Privacy Policy

Aster DM Healthcare and its group of companies (hereinafter referred to as “Aster DM Healthcare,” “us,” “we,” or “our”) a Free Zone Company registered with Hamriyah Free Zone Authority, Sharjah and having its communication address at Office No. 3301, 33^rd Floor, Aspect Tower-D, Business Bay, PO Box 8703, Dubai, UAE registered office is the “Data Controller” in respect of your Personal Information. We are engaged in providing quality healthcare services from primary to quaternary with an extensive network of hospitals, clinics, diagnostics labs and pharmacies. 

We are committed to respecting your privacy and we strive to take due care and protection of the information we possess, receive, and process regarding people associated with us (the User). In this regard, we adhere to the various governing laws, statutes, and regulations across geographies where Aster operates (refer to Annexure-1). This Privacy (“Policy”) applies to the collection, storage, processing, disclosure, and transfer of Personally Identifiable Information (defined below), particularly when you access the websites and microsites operated by Aster for any information or services (“Services”). The terms ‘you’ or ‘your’ refer to you as the User (registered or unregistered) of the website and/or Services.

Data Subject

• This Policy applies to Users as Data Subjects including but not limited to patients, job applicants, volunteers, Very Important Persons (where applicable), etc. 
• Very Important persons include Senior visitors (leaders and heads of state), Foreign ministers during their visit to the UAE, Ambassadors and Delegates in the UAE, Ministers and Undersecretaries of the Ministry of the UAE, Chairmen and Undersecretaries of the government departments of the UAE, Royals and crown princes of the UAE and other Emirates including their immediate family members (wives, sons, daughters, brothers and sisters), Al Nahyan and Al Maktoum family members, Members with prefix “Sheikh” or “Sheikha” in their official identity, Members with prefix “High Excellence” or “Her Excellence” in their official identity.
• VIP Patient means A Patient identified by the ADHIE Operator as a VIP who receives or has received healthcare services in the Emirate of Abu Dhabi and in respect of whom there are increased levels of control over access to that Patient's Data.

1. How and when we collect your Personal Information

We collect your ‘Personal Information’ directly from you, from third parties and automatically through our website. This Personal Information, for instance, would include but is not limited to the type of device you are using, the time that you logged on to our website, your IP address, Cookies and other Personal Information as listed below.  Personal Information means any information that relates to a natural person, which either directly or indirectly, in combination with other information available is capable of identifying such person. Personal Information shall have the meaning ascribed to “Personally Identifiable Information,” “Personal Data,” or equivalent terms as such terms are defined under Data Protection Laws.  Personal Information encompasses both Sensitive Personal Data and Patient Health Information.

Information from Third-Party Services

If you access the services from an advertisement on a third-party website, application, or other service (a “Third-Party Service”) we may receive information from the owner of the Third-Party Service related to you or that advertisement.

Personal Information Collected

The kinds of information that we collect about you include but are not limited to the following:

A. If you are a Patient:

• Patient/Caregiver/Doctor/Health Care Professional Name,
• Birth date/age,
• Gender,
• Address (including country and pin/postal code),
• Phone number/mobile number,
• Email address,
• Physical, physiological, and mental health conditions, provided by you and/ or your Health Care Professional,
• Personal medical records and history,
• Valid financial information at the time of purchase of product/service and/or online payment,
• Login ID and password,
• User details as provided at the time of registration or thereafter,
• Records of interaction with Aster representatives,
• Usage details such as time, frequency, duration and pattern of use, features used and the amount of storage used,
• Master and transaction data and Email, Phone, lab reports, appointment details, order details, prescriptions, etc. stored in your User account,
• Any other information that is willingly shared by you (collectively referred to as “Personal Information”),
• Biometrics data,
• Genetic Data,
• Transgender Status,
• Intersex Status,
• Caste or Tribe,
• Religious or political belief or affiliation
• Sexual orientation,
• Marital status,
• Citizenship status,
• Family Personal Information (as the need may be) (collectively referred to as “Sensitive Personal Information”).
• Login and authentication information
• Online profile information
• Online activity
• Purchasing information
• Payment information, methods, and history
• Information about the device(s) you use
• Information about service usage

B. If you are a job applicant 

• Name or alias, 
• Gender, 
• Passport number, 
• Government IDs such as Emirates ID, 
• Date of birth, 
• Age, 
• Nationality, 
• Country and city of birth, 
• Photographs,
• Mailing address, 
• Telephone numbers, 
• Email address and other contact details,
• Resume, 
• Educational qualifications,
• Professional qualifications and certifications
• Employment and/or character references,
• Employment and training history,
• Criminal records,
• Details related to credentialing and privileging for doctors, nursing staff and pharmacists,
• Work-related health issues and disabilities,
• List of qualified dependents(s) including their pertinent information
• Family background for your next-of-kin and list of qualified dependent/s including their pertinent information,
• Results of exams and other diagnostic test/s for aptitude, IQ, behaviour, DHA /MOH eligibility (for GCC) etc.

