Privacy Policy
Version: v1.7 (effective 2026-06-15)
Global scope statement. This Privacy Policy applies to all Clients of MediConnex worldwide. It sets out our general privacy commitments. Where a country-specific addendum, informed-consent form, data-transfer document, or engagement document applies to you, that separate document provides the additional terms required for your jurisdiction and engagement.
1. Quick summary
Legal entity (full details): MediConnex HongKong Limited (Traditional Chinese: 四海雲醫香港有限公司). Hong Kong Business Registration Number: 80524054. Company type: Private Company Limited by Shares. Date of incorporation: 2 June 2026. Current status: Live (still registered).
- We are MediConnex HongKong Limited, a Hong Kong company. We are the data controller for personal information you give us in connection with the Services.
- Because medical information is involved, we treat your health data as a sensitive category of personal data and apply stricter handling.
- Your data may need to move across jurisdictions — from you in your country of residence, to MediConnex in Hong Kong, to our appointed Mainland China service operator, and to the Treatment Provider hospital. Cross-border transfer is inherent to the Service you have requested.
- You can ask to see your data, correct it, delete it, or stop us using it. See section 9.
- The Treatment Provider is a separate data controller in respect of your medical care; we are not responsible for how it handles your data once it has it.
- Questions? Email us at info@mediconnex.com.cn for privacy or data-protection enquiries.
2. Who we are
MediConnex HongKong Limited (Business Registration Number 80524054), with its registered office at UNIT 2406B, 24/F, LOW BLOCK, GRAND MILLENNIUM PLAZA, 181 QUEEN'S ROAD CENTRAL, SHEUNG WAN, HONG KONG, Hong Kong SAR, is the data controller of your personal information collected through https://mediconnex.com.cn (the "Website") or in connection with our services (the "Services").
MediConnex complies with the privacy and data-protection laws that apply to our handling of your personal data. For Clients in jurisdictions with additional mandatory privacy requirements, those additional terms are handled through the relevant country-specific addendum, informed-consent form, data-transfer document, or engagement document.
2A. UK ICO Registration
We are registered with the UK Information Commissioner's Office (ICO) as a data controller. Our registration details are:
- ICO Reference Number: C1955381
- Registration Date: 9 June 2026
- ICO Public Register: You can verify our registration at https://ico.org.uk/ESDWebPages/Search by searching our registration number or organisation name.
3. What data we collect
We collect the following categories of personal data:
3.1 Identity and contact data
Name, date of birth, gender, nationality, passport details, address, email, phone number, emergency contact.
3.2 Health and medical data (sensitive)
Medical history, current medications, allergies, prior procedures, diagnostic images (where you provide them), pre-procedure assessments, post-procedure outcomes, and any medical records you choose to share with us so we can assist with your trip.
3.3 Financial data
Billing address, payment confirmation, partial payment card details (last 4 digits and expiry; full card details are handled by our payment processor and are not stored on our systems).
3.4 Coordination data
Clinical-appointment schedules, dietary requirements, interpreter requests, and (where you voluntarily share them so we can sequence our coordination services) your planned arrival and departure dates and the name of your hotel. We do not collect or store your flight booking, hotel reservation or insurance policy details as part of any booking we make on your behalf — we do not make such bookings; any such information is provided by you and held only to schedule our own coordination activities.
3.5 Communications data
Records of communications you have with us (emails, calls, messaging apps, support chat), including date, time, and content.
3.6 Technical and usage data
IP address, device type, browser type, operating system, pages visited, time on page, referral source, cookie identifiers. See our Cookie Policy.
3.7 Marketing preferences data
Your subscription status for newsletters and your channel preferences.
4. How we collect your data
We collect your data: - directly from you, when you fill in a form on the Website, contact us, sign a Concierge Agreement, attend a video consultation, or upload documents to our secure portal; - automatically, when you use the Website (via cookies — see Cookie Policy); - from third parties with your consent, including (where applicable) Treatment Providers (e.g. assessment reports), referring clinicians, your insurer, and your primary care physician.
