Privacy Policy
How MediFlow Medical Services collects, uses, shares, and protects personal information across mediflow.ph, the iOS app, and the marketing website.
We operate under the Data Privacy Act of 2012 (Republic Act No. 10173, the "DPA"), its Implementing Rules and Regulations, and the issuances of the National Privacy Commission ("NPC"). MediFlow Medical Services is a Philippine sole proprietorship registered with the Department of Trade and Industry under DTI Business Name Registration No. 8059068 (valid 24 March 2026 to 24 March 2031). MediFlow is a software vendor serving medical clinics. It is not itself an operating clinic and does not provide medical services.
This Policy is read alongside the MediFlow Privacy Manual v1.0 (umbrella policy, 16 chapters), the Privacy Impact Assessments v1.0, the Personal Data Breach Response Procedure v1.0, and the Compliance Addendum v1.1 dated 23 April 2026. Those internal control documents are kept on file and produced on a verified compliance, audit, or due-diligence request.
1. The two roles we play
The Data Privacy Act distinguishes between a Personal Information Controller (PIC) and a Personal Information Processor (PIP). MediFlow plays both roles, depending on the data.
MediFlow as Personal Information Processor. When a subscriber clinic uses our platform to record patient demographics, encounters, prescriptions, lab orders, electronic medical records, or appointments, the clinic is the PIC. We handle that information only on the clinic's documented instructions, under a written Data Processing Agreement concluded under Section 14 of RA 10173.
MediFlow as Personal Information Controller. For our direct relationships with clinic owners, billing contacts, support requesters, marketing leads, prospective subscribers, and our own employees, we determine the purposes and means of processing ourselves and act as PIC.
For four data processing systems (audit logs, transactional email, file attachments and the CDN, and our self-hosted real-time channels), the role is hybrid, because each handles material from both layers.
If you are a patient and have a question about your records, the clinic that registered you is the PIC for those records. The fastest path is to contact that clinic directly. If the clinic cannot help, Section 9 below explains how to reach us so we can route the request.
2. Information we collect
The categories below correspond to the fifteen Data Processing Systems declared in our NPC registration filing.
(a) Account and clinic information. Names, email addresses, mobile numbers, hashed passwords, role and permission assignments within a clinic, clinic name and address, professional licence references for clinicians where the clinic captures them, and the relationship between user accounts and the clinic that owns them.
(b) Patient and clinical information entered by clinic staff. Patient demographics (full name, date of birth, sex, civil status, residential address, contact details, emergency contact, parental or guardian consent metadata for minors), encounter records, SOAP notes, vital signs, allergies, current medications, immunisation history, ICD-10 codes where captured, treatment plans, prescription records, lab and imaging orders, attached lab and imaging files, referral letters, medical certificates, and clinical photographs uploaded by the attending healthcare provider.
(c) Appointment and queue data. Scheduled visit times, queue position, no-show flags, and reschedule history.
(d) Subscription and billing records. Subscription tier, billing period, invoice records issued under the BIR registration of MediFlow Medical Services, payment confirmation references received from PayMongo (we never see the underlying card or bank-account data), and clinic billing-contact details.
(e) Support and feedback records. Emails, in-app messages, screenshots that the requester voluntarily shares, and the resulting ticket trail.
(f) Marketing leads. Name, email, clinic, and the form fields submitted on our website or in response to a campaign, plus unsubscribe state where applicable.
(g) Audit logs. Per-record access, edit, deletion, and export events, with the actor identity, timestamp, and target identifier; reader-accountability events on access to clinical content.
(h) Real-time channel events. The metadata required to route a notification or live update to the right authorised recipient inside a clinic. Channel content is signed, scoped to the clinic, and delivered through a self-hosted real-time messaging service running inside our Singapore region.
(i) System notifications and transactional email. Recipient address, subject, body, delivery state, bounce or complaint state, and message ID. Subject and body content can include patient care context where the clinic instructs us to send a clinical notification (for example, an appointment reminder).