C. If you are an Employee

• Name
• Age
• Date of Birth
• Gender 
• Address (Including country and pin/postal code)
• Phone number/mobile number
• Email address
• Physical, physiological, and mental health conditions, provided by you and/ or your Health Care Professional, Prescriptions
• Health data, Personal medical records, Diagnostic reports and medical history
• Login ID and password
• Usage details such as time, frequency, duration and pattern of use, features used and the amount of storage used
• Biometrics data
• Transgender Status
• Caste or Tribe
• Sexual orientation
• Religion
• Marital status
• Citizenship status
• Family Personal Information 
• Passport details
• Emirates ID and other Govt. ID
• Photographs, videography and digital images
• Resume
• Criminal Records
• Work-related health issues and disabilities
• UHDI
• Insurance details, Previous insurer and policy expiry date, Details of critical illness of employee and family members, if included in insurance, prescriptions, personal medical records and history.
• Tax details
• Employee identification number
• Details of educational qualifications, qualification country, professional qualifications, certifications, current or previous employer full name.

D. If you are a student or enrolled on any of the training programs run by Aster Group/ Aster Academy:

1. Information you provide during your application for admission:

• Personal contact information such as name, email address, telephone number, and other contact details
• Academic qualifications
• Performance, etc.

2. Information we acquire or generate upon enrollment and during your association with us:

• Academic or curricular undertakings
• Enrolled classes and scholastic performance
• Attendance record
• Co-curricular and extra-curricular activities

E. If you are CSR volunteers:

• Name
• Email ID 
• Government ID
• Phone number. 
• Address 
• Date of Birth  

F. If you are a Director or Shareholder:

• Personally Identifiable Information or Personal Data: Name, surname, address, telephone number, email address, date of birth, taxpayer identification number, national identification number.
• Financial information: Bank account details, shareholder registration number, number of shares.
• Health information: Health information relevant to the activities you attend, including food allergies and drug allergy information.
• CCTV Recording: Video recording by means of closed-circuit television (CCTV) for security purposes.
• Payment Information: Information related to payments, such as account numbers.

What does not include Personal Information?

• De-identified or anonymized information (i.e., information about you where information that can be used to identify an individual has been removed permanently).
• Aggregated consumer information (i.e., information taken from many people’s data and combined into anonymous groups or categories).
• General business contact information that does not identify an individual.
• The Personal Data you share voluntarily. 

2. How we collect Personal Information

The methods by which we collect your Personal Information include but are not limited to the following:

• When you fill out the patient registration form,
• When you provide details to an Aster Health Care Professional or Aster representative,
• When you register on our website, use our App, or our Chatbot,
• When you provide your Personal Information to us during the course of receiving our Services,
• When you visit our facilities, via CCTVs.
• When you apply for a job using our job portal,
• When you use the features on our website,
• When you provide access to any other website,
• By the use of cookies (more fully detailed in Section 6 of this Policy).

3. Use of Personal Information and Legal Basis for Processing of Personal Information:

Your Personal Information may be used or processed for various purposes including but not limited to the following:

• To provide effective Services,
• To operate and improve the website and/or our Services,
• To perform studies, research, and analysis for improving our information, Services, and technologies and ensuring that the content displayed is customized to your interests and preferences,
• To contact you via phone, SMS, WhatsApp or email for appointments, technical issues, payment reminders, deals and offers and other announcements,
• To offer you medical tourism and other services via email and mobile number and via using SMS and WhatsApp. 
• To send promotional communications via SMS, WhatsApp, email, and other channels, and to support related services such as customer support, marketing, analytics, advertising, and performance tracking etc.
• To carry out insurance-related purposes, including claims processing, verification, and billing,
• To advertise the products and Services of Aster and its third parties,
• To transfer information about you if we are acquired by or merged with another company,
• To share with our business partners for provision of specific Services you have ordered so as to enable them to provide effective Services to you,
• To administer or otherwise carry out our obligations in relation to any agreement you have with us,
• To build your profile on our website,
• To respond to subpoenas, court orders, or legal processes, or to establish or exercise our legal rights or defend against legal claims; and
• To investigate, prevent, or act regarding illegal activities, suspected fraud, violations of our terms of use, Breach of our agreement with you or as otherwise required by law,
• To aggregate Personal Information for research, statistical analysis, and business intelligence purposes, or otherwise transfer such research, statistical or intelligence data in an aggregated or non-personally identifiable form to third parties and affiliates, (referred to as “Purpose(s)”).

If you are a job applicant, your Personal Data will be collected and used by the Company for the following purposes, and we may disclose your Personal Data to third parties where necessary for the following purposes:

• Assessing and evaluating your suitability for employment in any current or prospective position within the organization; and
• Verifying your identity and the accuracy of your personal details and other information provided.

