Privacy Policy
Last reviewed: 2026-05-20 (draft — pending lawyer sign-off)
This policy explains, in plain language, how Klinik Dr Gian Sdn Bhd handles your personal data inside the Caregiver System. It complements the formal PDPA s.7 notice.
What we collect and why
We collect only what we need to deliver in-home elder care: who you are, where you live (so the nurse can find you), your current health picture (so the care plan is right for you), and a record of every visit we've made. We collect family-contact details so we can send a copy of the care report after each visit. We collect staff details to know who delivered which visit and to keep them safe.
We do not collect data we don't need. We do not run third-party advertising trackers. We do not sell data.
Who can see your data
Inside the clinic: only staff with a legitimate role-based need (admin, doctor, nurse-assigned-to-your-visit, finance for invoicing) can see your data. Access is logged.
Outside the clinic: only the sub-processors listed in the PDPA notice — and only the minimum data each one needs to do its job.
How long we keep it
Clinical records: 7 years from case closure (Malaysian medical records standard). After that, an automated process removes them permanently.
Audit logs: 7 years (matches clinical records).
Session tokens / login state: shorter — usually less than a day after you sign out.
Your rights, in practice
You can ask us:
- What data we hold about you (we'll send you a copy).
- To correct anything that's wrong.
- To restrict how we use your data while a query is pending.
- To export your data to another provider.
- To withdraw consent for any non-essential processing.
Email dpo@klinikdrgian.com.my. We respond within 21 days.
You can also lodge a complaint with the Personal Data Protection Commissioner of Malaysia at pdp.gov.my.
How we protect your data
All data is encrypted in transit (TLS) and at rest. Access is gated by row-level security at the database level — meaning even with a valid login, staff can only see records their role entitles them to. Administrative accounts are protected by two-factor authentication. Every action against patient data is logged with the actor, timestamp, and source IP.
If despite these defences a breach occurs that affects you, we commit to notifying you within 72 hours of detection, as required by the PDPA 2024 amendment.
Cookies and tracking
We use only the cookies strictly necessary to keep you signed in (Supabase auth session cookies, marked HttpOnly and Secure so they cannot be read by JavaScript or transmitted over unencrypted connections). We do not use third-party tracking cookies, advertising cookies, or fingerprinting techniques.
We use first-party Vercel Web Analytics + Speed Insights to measure site performance. These ship only anonymous, aggregated metrics (page-view counts, Core Web Vitals) and do not identify you.
Children
The Caregiver System is designed for elder care and is not intended for children under 13. If we become aware that we hold data about a child without parental consent, we will delete it.
Changes
We update this policy when the underlying processing changes. Material changes are communicated by email to all active data subjects.
Contact
Data Protection Officer: dpo@klinikdrgian.com.my
General enquiries: hello@klinikdrgian.com.my
[LAWYER REVIEW REQUIRED] Drafting template — confirm with a Malaysian privacy lawyer before relying on this as a defence in any subject-rights claim or PDPC inquiry.