Wellcare respects the privacy of patients and users and is committed to protecting their information. We adhere to the following three standards:
- The General Data Protection Regulation (GDPR) of Europe.
- The Health Insurance Portability and Accountability Act (HIPAA) of the United States.
- The Cybersecurity Safety Requirements of the Ministry of Information and Communications of Vietnam (Circular 03/2017/TT-BTTTT).
The privacy policy below outlines how patient and user information is collected and used. We may update this policy to comply with the latest privacy guidelines. If these changes significantly impact users, we will notify you and invite you to review the changes. By receiving these notifications and continuing to use the Wellcare system, you agree to the changes we have made.
If you have any questions regarding the information collection and use policy, please contact our Information Security Department immediately:
Information Security Officer
Address: LA0208, Lexington Building, 67 Mai Chí Thọ, An Phú Ward, District 2, Ho Chi Minh City.
Email: [email protected]
Purpose and Scope of Collection
When using Wellcare services on our websites, mobile applications, and call center, or through partners using our software in a white-label format, the following types of information and data are collected by Wellcare:
| Scope | Purpose |
| Contact Information: Phone number, email, address | - Phone number: To verify users and connect calls between patients and doctors via the call center. - Email & Phone number: To send notifications to users, appointment reminders, and consultation results from doctors. - Address: Required only when users need home delivery of medication or to receive results & documents by mail. |
| Personal Information: Name, birth year, gender, health insurance card, ID card (number or image), medical license | - To identify users in the application. - For doctors to provide appropriate advice based on the patient's age and gender. - To verify user information with third parties, e.g., health insurance, hospitals, Ministry of Health. - To comply with regulatory requirements, e.g., ensuring doctors have a valid medical license for telemedicine practice. |
| Health Information: Types of information: symptoms, prescriptions, diagnoses, vital signs, physical activity indicators, test results, imaging results, health screening results, messages exchanged with chatbots or other users. Data forms: text, images, audio, voice recordings, video, or other digitized documents. | - Before detailed consultation, doctors require patients to provide all medical history information to build a comprehensive medical record. - To maintain a lifetime electronic medical record in chronological order for better health tracking by doctors and patients. - A complete medical record is essential for consultations among doctors when necessary. - As a basis for insurance reimbursement. - Information will be de-identified (removal of identifiable and contact information) before being used to analyze and improve AI algorithms, enhance software usability, and provide practical benefits for doctors and patients in healthcare. |
| Financial Information: Types of information: bank account details & payment transaction history for service use. We do not store credit card information. When paying by credit card or e-wallet, users are redirected to the payment page of state-licensed electronic payment gateways to complete the transaction. | - We store doctors' bank account information to transfer consultation revenue but do not store patients' bank account information. - We store customer payment transaction history to reconcile with electronic payment gateways. |
| Technical Information: IP address, device used, time zone, language, cookies, viewed content, interaction results with the application, content access time. | - This information is recorded to: - Detect and fix application errors, improve application speed and performance. - Support analysis to optimize user experience. |
This information is collected from the Wellcare application, or in part, from partner applications (e.g., Facebook, Google...). Regardless of the source, we adhere to a unified policy for information collection and usage.
Information Storage Period
User's personal data will be stored until there is a request for deletion or the user logs in and performs the deletion themselves. In all other cases, user personal information will be securely stored on our servers as recommended by the Ministry of Health.
| Type of Information | Storage Period |
| Contact Information | Until the user requests deletion. If no deletion request is made, information will be stored for a minimum of 10 years from the time the user stops using the application. |
| Personal Information | Until the user requests deletion. If no deletion request is made, information will be stored for a minimum of 10 years from the time the user stops using the application. |
| Financial Information | Transaction information is stored for a minimum of 2 years after the transaction date for reconciliation and audit purposes. |
| Health Information | Information associated with the user is stored until the user requests deletion. De-identified information is stored for at least 10 years from the date it was created. |
| Technical Information | De-identified information is stored for at least 10 years from the date it was generated. |
Data Storage, Security, Transmission, and Safety
All user information is encrypted when stored from the user’s device and on our servers. Data can only be accessed and viewed with the correct password. Please do not share your password, SMS messages, or OTP codes with anyone.
Wellcare does not store credit card information or user passwords in payment gateways or third-party applications. The payment gateway partners we select comply with PCI security standards and are licensed to operate by the state.
All information transmitted from the user’s device to our system, and between our system and third-party systems, is encrypted using SSL and the latest security standards to limit unauthorized access.
User data is stored and backed up in major data centers in Vietnam, Singapore, and the United States.
We do not use, transfer, provide, or disclose any user information to any third party without the user's consent.
In the event that our information storage server is hacked, leading to the loss of users' personal data, we will notify the authorities for timely investigation and resolution and inform users of the incident.
User Rights Regarding Data
Customers have the right to access their own data and download it to their own devices (except in cases where the storage period has expired or the data is co-owned by other users, such as audio recordings).
Request data correction if there are errors or request data deletion. For data that serves as a basis for consultation & diagnosis content or prescriptions, the data will be de-identified but not deleted or modified until the minimum storage period has expired.
Set and change the permissions for the use of information and data.