Legal Basis Processing of Your Personal Information 

We will only process your Personal Information where we have a legal basis to do so. The legal basis will depend on the purposes for which we have collected and use your Personal Information. In almost every case, the legal basis will be one of the following:

1. Consent: For example, where you have provided your Consent to receive certain marketing/promotional messages from us or where you have provided your explicit Consent for us to process your data during live telemedicine consultation services under tele-Medcare. 
2. Our legitimate interest: Where it is necessary for us to understand our customers, promote our services, and effectively provide services, provided in each case that this is done in a legitimate way that does not duly affect your privacy and other rights. 
3. Compliance with law/agreement: Where we are subject to a legal obligation and need to use your Personal Information in order to comply with that obligation. For example, when you may purchase products/services from us, or book appointments we need to use your contact details and payment information in order to process your order. 
4. Vital Interests: In some limited cases, we may need to process your Personal Information where it is necessary to protect your vital interests or the vital interests of another person. 

We will always take steps to ensure that the processing of your Personal Information is fair and lawful and that it does not unduly affect your privacy.

 Purpose Mapping

4. Your Control over your Personal Information

We will respect your legal rights in relation to your Personal Data. Aster is committed to protecting them and ensuring compliance if you wish to exercise any of the rights under the respective privacy laws. You must submit the Data Subject Request through email at [email protected] and fill the Data Subject Request Form (link to be added here). The request will be processes in accordance with the Aster’s Data Subject Rights Procedure. 

Please note that if as per regulation it is required to pay a reasonable fee for an access request, we will inform you of the fee before processing your request.

We will respond to your request as soon as reasonably possible and/or as per the applicable timeframes laid down by the respective privacy laws/regulations. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing of the same as soon as practically possible. 

Please note that depending on the request that is being made, we will only need to provide you with access to the Personal Information contained in the documents requested, and not to the entire documents themselves. For example, the Company may not be obliged to provide the employee with access to the disciplinary records, investigation reports, or decisions to terminate, that the organization has created for evaluative and/or investigative purposes of the employee.

You have the right to withdraw your Consent at any point, provided such withdrawal of the Consent is intimated to us in writing through an email at [email protected] requesting the same. Once you withdraw your Consent to share the Personal Information collected by us, we shall have the option not to fulfil the purposes for which the said Personal Information was sought, and we may restrict you from using our Services or the website or parts of it as the case may be.

Data Subject Rights

Withdrawing Consent:

• The Consent that you provide for the collection, use and disclosure of your Personal Information will remain valid until such time it is withdrawn by you by submitting your request in writing or via email to [email protected] or in accordance with the applicable legal requirements. 
• Upon receipt of your written request to withdraw Consent, we may require a reasonable period of time to process your request subject to applicable governing laws, statutes, and regulations. We will notify you of any consequences of granting your request, including any legal implications that may affect your rights and obligations with respect to us.
• While we respect your decision to withdraw Consent, please be advised that, depending on the nature and scope of your request, we may be unable to process your request subject to applicable governing laws, statutes, and regulations. In such instances, we will notify you prior to completing the processing of your request, as outlined above. 
• Please note that withdrawing Consent does not affect our right to continue collecting, using, and disclosing your Personal Information where such activities are permitted or required under applicable laws, even without Consent.

Exceptions where Data Subject Requests can be denied

Where any request is refused by DPO/Designated Team in accordance with the internal Data Subject Rights Procedure, it shall provide the Data Subject the reasons in writing for such refusal and shall inform the Data Subject regarding the right to file a complaint with the Authority against the refusal, within such period and in such manner as may be specified by regulations.

5. Sharing and Transferring of Personal Information

• Aster complies with applicable laws and take necessary precautions before sharing your data. Aster enters into data-sharing agreements, implementing technical and organizational safeguards, ensuring transferees adhere to this policy. Additionally, we assess the data protection standards of any country before sharing your Personal Data with cloud providers, affiliates, agents, third-party service providers, partners, authorities, banks, or financial institutions. 

• By Consenting to share your Personal Data, you authorize Aster to transfer or share it across borders with cloud providers, affiliates, agents, insurance providers, third-party service providers, partners, authorities, banks, financial institutions, or for marketing purposes, as necessary to provide services or in compliance with applicable laws.

• We may share your information with authorized third-party vendors and service providers that help us with specialized services, including customer service, email deployment, business analytics, marketing (including but not limited to advertising, attribution, deep-linking, direct mail, mobile marketing, optimization and retargeting) advertising, performance monitoring, hosting, and data processing. These authorized third-party vendors are subject to risk assessment test and will not use your information for purposes other than those related to the services they are providing to us. All such data sharing is conducted in accordance with applicable data localization requirements, security protocols, and applicable regulatory standards.

• If you choose to engage in public activities on the third-party sites that we link to, you should be aware that any information you share there can be read, collected, or used by other users of these sites and forums. You should use caution in disclosing personal information while participating in these areas. We are not responsible for the information you choose to submit in public areas.

