PRIVACY POLICY
1. Introduction
Smart Care Poly Clinic L.L.C (“we,” “our,” or “the Clinic”) is a healthcare facility licensed and regulated by the Dubai Health Authority (DHA) in the Emirate of Dubai, United Arab Emirates. We are committed to protecting the privacy, confidentiality, and security of all personal data and patient health information (PHI) entrusted to us. This Privacy Policy explains how we collect, use, store, disclose, and protect your personal data and health information when you access our website, mobile application, or receive clinical services at our facility. This Policy applies to all patients, visitors, website users, and mobile application users.
1.1 Legal Framework
This Privacy Policy has been developed in compliance with the following laws and regulations:
• UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL)
• UAE Federal Law No. 2 of 2019 on the Use of Information and Communications Technology (ICT) in Health Fields
• Dubai Health Authority (DHA) Policy for Health Data Protection and Confidentiality
• DHA Policy for Health Data and Information Sharing (HISHD/PP-13)
• DHA Standards for Health Information Consent and Access Control (DHA/HISHD/ST-09)
• DHA Policy for Health Information Assets Management
• DHA Nabidh Policies and Standards
• UAE Federal Decree-Law No. 34 of 2021 on Combatting Rumours and Cybercrimes
• Any other applicable UAE federal and Dubai emirate-level legislation
2. Data Controller Information
| Data Controller | Smart Care Poly Clinic L.L.C |
|---|---|
| Address | 29 Doha Centre, Al Maktoum Rd, Deira, Dubai, United Arab Emirates |
| Phone | +971 (0) 4379 3562 |
| Email | smart@smcare.ae |
| DHA License No. | [Insert DHA License Number] |
| Data Protection Officer | [Insert DPO Name and Contact] |
3. Definitions
Personal Data: Any data relating to an identified or identifiable natural person, directly or indirectly, through the linking of data or by reference to identifiers such as name, voice, image, identification number, online identifier, geographical location, or physical, physiological, economic, cultural, or social characteristics.
Patient Health Information (PHI): Any information relating to the physical or mental health of an individual, including the provision of healthcare services, which reveals information about the health status of the individual. This includes medical records, diagnoses, treatment plans, prescriptions, laboratory results, imaging reports, and billing information associated with health services.
Processing: Any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
Data Subject: The identified or identifiable natural person to whom the personal data relates.
Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they agree to the processing of their personal data.
4. Personal Data We Collect
4.1 Information You Provide Directly
• Identity Information: Full name, date of birth, gender, nationality, Emirates ID number, passport number, photograph, and visa/residency status.
• Contact Information: Residential address, telephone number, mobile number, email address, and emergency contact details.
• Health and Medical Information: Medical history, current medications, allergies, chronic conditions, family medical history, presenting complaints, clinical examination findings, diagnoses, treatment plans, prescriptions, laboratory and radiology results, surgical records, and discharge summaries.
• Insurance Information: Health insurance provider, policy number, member ID, coverage details, and claims information.
• Financial Information: Payment card details, billing address, and transaction records for services rendered.
• Consent and Communication Records: Signed consent forms, authorisation documents, and records of communications with the Clinic.
4.2 Information Collected Automatically
When you use our website or mobile application, we may automatically collect:
• Technical Data: IP address, browser type and version, device type, operating system, time zone setting, and browser plug-in types.
• Usage Data: Pages visited, links clicked, time spent on pages, search queries, navigation paths, and interaction data.
• Location Data: Approximate geographical location based on IP address (precise location only with your explicit consent).
• Cookies and Similar Technologies: Session cookies, persistent cookies, web beacons, pixels, and local storage objects. Details are provided in our Cookie Policy section below.
4.3 Information from Third Parties
• Referral information from other healthcare providers
• Insurance verification data from insurance companies
• Health information shared through the DHA Nabidh Health Information Exchange platform
• Laboratory and diagnostic results from partnered facilities
5. Lawful Basis for Processing
We process your personal data based on one or more of the following lawful bases, in accordance with UAE Federal Decree-Law No. 45 of 2021 (PDPL) and UAE Federal Law No. 2 of 2019 (ICT Health Law):
1. Consent: Where you have provided your explicit, informed, and freely given consent for specific processing activities.
2. Performance of a Contract: Where processing is necessary for the performance of a healthcare service agreement between you and the Clinic.
