This Privacy Policy explains how MYCURE collects, uses, discloses, protects, and retains personal data when you use our websites, clinic management platform, patient-facing features, applications, integrations, support services, and related services (collectively, the “Services”).

This Privacy Policy should be read together with our Terms of Agreement and any applicable written agreement, Data Processing Addendum, Business Associate Agreement, Order Form, or other addendum.

1. Scope of This Privacy Policy

This Privacy Policy applies to personal data processed through MYCURE’s Services, including information relating to Customers, Authorized Users, Patient Users, website visitors, and other individuals who interact with us.

For purposes of this Privacy Policy:

•Customer means the clinic, healthcare organization, company, practice, or other entity that subscribes to or uses the Services.
•Authorized User means a doctor, nurse, staff member, administrator, billing user, or other person authorized by a Customer to use the Services.
•Patient User means a patient, parent, guardian, or legally authorized representative using patient-facing features where enabled.
•Customer Data means data submitted to, uploaded to, stored in, generated through, or processed by the Services on behalf of a Customer, including patient and clinical data.
•Personal Data means information that identifies or can reasonably be linked to an individual.
•Patient Data means personal data relating to a patient, including health, clinical, billing, appointment, communication, or care-related information.

This Privacy Policy does not replace a Customer’s own privacy notices, consent forms, patient intake forms, medical record policies, or legal obligations. Customers are responsible for their own privacy and healthcare compliance obligations.

2. Our Role in Processing Data

MYCURE processes different types of personal data in different roles.

For patient and clinical data entered, uploaded, or processed by or on behalf of a Customer, the Customer is generally the personal information controller, data controller, healthcare provider, covered entity, legal custodian of the medical record, or equivalent responsible party under applicable law.

MYCURE generally acts as a personal information processor, data processor, service provider, business associate, or equivalent service provider role for such data, depending on the applicable legal framework and only to the extent such framework applies.

For information relating to MYCURE’s own website visitors, billing contacts, sales leads, administrative contacts, support communications, and business operations, MYCURE may act as the controller or personal information controller.

If you are a patient and have questions about your medical record, treatment, billing, consent, or clinical information, you should first contact your healthcare provider or clinic. Where appropriate, we may direct or forward your request to the relevant Customer.

3. Information We Collect

We may collect the following categories of information.

3.1 Customer and Account Information

We may collect information about Customers and Authorized Users, such as:

•name;
•work email address;
•phone number;
•clinic, company, or organization name;
•job title, role, or department;
•account login information;
•user permissions, preferences, and settings;
•billing contact information; and
•communications with MYCURE.

3.2 Patient and Clinical Information

When Customers use the Services to manage patient care or clinic operations, the Services may process Patient Data, such as:

•patient name, contact details, date of birth, sex, address, and identifiers;
•appointment records;
•medical history;
•clinical notes;
•diagnoses, assessments, and treatment plans;
•prescriptions and medication information;
•laboratory, imaging, dental, pharmacy, or other clinical records;
•medical certificates, forms, and documents;
•billing, claims, or payment-related information;
•patient communications;
•consent, authorization, or representative information; and
•other information entered by the Customer, Authorized Users, Patient Users, or authorized third-party integrations.

3.3 Patient-Facing Feature Information

Where patient-facing features are enabled, we may process information provided by or about Patient Users, such as:

•account registration information;
•appointment requests;
•patient forms;
•uploaded files or documents;
•messages or communications with the clinic;
•payment or billing-related information;
•access logs and portal activity;
•parent, guardian, caregiver, or representative information; and
•other information submitted through patient-facing tools.

3.4 Payment and Billing Information

We may collect billing-related information, such as:

•billing name and contact details;
•subscription plan;
•invoices;
•payment status;
•transaction records; and
•tax or business registration information where applicable.

Payment card or payment method details may be processed by third-party payment processors. We do not intend to store full payment card numbers unless expressly stated and supported by appropriate safeguards.

3.5 Technical, Device, and Usage Information

We may collect technical and usage information, such as:

•IP address;
•device type;
•browser type;
•operating system;
•log data;
•session activity;
•access times;
•pages or features used;
•error reports;
•performance data;
•security logs;
•approximate location derived from IP address; and
•other diagnostic or analytics information.