• Please note that, in line with regulatory requirements and basis your consent, all health-related data is securely shared with government-mandated Health Information Exchanges (HIEs) such as NABIDH, RIAYATI, MALAFFI, and other applicable platforms to support better care coordination and public health outcomes.

• Aster adheres to data localization principles where required by law, ensuring Personal Data is stored within the same jurisdiction as it is collected. However, in certain cases—such as with Patient Health Information where authorized by the User or with approval from relevant health authorities—data may be transferred outside the jurisdiction.

A Data Processor shall only disclose the Personal Data to a Third Party on documented instructions from the Data Controller. The Federal Law No. 2 of 2019 (Health Data Law) by default prohibits the transfer, storage, generation or processing of Patient Health Information that relates to health services. The UAE's Ministry of Health and Prevention (MoHAP) Resolution 51/2021 relaxed the relaxes the data transfer restriction for certain types of processing operation, namely. 

1. Overseas treatment
2. Medical testing
3. Scientific research
4. Insurance claims and coverage
5. Organisations cooperating with the UAE Government or its institutions
6. Wearables and healthcare monitoring devices
7. Pharmacovigilance reporting
8. Data approved by a health authority
9. Telemedicine
10. Formal request

Exceptions

There are certain exceptions under which Patient Health Information can be transferred or shared outside the country of collection, by virtue of a decision issued by the Federal or local governmental Health authority in the State and after getting approval from the Dubai Health Authority or any other Authority wherever applicable. Such exceptions include, but are not limited to:

• Matters of public interest
• Information that is already publicly available
• Medical diagnosis, the provision of healthcare or social care, treatment, or health insurance services
• Protection of the Data Subject’s vital interests
• Compliance with legal obligations or the exercise of established rights in the areas of employment, social security, or social protection laws, as permitted under applicable legislation
• Establishment, exercise, or defense of legal claims, including international judicial cooperation
• Execution of a contract that serves the Data Subject’s interests.

6. Use of Cookies

1. Cookies are small bits of data cached in a user’s browser. Aster utilises cookies to determine whether or not you have visited the home page in the past. However, no other user information is gathered. Aster may use non-personal "aggregated data" to enhance the operation of our website or analyse interest in the areas of our website. 
2. If you would like to find out more about cookies, including how we use them and what choices are available to you, please refer to our Cookie Policy.
3. You may also be able to control or limit the collection of this technical data through your browser or device settings.

7. Security

The security of your Personal Information is important to us. We have adopted and maintained reasonable technical and organizational security measures and procedures including rigorous third-party risk assessments, strong access controls and information sharing on a need-to-know basis, encryption of Personal Data, secure storage of Personal Data, rapid data Breach management procedures, etc. to ensure that the Personal Information collected is secure at rest and in transit. We restrict access to your Personal Information to our and our affiliates’ employees, agents, third-party service providers, partners, and agencies on a need-to-know basis and absolutely limited to the purposes as specified above in this Policy.

8. Third Party references and Links

• During Your interactions with us, it may happen that we provide/include reference to third parties or fiduciaries, and/or links and hyperlinks to third-party websites. It may also happen that you include links and hyperlinks to third-party websites. The reference of such third parties or listing of such third-party external sites (by you or by us) does not imply endorsement of such party or site by Aster. Such third parties and third-party sites are governed by their own terms and conditions and have their own privacy Policies. We do not make any representations regarding the availability and performance of any of the third parties or third-party sites. We are not responsible for the content, terms of use, privacy policies and practices of such third-party websites.
• Do-not-track requests: There is no standard for how online service should respond to “Do Not Track” signals or other mechanisms that may allow you to opt out of the collection of information across networks of websites and online Services. Therefore, we do not honor “Do Not Track” signals. As standards develop, we will revisit this issue and update this Policy if our practices change.

9. Children’s Privacy

We understand the importance of taking extra precautions to protect the privacy and safety of children using our website or Services. Minors are not permitted to use the website or services, and we request that minors under the age of 18 not submit any Personal Information to the website. Since information regarding minors under the age of 18 is not collected, we do not knowingly distribute Personal Information regarding minors under the age of 18. By accessing this website, you affirm and guarantee that you are 18 years of age or older.

We hold no liability for any unsolicited information provided by you, and you Consent to the usage of such information in accordance with this Privacy Policy.  If we become aware that a person submitting Personal Data is under 18, we will delete all the information as soon as possible unless it is with the Consent and involvement of a parent or guardian. If you believe we might have any information from or about a child under 18, please contact us at email lD: [email protected]

10. Term of storage of Personal Information

Aster will retain your personal information for as long as necessary, in accordance with the required timeframe and in compliance with the internal data retention policy.

11. International Users and Personal Data

We welcome users from around the world and are committed to respecting their privacy. We encourage them to visit Aster Medical Travel on (https://astermedicaltravel.ae) for more details on how we handle their Personal Data.

