1. About Us

Vcare is a health-checkup booking and prepayment platform. Actual checkup services are delivered by our licensed partner clinics ("Partner Clinics"); we operate the booking and prepayment layer and do not provide medical services ourselves. Our services include health-checkup bookings, voucher issuance and redemption, medical report delivery, and membership account management.

2. Scope of This Policy

This policy applies to all personal data collected through our website (vcare.com.sg), mobile application (Vcare App), and any related services provided by the Company. Our platform may contain links to third-party websites; this policy does not apply to external sites, and we encourage you to review their privacy policies separately.

3. Personal Data We Collect

(a) Data you provide

• Account data: email address, name, phone number, password (stored hashed)
• Profile data: date of birth, occupation, passport number, student ID number, international address (street, city, postal code, country)
• Identity documents: photos of your identity document / passport (up to 2), used for verification
• Booking data: the Partner Clinic, time slot, and checkup items you book
• Out-of-pocket reports & feedback: self-reported amounts, receipt images, ratings and comments

(b) Health-checkup data (sensitive)

• Health-checkup report PDFs, report images, and medical notes
• Medical / attendance certificates for appointments

(c) Data collected automatically

• Push identifiers: Firebase Cloud Messaging (FCM) device token and device platform, used to deliver notifications
• Payment identifiers: payment charge id, payment method, invoice number, amount. Full card numbers are handled by our payment processor — we do not store full card numbers
• Operational logs: user id, action type, request id, and timestamp, used for operations, security, and debugging

4. Mobile App Permissions

Our app requests the following permissions on Android and iOS, used only when you actively use the related feature:

You may disable any of these in your device settings at any time; the related features (e.g. document upload, push notifications) will then be unavailable.

5. Purposes of Collection, Use, and Disclosure

1. Providing and managing health-checkup bookings, voucher issuance / redemption, and report delivery
2. Creating and managing your member account
3. Verifying your identity to prevent impersonation
4. Processing payments and refunds, and managing billing
5. Sending notifications (booking confirmations, clinic acceptance, report uploads, subscription expiry / renewal, announcements)
6. Sharing necessary appointment and checkup information with Partner Clinics to deliver services
7. Responding to enquiries and providing customer support
8. Preventing fraud and ensuring platform security
9. Complying with applicable laws and regulations, and enforcing our terms of service
10. Any other purpose for which you have given consent

6. Consent and Withdrawal of Consent

By using our services or agreeing to our terms, you consent to the collection, use, and disclosure of your personal data as described in this policy.

You may withdraw your consent at any time by contacting our DPO at dpo@vcare.com.sg. Withdrawal may result in our inability to provide certain services; we will inform you of the likely consequences upon receiving your request, and will cease to collect, use, or disclose your data unless legally required to retain it.

7. Access and Correction

You have the right to access the personal data we hold (and how it was used or disclosed in the past year) and to correct any inaccuracy or omission. To make a request, contact our DPO at dpo@vcare.com.sg. We may verify your identity first and will respond within 30 days, or inform you if more time is needed. A reasonable fee may apply to access requests, of which we will inform you beforehand.

8. Disclosure to Third Parties

We will not sell, rent, or trade your personal data. We disclose to, or engage, the following third parties only as necessary:

These third parties act as our data processors and are required to process your data only for the purposes above and to apply appropriate protection. We may also disclose data when required by law, regulation, or court order, or with your explicit consent.

9. Data Storage Location and International Transfers

Your personal data (including identity-document images and health-checkup reports) is primarily stored and processed on AWS infrastructure within Singapore (the ap-southeast-1 region).

Mobile push notifications are delivered via Google Firebase Cloud Messaging, so push identifiers and notification content may be processed on Google's global infrastructure outside Singapore. For such transfers, in line with the PDPA Transfer Limitation Obligation, we require recipients to provide a standard of protection comparable to this policy.

10. Data Retention and Account Deletion

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Financial (invoice / payment / refund) and medical (checkup report) records may be subject to statutory retention periods under applicable Singapore regulations.

Account deletion (self-service)

You may request deletion of your account within the app or website. On deletion:

• Your email is anonymised to a non-identifying placeholder; your name, phone, passport, and student ID fields are cleared; and your uploaded identity-document images are deleted from storage.
• For legal compliance, financial and medical records are retained in de-identified form (no longer linked to an identifiable individual) rather than deleted.

