Data Protection Policy

Introduction

Pontis Medical’s Data Protection Policy (“DPP”) lays out your data protection rights, outlines how we collect, utilize and safeguard your personal information, and serves to inform you of our data handling practices. Pontis Medical Limited (Gibraltar) (“Pontis”) is dedicated to delivering telemedicine services whilst protecting your privacy. Pontis is the data controller of your personal data, and this Data Protection Policy outlines how we collect, utilize and safeguard the personal information you provide when using our website or engaging in telemedicine services with us.

In our capacity as a data controller, we hold responsibility for determining the purposes and methods of processing your personal data. This includes ensuring compliance with relevant data protection laws and regulations, such as the European Union’s General Data Protection Regulation (“GDPR”), and the United Kingdom’s Data Protection Act (2018) (“UK GDPR”).

Section Headings:

  1. What data do we collect?
  2. How do we collect your data?
  3. How do we use your data?
  4. How do we share your data?
  5. How do we store your data?
  6. What are your data protection rights?
  7. Sub-processors
  8. What are cookies?
  9. How do we use cookies?
  10. What types of cookies do we use?
  11. Changes to our DPP
  12. How to contact us
  13. How to contact the appropriate data protection authorities

 

What data do we collect?

Pontis collects various kinds of information to operate effectively and provide telemedicine services tailored to your needs. Regardless of the source, it is important to treat your personal information with care and to ensure you maintain your privacy.

We may collect the following personal information from you:

  • Name, gender, marital status, citizenship and date of birth: Basic demographic details necessary for identification and communication purposes.
  • Physical attributes, protected health information, and medical records: We recognize the sensitivity and importance of Protected Health Information (“PHI”) and sensitive health data. Any medical information provided is handled with the highest level of security and confidentiality in accordance with UK GDPR and GDPR requirements.
  • Contact information: Including email addresses, mailing addresses, telephone numbers and fax numbers, to facilitate communication and provide relevant updates.
  • Financial information: Such as payment card numbers and billing addresses, necessary for processing transactions securely and efficiently.
  • Government-issued IDs: Such as social security numbers (if provided), essential for identity verification and compliance with regulatory requirements.
  • Education, qualifications and previous experience for job applicants (as applicable): Necessary information for assessing eligibility and ensuring the provision of quality telemedicine services.

How do we collect your data?

At Pontis, safeguarding your privacy and ensuring compliance with stringent data protection laws, including UK GDPR, GDPR and other applicable data privacy regulations, is paramount.

We collect your data through various methods:

  1. Direct data collection

During your interaction with Pontis telemedicine services, you directly provide most of the information that we collect.

This may include, but is not limited to:

  • Personal information: Details provided during registration or consultation set up, including your name, contact information, and any other necessary information required for telemedicine services. This may include basic demographic details such as gender, marital status, citizenship, and date of birth, necessary for identification and communication purposes.
  • Health information and medical records: We may collect health-related data during telehealth consultations, including medical history, current symptoms, test results and other relevant medical information necessary for providing healthcare services remotely. The collection, storage and handling of medical information strictly adheres to UK GDPR regulations and GDPR guidelines to ensure confidentiality and protection of sensitive health data.
  • Voluntary information: Any other details voluntarily provided during the registration process or subsequent communications with Pontis, by email, phone call or chats. This may include information relevant to your health condition, concerns, or preferences discussed during telemedicine consultations.
  • Telemedicine consultations: The telemedicine consultation is conducted through an internet-based, secure video call platform, allowing the Pontis clinician to see your image on the screen and hear your voice.
  • Recording and use of consultation data: Subject to your express written consent in advance, the consultation may be viewed by medical and non-medical personnel for evaluation, research, education, quality or technical purposes.
  • Release of information: Subject to your express written consent in advance (except in cases of medical emergency), you authorize the release of your medical records and other relevant medical information as required by physicians, healthcare facilities, peer review organizations, or as otherwise may be mandated by law.
 
  2. Indirect data collection

In addition to direct interactions via our website and telemedicine services, Pontis may acquire data indirectly from various sources, in compliance with UK GDPR, GDPR and other applicable data privacy regulations.

This may include, but is not limited to:

  • Referral sources: This may encompass entities such as healthcare providers or partnering organizations, who may share information with us to ensure the provision of optimal healthcare services through Pontis.
  • Third-party integrations: We may collect data indirectly from third-party integrations or platforms that you have authorized to share data with us, such as wearable technologies or social media.
  • Publicly available information: We may gather information about you from publicly accessible sources, including professional networking sites or public databases to ensure the provision of quality telemedicine services.
  • Cookies and analytics technology: We may collect data indirectly through the use of cookies and tracking technologies on our website, which may gather information about your browsing behavior, preferences, and device characteristics.

 

How do we use your data?

We use your data for the following purposes, essential for fulfilling our contractual obligations and maintaining transparency:

  • Assessing healthcare needs: We review your medical history and relevant PHI to understand your healthcare requirements and ensure the provision of appropriate telemedicine services through Pontis.
  • Communication: We engage in communication with you regarding your healthcare needs, appointment scheduling, and other relevant matters pertaining to your engagement with Pontis.
  • Service improvement: We may use your data to monitor service usage patterns and identify areas for service improvement within Pontis. This helps us ensure that our telemedicine service is of consistently high quality.
  • Legal compliance: We may use your data to comply with legal obligations, such as responding to legal requests or court orders, or to investigate and prevent fraudulent or unlawful activities relating to Pontis services.
  • Data retention: We retain your data only for as long as is necessary to fulfill the purposes outlined in this DPP, or as required by law. Once the data is no longer needed it is securely disposed of or anonymized to prevent identification.