5. Why we use your data — purpose-based summary
We process your personal data only for the purposes listed below and only for as long as needed for those purposes:
| # | Purpose | Categories of data |
|---|---|---|
| 1 | Responding to enquiries before you become a Client | Identity, contact, communications |
| 2 | Performing the Concierge Agreement (coordinating your clinical visit) | Identity, contact, health, financial, coordination, communications |
| 3 | Sharing your medical information with the Treatment Provider | Identity, contact, health |
| 4 | Processing payments and accounting | Identity, contact, financial |
| 5 | Complying with our legal, regulatory, and tax obligations | All as required |
| 6 | Managing complaints, disputes, and legal claims | All as required |
| 7 | Improving the Website (analytics) | Technical, usage |
| 8 | Direct marketing (newsletters), subject to your consent and your right to opt out | Identity, contact, marketing |
| 9 | Detecting fraud, abuse, or cyber-attack | Technical, identity |
Health data — explicit consent. Because health data is sensitive, we will obtain your explicit written consent before we process health data for purposes 2 and 3 above. You can withdraw this consent at any time by emailing info@mediconnex.com.cn, but please note that without health-data processing we will not be able to deliver the Services.
For Clients in jurisdictions with mandatory data-protection laws that require additional legal-basis disclosures, those disclosures are set out in the relevant country-specific addendum or engagement document.
6. Who we share your data with
6.1 Inside the MediConnex group
- MediConnex HongKong Limited (Hong Kong) — your contracting party and the data controller.
- our appointed Mainland China service operator — appointed by MediConnex as our service operator. Acts as a data processor under a written intra-group data processing agreement requiring substantially equivalent protections.
6.2 Treatment Providers — separate data controllers
The hospital, clinic, or medical professional you choose. The Treatment Provider is a separate, independent data controller in respect of the medical care it provides. We share with the Treatment Provider only what is needed for it to assess and treat you.
Due-diligence statement. When selecting Treatment Providers we work with, we apply reasonable due diligence and only contract with providers that represent to us that they comply with the data-protection laws of the People's Republic of China and, where relevant, internationally recognised hospital data-security standards (such as ISO/IEC 27001 or HIMSS information-security maturity benchmarks). We do not, however, audit, monitor, or guarantee the Treatment Provider's data-handling practices on an ongoing basis, and we make no warranty about the level of protection the Treatment Provider applies. Once the Treatment Provider has your data, its handling is governed by the Treatment Provider's own privacy notice and by the laws of the People's Republic of China. MediConnex is not responsible for, and accepts no liability for, the Treatment Provider's data-handling practices.
6.3 Other recipients
- Payment processors — currently Airwallex. Subject to their own privacy notices.
- Insurers and assistance providers — only where you have separately authorised us in writing to liaise with your insurer on a specific matter, or where we need to make a claim under our own complications-cover policy.
- Professional advisers — lawyers, accountants, auditors.
- Authorities and regulators — where required by law.
- A buyer or investor — if we sell or restructure the business, subject to confidentiality protections.
We do not sell your personal data. We do not share your data with advertising networks for behavioural advertising.
7. International transfers of your data
7.1 Cross-border transfer is inherent to the Service
The Service you have requested is, by its nature, cross-border medical concierge. You acknowledge and accept that providing the Service may require the transfer of your personal data outside your country of residence to Hong Kong, Mainland China, and the Treatment Provider you have chosen. Without such transfers we may not be able to deliver the Service.
Separate informed consent at engagement. Before we begin work involving your health data or medical records, we will ask you to sign a separate written consent form or engagement document in which you specifically acknowledge the countries, recipients, purpose, and sensitive-data categories involved in your engagement.
We will not begin work that requires health-data transfer until the required consent or engagement document has been received.
7.2 Country-specific safeguards
Where the law of your country of residence requires additional privacy notices, legal-basis disclosures, data-transfer terms, representative details, or other safeguards, MediConnex will address those requirements through the relevant country-specific addendum, informed-consent form, data-transfer document, or engagement document. This Privacy Policy is the global baseline and does not by itself list every country-specific mechanism.
7.3 Hong Kong, Mainland China, and Treatment Providers
Data needed for delivering the Service may be shared with our appointed Mainland China service operator and the Treatment Provider. We use reasonable organisational and technical safeguards for transfers, including written data-handling terms with relevant service operators where appropriate, access controls, encryption where practicable, and role-based access limits.
