Date: November 2023
Carepay International B.V. and its affiliates and representatives from time to time (together, and each of them as the context may require “CarePay”, the “CarePay Group”, “we” or “us”) have the mission to give everyone the power to care by enabling mobile access to healthcare through our digital platforms (the “CarePay Platform” or “Platform”) and providing related services (the “Services” in cooperation with payers of healthcare (“Payers”), healthcare providers (“Providers”) and other business partners, to users of our Services (“Users” or “you”).
The CarePay Platform and Services are provided to you via the CarePay Group entity and/or business partners (for example a Payer or Provider) operating in your country. When you use our Platform, they are your primary point of contact for questions, including on personal data. For more information regarding data processing, please consult our country-specific privacy statements and/or the privacy statement of the relevant partner (for example your medical insurer or intermediary). This statement does not cover the processing of your personal data by our partners.
This privacy statement is intended for individuals using our Services and provides information about the processing of personal data by CarePay International B.V. in connection with our Services. By using our Services, you acknowledge and agree to have read, understood and accepted this statement. If you share personal data of other people with us, it is your responsibility to inform and share this statement with them.
Personal data is any information that can be traced back to an individual User who is a natural person. Examples include your name, address, fingerprint (where biometric identification is used at a Provider), medical information (which is considered sensitive data and is processed with extra care) national identification number, telephone number, location data, membership or policy number. This personal data may relate to you or anyone who can access healthcare via your Healthcare Program, including your spouse, child(ren) or any other so-called dependent under the program. To safeguard personal data, it may be pseudonymized or anonymized. Pseudonymized means that personally identifiable information fields are replaced with one or more artificial identifiers (or pseudonyms). Anonymization means that personally identifiable information is removed.
We recognize that processing personal data comes with responsibilities on privacy, confidentiality, access and transparency, which we take seriously. CarePay endeavours to process your personal data carefully, securely, and confidentially. It is important to us that you have confidence in our organization regarding the processing of your personal data. CarePay endorses and observes the principles of the European General Data Protection Regulation (GDPR) and other applicable data protection laws (together the “Data Protection Laws”) throughout the CarePay Group. We design our Services to be compliant with the Data Protection Laws by ensuring that we process personal data with a legal basis and in accordance with the purpose for processing, while respecting your right to privacy. CarePay enters into data processing agreements to govern its activities when processing personal data and to ensure that any (sub)processors it engages undertake their assignments in compliance with the Data Protection Laws.
Your personal data will be treated confidentially and will only be processed for the purpose of providing and improving our Services. We use industry standard technical and organizational measures to secure the information we store. We take the following measures to limit the impact of our data processing on your privacy:
- Where it is not important for us to know exactly who the User is, we process user data in anonymized or pseudonymized form.
- We store anonymised data in a data vault for historical records on use of our Services and at times to conduct analytical reviews and to enhance the Platform and impact of our Services.
- All CarePay entities are bound by a data protection policy and a data processing agreement with provisions safeguarding data privacy in line with Data Protection Laws.
- We use (sub)processors who have privacy/security policies and offer a data processing agreement with provisions safeguarding data privacy in line with Data Protection Laws.
The (sub)processors may only process your personal data to support us in providing and improving our Services.
While we implement safeguards designed to protect your information, no security system is impenetrable due to the inherent nature of the internet, we cannot guarantee that information, during transmission or while stored on our systems or otherwise in our care, is totally safe from intrusion by others. To mitigate the risk of intrusion, we encourage Users to take responsibility for securing storage and access to their information by not sharing their login credentials or other details with third parties and using private network services to access the Services.
Please notify us should you have reason to believe that your account has been accessed by intruders or your privacy has been breached. We have systems in place to mitigate any further risks and enable you to have access to your account.
The CarePay website provides information on the Services offered by us and further information on access and utilization of such Services and provides a chat function that can be used to inquire about our Services or seek support on a User account. The website also lists available job vacancies and provides for the application processes.
CarePay role, the data we process and why?
With respect to the website, CarePay is the controller of the personal data provided by a User. We process your personal data to enable and enhance your use of our website and to know whether our website can be visited properly, which pages are visited, and what errors occur. This way, we can provide website visitors with a seamless experience, update the website where necessary and expedite solving technical errors, while limiting the impact on your privacy.
