This Privacy Policy explains how Medifly collects, uses, shares, and protects your personal data when you use our platform and concierge service.
Medifly (“Medifly”, “we”, “us”) operates the Medifly platform and concierge service, which provides information about hospitals, doctors, and treatments and helps patients compare, match, and coordinate care, including across borders. This Privacy Policy explains how we collect, use, share, and protect personal data, in accordance with Indonesia’s Law No. 27 of 2022 on Personal Data Protection (the “PDP Law”) and other applicable laws.
Data controller: Medifly Pte. Ltd., a company incorporated in Singapore, 68 Circular Road, #02-01, Singapore 049422 (the “Controller”). General contact: contact@medifly.ai. Data protection contact: data@medifly.ai.
This Policy applies to individuals who use the Medifly website (medifly.ai), the AIRA AI assistant, WhatsApp and other messaging with our care team, and related services.
Medifly is operated by a company incorporated in Singapore and provides services to patients in Indonesia and other markets. Accordingly, this Policy and our processing of personal data are subject to Singapore’s Personal Data Protection Act (PDPA) and, for individuals in Indonesia, to Indonesia’s PDP Law, which applies to organisations outside Indonesia that offer services to or target individuals in Indonesia.
We aim to collect only what is needed to provide the service.
We rely on the individual’s consent, and for health information on explicit consent, obtained at the point of collection. Consent may be withdrawn at any time (see Section 11). Where permitted by the PDP Law, we may also rely on other lawful bases, such as performing a service the individual has requested, complying with legal obligations, or our legitimate interests, balanced against the individual’s rights.
We may share personal data with: partner hospitals and clinics selected by or relevant to the individual; service partners such as medical evacuation, travel, and accommodation providers when arranging those services; service providers (processors) acting on our behalf under contract, such as messaging, hosting, and analytics providers; and authorities where required by law. We do not sell personal data. Advertising and analytics partners (for example Google and Meta) may process technical data via cookies; we do not share health information with advertising partners.
Personal data — including health information — is transferred across borders in two ways. First, because Medifly is operated from Singapore, the personal data of individuals in Indonesia is transferred to Singapore, where it is processed by the Controller. Second, to arrange care, relevant personal data may be transferred to treating hospitals and service partners in destination countries such as Malaysia, Singapore, Thailand, and other destinations we add.
For each transfer of personal data outside Indonesia, including the transfer to Singapore described above, we rely on the individual’s explicit consent and take steps so that the recipient provides a level of protection at least equivalent to that required under the PDP Law, or is bound by appropriate and binding safeguards. Where practicable, the destination country and recipient are identified to the individual before the transfer.
We keep personal data only as long as necessary for the purposes described, or as required by law, after which it is deleted or anonymised. Enquiry and coordination records are retained for retention period; an individual may request earlier deletion (see Section 11).
We apply technical and organisational measures appropriate to the sensitivity of the data, including encryption in transit and at rest, access controls, and confidentiality obligations on staff and processors. No system is completely secure; we work to protect personal data and to respond to incidents, including notifying affected individuals and the relevant authority where required by law.
Subject to the PDP Law and its limits, individuals may: access their personal data; correct or update it; obtain information about how it is processed; end processing and request deletion; withdraw consent; object to certain processing; and obtain or transfer their data. To exercise these rights, contact data@medifly.ai. We respond within the timeframes required by law. Complaints may be made to the relevant personal data protection authority in Indonesia.
The website uses cookies and similar technologies for essential functionality and for analytics and marketing (for example Google Tag Manager and the Meta pixel). Non-essential cookies are used only with consent, which can be managed through cookie banner / settings. We take care that these tools are not configured to capture health information entered into forms or chats.
Our services are intended for adults. Where care involves a minor or a person who cannot give consent, a parent, guardian, or authorised representative must provide the consent and the relevant information on their behalf.
We may update this Policy from time to time. The current version and its date are posted on the website, and material changes are communicated as appropriate.
Medifly Pte. Ltd., 68 Circular Road, #02-01, Singapore 049422. Privacy enquiries and rights requests: contact@medifly.ai. Data protection contact: data@medifly.ai.