Privacy Policy
Effective date: 1 January 2025 · Last reviewed: January 2025
Vive Medical (“we”, “us”, “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, share, and protect your data in accordance with Republic Act No. 10173, the Data Privacy Act of 2012 (DPA), and its Implementing Rules and Regulations.
We are registered with the National Privacy Commission (NPC) and maintain a designated Data Protection Officer (DPO), [TODO: DPO name], whom you may contact at privacy@vive.ph.
1. Who We Are
Vive Medical, operated by [TODO: registered legal entity name] of [TODO: registered business address], is a telehealth platform in the Philippines that connects patients with PRC-licensed physicians for online medical consultations related to GLP-1 and weight-management therapies. We are the personal information controller for data collected through our platform.
2. Data We Collect
Account & identity data
- Full legal name, email address, date of birth, sex
- Philippine mobile number and mailing address
- Authentication credentials (password stored as a one-way bcrypt hash via Supabase Auth)
Sensitive personal information (health data)
Under the DPA, health information is classified as sensitive personal information and receives heightened protection. We collect:
- Body metrics: weight, height, and derived BMI
- Reported medical conditions, current medications, and supplements
- Treatment goals and clinical notes submitted during your intake
- Prescriptions issued by our affiliated physicians
Transaction & order data
- Payment method type and transaction IDs (we do not store card numbers; payments are processed by PayMongo)
- Order history, shipping address, and delivery status
Technical & usage data
- IP address, browser type, and device identifiers
- Pages visited, session timestamps, and error logs
3. Legal Basis for Processing
We process your personal data on the following legal bases:
- Consent — You provide explicit, informed consent at account creation and again at the point of submitting your medical intake form. You may withdraw consent at any time (see Section 8).
- Contractual necessity — Processing is required to fulfil our agreement to provide you with telehealth services and deliver your medication.
- Legal obligation — Prescription records must be retained to comply with Philippine FDA and DOH regulations.
- Legitimate interests — Technical data is processed to ensure platform security and prevent fraud.
4. How We Use Your Data
- Creating and managing your account
- Transmitting your medical intake to a PRC-licensed physician for review
- Generating electronic prescriptions where clinically appropriate
- Processing payment and fulfilling medication orders
- Sending transactional communications (order updates, prescription notifications)
- Complying with Philippine FDA, DOH, and NPC regulatory requirements
- Detecting and preventing fraud, abuse, and security incidents
- Improving platform functionality through aggregate, anonymised analytics
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
5. Sharing of Personal Data
We share your information only as described below:
- Licensed reviewing physicians — Doctors affiliated with our platform receive your medical intake data for the purpose of clinical review and prescription issuance.
- Supabase Inc. — Our cloud database and authentication provider, acting as a personal information processor. Data is stored on servers in Singapore.
- PayMongo Philippines Inc. — Our payment processor. Payment data is processed directly by PayMongo and governed by their privacy policy.
- Courier partners (LBC, J&T, Lalamove, GrabExpress) — Receive your name and delivery address solely for shipment fulfilment.
- Government authorities — We disclose information when required by Philippine law, court order, or NPC directive.
All third-party processors have executed data processing agreements and are bound by confidentiality and security obligations consistent with the DPA.
6. Data Retention
- Account data: retained for the duration of your account, plus 2 years after closure
- Medical intake & prescription records: retained for a minimum of 10 years as required by Philippine DOH regulations on medical records
- Payment transaction records: retained for 5 years per BIR requirements
- Server & access logs: retained for 90 days, then deleted
7. Security Measures
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row Level Security (RLS) policies ensuring patients can only access their own records
- Role-based access controls limiting health data to authorised medical staff
- Regular security assessments and vulnerability monitoring
- Two-factor authentication available for all accounts
In the event of a personal data breach that poses a real risk of serious harm, we will notify affected data subjects and the National Privacy Commission within 72 hours of discovery.
8. Your Rights as a Data Subject
Under the DPA, you have the following rights:
- Right to be informed — to know how your data is being processed
- Right of access — to request a copy of your personal data we hold
- Right to rectification — to correct inaccurate or incomplete data
- Right to erasure — to request deletion, subject to legal retention obligations
- Right to object — to object to processing based on legitimate interests
- Right to data portability — to receive your data in a structured, machine-readable format
- Right to withdraw consent — at any time, without affecting the lawfulness of prior processing
- Right to complain — to file a complaint with the National Privacy Commission
To exercise any of these rights, email our DPO at privacy@vive.ph. We will respond within 15 business days.
9. Cookies & Tracking
We use essential session cookies required for authentication and security. We do not use third-party advertising cookies or cross-site tracking technologies. You can manage cookie preferences in your browser settings; disabling session cookies will prevent login.
10. Children's Privacy
Our platform is restricted to individuals aged 18 years and older. We do not knowingly collect personal information from minors. If we discover that a minor has created an account, we will delete the account and all associated data immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our platform at least 30 days before taking effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
12. Contact Us
Data Protection Officer
Vive Medical
Email: privacy@vive.ph
For NPC complaints: www.privacy.gov.ph