GDPR Data Protection Policy
Effective: 7 May 2026 · .
EU GDPR (Regulation 2016/679) and UK GDPR (Data Protection Act 2018)
This GDPR Data Protection Policy (“Policy”) applies to individuals located in the EU or UK who interact with Med Alliance. It supplements our Singapore Personal Data Protection Policy ("PDPP") at www.medalliance.sg/personal-data-protection-policy. Med Alliance is a Singapore-based medical concierge service. We do not currently run advertising campaigns targeting EU or UK residents. If you are in the EU or UK and contact us on your own initiative, GDPR applies to that interaction and this Policy governs how we handle your data. |
1. Who We Are
Med Alliance Pte. Ltd. is a Singapore-based medical concierge service that connects local and international patients with the right doctors and specialists. As part of that work, we may handle personal and medical information — and we are committed to treating it with care and discretion.
Our contacts:
Med Alliance Pte. Ltd.
600 North Bridge Rd, #11-08 Parkview Square, Singapore 188778
Email:hello@medalliance.sg · Tel:+65 9737 3777
2. Our Services
We provide two types of service:
– Patient concierge. We connect patients with licensed doctors and clinics in Singapore, coordinate appointments, organise and translate medical documents, and support international travel logistics where requested.
– Services for healthcare providers. We provide project management, business development, and marketing services to doctors and clinics. Where we handle patient data on behalf of a healthcare provider, we do so under their instruction and their own privacy policy governs that processing.
Med Alliance does not make clinical decisions and does not determine or influence medical treatment plans. All clinical decisions rest with licensed healthcare professionals.
3. What We Collect and Why
The table below sets out our processing activities and maps each to its legal basis, as required by Article 13(1)(c) GDPR.
Purpose | Personal data used | Legal basis (EU/UK GDPR) | Retention |
Connecting patients with doctors; coordinating appointments | Name, contact details, health condition or needs as disclosed | Art. 6(1)(b): contract Art. 9(2)(h): healthcare management Art. 9(2)(a): explicit consent where Art. 9(2)(h) does not apply | As long as necessary for the service and to meet applicable legal obligations |
Organising, translating, and transmitting medical documents | Medical records, test results, clinical notes — provided by or with consent of patient | Art. 6(1)(b): contract Art. 9(2)(h): healthcare management Art. 9(2)(a): explicit consent | As long as necessary for the service and to meet applicable legal obligations |
International patient logistics — travel, accommodation, visa | Nationality, passport details, travel dates, emergency contact | Art. 6(1)(b): contract Art. 6(1)(a): consent for data beyond contractual necessity | As long as necessary to fulfil the purpose and resolve related matters |
Responding to enquiries | Name, email, phone, content of enquiry | Art. 6(1)(f): legitimate interests — responding to a voluntary enquiry | As long as reasonably necessary to manage the enquiry and any resulting relationship |
Services to healthcare providers | Professional contact details, clinic or practice information | Art. 6(1)(b): contract Art. 6(1)(f): legitimate interests — managing professional relationships | For the duration of the engagement and as long as necessary to meet legal obligations thereafter |
Website operation and security | IP address, browser and device data, pages visited | Art. 6(1)(f): legitimate interests — operating and securing our website | As long as necessary for security and operational purposes |
Compliance with legal obligations | Any data relevant to the applicable requirement | Art. 6(1)(c): legal obligation | As required by applicable law |
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, to comply with applicable legal obligations, or to resolve disputes — whichever is longest. When data is no longer required, we take appropriate steps to delete or anonymise it.
4. Legitimate Interests
Where we rely on Article 6(1)(f), we have assessed that our interests are not overridden by data subjects' rights, having regard to the limited nature and volume of data processed and the reasonable expectations of the individuals concerned. Those interests are: responding to voluntary enquiries; operating and securing our website; and maintaining professional relationships with healthcare providers. Details of our assessments are available on request at hello@medalliance.sg.
5. Health and Medical Data
Health data is special category data under Article 9 GDPR. We process it on the following bases:
– Article 9(2)(h) — Healthcare management. The primary basis where we coordinate care with a licensed doctor or clinic, subject to professional secrecy obligations binding our staff and contractors.