3.6 Cookies and Similar Technologies

Our websites and Services may use cookies, local storage, analytics tools, and similar technologies to operate the Services, remember preferences, improve performance, understand usage, and protect security.

We do not use identifiable patient health data for third-party advertising.

3.7 Support and Communications

If you contact us for support, sales, onboarding, implementation, training, or other inquiries, we may collect:

•your name and contact details;
•organization information;
•support request details;
•screenshots, files, or logs you provide;
•communications with our team; and
•information necessary to investigate or resolve the request.

4. How We Collect Information

We may collect information:

•directly from you;
•from Customers and Authorized Users;
•from Patient Users, parents, guardians, or authorized representatives;
•through use of the Services;
•from devices, browsers, and systems used to access the Services;
•from third-party integrations authorized by the Customer;
•from payment processors or service providers;
•from public or business sources where permitted; and
•from communications with our sales, support, implementation, or operations teams.

5. How We Use Information

We use personal data to provide, operate, maintain, secure, and improve the Services.

Depending on the context, we may use information to:

•create and manage accounts;
•provide clinic management and patient-facing features;
•support scheduling, documentation, billing, reporting, and other workflows;
•process payments and manage subscriptions;
•provide onboarding, implementation, training, and support;
•troubleshoot errors and technical issues;
•monitor performance and availability;
•protect against unauthorized access, fraud, misuse, abuse, or security threats;
•communicate with Customers, Authorized Users, and Patient Users;
•send service notices, updates, and administrative messages;
•respond to inquiries and requests;
•comply with legal, regulatory, contractual, and audit obligations;
•enforce our Terms of Agreement and other agreements;
•improve and develop the Services;
•create anonymized or aggregated data as described in this Privacy Policy; and
•perform other purposes authorized by the Customer or permitted by applicable law.

For Patient Data processed on behalf of a Customer, MYCURE uses such data to provide the Services according to the Customer’s instructions, applicable agreements, and applicable law.

6. Legal Bases for Processing

Where a legal basis is required, we process personal data based on one or more of the following grounds, depending on the context:

•performance of a contract;
•steps taken before entering into a contract;
•compliance with legal obligations;
•legitimate business interests, such as operating, securing, supporting, and improving the Services;
•consent, where required;
•protection of vital interests, where applicable;
•performance of a task carried out in the public interest, where applicable; or
•other lawful bases available under applicable law.

For Patient Data processed through a Customer’s use of the Services, the Customer is generally responsible for determining the lawful basis for processing and for obtaining any required consents, notices, or authorizations.

7. How We Share Information

We do not sell personal data. We do not sell patient health data. We do not use identifiable patient health data for third-party advertising.

We may disclose personal data in the following situations.

7.1 With Customers and Authorized Users

Information may be made available to the Customer and its Authorized Users according to account settings, user permissions, clinical workflows, and Customer configuration.

7.2 With Patient Users and Authorized Representatives

Where patient-facing features are enabled, information may be made available to Patient Users, parents, guardians, or authorized representatives according to Customer settings, applicable law, and the Customer’s policies.

7.3 With Service Providers and Subprocessors

We may share information with vendors, service providers, and subprocessors who help us provide, secure, operate, support, and improve the Services.

These may include providers of hosting, infrastructure, storage, communications, SMS, email, payments, analytics, monitoring, security, support, implementation, and other operational services.

We require service providers to protect personal data and use it only for authorized purposes. A current list is available in our Subprocessor List.

7.4 With Third-Party Integrations

Customers may enable integrations with third-party systems, such as laboratories, imaging centers, pharmacies, HMOs, payment providers, messaging tools, or other services.

When a Customer enables or authorizes an integration, personal data may be shared with or received from that third party as needed for the integration.

Third-party integrations may be subject to their own terms, privacy policies, and data practices.

7.5 For Legal, Safety, and Compliance Reasons

We may disclose information where we believe disclosure is necessary to:

•comply with law, regulation, court order, subpoena, or legal process;
•respond to lawful requests from government, regulatory, or law enforcement authorities;
•protect the rights, privacy, safety, or property of MYCURE, Customers, users, patients, or others;
•investigate fraud, abuse, security incidents, or technical issues;
•enforce our Terms of Agreement or other agreements; or
•defend against legal claims.