12. Modifications Of the Privacy Policy

We reserve the right to change this Policy from time to time to meet the requirements and standards. We will not reduce your rights under this Policy without your explicit Consent. If changes are significant, we will provide a more prominent notice (including, for certain Services, email notification of Policy changes).  Therefore, customers are encouraged to frequently visit these sections in order to be updated about the changes on the website.

Modifications will be effective on the day they are posted and the date of this Privacy Policy of when it was last updated will appear at the top of this document

13. Contact Us

If you have any questions regarding this Privacy Notice, you may contact our Group Data Protection Officer:

DPO Details: [email protected] 

Contact No.- +971565037221

Or you can write to us/post at:

The Data Protection Officer,

Aster DM Healthcare Limited.

Official Address: 33rd Floor - Aspect Tower, Business Bay, P.O. Box: 8703 - Dubai - U.A.E

If you have any questions, concerns, or complaints regarding our compliance with the data protection laws, or if you wish to exercise your rights, we encourage you to first contact us. We will investigate and attempt to resolve complaints and disputes and will make every reasonable effort to honour your wish to exercise your rights as quickly as possible and, in any event, within the timescales provided by data protection laws.

Annexure 1

We collect your ‘Personal Information’ directly from you, from third parties and automatically through our website. This Personal Information, for instance, would include but is not limited to the type of device you are using, the time that you logged on to our website, your IP address, Cookies and other Personal Information as listed below.  Personal Information means any information that relates to a natural person, which either directly or indirectly, in combination with other information available is capable of identifying such person. Personal Information shall have the meaning ascribed to “Personally Identifiable Information,” “Personal Data,” or equivalent terms as such terms are defined under Data Protection Laws.  Personal Information encompasses both Sensitive Personal Data and Patient Health Information.

Information from Third-Party Services

If you access the services from an advertisement on a third-party website, application, or other service (a “Third-Party Service”) we may receive information from the owner of the Third-Party Service related to you or that advertisement.

Personal Information Collected

The kinds of information that we collect about you include but are not limited to the following:

A. If you are a Patient:

• Patient/Caregiver/Doctor/Health Care Professional Name,
• Birth date/age,
• Gender,
• Address (including country and pin/postal code),
• Phone number/mobile number,
• Email address,
• Physical, physiological, and mental health conditions, provided by you and/ or your Health Care Professional,
• Personal medical records and history,
• Valid financial information at the time of purchase of product/service and/or online payment,
• Login ID and password,
• User details as provided at the time of registration or thereafter,
• Records of interaction with Aster representatives,
• Usage details such as time, frequency, duration and pattern of use, features used and the amount of storage used,
• Master and transaction data and Email, Phone, lab reports, appointment details, order details, prescriptions, etc. stored in your User account,
• Any other information that is willingly shared by you (collectively referred to as “Personal Information”),
• Biometrics data,
• Genetic Data,
• Transgender Status,
• Intersex Status,
• Caste or Tribe,
• Religious or political belief or affiliation
• Sexual orientation,
• Marital status,
• Citizenship status,
• Family Personal Information (as the need may be) (collectively referred to as “Sensitive Personal Information”).
• Login and authentication information
• Online profile information
• Online activity
• Purchasing information
• Payment information, methods, and history
• Information about the device(s) you use
• Information about service usage

B. If you are a job applicant 

• Name or alias, 
• Gender, 
• Passport number, 
• Government IDs such as Emirates ID, 
• Date of birth, 
• Age, 
• Nationality, 
• Country and city of birth, 
• Photographs,
• Mailing address, 
• Telephone numbers, 
• Email address and other contact details,
• Resume, 
• Educational qualifications,
• Professional qualifications and certifications
• Employment and/or character references,
• Employment and training history,
• Criminal records,
• Details related to credentialing and privileging for doctors, nursing staff and pharmacists,
• Work-related health issues and disabilities,
• List of qualified dependents(s) including their pertinent information
• Family background for your next-of-kin and list of qualified dependent/s including their pertinent information,
• Results of exams and other diagnostic test/s for aptitude, IQ, behaviour, DHA /MOH eligibility (for GCC) etc.

C. If you are an Employee

• Name
• Age
• Date of Birth
• Gender 
• Address (Including country and pin/postal code)
• Phone number/mobile number
• Email address
• Physical, physiological, and mental health conditions, provided by you and/ or your Health Care Professional, Prescriptions
• Health data, Personal medical records, Diagnostic reports and medical history
• Login ID and password
• Usage details such as time, frequency, duration and pattern of use, features used and the amount of storage used
• Biometrics data
• Transgender Status
• Caste or Tribe
• Sexual orientation
• Religion
• Marital status
• Citizenship status
• Family Personal Information 
• Passport details
• Emirates ID and other Govt. ID
• Photographs, videography and digital images
• Resume
• Criminal Records
• Work-related health issues and disabilities
• UHDI
• Insurance details, Previous insurer and policy expiry date, Details of critical illness of employee and family members, if included in insurance, prescriptions, personal medical records and history.
• Tax details
• Employee identification number
• Details of educational qualifications, qualification country, professional qualifications, certifications, current or previous employer full name.