3. Legal Obligation: Where processing is necessary for compliance with UAE federal laws, Dubai emirate-level legislation, DHA regulations, or court orders.
4. Vital Interests: Where processing is necessary to protect your life or the life of another individual in emergency medical situations.
5. Public Health: Where processing is necessary for reasons of public health, disease surveillance, or infection control as mandated by health authorities.
6. Legitimate Interests: Where processing is necessary for the legitimate interests of the Clinic, provided such interests are not overridden by your fundamental rights and freedoms.
6. Purposes of Data Processing
6.1 Primary Purposes (Healthcare Delivery)
• Providing clinical consultations, diagnoses, medical treatment, and follow-up care
• Managing appointments, referrals, admissions, and discharge processes
• Dispensing medications and managing prescriptions
• Conducting laboratory tests, diagnostic imaging, and medical procedures
• Maintaining accurate and complete medical records as required by DHA regulations
• Processing health insurance claims, pre-authorisations, and billing
• Communicating with you regarding your healthcare, appointment reminders, test results, and follow-up instructions
• Exchanging health information with other healthcare providers involved in your care, including through the DHA Nabidh platform
6.2 Secondary Purposes
With your consent or as otherwise permitted by law, we may also process your data for:
• Clinical audits, quality improvement initiatives, and accreditation purposes
• Research and statistical analysis (using anonymised or de-identified data where possible)
• Staff training and education (with anonymisation of patient-identifiable information)
• Compliance with DHA regulatory reporting requirements and public health notifications
• Sending health education materials, wellness tips, and promotional communications about our services (with your opt-in consent)
• Improving our website, mobile application, and clinical services
7. Cookies and Tracking Technologies
7.1 Types of Cookies Used
Strictly Necessary Cookies: Essential for website and application functionality, including authentication, security, and session management. These cannot be disabled.
Performance and Analytics Cookies: Help us understand how visitors interact with our digital platforms, enabling us to improve user experience.
Functionality Cookies: Remember your preferences such as language selection and display settings.
Marketing Cookies: Used only with your explicit consent to deliver relevant health-related content and advertisements.
7.2 Managing Cookies
You can manage your cookie preferences through your browser settings or through the cookie consent banner displayed on our website. Disabling certain cookies may affect the functionality of our website or application. We will not deploy non-essential cookies without your prior consent.
8. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We may share your information only in the following circumstances:
8.1 Healthcare Providers
We may share PHI with other licensed healthcare professionals and facilities involved in your care, including specialists, laboratories, hospitals, and pharmacies, to ensure continuity and quality of care.
8.2 DHA and Regulatory Authorities
We are required to share health data with the Dubai Health Authority, including through the Nabidh Health Information Exchange platform, and with other competent government authorities as mandated by UAE law. This includes disease reporting, public health surveillance, and compliance with regulatory audits and inspections.
8.3 Insurance Companies
We share relevant health and billing information with your health insurance provider for claims processing, pre-authorisation, and reimbursement purposes.
8.4 Service Providers
We engage trusted third-party service providers who process data on our behalf, such as IT support, cloud hosting, payment processing, laboratory services, and communication platforms. All such providers are contractually obligated to maintain data confidentiality and security in compliance with UAE law.
8.5 Legal Requirements
We may disclose personal data where required by law, court order, or at the request of competent judicial or law enforcement authorities in the UAE.
8.6 Emergency Situations
We may disclose PHI to emergency medical services, hospitals, or relevant parties when necessary to protect your vital interests or those of another person.
9. Cross-Border Data Transfers
Your personal data is primarily stored and processed within the United Arab Emirates. If it becomes necessary to transfer your data outside the UAE, we will ensure that adequate safeguards are in place in accordance with Articles 22 and 23 of UAE Federal Decree-Law No. 45 of 2021 (PDPL). This includes ensuring the receiving country provides an adequate level of data protection, or implementing appropriate contractual safeguards to protect your data.
We will obtain your explicit consent before transferring your personal data or PHI outside the UAE, except where the transfer is necessary for the performance of healthcare services, compliance with legal obligations, or protection of your vital interests.
