Privacy and Cookies

Notice of Privacy

Introduction

The protection of privacy and the lawful use of personal data are a top priority for First Doctor Pvt Ltd (“FirstDoctor”), and we are committed to guaranteeing your privacy. This privacy notice (the “Privacy Notice”) explains how we collect, use, store and disclose your personal data. This data processing applies to our website, platform and mobile application (collectively, the “Services”).

It is recommended that you read the Privacy Notice carefully before using the Services.

FirstDoctor reserves the right to modify the Privacy Notice at its discretion from time to time, particularly if, due to changes in our operations or applicable legislation, your fundamental rights or freedoms may change.

About Us

We are First Doctor Pvt Ltd., No 25, Police Park Avenue, Colombo, from where we manage and maintain the platform https://www.firstdoctor.lk (the “Website”).

For the purposes of the data protection laws of Sri Lanka, that is, of the Protection of Personal Data Held by Private Parties on the protection of natural persons with regard to the processing of personal data and on the free circulation of said data, we are responsible for the processing of your personal data.

Strategic decisions regarding the purposes and means of processing patients' personal data are always made by the team that makes up FirstDoctor, in the decision-making process regarding data processing, primarily in relation to the processing of data from doctors and specialists.

If you have any questions, you can contact our data protection team by sending an email to support@firstdoctor.lk.

User Specific Sections

I. If You Are a Patient (A Non-Professional User of Our Platform)

If you are a patient, or a user of our website seeking information about specialists, the following conditions apply:

A. How we obtain your personal data, for what purposes and on what legal bases we process them:

1. By registering for our Services

We obtain your personal data directly from you when you register with us or use the Services.

When you register to use our Services, we will ask you to provide us with basic information, including your email address.

You can also add additional information such as your first name, last name, gender, and phone number.

We store this information to enable you to use the Services.

You can use our Services through our website or mobile application.

Our Services allow you to, among other things: request appointments with specialists, save your personal information in your user account, chat online with specialists, send messages to specialists and discuss your experience with them.

You can also check the history of your visits and manage your user account from our platform or mobile application.

From your user account in the mobile app, you can manage push notifications (e.g. pop-ups) and other system notifications.

When you register to use our Services, you enter into a legally binding agreement with us. This agreement constitutes a valid legal basis for the processing of your personal data, in accordance with the SRI LANKAN LAW OF PERSONAL DATA PROTECTION.

2. If you schedule an appointment with a specialist or request a medical examination

When you schedule an appointment with a specialist or clinic or when you request a medical examination through our website or mobile application, we obtain additional data from you. This information may include:

  • Name and surname
  • Phone number
  • Email address
  • Date and time of the visit
  • Reason for your visit
  • Any additional information you have shared or uploaded (for example: questionnaires, additional data) during the appointment booking process.

We will store this data on our platform and share it with the specialist and/or the clinic that employs the specialist. Once your personal data is shared, the specialist or clinic becomes an independent data controller and will process your personal data for its own purposes (for example, for the provision of medical services or similar). Such processing will be governed by the specialist's or clinic's privacy policy or notice.

When you schedule an appointment with any specialist listed on our platform or request a medical examination with any of the clinics listed on our platform, we store and share with the specialist or clinic some of your personal health-related data (in particular: the specialist or clinic you visit; the reason for the visit; a history of your reservations).

To do this, we will ask for your prior and explicit consent. We need your consent to disclose your details to the specialist you schedule your appointment with and to provide you with our technical and scheduling services. Without such consent, we cannot provide you with these services.

Your health-related personal data is processed on the basis of your consent, as established by the law of protection of personal data in the possession of private parties.

If you schedule an appointment with a specialist, we will share your personal data with this specialist, who, from that moment, becomes an independent controller of your data. Any data processing carried out by the specialist or clinic will be governed by their own privacy policies or notices.

We can send you a reservation confirmation to your cell phone and/or email. We may also send you a reminder when your appointment date is approaching and will let you know if the specialist cancels or reschedules your appointment. After the session, we will ask you to write a review of your experience on the web.

You can fill in your profile and add notes during booking describing your symptoms and the reason for the session. You can also attach a report of prescription so that the specialist can view it.

3. Health profile

As part of our services, we allow you to store your personal health data in your user account. This functionality allows you to:

  1. Have the information related to your health, that you consider convenient, stored in one place.
  2. Share this information with the specialist of your choice so that they have it before the visit.