D. If you are a student or enrolled on any of the training programs run by Aster Group/ Aster Academy:

     1. Information you provide during your application for admission:

• Personal contact information such as name, email address, telephone number, and other contact details
• Academic qualifications
• Performance, etc.

     2. Information we acquire or generate upon enrollment and during your association with us:

• Academic or curricular undertakings
• Enrolled classes and scholastic performance
• Attendance record
• Co-curricular and extra-curricular activities

E. If you are CSR volunteers:

• Name
• Email ID 
• Government ID
• Phone number. 
• Address 
• Date of Birth  

F. If you are a Director or Shareholder:

• Personally Identifiable Information or Personal Data: Name, surname, address, telephone number, email address, date of birth, taxpayer identification number, national identification number.
• Financial information: Bank account details, shareholder registration number, number of shares.
• Health information: Health information relevant to the activities you attend, including food allergies and drug allergy information.
• CCTV Recording: Video recording by means of closed-circuit television (CCTV) for security purposes.
• Payment Information: Information related to payments, such as account numbers.

 What does not include Personal Information?

• De-identified or anonymized information (i.e., information about you where information that can be used to identify an individual has been removed permanently).
• Aggregated consumer information (i.e., information taken from many people’s data and combined into anonymous groups or categories).
• General business contact information that does not identify an individual.
• The Personal Data you share voluntarily. 

The methods by which we collect your Personal Information include but are not limited to the following:

• When you fill out the patient registration form,
• When you provide details to an Aster Health Care Professional or Aster representative,
• When you register on our website, use our App, or our Chatbot,
• When you provide your Personal Information to us during the course of receiving our Services,
• When you visit our facilities, via CCTVs.
• When you apply for a job using our job portal,
• When you use the features on our website,
• When you provide access to any other website,
• By the use of cookies (more fully detailed in Section 6 of this Policy).

Your Personal Information may be used or processed for various purposes including but not limited to the following:

• To provide effective Services,
• To operate and improve the website and/or our Services,
• To perform studies, research, and analysis for improving our information, Services, and technologies and ensuring that the content displayed is customized to your interests and preferences,
• To contact you via phone, SMS, WhatsApp or email for appointments, technical issues, payment reminders, deals and offers and other announcements,
• To offer you medical tourism and other services via email and mobile number and via using SMS and WhatsApp. 
• To send promotional communications via SMS, WhatsApp, email, and other channels, and to support related services such as customer support, marketing, analytics, advertising, and performance tracking etc.
• To carry out insurance-related purposes, including claims processing, verification, and billing,
• To advertise the products and Services of Aster and its third parties,
• To transfer information about you if we are acquired by or merged with another company,
• To share with our business partners for provision of specific Services you have ordered so as to enable them to provide effective Services to you,
• To administer or otherwise carry out our obligations in relation to any agreement you have with us,
• To build your profile on our website,
• To respond to subpoenas, court orders, or legal processes, or to establish or exercise our legal rights or defend against legal claims; and
• To investigate, prevent, or act regarding illegal activities, suspected fraud, violations of our terms of use, Breach of our agreement with you or as otherwise required by law,
• To aggregate Personal Information for research, statistical analysis, and business intelligence purposes, or otherwise transfer such research, statistical or intelligence data in an aggregated or non-personally identifiable form to third parties and affiliates, (referred to as “Purpose(s)”).

If you are a job applicant, your Personal Data will be collected and used by the Company for the following purposes, and we may disclose your Personal Data to third parties where necessary for the following purposes:

• Assessing and evaluating your suitability for employment in any current or prospective position within the organization; and
• Verifying your identity and the accuracy of your personal details and other information provided.

Legal Basis Processing of Your Personal Information 

We will only process your Personal Information where we have a legal basis to do so. The legal basis will depend on the purposes for which we have collected and use your Personal Information. In almost every case, the legal basis will be one of the following:

1. Consent: For example, where you have provided your Consent to receive certain marketing/promotional messages from us or where you have provided your explicit Consent for us to process your data during live telemedicine consultation services under tele-Medcare. 
2. Our legitimate interest: Where it is necessary for us to understand our customers, promote our services, and effectively provide services, provided in each case that this is done in a legitimate way that does not duly affect your privacy and other rights. 
3. Compliance with law/agreement: Where we are subject to a legal obligation and need to use your Personal Information in order to comply with that obligation. For example, when you may purchase products/services from us, or book appointments we need to use your contact details and payment information in order to process your order. 
4. Vital Interests: In some limited cases, we may need to process your Personal Information where it is necessary to protect your vital interests or the vital interests of another person. 