10. Data Security
We implement comprehensive technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
• Encryption of data in transit (TLS/SSL) and at rest
• Role-based access controls with unique user authentication credentials
• Regular security audits, vulnerability assessments, and penetration testing
• Firewall protection, intrusion detection, and prevention systems
• Physical security measures at our clinic premises, including restricted access to medical records and server rooms
• Staff training on data protection, confidentiality, and information security
• Incident response and data breach management procedures
• Regular backup systems and disaster recovery protocols
• Compliance with DHA information security standards and the DHA Policy for Health Information Assets Management
11. Data Retention
We retain your personal data and health information in accordance with DHA regulations and UAE law:
• Patient medical records are retained for a minimum of five (5) years from the date of the last encounter, or as otherwise specified by DHA regulations and applicable UAE law.
• Records of minors are retained until the patient reaches the age of majority (18 years) plus the applicable retention period.
• Clinical trial and research records are retained for fifteen (15) years after completion of the trial.
• Financial and billing records are retained in accordance with UAE commercial law requirements.
• Website and application usage data is retained for a maximum of twenty-four (24) months unless a longer retention is required by law.
Upon expiry of the applicable retention period, personal data will be securely and irreversibly deleted or anonymised.
12. Your Rights as a Data Subject
Under UAE Federal Decree-Law No. 45 of 2021 (PDPL) and applicable DHA regulations, you have the following rights regarding your personal data:
1. Right of Access: You have the right to request access to the personal data we hold about you and to receive a copy in a commonly used format.
2. Right to Rectification: You have the right to request correction of any inaccurate or incomplete personal data.
3. Right to Erasure: You have the right to request deletion of your personal data, subject to legal and regulatory retention obligations.
4. Right to Restrict Processing: You have the right to request restriction of certain processing activities.
5. Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
6. Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
7. Right to Withdraw Consent: Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
8. Right to Lodge a Complaint: You have the right to lodge a complaint with the UAE Data Office or the Dubai Health Authority if you believe your data protection rights have been violated.
To exercise any of these rights, please contact our Data Protection Officer using the contact details provided in Section 2. We will respond to your request within thirty (30) days. Identity verification may be required before processing your request.
13. Children’s Privacy
We are committed to protecting the privacy of children. Where we provide clinical services to individuals under the age of eighteen (18), consent for the collection and processing of personal data will be obtained from the child’s parent or legal guardian. In the case of our website and mobile application, we do not knowingly collect personal data from children under the age of thirteen (13) without verifiable parental consent.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant authorities, including the DHA and the UAE Data Office, without undue delay and within seventy-two (72) hours of becoming aware of the breach, where feasible. Where the breach is likely to result in a high risk to you, we will also notify you directly, providing information about the nature of the breach, its likely consequences, and the measures taken to address it.
15. Mobile Application-Specific Provisions
If you use the Smart Care Poly Clinic mobile application, the following additional provisions apply:
• Permissions: The app may request access to device features such as camera (for document scanning), location services (for navigation to our clinic), push notifications (for appointment reminders), and storage (for downloading reports). You may manage these permissions through your device settings.
• Push Notifications: We may send you appointment reminders, health tips, and service updates via push notifications. You may opt out at any time through your device settings.
• Telemedicine: If our app provides telemedicine or video consultation services, additional security measures including end-to-end encryption are applied to protect the confidentiality of the consultation.
• Data Storage on Device: Certain data may be cached locally on your device for offline access. We recommend enabling device-level security features such as PIN, fingerprint, or facial recognition to protect this data.
16. Third-Party Links
Our website and mobile application may contain links to third-party websites or services. We are not responsible for the privacy practices or content of such third-party sites. We encourage you to review the privacy policies of any third-party site before providing them with your personal data.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or regulatory obligations. Any material changes will be communicated to you through our website, mobile application, or by email where appropriate. The “Effective Date” at the top of this document indicates when this Policy was last revised. Your continued use of our services after the publication of changes constitutes your acceptance of the updated Policy.
18. Governing Law and Jurisdiction
This Privacy Policy is governed by the laws of the United Arab Emirates and the Emirate of Dubai. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts of the Emirate of Dubai.
19. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:
| Clinic Name | Smart Care Poly Clinic L.L.C |
|---|---|
| Data Protection Officer | General Manager |
| Address | 29 Doha Centre, Al Maktoum Rd, Deira, Dubai, United Arab Emirates |
| Phone | +971 (0) 4379 3562 |
| Email | smart@smcare.ae |
| Website | www.smartcareclinic.ae |
You may also contact the Dubai Health Authority (DHA) or the UAE Data Office if you wish to lodge a complaint regarding the processing of your personal data.