7.6 Business Transfers

If MYCURE is involved in a merger, acquisition, financing, restructuring, sale of assets, or similar transaction, personal data may be disclosed or transferred as part of that transaction, subject to appropriate confidentiality and data protection safeguards.

8. AI-Assisted Features

MYCURE may introduce artificial intelligence, machine learning, automation, or assistive features from time to time.

AI-assisted features, where enabled, are intended to support administrative, operational, documentation, communication, analytics, or workflow tasks. They are not a substitute for professional medical judgment.

Unless expressly agreed in writing, MYCURE does not use identifiable patient data or identifiable Customer Data to train artificial intelligence or machine learning models.

Users are responsible for reviewing and verifying AI-assisted outputs before relying on them or including them in patient records, communications, reports, claims, prescriptions, orders, certificates, or other official documents.

Additional terms may apply to specific AI-assisted features.

9. Anonymized and Aggregated Data

We may create and use anonymized, aggregated, or statistical information derived from use of the Services for purposes such as:

•operating and improving the Services;
•product development;
•analytics and reporting;
•performance monitoring;
•security and fraud prevention;
•benchmarking;
•research and development; and
•developing or improving features, including automation or AI-assisted features where appropriate.

Anonymized and aggregated data must not identify, and must not reasonably be capable of being used to identify, any individual patient, user, or Customer.

We do not attempt to re-identify anonymized data, and we require the same from third parties with whom we share such data.

We do not sell anonymized and aggregated data.

Where available, Customers may request to opt out of having data associated with their account contribute to optional analytics, benchmarking, or machine-learning improvement activities that are not necessary to provide the Services.

Opting out does not affect processing necessary to provide, secure, support, maintain, or improve the reliability of the Services.

10. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law, contract, audit requirements, backup practices, dispute resolution, or legitimate business needs.

Retention periods may vary depending on the type of data and context.

For Customer Data, including Patient Data, retention may be governed by the Customer’s subscription, configuration, written agreement, legal obligations, and medical recordkeeping requirements.

Customers are responsible for determining appropriate retention periods for medical records and other regulated records under laws applicable to their organization and practice.

Following termination or expiration of a paid subscription, Customer Data will generally be made available for export for thirty (30) days, unless a different period is stated in an applicable agreement.

After the export period, we may delete, archive, anonymize, or retain Customer Data in accordance with our agreements, backup practices, legal obligations, and legitimate business needs.

Backup copies may remain for a limited period before being overwritten or deleted according to our backup cycles.

11. Security

We use reasonable administrative, technical, physical, and organizational safeguards designed to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure.

Safeguards may include access controls, authentication, encryption, logging, monitoring, backups, security review, and other measures appropriate to the Services and deployment model.

No system, network, software, method of transmission, or method of storage is completely secure. We cannot guarantee absolute security.

Customers are responsible for managing their own users, permissions, devices, networks, passwords, authentication settings, and internal security practices.

Customers should notify us promptly if they suspect unauthorized access, account compromise, or a security incident involving the Services. For more information, see our Security Overview.

12. Support Access

MYCURE personnel may access Customer accounts or Customer Data only where reasonably necessary to provide, maintain, secure, troubleshoot, improve, or support the Services; investigate suspected abuse, security issues, or technical problems; comply with law; or perform obligations under an applicable agreement.

We use reasonable safeguards designed to limit support access to authorized personnel and appropriate purposes.

Customers acknowledge that certain support, maintenance, security, and troubleshooting activities may require limited access to Customer Data.

13. Data Breach and Security Incident Notification

If we become aware of a security incident involving personal data that requires notification under applicable law or applicable agreement, we will notify affected Customers or individuals as required by law and applicable agreement.

For Patient Data processed on behalf of a Customer, the Customer may be responsible for determining whether and how to notify patients, regulators, payors, employers, partners, or other third parties, unless applicable law requires MYCURE to notify directly.