We will always take steps to ensure that the processing of your Personal Information is fair and lawful and that it does not unduly affect your privacy.

 Purpose Mapping

We will respect your legal rights in relation to your Personal Data. Aster is committed to protecting them and ensuring compliance if you wish to exercise any of the rights under the respective privacy laws. You must submit the Data Subject Request through email at [email protected] and fill the Data Subject Request Form (link to be added here). The request will be processes in accordance with the Aster’s Data Subject Rights Procedure. 

Please note that if as per regulation it is required to pay a reasonable fee for an access request, we will inform you of the fee before processing your request.

We will respond to your request as soon as reasonably possible and/or as per the applicable timeframes laid down by the respective privacy laws/regulations. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing of the same as soon as practically possible. 

Please note that depending on the request that is being made, we will only need to provide you with access to the Personal Information contained in the documents requested, and not to the entire documents themselves. For example, the Company may not be obliged to provide the employee with access to the disciplinary records, investigation reports, or decisions to terminate, that the organization has created for evaluative and/or investigative purposes of the employee.

You have the right to withdraw your Consent at any point, provided such withdrawal of the Consent is intimated to us in writing through an email at [email protected] requesting the same. Once you withdraw your Consent to share the Personal Information collected by us, we shall have the option not to fulfil the purposes for which the said Personal Information was sought, and we may restrict you from using our Services or the website or parts of it as the case may be.

Data Subject Rights

Withdrawing Consent:

• The Consent that you provide for the collection, use and disclosure of your Personal Information will remain valid until such time it is withdrawn by you by submitting your request in writing or via email to [email protected] or in accordance with the applicable legal requirements. 
• Upon receipt of your written request to withdraw Consent, we may require a reasonable period of time to process your request subject to applicable governing laws, statutes, and regulations. We will notify you of any consequences of granting your request, including any legal implications that may affect your rights and obligations with respect to us.
• While we respect your decision to withdraw Consent, please be advised that, depending on the nature and scope of your request, we may be unable to process your request subject to applicable governing laws, statutes, and regulations. In such instances, we will notify you prior to completing the processing of your request, as outlined above. 
• Please note that withdrawing Consent does not affect our right to continue collecting, using, and disclosing your Personal Information where such activities are permitted or required under applicable laws, even without Consent.

Exceptions where Data Subject Requests can be denied

Where any request is refused by DPO/Designated Team in accordance with the internal Data Subject Rights Procedure, it shall provide the Data Subject the reasons in writing for such refusal and shall inform the Data Subject regarding the right to file a complaint with the Authority against the refusal, within such period and in such manner as may be specified by regulations.

• Aster complies with applicable laws and take necessary precautions before sharing your data. Aster enters into data-sharing agreements, implementing technical and organizational safeguards, ensuring transferees adhere to this policy. Additionally, we assess the data protection standards of any country before sharing your Personal Data with cloud providers, affiliates, agents, third-party service providers, partners, authorities, banks, or financial institutions. 

• By Consenting to share your Personal Data, you authorize Aster to transfer or share it across borders with cloud providers, affiliates, agents, insurance providers, third-party service providers, partners, authorities, banks, financial institutions, or for marketing purposes, as necessary to provide services or in compliance with applicable laws.

• We may share your information with authorized third-party vendors and service providers that help us with specialized services, including customer service, email deployment, business analytics, marketing (including but not limited to advertising, attribution, deep-linking, direct mail, mobile marketing, optimization and retargeting) advertising, performance monitoring, hosting, and data processing. These authorized third-party vendors are subject to risk assessment test and will not use your information for purposes other than those related to the services they are providing to us. All such data sharing is conducted in accordance with applicable data localization requirements, security protocols, and applicable regulatory standards.

• If you choose to engage in public activities on the third-party sites that we link to, you should be aware that any information you share there can be read, collected, or used by other users of these sites and forums. You should use caution in disclosing personal information while participating in these areas. We are not responsible for the information you choose to submit in public areas.

• Please note that, in line with regulatory requirements and basis your consent, all health-related data is securely shared with government-mandated Health Information Exchanges (HIEs) such as NABIDH, RIAYATI, MALAFFI, and other applicable platforms to support better care coordination and public health outcomes.

• Aster adheres to data localization principles where required by law, ensuring Personal Data is stored within the same jurisdiction as it is collected. However, in certain cases—such as with Patient Health Information where authorized by the User or with approval from relevant health authorities—data may be transferred outside the jurisdiction.

A Data Processor shall only disclose the Personal Data to a Third Party on documented instructions from the Data Controller. The Federal Law No. 2 of 2019 (Health Data Law) by default prohibits the transfer, storage, generation or processing of Patient Health Information that relates to health services. The UAE's Ministry of Health and Prevention (MoHAP) Resolution 51/2021 relaxed the relaxes the data transfer restriction for certain types of processing operation, namely. 