What is the legal basis for processing personal data?
The legal basis to process your personal data on the website is the legitimate interest of CarePay to run and improve its website.
Which parties process personal data for us?
Where are personal data processed and for how long?
We host carepay.com on WebFlow, which is located in the United States of America. Google Analytics processes data on their servers in various locations, including the United States of America. In each case, all processing is only done for as long as necessary for the purpose of running and improving our website, or for legal compliance.
The CarePay Platform is used by the CarePay Group entities and business partners in various countries to digitally enable your access to healthcare. For example, the CarePay Group entities may enable Payers (such as medical insurers, employers or donors) to digitally administrate your healthcare cover. Or a business partner may use the CarePay Platform under their own brand to offer digital administration services to your Payer. In this setting, you may interact with our Platform. The local CarePay Group entity or business partner (as the case may be) is your primary point of contact for questions, including on personal data. For more information regarding data processing, please consult our country-specific privacy statements and/or the privacy statement of the relevant partner (for example your medical insurer). This statement provides information about the processing of personal data by CarePay International B.V. and does not cover the processing of your personal data by our partners.
What is the role of CarePay?
In this setting, CarePay acts as a data (sub-)processor on behalf of the business partner using the CarePay Platform or the CarePay Group entity providing the Services.
Which data are processed and why?
The following personal data may be processed by CarePay for the following purposes as necessary to provide the Services:
- Registration and account data: data to enable your account on the Platform may include your name, date of birth, birth certificate, gender, mobile number, e-mail address, system identification numbers, national ID or passport, policy membership number, photo, staff identification number and employer, location, address and tax identification number.
- Biometrics: if required by the Payer, your biometrics (fingerprint) may be processed for identification and fraud prevention purposes.
- Treatment and health data: to enable access to healthcare, claim identification and invoice number as well as treatment data may be processed, which includes Provider visited, items billed, symptoms, diagnoses, medical notes and reports.
- Medical information: to enable access to healthcare, information regarding your medical history and medical treatment, status or diagnosis may be processed.
- Program information: to enable access to healthcare, information on your healthcare cover may be processed, including cover, benefits, limits, exclusions and dependents.
- Financial data: to facilitate payments related to your access to healthcare, financial data may be processed, including insurance premium or other cover charge, account details, payments, healthcare service charges.
What is the legal basis for processing personal data?
As the (sub-)processor, we process personal data because it is necessary to perform the contracts you have with our business partner or the CarePay Group entity in your country, to enable your access to healthcare.
For how long are personal data processed?
The data are processed for as long as you use the CarePay Platform and for a reasonable duration thereafter as determined by our business partner or the CarePay Group entity providing services to you, or as long as necessary for legal compliance.
C. GENERAL PLATFORM AND OPERATIONAL PROCESSING
When you use the CarePay Platform, we monitor your use to improve our Services. Where possible, we do so on pseudonymized basis. You may elect to opt out of such processing if it is not necessary to provide our Services. See more information on your rights in section 8 below.
What is the role of CarePay?
CarePay as the operator of the CarePay Platform processes personal data to improve, avail and enhance your use, and for the support, of the Platform.
Which data are processed why?
The following personal data may be processed for the following purposes:
- Platform monitoring: to know whether our platform can be visited properly and to locate and address root causes of errors, we process user actions (using cookies), IP address, location information and device details, in each case in pseudonymised form. This way we can provide our users a seamless experience, update the platform functionalities where necessary and expedite solving technical errors, while limiting the impact on your privacy.
- Other information: when you contact us through phone calls, the call may be recorded for quality assurance and to assist with training purposes. When necessary, we may ask for additional consent for certain processing activities such as conducting surveys on your user experience.
- Necessary cookies: these cookies enable us to address platform efficiency features like automatic filled text boxes, allowing access without re-entering your username or password, live web chat and platform security parameters like a single sign-on (SSO). We therefore do not allow you to opt out as that would affect the platform usability for you. These cookies remain on your device for up to 365 days from last use.
- Analytical cookies: these cookies are used to improve platform usage and performance. We use Heap analytics, Google analytics and Datadog to track the user journey to help us improve it and to offer you a better user experience. You can review and update your cookie preference by clicking on Manage Cookies.