11. Data Protection and Security

• Passwords are stored as one-way hashes; mobile sessions use tokens kept in the device's secure storage.
• Sensitive files (identity images, health reports) are stored in access-controlled storage and retrievable only via back-end authorisation.
• Card data is handled by a PCI-DSS-compliant payment processor; our servers do not store full card numbers.
• Back-office access to health and identity data follows the principle of least privilege.
• Personnel handling personal data are bound by confidentiality obligations, and security practices are reviewed regularly.

No method of internet transmission or electronic storage is, however, perfectly secure.

12. Data Breach Notification

In the event of a data breach likely to result in significant harm to affected individuals, or involving 500 or more individuals, we will notify the Personal Data Protection Commission (PDPC) within three (3) calendar days of our assessment, and notify affected individuals as soon as practicable so they may take protective measures.

13. Children and Family Accounts

Our service supports parent / child accounts and guardian companionship. A child's personal and health data is visible to the parent / guardian account only within the scope the child authorises. If you create an account for, or provide data about, a minor, you confirm that you have the lawful consent or guardianship to do so.

14. Cookies

Our website uses cookies and similar technologies to maintain your login session, improve service quality, and provide a personalised experience. You may configure your browser to reject cookies; however, this may affect certain features.

15. Changes to This Policy

We may amend this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date; for material changes, we will make reasonable efforts to notify you via our platform or email. Your continued use of our services after changes constitutes acceptance of the updated policy.

16. Contact Us

You may also refer to the Personal Data Protection Commission (PDPC) website for more information on your rights under the PDPA.

一、關於我們

Vcare 是一個健康檢查預約與預付服務平台。實際健檢服務由合作之合法醫療機構（下稱「合作診所」）提供，本公司僅提供預約與預付服務，不自行提供醫療服務。本服務包含健檢預約、健檢券核發與兌換、醫療報告遞送及會員帳號管理。

二、本政策適用範圍

本政策適用於透過本公司網站（vcare.com.sg）、行動應用程式（Vcare App）及相關服務所蒐集之所有個人資料。本平台可能包含連結至第三方網站，本政策不適用於任何外部網站，建議您另行閱讀其隱私權政策。

三、我們蒐集的個人資料

（一）您主動提供的資料

• 帳號資料：電子郵件、姓名、電話號碼、密碼（加密儲存）
• 會員詳細資料：出生日期、職業、護照號碼、學生證號碼、國際地址（街道、城市、郵遞區號、國家）
• 身分證件影像：身分證件 / 護照照片（最多 2 份），供身分核驗
• 預約資料：您預約之合作診所、時段與健檢項目
• 自費回報與評價：自費金額回報、收據影像、評分與意見

（二）健康檢查相關資料（敏感個資）

• 健檢報告 PDF、報告圖片與醫療備註
• 預約之就醫 / 健檢證明文件

（三）自動蒐集的資料

• 裝置推播識別碼：Firebase Cloud Messaging（FCM）device token 與裝置平台，用於推播通知
• 付款交易識別碼：付款 charge id、付款方式、發票編號、金額。完整卡號由金流處理商處理，本公司不儲存完整卡號
• 操作日誌：使用者 ID、操作類型、請求識別碼與時間戳，用於系統維運、資安與除錯

四、行動應用程式權限

本 APP 在 Android 與 iOS 上會請求下列權限，僅於您主動使用對應功能時啟用：

您可隨時於裝置系統設定中關閉上述權限；關閉後相關功能（如證件上傳、推播）將無法使用。

五、蒐集、使用及揭露之目的

1. 提供及管理健檢預約、健檢券核發 / 兌換與報告遞送
2. 建立及管理您的會員帳號
3. 驗證您的身分以避免冒用
4. 處理付款與退款及帳務管理
5. 發送通知（預約確認、診所接受預約、報告上傳、訂閱到期 / 續約、平台公告）
6. 與合作診所共享必要之預約及健檢資訊，以利提供服務
7. 回應您的詢問並提供客戶支援
8. 防範詐欺並確保平台安全
9. 遵守適用法律法規並執行服務條款
10. 其他經您同意之目的