How do we share your data?

We adhere to strict protocols to ensure the protection of your sensitive information. This includes implementing contractual safeguards and obtaining your explicit consent when necessary, particularly when sharing sensitive information, such as PHI.

We may share your data with third parties for the following purposes:

  • Healthcare provision: Your medical information may be shared with healthcare providers or partnering organizations to facilitate the provision of telemedicine services through Pontis. This sharing is conducted in strict accordance with GDPR, UK GDPR and any other applicable data protection regulations, ensuring the confidentiality and security of your data.
  • Legal obligations: We may be required to disclose your data to comply with legal obligations, respond to lawful requests from government authorities, or protect the rights, assets or safety of Pontis or others. Any such disclosures are made in accordance with UK GDPR, GDPR and other applicable data protection regulations.

Any sharing of your data is strictly limited to the above purposes. The recipients are informed that all personal data shared with them must only be utilized for the purposes outlined above, and must be handled in accordance with UK GDPR and GDPR.

How do we store your data?

  • Data storage: To ensure that data is stored securely, we utilize industry-standard, regulation-compliant technology, ensuring that data is stored in full compliance with UK GDPR and GDPR requirements.
  • Data retention: We retain your data only for as long as is necessary to fulfill the purposes outlined in this DPP, or as required by law. Once the data is no longer needed it is securely disposed of or anonymized to prevent identification.
 

What are your data protection rights?

Like all data subjects, you are entitled to the following data protection rights:

  • The right to access: You have the right to request copies of your personal data from Pontis.
  • The right to rectification: You have the right to request that Pontis complete information you believe to be incomplete.
  • The right to erasure: You have the right to have Pontis erase your personal data.
  • The right to restrict processing: You have the right to request that Pontis restrict processing of your personal data under certain conditions. This includes the right to opt out of certain types of data processing, such as direct marketing.
  • The right to data portability: You have the right to request that Pontis transfer the data we have collected about you to another organization or directly to you.

If you would like to exercise any of these rights, please contact our data protection officer, John Howe, at john.howe@pontismedical.com. If you make such a request, please note that we have one month to respond to you.

Sub-processors

Pontis may engage third-party sub-processors to assist in the provision of healthcare services and the maintenance of our systems. These sub-processors may have access to personal data as part of the service delivery.

  • Cliniko Limited: Cliniko is an industry-leading, secure and regulation-compliant electronic medical record platform headquartered in Australia. Pontis clinicians provide telemedicine consultations through the video call functionality on the Cliniko platform, and record the medical aspects of the consultation in Cliniko’s secure electronic medical record system.
  • Stripe: Stripe is a market-leading secure payment platform which allows online payment from a wide range of credit and debit cards. Stripe may process personal data for the purpose of making payments and processing refunds.

Pontis maintains comprehensive agreements with all sub-processors to ensure the protection of personal data and compliance with applicable data protection laws.

What are cookies?

Cookies are small text files placed on your computer or device when you visit our website. Cookies are commonly used to collect standard internet log information and user behavior online. When you visit our website, we may collect information from you automatically through cookies or similar tracking technologies.

How do we use cookies?

Pontis uses cookies for the following purposes:

  • Website analytics: We use cookies to understand how you interact with our website, such as which pages you visit and how long you spend on each page. This helps us improve the performance and usability of each website.
  • Personalization: We may use cookies to remember your preferences and provide you with customized content and advertising based on your interests.
  • Performance monitoring: We may use cookies to monitor the performance of our website, including tracking error messages and page load times, to ensure optimal functionality and user experience.
  • Security: Cookies may be utilized to enhance the security of our website and detect any fraudulent or unauthorized activities.
  • Third-party integrations: We may use cookies in conjunction with third-party services and integrations to provide additional functionality or features on our website.

By using our website, you consent to the use of cookies as described in this notice. You can control and manage your cookie preferences through your browser settings. You can typically find your browser settings in the ‘options’ or ‘preferences’ menu of your browser. Please note that blocking certain types of cookies may impact your experience on our website.

What types of cookies do we use?

There are several different types of cookies, but on our website, we primarily use the following:

  • Functionality cookies: Pontis utilizes these cookies to recognize you on our website and remember your previously selected preferences. This may include language preferences and your geographic location. These cookies may be first-party or third-party cookies.
  • Advertising cookies: These cookies are used to collect information about your visit to our website, including the content you viewed, the links you followed, and information about your browser, device, and IP address. Pontis may share limited aspects of this data with third parties for advertising purposes. We may also share online data collected through cookies with our advertising partners. As a result, you may see targeted advertisements on other websites based on your browsing patterns on our website.
  • Analytics cookies: We use analytics cookies to gather information about how visitors use our website, such as which pages they visit most frequently, how long they spend on each page, and any error messages encountered. This data helps us analyze and improve the performance and usability of our website.

Changes to our DPP

Pontis keeps its DPP under regular review. This DPP was last updated on 5th February 2025.

How to contact us

If you have any questions about Pontis’ DPP, the data we hold about you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us:

Email: info@pontismedical.com

How to contact the appropriate data protection authorities

If you feel that Pontis has not addressed your concern in a satisfactory manner, you may contact the appropriate data protection authority.