The data will be processed by us with your consent for the sole purpose of allowing you to host said data and to share it with the specialist of your choice.

To activate this functionality you must provide your name, surname and email address. Additionally, if you choose to add them, we will collect your phone number, a current government-issued ID, health insurance information (if you have it), allergies, medical history, family history, medications you take, and previous visits. For clarity, we will only process your health data if you choose to add it. You are free to add whatever data you consider appropriate; there are no minimum or mandatory data in that sense.

We will only process this data based on your prior consent. Consent can be withdrawn at any time. If you revoke your consent, we will delete your health data. All other data will be deleted in accordance with the retention periods indicated in this policy.

We will only share your data with specialists with your prior consent and only with those specialists who you decide can have access to your health profile. Please note that the specialists will act as independent data controllers and will process your data in accordance with their own privacy policies.

4. Other purposes

When you use our Services, we may obtain additional data, including, for example: information about your device, IP address, time zone and language, or the browser you use. We also obtain information about when you first and last used our Services and how much time you spend using them.

If you use a mobile application, we may also obtain your location data via GPS. You will always have the possibility to disable this functionality.

We will process this personal data to:

  • Deal with any claims or complaints you may have in relation to the services, and to protect us against such and any third party claims or complaints relating to your use of the services.
  • Inform you about new aspects and features of our services.
  • To manage and plan our business activities (for example, to analyze how you use our products and services and to forecast demand for our product, or to predict how our users will use our services in the future and estimate the trends in user needs and preferences). Some of this information may be anonymous (for example, how you browse our website), but some of the information, along with other data, may reveal your identity (for example, how long you were logged into our platform and what email address you used).
  • Protect yourself from bots and other similar mechanisms by implementing security methods such as Captcha or the like.

We process this information on the basis of our legitimate interests, which constitute a legal basis for the processing of personal data according to the law of protection of personal data in the possession of private parties.

B. Do we process information or data related to your health?

When you schedule an appointment with a specialist, save personal data in your user account, or request a medical examination, we may obtain information relating to your health. We may also act as data processors on behalf of specialists and clinics who entrust us with their personal health data. For further information, see the section above, “How we obtain your personal data; for what purposes and with what legal basis we process them”, and the section below, “Do we act as data processors on behalf of specialists and clinics?”

C. Is it possible to provide personal data of other people?

If you schedule an appointment on behalf of another person (for example, for a family member), you authorize us to obtain that person's personal data. We will process that person's personal data for the same purposes for which we process yours.

D. Do we act as data processors on behalf of specialists and clinics?

We provide different services to doctors and clinics. Our Services allow doctors and clinics, among others, to upload and save patients' personal data, information about patient visits, and information regarding their health status. They are also allowed to send marketing campaigns, text messages or emails to patients, and to manage their work schedule. To do this, we act as a data processor (as defined in the law of protection of personal data in the possession of private parties) processing the personal data of their patients.

When we act as a data processor, we process personal data solely on the instructions of specialists and clinics (our clients), and not for our own purposes. This also applies to specialists and clinics who send you text messages, emails, campaigns or similar communications through our platform: they, and not us, decide whether or not to send them to you. We are not responsible for such communications, nor for the processing of your personal data by specialists or clinics.

If you do not wish to receive such messages, you may contact the doctor or clinic who sent you the message.

II. If You Are Registered with Us as a Specialist Doctor

If you are a doctor who uses our platform and our Services in a professional capacity, and (i) you have registered a profile on the platform, (ii) you have entered into a contract to receive our Services, or (iii) you work on, for or with a clinic that has signed a contract to receive our services, then the following conditions apply:

A. How we obtain your personal data; for what purposes and on what legal basis we process them.

1. Registration and use of our Services

You provide us with your data when you register with us or use our Services.

When registering, we ask you to provide us with data related to your professional activities and other aspects that help you inform our users about you and that are published in your profile on our platform. The information you provide us includes:

  • Name and surname.
  • Workplace address.
  • Email address.
  • Specialization, training and information about the diseases you treat or the medical examination you perform.
  • Professional license number (which allows you to carry out professional activities).
  • Your image.
  • Data from the clinics with which you collaborate.
  • Any other data that you provide us during the registration process or during the execution of a payment contract.