We will provide reasonable cooperation and information available to us to support assessment and response, subject to security, confidentiality, legal, and operational limitations.

14. International Data Transfers

MYCURE primarily serves healthcare organizations in the Philippines, but the Services may be accessed, supported, hosted, or processed in other locations depending on the Customer’s deployment, configuration, service providers, support needs, and applicable agreement.

Where personal data is transferred across borders, we use reasonable safeguards designed to protect personal data in accordance with applicable law.

Where specific transfer mechanisms, contractual clauses, local hosting arrangements, or additional data protection terms are required, they must be addressed in an applicable Data Processing Addendum, Order Form, Business Associate Agreement, or other written agreement.

MYCURE does not represent that the Services are approved, certified, or compliant for use in every jurisdiction unless expressly stated in a signed written agreement.

15. Children and Minor Patients

MYCURE does not knowingly collect personal data directly from children through patient-facing features except where such use is enabled by a Customer and occurs with the involvement, consent, or authorization of a parent, guardian, healthcare provider, or legally authorized representative where required by law.

Where a minor’s Patient Data is processed in the Services, it is generally processed on behalf of the treating clinic, healthcare provider, or Customer.

Customers are responsible for determining who may access a minor patient’s information and for obtaining and documenting any consent, authorization, or legal basis required for such access.

MYCURE may restrict, suspend, or require additional verification for minor-related accounts or access where necessary to support legal, safety, privacy, or security requirements.

We do not sell minors’ personal data or use identifiable minor patient health data for third-party advertising.

16. Your Privacy Rights

Depending on where you are located and the context of processing, you may have rights over your personal data, such as the right to:

•access your personal data;
•request correction of inaccurate or incomplete data;
•request deletion of personal data;
•object to certain processing;
•restrict certain processing;
•withdraw consent where processing is based on consent;
•request data portability where applicable;
•opt out of certain communications or optional uses; and
•lodge a complaint with a relevant authority where applicable.

These rights may be subject to legal limits, verification requirements, healthcare recordkeeping obligations, contractual obligations, security requirements, and exceptions under applicable law.

If your request relates to Patient Data controlled by a clinic or healthcare provider, we may direct you to that Customer or forward your request to them. The Customer is generally responsible for responding to requests relating to medical records, care, treatment, billing, and clinical information.

To exercise rights relating to MYCURE-controlled information, contact us using the details in the Contact Information section below.

17. Marketing Communications

We may send service-related messages, administrative notices, product updates, billing notices, and security alerts.

Where permitted by law, we may also send marketing or promotional communications. You may opt out of marketing communications by following the unsubscribe instructions in the message or contacting us.

Even if you opt out of marketing communications, we may still send non-marketing messages relating to your account, subscription, security, support, transactions, or use of the Services.

We do not use identifiable patient health data for third-party advertising.

18. Cookies and Website Choices

Our websites may use cookies and similar technologies for functionality, analytics, security, performance, and user experience.

You may be able to manage cookies through your browser settings or tools we provide. Blocking cookies may affect website or Service functionality.

Where required by applicable law, we will provide additional choices or notices regarding cookies and similar technologies.

19. Third-Party Links and Services

The Services may contain links to or integrations with third-party websites, applications, systems, or services.

This Privacy Policy does not apply to third-party services that are not operated by MYCURE.

We are not responsible for the privacy, security, or data practices of third parties. You should review their privacy policies and terms before using them.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

If we make material changes, we will provide reasonable notice, such as by posting the updated policy on our website, sending email notice, or providing in-platform notice.

The updated Privacy Policy will take effect on the date stated above or as otherwise stated in the notice.

Continued use of the Services after the effective date means the updated Privacy Policy applies to your use of the Services.

21. Limitations

This Privacy Policy explains our privacy practices. It does not create warranties, expand contractual obligations, or limit rights and obligations set out in our Terms of Agreement or applicable written agreements.

To the maximum extent permitted by law, liability relating to the Services is governed by our Terms of Agreement and applicable written agreements.

22. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact:

MYCURE / TOPSI Inc.
Email: helpdesk@mycure.md

For privacy-related matters or data subject requests, you may contact:

Data Protection Officer
Email: dpo@mycure.md