Tq

Teqcare

com.teqcare.mobile

Legal

Privacy Policy

Effective date: 1 January 2025  ·  Last updated: 8 July 2026

1. Introduction

Teqcare — by Medteqpro ("we", "our", or "us") is committed to protecting the privacy and security of your personal and health information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our healthcare management platform, including the Teqcare mobile application (com.teqcare.mobile) and all associated web applications (collectively, the "Platform").

By accessing or using the Platform, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use immediately.

Where Teqcare — by Medteqpro processes Protected Health Information (PHI) on behalf of a covered entity, we act as a Business Associate under HIPAA and will enter into a Business Associate Agreement (BAA) upon request.

2. Information We Collect

We collect the following categories of information:

Personal Identifiers: Name, email address, phone number, date of birth, and government-issued identification numbers where required for registration.

Protected Health Information (PHI): Medical records, diagnoses, prescriptions, lab results, treatment histories, and other clinical data entered by authorised healthcare providers on behalf of patients.

Account Credentials: Usernames, hashed passwords, role-based access identifiers, and multi-factor authentication (MFA) tokens.

Usage and Audit Data: Log files, IP addresses, browser type, device identifiers, pages visited, actions performed, and timestamps — collected automatically to maintain platform security, generate audit trails, and meet regulatory obligations.

Payment Information: Billing details processed through PCI-DSS compliant third-party payment processors. We do not store full card numbers on our servers.

3. How We Use Your Information

We use collected information to:

Operate, maintain, and improve the Platform and its features

Facilitate patient care coordination between healthcare providers

Process billing, insurance claims, and financial transactions

Maintain comprehensive audit logs documenting all access to PHI, including user identity, date, time, and actions performed — retained for a minimum of six (6) years as required by HIPAA

Send administrative communications, appointment reminders, and service updates

Comply with applicable laws, regulations, and accreditation requirements, including HIPAA, GDPR, and CCPA

Detect, prevent, and respond to fraud, security incidents, and technical issues

Conduct de-identified analytics to improve clinical and operational outcomes

We do not sell, rent, or trade your personal or health information to third parties for marketing purposes.

4. Legal Basis for Processing

We process your information on the following legal grounds:

**Contractual necessity:** To provide the services you or your organisation has engaged us to deliver

**Legal obligation:** To comply with applicable healthcare regulations, including HIPAA, GDPR, CCPA, and local data protection laws

**Legitimate interests:** To maintain platform security, prevent fraud, generate audit trails, and improve our services

**Consent:** Where required by law, we obtain explicit consent before processing sensitive health data

For EU/EEA data subjects, we also rely on Article 9(2)(h) GDPR (processing necessary for the purposes of preventive or occupational medicine and the provision of health care) where applicable.

5. Data Sharing and Disclosure

We may share your information with:

Healthcare Providers: Authorised clinicians, hospitals, and facilities involved in a patient's care, strictly on a need-to-know basis.

Subprocessors and Service Providers: Third-party vendors (cloud infrastructure, analytics, payment processors) operating under Data Processing Agreements (DPAs) or equivalent contractual obligations that prohibit independent use of your data. Where subprocessors handle PHI, we require them to enter into BAAs and maintain equivalent safeguards.

Regulatory Authorities: Government bodies, law enforcement, or accreditation agencies when required by law or court order.

Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred subject to equivalent privacy protections and advance notice to affected users.

We maintain an up-to-date register of subprocessors and will notify you of material changes to our subprocessor list.

6. Data Security

We implement technical and organisational safeguards aligned with the HIPAA Security Rule (45 CFR Part 164) and industry best practices, including:

AES-256 encryption for data at rest

TLS 1.3 encryption for all data in transit

Mandatory multi-factor authentication (MFA) for all accounts accessing ePHI

Role-based access controls (RBAC) with least-privilege principles

Automatic session timeout after periods of inactivity

Comprehensive audit logs for all PHI access, retained for a minimum of six (6) years

Regular penetration testing, vulnerability assessments, and security code reviews

Business continuity and disaster recovery protocols with tested recovery objectives

We conduct annual verification of deployed technical safeguards by qualified subject-matter experts, in alignment with the 2025 HIPAA Security Rule proposed updates. No method of electronic transmission is 100% secure; we encourage you to use strong, unique credentials and to report any suspected security incidents immediately.

7. Breach Notification

In the event of a data breach involving PHI or personal data:

HIPAA: We will notify affected covered entities without unreasonable delay and no later than sixty (60) days following discovery of a breach, as required under the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).

GDPR: Where a breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach.

Individual Notification: Where required by applicable law, we will notify affected individuals directly, including a description of the breach, the categories of data involved, and recommended protective steps.

8. Data Retention

We retain personal and health information for as long as necessary to:

Provide the services outlined in your service agreement

Comply with HIPAA's minimum six (6) year retention requirement for PHI and related documentation

Meet applicable local regulatory retention obligations, which may extend this period

Resolve disputes and enforce our agreements

Upon termination of your service agreement, we will retain your data for ninety (90) days to allow you to request an export. Following that period, data is securely deleted or anonymised in accordance with our data lifecycle policy, unless a longer retention period is required by law.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

**Access:** Request a copy of the personal data we hold about you

**Correction:** Request correction of inaccurate or incomplete data

**Deletion:** Request deletion of your data, subject to legal retention obligations

**Portability:** Receive your data in a structured, machine-readable format (GDPR/CCPA)

**Objection:** Object to certain types of processing, including profiling

**Restriction:** Request that we restrict processing of your data in certain circumstances

**Opt-out of Sale (CCPA):** California residents have the right to opt out of the sale of personal information. We do not sell personal information.

To exercise any of these rights, contact us at privacy@medteqpro.com. We will respond within thirty (30) days (or forty-five (45) days for CCPA requests). Identity verification will be required before we process your request.

10. Cookies and Tracking Technologies

The Platform uses strictly necessary cookies to maintain session state and authentication. We do not use third-party advertising cookies or cross-site tracking technologies. Analytics cookies, where used, collect anonymised, aggregated data and are subject to your consent preferences configured at first access.

11. Children's Privacy

The Platform is not directed to individuals under the age of 18 except where a minor is a registered patient under the care of an authorised healthcare provider. We do not knowingly collect personal information directly from minors without verifiable parental or guardian consent, in compliance with applicable laws including COPPA (where applicable). If you believe a minor's information has been collected without proper authorisation, please contact us immediately at privacy@medteqpro.com.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy, wish to exercise your data rights, or wish to request a Business Associate Agreement, please contact our Data Protection Officer:

Teqcare — by Medteqpro | Data Protection Office

Email: privacy@medteqpro.com

Website: medteqpro.com

We aim to acknowledge all privacy-related enquiries within five (5) business days.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. We will notify registered users of material changes via email or an in-platform notice at least fourteen (14) days before the changes take effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy. We maintain a version history of this Policy available upon request.

© 2026 Medteqpro. All rights reserved.