By registering to use our Services, you enter into a legally binding agreement with us. The need to comply with our obligations and compliance with said legal agreement constitutes a valid legal basis for the processing of your personal data, as specified in the law of protection of personal data in the possession of private parties.

We also process your personal data on the basis of our legal obligations, for example to issue invoices and keep our financial records up to date. This constitutes a valid legal basis for the processing of your personal data, in accordance with the law of protection of personal data in the possession of private parties.

As part of our services, we may include your professional information, your first name, last name, specialization and address in search engines and maps, among others. This helps us provide you with our services.

We may also obtain your personal data from clinics you work for or with, which have entered into a contract to receive our Services. These clinics may, under the clinic's responsibility, transfer your personal data to us, which we will process in order to execute the contract we have with the entity. The processing of your personal data is essential to us; however, you can always contact the clinic that transferred your personal data to us and object to the processing or withdraw your consent to the use of your personal data.

2. Other purposes

When you use our Services, we may obtain additional data, including, for example: information about your device, IP address, time zone and language, or the browser you use. We also obtain information about when you first and last used our Services and how much time you spend using them.

If you use a mobile application, we may also obtain your location data via GPS. You will always have the possibility of deactivating it.

We will process this personal data to:

  • Deal with any claims or complaints you may have in relation to the Services, and to protect us against them or any third party claims or complaints relating to your use of the Services;
  • Inform you about new aspects and features of our Services;
  • Manage and plan our business activities (for example, to analyze how you use our products and Services and to forecast demand for our product, or to predict how our users will use our Services in the future and estimate the trends in user needs and preferences). Some of this information may be anonymous (for example, how you browse our website), but some of the information, along with other data, may reveal your identity (for example, how long you were logged into our platform and which email address you used).

We process this information on the basis of our legitimate interests, which constitute a legal basis for the processing of personal data according to the law of protection of personal data in the possession of private parties.

III. If You Are Not Registered with Us as a Doctor or Specialist

If you are a specialist whose name and professional details appear on our platform but you have not registered with us (i.e. you do not have an account) and do not receive our Services, then the following conditions apply to you:

A. How we obtain your personal data. For what purposes and on what legal basis we process them

FirstDoctor obtained your personal data from public information sources, for example:

  • Commercial records.
  • Physician records or similar professional records.
  • Statistics agencies.
  • FirstDoctor users (patients) who have written and uploaded a review about their experience in your consultation.

We process your personal data to:

  • Make your personal data available on our platform, in order to inform our users of your professional activities, and/or;
  • Allow your patients, who are also users of our Services, to comment and rate their experience in your consultation.

If you contact us to receive information about us or our Services, we may also use your personal data to send you marketing communications about our services. Remember that you can cancel these messages at any time.

FirstDoctor processes your personal data on the basis of the legitimate interests of the entity, which constitute an independent legal basis for the processing of personal data according to the law of protection of personal data in the possession of private parties.

FirstDoctor has carried out a competing interests test to ensure that your fundamental rights and freedoms do not override our legitimate interests in processing your personal data. You can always contact us if you wish to object to our processing of your personal data.

B. What data do we process?

We process the following personal data:

  • Name and surname.
  • Work or professional address.
  • Specialization or profession.
  • User opinions about their participation.

We can also process the license or professional ID number (which entitles you to carry out your professional activities).

Information Applicable to All Users

Do we share your personal data with third parties?

If you choose to share your personal information with a specialist, and you consent to this, we will share the data of your choice with the specialist.

We may also share your personal data with third party providers, again solely for the purpose of providing you with our Services. Most of these third parties act as data processors and have entered into data processing agreements with us.

For example, we may share your personal data with the following categories of entities:

  • Cloud storage and server maintenance providers;
  • Communication tools;
  • Customer support tools;
  • External consultants, auditors or advisors;
  • Payment service providers, banks, credit reference and fraud prevention agencies and insurance companies;
  • IT companies that provide us with software and similar services.

Finally, we may disclose data to respond to legal requirements, enforce our policies, contact legal or regulatory authorities when required by applicable law, and protect our rights and property. We may also share your personal information with other business entities, in the event of a merger, acquisition or investment in that business entity, or corporate reorganization.

We will not transfer your personal information to any other third party unless you give us your prior consent or we have another legal basis to do so.

