Privacy Policy

Effective date: 21 April 2026 | Last updated: 21 April 2026 | Version 2.0

Applies to: MigrantCare mobile application (Android), website, and related services operated by MigrantCare Sdn. Bhd., a company incorporated in Malaysia. This policy applies to users in Malaysia and Bangladesh and is written to comply with Malaysia's Personal Data Protection Act 2010 (PDPA), Bangladesh's Digital Security Act 2018 and ICT Act 2006, and Google Play Store policies for Health & Medical applications.

Contents

Who we are
Data we collect
How we use your data
AI assistant (MIRA) and health data
Third-party data processors
Data sharing and disclosure
Data retention
Your rights
Data security
Children's privacy
Cross-border data transfers
Cookies and tracking
Changes to this policy
Contact and complaints

1. Who We Are

MigrantCare is a digital telehealth platform that connects users with licensed healthcare professionals for remote consultations. The platform is developed and operated by MigrantCare. ("we", "us", "our").

MigrantCare is not a medical device and does not diagnose, treat, cure, or prevent any medical condition. Healthcare professionals (HCPs) listed on the platform are independently licensed and solely responsible for the clinical care they provide.

Data Controller: MigrantCare, Malaysia.
Contact: support@migrantcare.com.my

2. Data We Collect

A. Account and identity data

Full name, email address, phone number, date of birth
Profile photo
Residential address, city, state, country
Login credentials (hashed; never stored in plain text)
Authentication method (username/password, phone OTP, or OAuth via Google/Apple)

B. Health and medical data Sensitive

Self-reported symptoms entered via the app or the MIRA AI intake assistant
Medical history, current medications, allergies, and pre-existing conditions voluntarily provided
Height, weight, age, blood group
Consultation notes and records generated during video/audio appointments
E-prescriptions issued by licensed HCPs
Lab test orders, results, and reports uploaded or generated within the app
Medicine and pharmacy orders placed through the app

C. Financial data

Wallet top-up and transaction history
Subscription plan details and purchase history
Payment method details (processed by Fiuu; we do not store full card numbers)
Agent-facilitated fund transfer records

D. Location data

Approximate and precise device location, used solely to show nearby pharmacies and clinics. Precise location (ACCESS_FINE_LOCATION) is requested only when you actively use the pharmacy/clinic finder feature and is not stored on our servers.

E. Device and usage data

Device identifiers (Android advertising ID), device model, OS version
App interaction logs, feature usage, and navigation events
Crash reports and diagnostic data
IP address and general network information

F. Communications data

In-app messages and chat history between patients and doctors
Voice messages sent to MIRA
Support tickets and email correspondence with our team

G. Healthcare professional (HCP) data

Medical registration number and licensing certificates
Professional specialisation and practice details
Availability schedules

3. How We Use Your Data

Purpose	Lawful basis (Malaysia PDPA)
Creating and managing your account	Contractual necessity
Booking and conducting video/audio consultations	Contractual necessity
Processing payments, wallet top-ups, and subscriptions	Contractual necessity
Generating and storing e-prescriptions	Contractual necessity; legal obligation
Facilitating pharmacy and lab orders from e-prescriptions	Contractual necessity
Operating the MIRA AI symptom intake assistant	Consent (given at first use of MIRA)
Sending appointment reminders and service notifications	Contractual necessity; consent
Improving app performance and fixing bugs	Legitimate interests
Complying with Malaysian and Bangladeshi legal obligations	Legal obligation
Fraud prevention and platform security	Legitimate interests

We do not use your health data for advertising, sell it to third parties, or use it to train AI models beyond what is described in Section 4.

4. AI Assistant (MIRA) and Health Data

Important — MIRA is an AI tool, not a doctor. MIRA is an automated symptom intake assistant powered by Google Gemini. It is not a licensed medical professional, does not provide medical advice, diagnosis, or treatment recommendations, and is not a substitute for consultation with a qualified healthcare professional.

How MIRA processes your data

When you interact with MIRA, the following occurs:

Your symptom descriptions and follow-up answers are sent to Google's Gemini API (via our secure backend) to generate structured intake summaries.
MIRA's output is used only to help you articulate your health concerns before speaking with a licensed HCP and to suggest relevant specialties.
Conversation history with MIRA is stored on our servers and linked to your account.
Google processes this data as a data processor under our agreement. Google does not use your health data to train its public AI models under our enterprise API terms.

Your consent for MIRA

You are presented with a specific consent notice before your first MIRA interaction. You may decline to use MIRA and proceed directly to booking a consultation. Withdrawing MIRA consent does not affect your ability to use other app features.

5. Third-Party Data Processors

We engage the following third-party processors. Each is bound by a data processing agreement and processes your data only on our instructions.