7.4 Mainland China → Treatment Provider
The Mainland Operator shares with the Treatment Provider only the data needed for your medical assessment and treatment. The Treatment Provider is regulated under PRC law. As stated in clause 6.2, the Treatment Provider is a separate, independent data controller; MediConnex's role ends at this hand-off.
7.5 Your acknowledgement of residual risk
You acknowledge that: - legal protections in Hong Kong and Mainland China for personal data may differ from those in your country of residence; - foreign authorities may, in limited circumstances, have access rights under their domestic law; - no transfer mechanism can guarantee that no incident will ever occur; - MediConnex's obligation is to take reasonable steps to protect your data in transit and at rest, applying the safeguards in this clause 7, and not to guarantee any particular outcome.
To the maximum extent permitted by applicable mandatory law, MediConnex's liability for any breach occurring in transit or at the receiving party (the Mainland Operator or the Treatment Provider) is subject to the liability cap in clause 11.3 of the Terms of Use (GBP 3,000 or the concierge fee actually paid, whichever is lower).
7.6 Your rights regarding transfers
You may at any time request: - further information about the safeguards in place; - a copy of any transfer agreement applicable to your jurisdiction (with commercial terms redacted); - to withdraw your consent to specific transfers — please note this may make it impossible for us to deliver the Service.
8. How long we keep your data
We keep your data only as long as we need to for the purposes set out above. Indicative periods:
| Data type | Retention period | Reason |
|---|---|---|
| Enquiry-stage data (you did not become a Client) | 12 months from last contact | Respond if you return |
| Concierge Agreement and related records | 7 years from completion of the Services | Tax law in our jurisdiction of incorporation; possible legal claims |
| Health data shared with us | 7 years from completion of the Services | Limitation period for medical-adjacent claims; you may request earlier deletion subject to overriding legal obligations |
| Marketing data | Until you unsubscribe + 6 months | Audit trail for consent records |
| Website analytics (cookie-based) | See Cookie Policy |
After the retention period we securely delete or anonymise your data.
9. Your rights
You may exercise the following rights by emailing info@mediconnex.com.cn with proof of identity:
- Right of access — get a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure — where the request meets the conditions under applicable law.
- Right to restriction — limit how we use your data while a dispute is resolved.
- Right to portability — receive your data in a structured, machine-readable format.
- Right to object — to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent — for processing relying on consent.
- Right not to be subject to solely automated decision-making — we do not make decisions about you that are based solely on automated processing.
We respond within 30 days of receiving a verified request. There is no fee unless the request is manifestly unfounded or excessive.
Additional or modified rights that apply in your country of residence are set out in the relevant Jurisdiction-Specific Addendum.
Right to lodge a complaint with the UK ICO
If you believe we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: https://ico.org.uk/make-a-complaint/
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
We strongly encourage you to contact us first so we can address your concerns directly, but you may approach the ICO at any time.
10. How we protect your data
We apply organisational and technical security measures appropriate to the risk, including: - TLS 1.2+ in transit; AES-256 at rest for sensitive data; - role-based access; access reviews; staff training; - vendor due diligence and contractual data-protection obligations; - a documented breach response plan.
No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. Our obligation is to take reasonable steps proportionate to the risk.
11. Children
The Services are intended for adults (18+). We do not knowingly process data of children. If you believe we have collected data from a child without proper consent, contact us and we will delete it.
12. Cookies
This policy is supplemented by our Cookie Policy.
13. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email to active Clients where reasonably practicable and highlighted on the Website.
14. Contact us
Privacy and data-protection enquiries: info@mediconnex.com.cn Postal: MediConnex HongKong Limited, UNIT 2406B, 24/F, LOW BLOCK, GRAND MILLENNIUM PLAZA, 181 QUEEN'S ROAD CENTRAL, SHEUNG WAN, HONG KONG, Hong Kong SAR
For country-specific data-protection contacts (such as a UK Representative or an EU Representative), please see the relevant Jurisdiction-Specific Addendum.