Do we transfer your personal data to countries outside of Sri Lanka?

Some of our suppliers (data processors) are based outside of Sri Lanka, so we may transfer your personal data to third countries. We always ensure that these transfers comply with the requirements of the law of protection of personal data in the possession of private parties.

How long do we keep your data

We will only retain the information we collect about you for as long as necessary for the purposes set out above, or as necessary to comply with any legal obligations to which we are subject.

The period for which we retain your data will vary depending on the type of information and the purposes for which we use it. Generally, we will retain our records for up to 5 years after your relationship with us has ended, to comply with our legal obligations. For more information, see the following table:

Purpose of processing | Retention period
To provide you with our Services | We will process your data for as long as you have a user account or an active service contract. If you delete your user account or terminate the service contract, we will retain your personal data for a period of 6 years.
Patient data: to schedule an appointment or request a medical examination | We will process your personal data for as long as you have a user account. If you delete your user account, we will retain your data for a period of 5 years.
Technical and statistical information | We will process your personal data for as long as you have a user account. If you delete your user account, we will retain your data for a period of 5 years.
Commercial communications | We will process your personal data until you withdraw your consent for marketing purposes or object to the processing of your personal data.
Patient data: chats with a specialist | We will process the personal data you provided during the chat for a period of 2 years.
Host your data in the Health Profile and share it with specialists | Health data included in your health profile will be deleted upon account deactivation or if you revoke your consent or request data deletion. Other data will be retained for a period of 6 years from the date you deactivate the health profile functionality or your account.
Patient data: doctor-on-demand functionality | We will process your personal data for 5 years from the last time you used the doctor-on-demand function.
Claims | We will process your personal data for 5 years after you have made a complaint.
Profiles of unregistered specialists | We will process your personal data until you object to the processing.

What are my rights regarding the processing of my data?

Under the law of protection of personal data in the possession of private parties you have the following rights:

  • Right to be informed about the processing of your personal data (i.e. for what purposes, what type of personal data, to which recipients it is disclosed, storage periods, any third-party sources from which it was obtained, verification of automated decisions, including profiling, and the logic, importance and intended consequences). Consulting this Privacy Policy is part of your right to be informed.
  • Right to file a complaint with us (support@firstdoctor.lk) if you consider that we process your personal data illegally.
  • Right to request a copy of the personal data we process about you.
  • You can ask us to delete (if you believe we do not have the right to retain them) or rectify (if you believe they are inaccurate) your personal data.
  • You can object to the processing of your personal data or (where we rely on your consent for processing) withdraw your consent.
  • Right to restrict the processing of your personal data.
  • You can request that your data be provided in a portable form.

You can contact us (see contact details at the end of this policy) if you wish to assert any of these rights. We will comply with our legal obligations regarding your rights as a data subject.

Any request for access to your personal data must be made in writing and we will respond within a period of no more than 30 (thirty) days.

We reserve the right to refuse to respond where requests are manifestly unfounded or excessive: in this case, we will explain the situation and inform you of your rights.

We aim to ensure that the information we hold about you is accurate at all times.

To help us keep your information up to date, you will need to tell us about any changes to your personal data. Upon request, we will take reasonable steps to ensure that the data are accurate and will rectify any incorrect personal data immediately or within a period no later than 30 (thirty) days.

Automated decisions and profiling

No decisions are made solely on an automated basis. We do not use any profiling system or tool to process your data.

Links to other websites

Our website or application may contain links to other sites, including through social media buttons. While we try to only include links to websites that share our high standards and respect for privacy, we are not responsible for the content, security or privacy practices employed by other websites and a link does not constitute an endorsement of their website. Once you go to another website from our website or application, you are subject to the terms and conditions of that website, including, but not limited to, its Internet privacy policy and practices. Please review these policies before submitting data to these websites.

How we protect your information

We ensure that appropriate technical, physical, electronic and administrative security measures are in place to protect your personal data from unauthorized access.

We follow accepted industry standards to protect the personal information submitted to us, both during transmission and after receipt.

Unfortunately, the transmission of information over the Internet (including email) is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website, platform or staff; the user assumes the risk derived from the transmission.

Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.

Contact Us

For any questions related to your personal data, you can contact us:
by email to: support@firstdoctor.org

First Doctor Pvt Ltd, No 25, Police Park Avenue, Colombo 05, Sri Lanka