Sector, including but not limited to NPHIES and the National Health Information Center, and others.

   - Any other data that the User expressly consents to its collection and usage.

5. How We Collect Your Personal Data

1. We will collect your personal data (User Data) through Sehhaty, Nafath platform, the National Health Information Center's Patients’ Registry, healthcare providers, national health information systems linked to NPHIES and/or other national health information systems while abiding by its privacy policy. We may also collect your data by contacting you directly through the approved channels of communication.
2. We use cookies and similar technologies in a range of ways to collect some data and improve the User’s experience in using Sehhaty. Such use is summarized in the following:

   - By simply visiting Sehhaty, the host server will register User’s Internet Protocol (IP) address and the date of visit as well as the Uniform Resource Locator (URL) of any website that redirects the User to Click or tap here to enter text.. The Administration will also collect all the device’s information that will enable the improvement of the User’s experience such as, but not limited to, the device’s language and the type of operating system.

   - When using Sehhaty, we automatically collect some information, such as Tech-related information; including User’s IP address used to link its device to the Internet, the browser’s name and version, time-zone, language, or other information related to the User’s activity and/ or utilization of Sehhaty.

   - We may obtain your user data if you use any of the other platforms or applications that we operate or take advantage of other services we offer.

   - The Administration is working closely with numerous 3rd parties which may provide some of the User’s data either directly, or through its tools or applications subject to your approval. In this case, User’s data received from such 3rd Party may adhere to its privacy policy. This includes – but is not limited to - the use of information received from Health Connect, whereas User will adhere to the Health Connect Permissions policy, including the Limited Use requirements.

6. The Collection of Personal Data of Children or Their Equivalents

If a User provides personal data about someone under the age of eighteen (18) or someone who is mentally incompetent, they must acknowledge that he is the legal guardian and agrees to the use or processing of personal data, they should also provide evidence that proves guardianship, if required.

7. Personal Information Retention Period

Your personal information and personal identifying data - including health data - will be retained according to the specified retention periods, for as long as it is necessary to achieve the purposes for which it was collected, or in accordance with the fulfilment of legal, regulatory, accounting or reporting requirements. These periods may vary depending on the circumstances and requirements, and the duration of data storage is subject to regular periodic review to ensure that user data is not stored for longer than necessary. As long as we retain your data, we shall use all reasonable administrative, technical, and physical safeguards to protect your data from unauthorized use or disclosure.

The Administration will retain all non-identifying data of the User for the sole purpose of developing and improving the experience of using Sehhaty as mentioned in Section (3) above.

8. Personal Data Protection and Access

1. We will continuously develop security practices to ensure that information and systems are maintained and confidential using the organizational, administrative, and technical procedures and means necessary to protect your data from any unauthorized access, use, alteration, or destruction, including conducting internal and external audits and data encryption, and training employees in privacy.  
2. Access to your identifying data – in is limited to authorized persons only, based on the need for knowledge, and their handling of information will be the subject of direct guidance, control, and monitoring by the administration. They are committed to maintaining the confidentiality of information.
3. With regard to personal health data, it will be protected and sealed, and will access to it will only be authorized to those who have the authority to break this seal - such as the treating health practitioner - or whenever your interest so requires or under the applicable laws and regulations.
4. A log will be kept to record any access to your personal data for the Administration or competent authorities’ auditing purposes.

9. Personal Data Disclosure

We will always ensure maintaining the privacy and confidentiality of your personal data, and shall not share or disclose such data unless permitted and/or required by law, or when the we believe – acting in good faith – that such disclosure would be necessary for compliance or to provide products and services or technical support as requested by the User and in accordance with this Policy, or if we think it is important or necessary to protect public health and national security.

1. Disclosure to Relevant Parties:

   - We may – to necessary and reasonable extent - disclose your personal data to entities – whether public or private – that are involved in providing the services of Sehhaty including our partners and contractors; to provide you with requested services, or the information regarding the services or new services, or to send invitations to participate in screening of applicants regarding new products or new/current services, as well as to improve Sehhaty’s services and other internal purposes.

   - We may also disclosure to entities authorized by the government authorities to receive, process, transfer, or pass requests for those services or provide Sehhaty services whenever the implementation of the service requires access, storage, processing, and use of those data by any of those parties.

2. Disclosure to Third Parties:

   We will not disclose or share any of your personal data to third parties, except for the following cases:

   - Disclosure to a government entity is permitted if that disclosure is in accordance with the applicable laws and regulations implemented in the Kingdom of Saudi Arabia or any order issued by the government authorities therein.

   - In the case of using the support of a third party, you will use trusted and referenced entities, while requesting, and confirming its compliance with the confidentiality standards approved by the Administration, noting that the Administration will put in place all necessary safeguards and undertakings to ensure data privacy and confidentiality, including signing non-disclosure agreements with any 3rd party,

3. Disclosure to entities outside the Kingdom of Saudi Arabia:
   We will not disclose or process any of your personal data outside the Kingdom of Saudi Arabia unless we obtained the necessary approvals whether your explicit consent or the approval of the relevant government authorities. This is done if necessary or to achieve the intended purposes of collecting and processing them in the first place.

10. Use of External Links

1. Sehhaty may contain links to third parties’ sites or services, which may be subject to separate privacy policies. Kindly note that such links are out of our control, and we are not responsible for any of their policies. Reviewing those links' policies is within the User’s responsibility.
2. Sehhaty is not associated with any trademarks, logos, symbols, commercial or service, or any other means used or appearing on websites linked to this platform or any of its contents and is not considered a participant in any way.
3. The Administration reserves the right to disable, cancel or forward any link in any way.

11. User’s Rights (Your personal rights)

1. With consideration to the (Personal Data Retention) clause above, you may – at any time - request any of the following:

   - Knowing the purpose and statutory reason for collecting and using your personal data.

   - Accessing your personal data and obtaining a copy thereof per your request.

   - Correct, complete, or update your Personal information in accordance with Sehhaty’s policies.

   - Have your account deactivated, unless there was a legal justification to maintain it, or whenever the data was linked to a case that is looked before a judicial authority.

   - Withdraw your consent on reviewing your health record and/or any of the matters to which you have expressly consented unless there is a legal justification to prevent such withdrawal, and the possibility of requesting re-consent if required at any time.

2. If you wish to submit any request as described above, you may do it by contacting us at: support@sehhaty.sa. Please note that the Administration may require additional data to respond to the User’s request or to confirm their identity.

12. Your responsibility as a user to protect privacy

To be able to help you protect your personal data, we recommend the following:

• Contact us immediately when you believe that someone has gained access to your data or access your account.
• Avoid giving any confidential or personal information over the phone or the Internet unless the recipient is identified.
• Use a secure web browser when conducting transactions through the internet and close unused applications and to be sure to use a virus protection program that is periodically updated.
• Assure your contact information on Sehhaty is up to date.

13. Policy Update

We reserve the right to modify this Privacy Policy at any time, and you will be notified for your consent. If the updated version of the Privacy Policy is not accepted, we reserve the right to suspend or terminate your account.

Issue number: 3.18

Update date: 11- September- 2024