1. Overseas treatment
2. Medical testing
3. Scientific research
4. Insurance claims and coverage
5. Organisations cooperating with the UAE Government or its institutions
6. Wearables and healthcare monitoring devices
7. Pharmacovigilance reporting
8. Data approved by a health authority
9. Telemedicine
10. Formal request

Exceptions

There are certain exceptions under which Patient Health Information can be transferred or shared outside the country of collection, by virtue of a decision issued by the Federal or local governmental Health authority in the State and after getting approval from the Dubai Health Authority or any other Authority wherever applicable. Such exceptions include, but are not limited to:

• Matters of public interest
• Information that is already publicly available
• Medical diagnosis, the provision of healthcare or social care, treatment, or health insurance services
• Protection of the Data Subject’s vital interests
• Compliance with legal obligations or the exercise of established rights in the areas of employment, social security, or social protection laws, as permitted under applicable legislation
• Establishment, exercise, or defense of legal claims, including international judicial cooperation
• Execution of a contract that serves the Data Subject’s interests.

1. Cookies are small bits of data cached in a user’s browser. Aster utilises cookies to determine whether or not you have visited the home page in the past. However, no other user information is gathered. Aster may use non-personal "aggregated data" to enhance the operation of our website or analyse interest in the areas of our website. 
2. If you would like to find out more about cookies, including how we use them and what choices are available to you, please refer to our Cookie Policy.
3. You may also be able to control or limit the collection of this technical data through your browser or device settings.

The security of your Personal Information is important to us. We have adopted and maintained reasonable technical and organizational security measures and procedures including rigorous third-party risk assessments, strong access controls and information sharing on a need-to-know basis, encryption of Personal Data, secure storage of Personal Data, rapid data Breach management procedures, etc. to ensure that the Personal Information collected is secure at rest and in transit. We restrict access to your Personal Information to our and our affiliates’ employees, agents, third-party service providers, partners, and agencies on a need-to-know basis and absolutely limited to the purposes as specified above in this Policy.

• During Your interactions with us, it may happen that we provide/include reference to third parties or fiduciaries, and/or links and hyperlinks to third-party websites. It may also happen that you include links and hyperlinks to third-party websites. The reference of such third parties or listing of such third-party external sites (by you or by us) does not imply endorsement of such party or site by Aster. Such third parties and third-party sites are governed by their own terms and conditions and have their own privacy Policies. We do not make any representations regarding the availability and performance of any of the third parties or third-party sites. We are not responsible for the content, terms of use, privacy policies and practices of such third-party websites.
• Do-not-track requests: There is no standard for how online service should respond to “Do Not Track” signals or other mechanisms that may allow you to opt out of the collection of information across networks of websites and online Services. Therefore, we do not honor “Do Not Track” signals. As standards develop, we will revisit this issue and update this Policy if our practices change.

We understand the importance of taking extra precautions to protect the privacy and safety of children using our website or Services. Minors are not permitted to use the website or services, and we request that minors under the age of 18 not submit any Personal Information to the website. Since information regarding minors under the age of 18 is not collected, we do not knowingly distribute Personal Information regarding minors under the age of 18. By accessing this website, you affirm and guarantee that you are 18 years of age or older.

We hold no liability for any unsolicited information provided by you, and you Consent to the usage of such information in accordance with this Privacy Policy.  If we become aware that a person submitting Personal Data is under 18, we will delete all the information as soon as possible unless it is with the Consent and involvement of a parent or guardian. If you believe we might have any information from or about a child under 18, please contact us at email lD: [email protected]

Aster will retain your personal information for as long as necessary, in accordance with the required timeframe and in compliance with the internal data retention policy.

We welcome users from around the world and are committed to respecting their privacy. We encourage them to visit Aster Medical Travel on (https://astermedicaltravel.ae) for more details on how we handle their Personal Data.

We reserve the right to change this Policy from time to time to meet the requirements and standards. We will not reduce your rights under this Policy without your explicit Consent. If changes are significant, we will provide a more prominent notice (including, for certain Services, email notification of Policy changes).  Therefore, customers are encouraged to frequently visit these sections in order to be updated about the changes on the website.

Modifications will be effective on the day they are posted and the date of this Privacy Policy of when it was last updated will appear at the top of this document

If you have any questions regarding this Privacy Notice, you may contact our Group Data Protection Officer:

DPO Details: [email protected] 

Contact No.- +971565037221

Or you can write to us/post at:

The Data Protection Officer,

Aster DM Healthcare Limited.

Official Address: 33rd Floor - Aspect Tower, Business Bay, P.O. Box: 8703 - Dubai - U.A.E

If you have any questions, concerns, or complaints regarding our compliance with the data protection laws, or if you wish to exercise your rights, we encourage you to first contact us. We will investigate and attempt to resolve complaints and disputes and will make every reasonable effort to honour your wish to exercise your rights as quickly as possible and, in any event, within the timescales provided by data protection laws.