(j) File attachments and CDN. Files that clinic staff upload (lab results, imaging, scanned referrals, clinical photographs, signed receipts), object hashes, and short-lived signed URLs.
(k) Staff HR records for our own MediFlow personnel. Engagement records, payroll, statutory filings (BIR Form 2316, 1601-C, 1604-C; SSS, PhilHealth, Pag-IBIG), and government-ID copies. This system is internal only and never accessible to subscriber clinics.
(l) Usage and device information. Pages visited, features used, device class, browser, originating IP address, and session cookies. We do not run advertising trackers, and we do not share this data with ad networks.
We do not sell personal information. We do not use patient clinical content for product analytics, advertising, or any purpose outside running the Service for the clinic that owns the record. We do not share clinical content with external data-mining or model-training providers.
3. Why we process your information (Sections 12 and 13, RA 10173)
For clinical records and other Sensitive Personal Information ("SPI"), our processing rests on the specific, informed consent of the data subject and on the basis under Section 13(c)(2): processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured. For minors, consent is obtained from a parent or legal guardian under NPC Advisory No. 2022-02.
For non-clinical Personal Information (clinic accounts, billing contacts, support requesters, employees, and marketing leads), we rely on consent under Section 12(a) and on performance of the subscription contract under Section 12(b).
For payroll and statutory-filing records of our own employees, we additionally rely on legal obligation under Section 12(c) (BIR, SSS, PhilHealth, Pag-IBIG, the Labor Code).
We do not perform automated decision-making or profiling under Section 16(e). The platform supports clinical work; clinical decisions are made by the attending clinician.
4. Who can see your data
The audience for any record depends on the layer it sits in.
Patient and clinical records are visible only to (i) the clinic that owns the record and the staff its administrator has authorised, (ii) the named MediFlow personnel who maintain the platform under the Clinic-MediFlow Data Processing Agreement, and (iii) the data subject on a verified access request. Other clinics cannot see the record. Our marketing or website infrastructure cannot read the record.
Operational records (clinic accounts, billing, support, marketing leads, employees) are visible to the relevant MediFlow personnel under least-privilege access, and to the data subject on request.
Sub-processors receive only the minimum needed to perform their function. Section 5 lists them.
Lawful disclosures to PhilHealth, the Department of Health, the Bureau of Internal Revenue, the National Privacy Commission, the courts, and law enforcement are made only on a valid order or statutory requirement, with notice to the affected clinic or data subject where lawful and operationally feasible.
PayMongo runs the hosted-checkout flow for our subscription billing. PayMongo is a separate Personal Information Controller for the payer data it collects there. We never see card numbers or bank-account numbers, and no patient record reaches PayMongo.
5. Sub-processors and where data is hosted
We use a small, audited set of sub-processors. Each is bound by a written Data Processing Agreement.
| Sub-processor | Function | Region | DPA on file |
|---|---|---|---|
| Vultr Holdings Corporation | Compute, encrypted database storage, encrypted block storage, snapshot backups | Singapore | Yes |
| Cloudflare, Inc. | DNS, TLS termination at the edge, L3/L4 DDoS protection | Global edge | Yes |
| Resend (Resend Technologies, Inc.) | Transactional email delivery | United States | Yes |
Our real-time messaging service is open-source software that we self-host on our infrastructure in the Singapore region. The publisher of that software is not a processor of MediFlow data.
PayMongo Philippines, Inc. handles subscription checkout under a hosted-checkout pattern and is a separate PIC for payer data. It is not a sub-processor.
We do not use third-party analytics suites, advertising trackers, or session-replay vendors on the application. We use a self-hosted monitoring and metrics stack for operational monitoring. Anomaly and threshold alerts are delivered to the DPO's monitored alert channel for round-the-clock visibility.
A current sub-processor list is published at mediflow.ph/legal/sub-processors. Where we propose to add or replace a sub-processor that handles personal information for clinic clients, we give clinic clients at least 30 days' prior notice through the Service or by email and an opportunity to object.
