
Privacy Policy

At Alkalma (“Company,” “we,” “our,” or “us”), we are committed to protecting the privacy of individuals who use our digital platforms, including but not limited to mobile applications, web portals, internal systems and websites (collectively, the “Services”). These Services are used to support healthcare operations such as tele-consultations, electronic medical record (EMR) access, patient engagement and related administrative workflows. This Privacy Policy explains how we collect, use, store, share and protect your personal and health information whenever you use our Services. It is designed to provide transparency and to ensure compliance with the applicable laws and regulations of both the United Arab Emirates (UAE) and the Kingdom of Saudi Arabia (KSA). By using our Services, you acknowledge that your information will be processed in accordance with this Privacy Policy and the applicable laws of these jurisdictions.

When you interact with our Services, we may collect and process different categories of information. This may include personal identification details such as your name, date of birth, gender, national identification (for example, Emirates ID, Iqama or passport) and contact information including mobile number, email address and residential address. We also collect login credentials such as usernames, passwords and multi-factor authentication tokens to ensure secure access. If you access healthcare functionality, our systems may process sensitive medical information such as patient identifiers, medical history, diagnoses, prescriptions, treatment plans, consultation notes, laboratory and radiology results, vaccination records, allergies, family medical history and appointment details. Technical information such as your device type, operating system, browser version, IP address, network provider, usage patterns, crash logs and performance metrics may also be collected automatically to ensure proper functionality and security of the Services. In addition, if you communicate with us through our helpdesk, email or within the Services, we may process copies of those communications, feedback, complaints and support logs.

We use the information we collect for a variety of purposes. First and foremost, we process your information to provide healthcare services such as account creation, secure login, tele-consultations, access to your EMR and management of appointments and reminders. We also process data to ensure compliance with UAE and KSA laws, including the UAE Federal Law No. 2 of 2019 on the Use of ICT in Healthcare, the UAE Personal Data Protection Law (PDPL), Abu Dhabi’s ADHICS standards and the Dubai Health Authority Health Data Law, as well as the Saudi PDPL, SeHE Policy, Ministry of Health (MOH) eHealth Guidelines and SDAIA/NDMO governance standards. Compliance activities include medical record retention, regulatory reporting and cooperation with regulators and law enforcement where legally mandated. We also use data to communicate with you, such as sending service notifications, policy updates or responding to support requests. In addition, information helps us maintain and improve the performance, quality and security of our Services, enabling fraud detection, monitoring of system performance, personalization of your experience and quality assurance in healthcare delivery.

Our legal basis for processing your information depends on the context. Much of our processing is necessary for the performance of a contract, such as delivering tele-consultations, providing access to your medical records and scheduling appointments. In many cases, we are also legally required to process data under UAE and KSA healthcare and data protection laws, which mandate secure storage, local residency of health data and long-term record retention. We may process information based on legitimate interests, for example, to improve security, prevent fraud or train staff, provided your rights are not overridden. In emergencies, we may process your data to protect vital interests, such as sharing limited health information with emergency responders. For some purposes, we rely on your explicit consent, including for optional features such as marketing communications, participation in surveys, location-based services or authorized cross-border transfers. Finally, in line with public interest in healthcare, we may process information to ensure quality and safety of care or to report notifiable diseases to health authorities.

We treat your data with strict confidentiality and share it only when necessary. Your health information is accessible only to licensed doctors, nurses and allied healthcare professionals directly involved in your care and to authorized administrative staff handling scheduling, billing or technical support under restricted access. We may also engage carefully selected third-party providers to support the Services, including hosting, IT maintenance and cloud infrastructure, but only within UAE or KSA based data centers unless explicit regulatory approval has been granted. Regulators and government authorities such as MOHAP, DOH, DHA, MOH, SDAIA and NDMO may receive data when required by law. In case of emergencies, limited information may be shared with hospitals or emergency responders to protect your vital interests. We do not sell, rent or trade your personal or health data. In some cases, we may use anonymized or aggregated data that cannot identify you for internal analytics, service improvement or public health reporting.

Your information is stored securely and in compliance with UAE and KSA residency requirements. Health data collected in the UAE is stored in UAE approved data centers, while data collected in the KSA is stored in KSA based secure hosting facilities. No health data is transferred outside the country of collection unless explicitly authorized by the competent authorities and subject to strong safeguards. All data is encrypted during transmission using TLS protocols and at rest using AES-256 encryption. Access is strictly role-based, protected by multi-factor authentication and logged for auditing purposes. Tele-consultations are conducted using encrypted channels and are not recorded unless required by law or with your explicit consent. Regular encrypted backups are maintained locally and disaster recovery measures are in place. Our systems are continuously monitored for threats and we maintain incident response procedures that include notifying users and regulators of data breaches in accordance with UAE PDPL and Saudi PDPL requirements.

As a user, you have rights regarding your personal and health information. You have the right to access your information, request corrections to inaccuracies, request restrictions on processing in certain cases and request portability of your data in a structured format. You may also object to non-essential processing such as marketing or analytics and withdraw consent where processing is based on consent. While you may request deletion of your personal data, healthcare regulations require that medical records be retained for legally mandated periods, often twenty-five years or longer and cannot be deleted earlier. You also have the right to file complaints with relevant regulators, such as the UAE Data Office, DOH, DHA or KSA authorities including SDAIA, NDMO and MOH. We respond to verified user requests within thirty days, extendable to sixty days for complex requests.

With respect to data transfers, our policy is to keep health data within the UAE or KSA by default, in line with national residency requirements. Limited exceptions may apply where regulators approve transfers, patient consent is obtained and adequate safeguards such as encryption and legal protections are in place. Examples include specialist consultations abroad, international research participation or emergency treatment overseas. Certain non-health technical data, such as crash logs or notification tokens, may be processed outside the UAE or KSA by service providers like Apple or Google, but always under equivalent protection levels. If we introduce cross-border transfers in the future, we will update this Privacy Policy, notify users and provide full details of the purpose, legal basis and safeguards applied.

We may update this Privacy Policy from time to time to reflect changes in law, regulatory guidance or our practices. Updates will be published on our website and across our digital platforms and continued use of our Services after such updates will be treated as acceptance of the revised policy.

If you have any questions, concerns or complaints about this Privacy Policy or the way your information is processed, you may contact us at ithelpdesk@alkalmaholding.com or write to us at our office in Abu Dhabi, United Arab Emirates.

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.