Processor	Purpose	Data transferred	Location
Google LLC (Firebase)	Authentication, push notifications, crash reporting, file storage	Account data, device identifiers, crash logs, profile photos, medical documents	United States (adequacy safeguards apply)
Google LLC (Gemini API)	AI-powered symptom intake (MIRA)	Symptom descriptions, MIRA chat content	United States
Google LLC (Maps SDK)	Pharmacy and clinic location finder	Approximate device location	United States
Fiuu (formerly Razer Merchant Services)	Payment processing for wallet top-ups, subscriptions, and prescription payments	Payment method details, transaction amounts, email/phone for verification	Malaysia

6. Data Sharing and Disclosure

We do not sell your personal data. We share data only in the following circumstances:

With your chosen HCP: Your symptom summary, MIRA intake report, medical history you have shared, and consultation notes are visible to the licensed doctor you book with.
With pharmacies and labs: When you place an order from an e-prescription, relevant prescription data is shared with the selected pharmacy or laboratory.
With authorised agents: Agents who facilitate wallet top-ups on your behalf see only the transaction amount and your account reference number.
Legal and regulatory obligations: We may disclose data to competent authorities in Malaysia (e.g., Ministry of Health, PDPC) or Bangladesh when required by law, court order, or regulatory directive.
Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred. You will be notified in advance.

7. Data Retention

Data category	Retention period	Basis
Account identity data (name, phone, email)	Deleted within 30 days of account deletion request	User request
Medical and clinical records (consultations, prescriptions, lab results)	Minimum 7 years	Private Healthcare Facilities and Services Act 1998 (Malaysia)
Financial and wallet transaction records	7 years	Income Tax Act 1967 (Malaysia) / LHDN audit requirements
MIRA conversation history	2 years, or until account deletion (whichever comes first)	Service improvement; capped by consent period
Crash logs and diagnostic data	90 days	Legitimate interests (bug fixing)
HCP licensing documents	Duration of registration on platform + 3 years	Regulatory compliance

Upon account deletion, all data outside mandatory legal retention periods is permanently purged. Retained clinical and financial records are anonymised where legally permissible.

8. Your Rights

Malaysia (PDPA 2010)

Under Malaysia's Personal Data Protection Act 2010, you have the right to:

Access: Request a copy of personal data we hold about you.
Correction: Request correction of inaccurate or incomplete data.
Withdrawal of consent: Withdraw consent at any time (e.g., for MIRA). This does not affect prior processing.
Limit processing: Request that we stop using your data for purposes other than those required by law.
Account and data deletion: Request deletion of your account and non-legally-retained data.

Bangladesh (Digital Security Act 2018 / ICT Act 2006)

Users in Bangladesh have rights consistent with Bangladesh's applicable digital and consumer protection laws, including the right to know how their data is used and to request correction or deletion of personal data that is not subject to a legal retention requirement.

How to exercise your rights

In-app: Profile → Settings → Delete Account (for deletion requests)
Email: support@migrantcare.com.my — subject line: "Data Rights Request"
Web form: https://request.migrantcare.com.my

We will respond to all rights requests within 21 days. Complex requests may take up to 30 days; we will notify you if an extension is needed.

9. Data Security

All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
Health data and financial records are encrypted at rest using AES-256.
Access to patient data is restricted to authorised personnel and the HCP you are consulting with, using role-based access controls.
We conduct periodic security reviews and vulnerability assessments.
In the event of a data breach that is likely to affect your rights, we will notify you and the relevant authority (PDPC Malaysia) within 72 hours of becoming aware of the breach.

No system is 100% secure. If you believe your account has been compromised, contact us immediately at support@migrantcare.com.my.

10. Children's Privacy

MigrantCare is not intended for use by persons under the age of 18. We do not knowingly collect personal data from minors. If a parent or guardian believes their child has created an account, please contact us immediately and we will delete the account and associated data without delay.

11. Cross-Border Data Transfers

Some of our processors (Google, LiveKit) are located in the United States. Where we transfer personal data outside Malaysia or Bangladesh, we ensure adequate protections are in place through:

Standard contractual clauses or data processing agreements that meet PDPA requirements.
Processor commitments under Google Cloud's Data Processing Addendum.

Health data is not transferred to any country without an adequate level of data protection unless covered by one of the above safeguards.

12. Cookies and Analytics

The MigrantCare mobile app does not use browser cookies. The app uses Firebase Analytics to collect anonymised, aggregated usage statistics (e.g., feature usage rates, session lengths). You can opt out of analytics data collection in Profile → Settings → Privacy.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via in-app notification and email at least 14 days before the change takes effect. Continued use of the app after the effective date constitutes acceptance of the updated policy. Previous versions are available on request.

14. Contact and Complaints

MigrantCare.

Email: support@migrantcare.com.my

Data rights / deletion requests: https://request.migrantcare.com.my

Privacy Policy URL: https://privacy-policy.migrantcare.com.my

If you are unsatisfied with our response, you may escalate to the Personal Data Protection Commissioner of Malaysia at www.pdp.gov.my or the relevant authority in Bangladesh.