Privacy Policy at Al Safwa Medical Center

Privacy Policy

Reference: IT/039
Version: 3.0
Effective: May 2026
Next review: May 2027
ADHICS v2 Compliant | UAE Federal Law Compliant

01. Introduction & scope

Al Safwa Medical Center L.L.C ("we", "us", "the Center") is committed to protecting the privacy and security of personal and health information for all patients, employees, and visitors. This Privacy Policy explains how we collect, use, store, and share your data in accordance with UAE federal law and the Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS v2).

This policy applies to all employees, contractors, trainees, third-party service providers, and patients whose data is processed by the Center — including data held within our Electronic Medical Records (EMR) system, physical records, digital communications, and this website.

We comply with the following legal frameworks:

  • UAE Constitution (Federal Law No. 1 of 1971)
  • UAE Penal Code (Federal Law No. 3 of 1987, as amended)
  • Cybercrime Law (Federal Law No. 5 of 2012)
  • Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS v2)
02. Data we collect

We collect and process the following categories of data:

  • Identity data: Full name, date of birth, Emirates ID number, passport number, nationality.
  • Contact data: Address, telephone number, email address, emergency contact details.
  • Health data (PHI): Medical history, diagnoses, prescriptions, laboratory results, imaging, clinical notes, and treatment records.
  • Financial data: Insurance policy details, payment records, and billing information.
  • Technical data: IP addresses, browser type, and website usage data collected via cookies when you use our website.
  • Employment data (staff only): HR records, access logs, and professional credentials.

Data is collected directly from you, from your authorized representatives, from referring healthcare providers, and from insurance entities where applicable. We collect only what is necessary for the stated purpose.

03. How we use your data

We process your personal and health data for the following lawful purposes:

  • Provision of medical care, diagnosis, treatment, and clinical follow-up.
  • Scheduling appointments and managing patient records in our EMR system.
  • Processing insurance claims and billing.
  • Compliance with legal and regulatory reporting obligations (e.g., DOH, HAAD).
  • Quality assurance, clinical audits, and staff training.
  • Communication regarding your care, including appointment reminders.
  • Anonymized research and statistical analysis to improve services (only with your consent).
  • IT security monitoring to protect systems and detect unauthorized access.

We will not use your data for any purpose incompatible with those stated above without obtaining your prior explicit consent.

04. Consent & your preferences

Where processing is based on consent, we obtain your explicit agreement before collecting or using your data. You may withdraw consent at any time by contacting our Data Privacy Officer (see Section 10). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Essential processing required for your medical care cannot be opted out of while you remain a patient of the Center.

05. Your rights as a data subject

Under UAE law and ADHICS v2, you have the following rights regarding your personal and health data. To exercise any of these rights, contact our Data Privacy Officer (Section 10). We will respond within 30 days of receiving your request.

  • Right to access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your data, subject to legal retention obligations.
  • Right to restrict processing: Request limits on how your data is processed in certain circumstances.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing for direct marketing or research purposes.

06. Data security

We implement robust technical, physical, and administrative controls to protect your data from unauthorized access, disclosure, alteration, or destruction.

  • Technical controls: End-to-end encryption for data in transit and at rest, enterprise-grade firewall (Fortinet), antivirus protection (Kaspersky Small Office), intrusion detection systems, multi-factor authentication (MFA), and regular vulnerability assessments.
  • Physical controls: Locked filing cabinets, restricted access to server rooms and sensitive data areas, secure storage facilities, and CCTV monitoring.
  • Administrative controls: Role-based access permissions (need-to-know), regular staff training, high-availability (HA) systems, daily full backups (Veeam), GP domain controllers, and documented incident response plans.

All systems and devices containing sensitive data are password-protected, and multi-factor authentication is enforced where applicable.

In the event of a data breach involving PHI or PII, we will notify affected individuals, the Department of Health (DOH), and other relevant authorities within 72 hours of discovery, including a description of the breach, types of data affected, and remediation steps taken.

07. Data localization

All personal and health data is stored and processed within the United Arab Emirates in compliance with ADHICS v2 data localization requirements. We do not transfer data outside the UAE except where:

  • You have provided explicit written consent, for example for an international medical referral or consultation.
  • Transfer is strictly necessary for the provision of your care and no UAE-based alternative exists.
  • The recipient country provides a level of data protection equivalent to UAE standards, as determined by applicable law.

All cross-border transfers are documented, encrypted in transit, and governed by a formal data processing agreement. UAE-based cloud storage is used for all backups and offsite data replication.

08. Data disclosure

We may share your data with the following categories of recipients, strictly on a need-to-know basis:

  • Healthcare providers: Referring physicians, specialist consultants, laboratories, and pharmacies directly involved in your care.
  • Insurance and billing entities: Your health insurer or third-party administrator for claims processing and pre-authorization.
  • Regulatory and legal authorities: The Department of Health (DOH), HAAD, law enforcement, or courts where legally required or ordered.
  • IT and service providers: Third-party vendors supporting our clinical and administrative systems (e.g., EMR providers, backup services, IT support) under strict contractual data protection obligations.

We will never sell, rent, or trade your personal data. All third-party vendors are contractually bound to maintain confidentiality, comply with this policy and UAE law, and report any data incidents immediately. We conduct regular audits to verify third-party compliance.

09. Data retention & disposal

We retain data only for as long as necessary to fulfil the purposes for which it was collected, or as required by UAE law. Once the retention period expires, data is securely disposed of using the methods listed below.

| Data category | Retention period | Disposal method |
|---|---|---|
| Medical records – UAE nationals | Indefinitely (as required by law) | Secure digital archiving |
| Medical records – other patients | Minimum 25 years | Secure deletion / degaussing |
| Financial & billing records | As required by UAE commercial law | Secure deletion / shredding |
| Staff employment records | Duration of employment + 5 years | Secure deletion / shredding |
| Consent records | Lifetime of the associated patient record | Secure digital archiving |
| Website technical data (cookies, logs) | Up to 12 months | Automated deletion |

A record of all data disposal activities is maintained and is available for audit purposes.

10. Contact, complaints & Data Privacy Officer

All privacy-related enquiries, data subject rights requests, consent withdrawals, and complaints must be directed to our designated Data Privacy Officer using the details below. We will acknowledge your request within 5 working days and respond fully within 30 days.

You also have the right to lodge a complaint directly with the Department of Health – Abu Dhabi (DOH) or any other applicable UAE regulatory authority if you believe your data has been handled unlawfully.

Data Privacy Officer – Contact Details

| Item | Detail |
|---|---|
| Organization | Al Safwa Medical Center L.L.C |
| Role | Data Privacy Officer / IT Manager |
| General email | info@alsafwamedical.ae |
| IT / Security | support@cybercare.ae |
| Main phone | +971 2 555 5083 |
| IT helpline | +971 54 452 2807 |
| Emergency | +971 58 894 2052 |
| Address | Al Safwa Medical Center L.L.C, Abu Dhabi, United Arab Emirates |