6. Cross-border transfers
Personal information is hosted primarily in Singapore, on Vultr's certified data centre, which the NPC has acknowledged as offering an adequate level of protection. Two flows leave Singapore and we want clinics and data subjects to be aware of them.
Transactional email (DPS #12) goes through Resend in the United States. Where a clinic instructs us to send a clinical notification, the recipient address, subject, and body of that email pass through Resend, which means the United States is in scope for those events. Resend is bound by the standard contractual clauses in its DPA.
TLS termination, DNS, and edge mitigation run on Cloudflare's global edge. Cloudflare sees encrypted application traffic and request metadata; it does not store decrypted clinical content.
We disclose these flows on each clinic's onboarding DPA. A clinic that wants email kept inside the Philippines can ask us to disable Resend on its account; we have a Philippine-only mail path available on request, with the trade-off that delivery reliability and analytics visibility are reduced.
7. Retention and disposal
We retain personal information for the duration of the clinic's active subscription and then for a 60-calendar-day grace window during which the clinic may export records, with hard-deletion afterwards. Encrypted backup snapshots rotate on a 90-calendar-day cycle, so deleted records fall out of backups within that window. Specific reckoning events for each Data Processing System are documented in our Privacy Manual Chapter 7.
| Record class | Retention floor | Reckoning event |
|---|---|---|
| EMR, encounters, lab orders, demographics, appointments | Active subscription + 60-day grace | Subscription termination |
| Prescription records referencing PDEA-scheduled controlled substances | 2 years from issuance, regardless of subscription state | Date of issuance (RA 9165) |
| Subscription invoices and BIR-registered receipts | 10 years | Close of taxable year (NIRC Section 235) |
| Transactional-email delivery proofs linked to BIR receipts | 10 years | Close of taxable year |
| PDF receipts in the CDN / attachment store | 10 years | Close of taxable year |
| Audit logs | 365 days minimum, longer where the logged event belongs to a record class with a longer floor | Event date |
| Marketing leads | 2 years from last contact or conversion | Last touch |
| Marketing unsubscribe / suppression list | 3 years minimum | Unsubscribe event |
| Support tickets | 3 years | Ticket closure |
| Server access logs (marketing site) | 90 days | Event date |
| Staff HR engagement records | 3 years from last entry (Labor Code) | Last entry |
| Payroll and statutory-contribution records (BIR, SSS, PhilHealth, Pag-IBIG) | 10 years | Close of taxable year (NIRC Section 235) |
| Non-hired applicant data | 12 months from hiring decision; 24 months with talent-pool consent | Hiring decision |
| Breach Register (BRP §9, NPC Circular 16-03 §20) | 5 years minimum | Last entry |
Disposal is multi-stage: soft-delete (30-calendar-day administrator undo window), hard-delete from the production database, and backup purge inside the 90-day rotation. Every deletion is logged in the Audit Log Data Processing System.
A verified Data Subject Rights ("DSR") erasure request runs on a faster track: 5-business-day soft-delete, 30-calendar-day hard-delete, 90-calendar-day backup purge, subject to any applicable statutory floor.
8. How we secure your data
Security is documented in detail in the MediFlow Privacy Manual v1.0 Chapter 8. The standing controls are:
- Transport. TLS 1.2 or higher on all client-server traffic, with HSTS at the edge.
- Encryption at rest. AES-256 on the production database and on the encrypted storage volumes that hold backups and snapshots.
- Authentication. A modern adaptive password-hashing algorithm with per-user salt, a 10-character minimum, and a common-password blocklist; two-factor authentication enforced on every proprietor and DPO infrastructure account (cloud hosting, edge and CDN, domain registrar, transactional email, source-control). In-app two-factor authentication for clinic admin, doctor, and staff accounts is a pre-launch delivery item before the first paying clinic onboards, and is mandatory at launch on accounts with broad access to billing, audit logs, support, transactional email, file attachments, and HR.
- Access control. Role-based access at the application layer; tenant-level isolation enforced by application logic; least-privilege for our own personnel.