What is the legal basis for processing personal data?
The legal basis to process the data is the legitimate interest of CarePay to run and improve our Platform and Services and your user experience.
For how long are personal data processed? The Platform use data are processed as long as you use the Platform and are retained for up to seven years or as necessary for legal compliance.
CarePay engages various third-party sub-processors for the processing of personal data on the web-portals, USSD service and online applications of our Platform. This includes AWS (Amazon Web Services) as host of our Platform on their cloud servers, meaning AWS processes the Platform (personal) data. The Platform may also contain third-party tools to enable certain functionalities, and we may apply tools to develop, operate, support and monitor our platform as well as solve technical errors. This way we can provide our users a seamless user experience, update the platform functionalities where necessary and expedite solving technical errors. The third parties operating these tools may have access to the data processed by the tools. As the Platform is under development, these parties may change from time to time, and you can contact us for an up-to-date overview and further information.
Personal data may also be processed by the various CarePay Group entities which provide Platform support services.
Where the CarePay Platform is made available to you via a business partner, we may share data with the partner. We may further develop, and share insights based on anonymized (non-personal) data with our partners.
Please note that CarePay or its partners may at times be obliged under laws and regulations to share data with regulators or other public authorities.
CarePay hosts the Platform on AWS cloud servers as much as possible in the country where users are located. Where that is not possible, the Platform is hosted in the European Union. Similarly, we aim to have our third-party processors process data in the country where our users are based or in the European Union. Where that is not possible, these third-party tools may process data in other locations, subject always to putting measures in place safeguarding data privacy (such as contractual clauses). In order to support all our business partners effectively, data may also be processed in CarePay’s offices from which Platform support services are provided. As the platform is under development, the processing locations may change from time to time, and you can contact us for an up-to-date overview and further information.
CarePay considers it important that you can properly exercise your rights under Data Protection Laws. We work together with our business partners and within the CarePay Group to facilitate this. You can exercise your rights by contacting the business partner (for example your Payer) or the CarePay Group entity (as the case may be) who controls your data.
In summary, you have the following rights:
- The right of access: you can request access to your personal data. When you have a Platform account, you can access information (such as account details and healthcare cover) via the account.
- The right of rectification: you have the right to update your personal data where they are not correct or incomplete. You can update your Platform account information yourself in your account settings.
- The right of erasure: under certain circumstances, you may request for your personal data to be erased. This right is not absolute but applies for example if the processing is no longer necessary for the intended purpose or if the data were processed illegally.
- The right of restriction: under certain circumstances, you have the right to limit further use of your personal data. This right is not absolute but applies for example where you contest the accuracy of data and the controller is validating or if processing by the controller is no longer necessary but you would like them to retain the data.
- The right to object / opt out: under certain circumstances, you have the right to object to / opt out from your data being processed. This right is not absolute and applies for example where the legal basis for your data being processed is the legitimate interest of the controller. In this case, a balancing between your interests and the controller’s interests will take place.
- The right to data portability: this right protects your ability to obtain some of your information in a structured, commonly used and machine-readable format. This right will apply to some of your information depending on the context.
You may request your rights verbally or in writing. Upon a request, some time may be needed to validate the request and you may be asked to complete a form to confirm the request and the data concerned. Your request should be handled within one month.
Please note that CarePay and our partners need to process certain data to be able to deliver the services and that some information may have to be retained under applicable laws and regulations.
Where the CarePay Group entity providing Services to you is the controller of your data, you can contact them for any questions or complaints. You can also email firstname.lastname@example.org. We will handle your queries together with the CarePay Data Protection Officer who is appointed to safeguard compliance with Data Protection Laws.
Where our business partner using the CarePay Platform to enable your access to healthcare is the controller of your data, you should contact them for further information and any questions in connection with the processing of your data. When it comes to the protection of your personal data it is also possible to file a complaint with the supervisory authority in your country. We would appreciate the opportunity to address and solve any issue you may have prior to filing such a complaint.
CarePay may from time to time make changes to its Services, functionalities and reserves the right to update this privacy statement accordingly. Your continued use of the CarePay Platform constitutes your acknowledgement and acceptance of any updated version of this statement.