– Article 9(2)(a) — Explicit consent. Where Article 9(2)(h) does not apply. Consent may be withdrawn at any time by contacting hello@medalliance.sg. Withdrawal does not affect prior processing but may prevent continuation of certain services.
– Article 9(2)(c) — Vital interests. In emergency situations where you are unable to consent.
Providing health information is necessary for us to coordinate your care. If you prefer not to share it, we can discuss what general assistance may be possible.
6. Who We Share Your Data With
We share personal data only where necessary:
– Healthcare providers. Licensed doctors, specialists, hospitals, and clinics in Singapore — to coordinate your care.
– Translators and interpreters. Engaged to support appointments or document handling, subject to confidentiality obligations.
– Travel and logistics partners. For international patient logistics only, limited to data strictly required.
– IT service providers. Website hosting, CRM, Google Analytics, and similar service providers, and communication platforms — processing data only on our instruction.
– Other third-party service providers, vendors, suppliers, business and collaboration partners. For the provision of such, and related, requested inquiries, services and products to you, subject to confidentiality obligations.
– Regulatory authorities. Where required by Singapore law or government demand.
We do not sell personal data. We do not share it for third-party marketing.
7. International Transfers
Med Alliance is established in Singapore. Transfers from the EU or UK to Singapore are made on the following basis:
– EU transfers. Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914, pursuant to Article 46(2)(c) EU GDPR.
– UK transfers. UK International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU SCCs, approved by the UK ICO under s.119A Data Protection Act 2018.
8. Your Rights
To exercise any right, contact hello@medalliance.sg. We will respond within the timeframe required by applicable law. We may verify your identity before acting.
– Access (Art. 15). Obtain a copy of personal data we hold and information about its use.
– Rectification (Art. 16). Have inaccurate or incomplete data corrected.
– Erasure (Art. 17). Request deletion where data is no longer needed, consent is withdrawn, or processing is unlawful, subject to legal retention obligations.
– Restriction (Art. 18). Request that processing is limited in certain circumstances.
– Portability (Art. 20). Receive data in a machine-readable format where processing is based on consent or contract and is automated.
– Objection (Art. 21). Object to processing based on legitimate interests. Absolute right to object to direct marketing.
– Withdraw consent. At any time, without affecting prior lawful processing.
– Automated decisions (Art. 22). We do not make solely automated decisions producing significant legal effects.
9. Supervisory Authorities
EU residents: Supervisory authority in your Member State — directory at edpb.europa.eu/about-edpb/board/members_en
UK residents: Information Commissioner's Office (ICO) — ico.org.uk· 0303 123 1113 ·casework@ico.org.uk
10. Children
Services for minors must be requested by a parent or legal guardian. The digital consent age varies across EU Member States between 13 and 16; in the UK it is 13. Where the data subject is under 16, we require parental or guardian consent before processing their data.
11. Cookies
Strictly necessary cookies operate the site without consent. Other cookies are set only with your prior consent, which you may withdraw at any time. Our Cookie Policy — including cookie names, retention periods, and any associated third-country transfers — is at www.medalliance.sg/cookie-policy.
12. Security
We maintain reasonable security arrangements appropriate to the sensitivity of the data we hold. In the event of a high-risk personal data breach, we will notify the relevant supervisory authority and, where required, affected individuals, as required by applicable law.
13. Changes to This Policy
We may update this Policy from time to time. Where required by law, we will take steps to bring material changes to your attention. The effective date above reflects the current version.
14. Contact and Data Protection Officer
Med Alliance has designated a Data Protection Officer (DPO). For all privacy queries and data rights requests, please contact our DPO:
Med Alliance Pte. Ltd.— Attention: Data Protection Officer
600 North Bridge Rd, #11-08 Parkview Square, Singapore 188778
Email:hello@medalliance.sg
All EU/UK enquiries should be directed to the above-mentioned contacts.
We will respond within the timeframe required under the applicable law.
© 2026 Med Alliance Pte. Ltd. · May 2026 ·EU GDPR & UK GDPR