六、同意與撤回同意

當您使用我們的服務或同意服務條款時，即表示您同意依本政策所述方式蒐集、使用及揭露您的個人資料。

您可隨時聯繫資料保護官（dpo@vcare.com.sg）撤回同意。撤回同意可能導致我們無法繼續提供某些服務；我們將在收到請求後告知您可能的影響，並停止蒐集、使用或揭露您的資料（除非法律要求保留）。

七、存取與更正權利

您有權存取我們持有的您的個人資料（及過去一年內的使用 / 揭露情形），並更正任何不正確或遺漏之處。如需提出請求，請聯繫資料保護官（dpo@vcare.com.sg）。我們可能需先驗證您的身分，並將於 30 日內回覆，如需更多時間將另行通知。處理存取請求可能收取合理費用，屆時將事先告知。

八、向第三方揭露

我們絕不會販售、出租或交換您的個人資料。我們僅在必要時，向下列第三方揭露或委託處理：

上述第三方均為本公司之資料處理者，依約僅得為前述目的處理您的資料並採取適當保護措施。我們亦可能在法律、法規或法院命令要求，或經您明確同意時揭露資料。

九、資料儲存位置與跨境傳輸

您的個人資料（含身分證件影像、健檢報告）主要儲存與處理於新加坡境內之 AWS 基礎設施（ap-southeast-1 區域）。

行動裝置推播透過 Google Firebase Cloud Messaging 提供，相關之推播識別碼與通知內容可能經由 Google 位於新加坡以外之全球基礎設施處理。就此類跨境傳輸，我們依 PDPA 之「資料移轉限制義務」，要求接收方提供與本政策相當之保護水準。

十、資料保留與帳號刪除

我們僅在實現蒐集目的所必要之期間內保留您的個人資料，或依適用法律法規之要求保留。財務（發票 / 付款 / 退款）與醫療（健檢報告）紀錄可能依新加坡相關法規受法定保留期間規範。

帳號刪除（您可自助執行）

您可於 APP / 網站內申請刪除帳號。執行刪除時：

• 您的 email 將被匿名化為不可識別之佔位值，姓名 / 電話 / 護照 / 學生證等欄位將被清空，上傳之身分證件影像將自儲存空間刪除。
• 基於法令遵循，財務與醫療紀錄將以去識別化方式保留（不再與可識別之個人連結），不會一併刪除。

十一、資料保護與安全

• 密碼以單向雜湊儲存；行動端登入採權杖機制，權杖儲存於裝置安全儲存區。
• 敏感檔案（證件影像、健檢報告）儲存於受存取控制之空間，須經後端授權始能取得。
• 卡片資料由 PCI-DSS 合規之金流商處理，本公司伺服器不儲存完整卡號。
• 後台對健檢與身分資料採最小權限原則。
• 處理個人資料之人員均受保密義務拘束，並定期檢視安全措施。

惟任何透過網際網路傳輸或電子儲存之方式皆無法保證絕對安全。

十二、資料外洩通報

若發生可能對受影響個人造成重大損害，或涉及 500 人以上之資料外洩事件，我們將在評估後三（3）個日曆天內通報新加坡個人資料保護委員會（PDPC），並儘速通知受影響個人以便其採取保護措施。

十三、兒童與家庭帳號

本服務支援母 / 子帳號與監護人陪同。子帳號之個人與健檢資料，僅於子帳號授權之範圍內，母帳號 / 監護人始得查看。若您為未成年人建立帳號或代為提供其個人資料，應確認已取得合法之同意或監護權限。

十四、Cookies

本網站使用 Cookie 及類似技術以維持您的登入狀態、改善服務品質及提供個人化體驗。您可透過瀏覽器設定拒絕 Cookie，但這可能影響部分功能之正常運作。

十五、政策變更

我們保留隨時修訂本隱私權政策之權利。任何變更將公佈於本頁面並更新生效日期；如有重大變更，我們將盡合理努力透過平台或電子郵件通知您。您在變更後繼續使用我們的服務，即表示接受更新後的政策。

十六、聯絡我們

您亦可參閱新加坡個人資料保護委員會（PDPC）網站，以瞭解更多關於 PDPA 下您的權利。