- Audit logging. Create, edit, delete, and export events captured with append-only semantics; reader-accountability logs on access to clinical content; logs retained per Section 7 above.
- Origin lockdown. Origin servers accept traffic only from Cloudflare edge ranges, a restriction we verify independently from an external vantage point. No direct ingress to the origin servers is possible.
- Application security. Pre-deployment security review covering OWASP Top-10 categories on every release; formal third-party penetration testing scheduled prior to commercial launch. We do not currently run a Web Application Firewall and we do not claim one.
- Backups. Encrypted block-storage snapshots on a 90-calendar-day rolling window, with periodic restore testing.
- Monitoring. A self-hosted monitoring and metrics platform, with anomaly and threshold alerts delivered to the DPO's monitored alert channel for 24/7 visibility.
- Lifecycle controls. 30-calendar-day soft-delete with administrator undo, 5-business-day erasure on verified DSR, scheduled hard-delete, and 90-day backup rotation.
We do not rely on third-party advertising or analytics SDKs in the application, and we do not share application code or patient data with external data-mining or model-training providers.
9. Your rights and how to use them
Under the Data Privacy Act, you can:
- (a) ask whether we hold personal information about you and access it;
- (b) ask us to correct inaccurate or out-of-date entries;
- (c) ask us to delete entries that are no longer necessary or for which you have validly withdrawn consent;
- (d) block processing on legitimate grounds;
- (e) ask us to export your information in a portable format;
- (f) object to processing where permitted; and
- (g) lodge a complaint with the National Privacy Commission (privacy.gov.ph).
If you are a patient, the clinic that registered you is the PIC for your records. The fastest path is to ask the clinic directly, and we will assist them under our DPA. If the clinic cannot help, we will accept your request and route it to them.
If you are a clinic owner, staff member, billing contact, support requester, or marketing-list subscriber, send your request to dpo@mediflow.ph.
We acknowledge any DSR within 2 business days and respond substantively within 15 calendar days, in line with NPC Advisory No. 2021-01. Verified erasure runs on the schedule in Section 7. We may ask for proof of identity and, where relevant, proof of authority, before acting on a request.
10. Personal data breach notification
We follow our Personal Data Breach Response Procedure v1.0, aligned with NPC Circular 16-03.
If a notifiable breach affects a clinic's data (where MediFlow is PIP), we will notify the clinic within 24 hours of discovery, so the clinic, as PIC, can meet its 72-hour obligation to the NPC and to affected data subjects.
If a notifiable breach affects data for which MediFlow is the PIC, we will notify the NPC and affected data subjects within 72 hours of discovery.
We maintain a Breach Register for at least 5 years (NPC Circular 16-03 §20) and a Data Subject Rights Register for at least 3 years.
12. Children
The application is intended for use by adults: clinic owners, doctors, and staff. We do not invite children to create accounts. Patient records of minors are entered by authorised clinic staff with parental or legal-guardian consent under NPC Advisory No. 2022-02.
13. Updates to this Policy
We update this Policy when our processing changes, when a sub-processor changes, when statutory requirements change, or when our annual Privacy Manual review surfaces a material correction. Material updates are announced through the Service or by email at least 14 days before they take effect, except where a regulator requires an earlier date. The version table at the top of this Policy lists the effective date and the version it replaces. A change history is maintained in our Privacy Manual.
14. Contact
Data Protection Officer: dpo@mediflow.ph
Support: help@mediflow.ph
Postal: MediFlow Medical Services (DTI BN 8059068), Philippines. The full registered address is provided to data subjects on a verified identity check, and is on the NPC registration record once Phase I submission completes.
National Privacy Commission
Complaints: complaints@privacy.gov.ph
Website: privacy.gov.ph
Authoritative source documents: MediFlow Privacy Manual v1.0; Privacy Impact Assessments v1.0; Personal Data Breach Response Procedure v1.0; Compliance Addendum v1.1 (23 April 2026); MediFlow NPCRS Phase I DPS Answer Sheet v1.0 (23 April 2026). DPO Affidavit of Designation duly notarised on 22 April 2026.