Privacy Policy

Overview

This Privacy Policy applies to anyone whose Personal Data is provided to us. It sets out how and why we collect, store, use and share your Personal Data. It also tells you about your privacy rights and how the law protects you. It tells you how you can contact us if you have any suggestions, questions or concerns about how we handle your Personal Data. 

“We” or “us” means MDBX (MDBX). More information about MDBX can be found on our website at mdbx.health.

MDBX will usually be the Controller in relation to the Processing of your Personal Data. We may sometimes Process Personal Data as a joint Controller, for example where we make joint decisions about Processing Personal Data with other Controllers. Where this happens we will, if necessary, notify or redirect you to the other Controller, in relation to exercising your individual rights.

Certain terms used in this Privacy Policy are explained in the Glossary. To make it easier to read, we may still use or define terms that are defined in the Glossary in full, in the body of this Privacy Policy as well.

The Data Protection Regulations 2021 (DP Regulations) apply to how we approach data privacy. In certain circumstances, other laws may apply to Personal Data we Process. 

Contents 

  1. How we collect Personal Data

  2. What personal information we collect

  3. Ways we use your Personal Data 

    • General

  4. Lawful basis for collection and Processing of Personal Data 

  5. Sharing Personal Data

  6. Where we store your Personal Data 

  7. Data Security 

  8. Data retention 

  9. Cookies & Third-Party Websites

  10. Your rights 

  11. Our Data Protection Officer and how you can contact us

  12. Changes to our Privacy Policy 

  13. Glossary

How we collect Personal Data

We collect Personal Data from individuals (yourself, directly) or your authorised representatives. There are several ways in which we collect this data, including through:

  1. Email and telephone contact with us;

  2. Web-based conference or video calls with us;

  3. Use of our website, including applications, surveys, online forms and systems available on our website; 

  4. Use of our mobile application;

  5. Correspondence and other documents (hand delivered or sent to us by post or courier);

  6. Engagement with governments, regulators, official bodies, authorities and organisations;

  7. Subscriptions (for example, alerts, media releases, consultation papers, discussion papers, publications).

In some circumstances we may collect Personal Data about individuals from third parties in the course of:

  1. Carrying out our supervisory oversight or investigative functions and activities;

  2. Carrying out our authorisation, registration and other statutory functions;

  3. Receiving information from or co-operating with other governmental, regulatory or law enforcement agencies or public bodies.

Where we collect your Personal Data from third parties, we do so on the legal bases set out in sections 3 and 4 of this Policy. 

What personal information we collect

The Personal Data that we collect depends on how or why you are interacting with us, what services we are providing, or what functions we are carrying out. 

In many cases it will be mandatory for you to provide Personal Data to MDBX to enable us to provide services and/or to fulfil our statutory functions. If you do not provide us with the requested Personal Data in these instances, we will not be able to provide you with the relevant services. 

The types of personal information we may collect include:

  • Names,  and contact details such as current and previous email addresses, postal addresses, residential addresses, phone numbers and other contact information; 

  • Nationality, residency, date and place of birth, passport numbers and other information available on copies of identification documents such as passports and ID cards;

  • Records of correspondence;

  • Health information;

  • Device information such as your IP address as well as browsing history; 

  • Data about health, DNA, medical records, FitBit, and similar apps, data held by a hospital or doctor, and other similar data;

  • Passwords, password hints, and similar security information used for authentication and account access;

  • Geo-Location Information from your mobile device, either continuously or while you are using our mobile application, to provide location-based services. If you wish to change our access or permissions, you may do so in your device’s settings;

  • Special Categories of Personal Data such as health information, where permitted. 

Minors (i.e. individuals under the age of 18) should not provide us with their Personal Data – it should be provided via their parent or guardian. Where we receive Personal Data relating to a minor, we will assume it has been appropriately provided.

All personal information that you provide to us must be true, complete and accurate, and you must notify us of any changes to such personal information.

Ways we use your Personal Data 

Some of the ways we may use your Personal Data are set out below. 

General

Website and Application Use

We may use Personal Data which you provide to us or we collect from you to maintain and improve our website and application services as well as to develop new features to improve customer experience and support, authenticate users and send administrative messages. We may conduct data analysis, testing, and research and to monitor and analyse usage and activity trends. 

We may use Personal Data to facilitate account creation and enable the logon process. If you choose to link your account with us to a third party account (such as your Google or Facebook account), we use the information you allowed us to collect from those third parties to facilitate account creation and logon process for the performance of the contract.

Communications and Events

When you sign up with us to receive news or information relating to an event or updates to our website(s) (for example: alerts, media releases, discussion papers and publications), we will collect and Process your Personal Data to use in providing that news or information service to you. If you would like to withdraw your consent to receiving these communications, you can contact us at any time. 

We may also use Personal Data to respond to user inquiries/offer support to users. We may use your information to respond to your inquiries and solve any potential issues you might have with the use of our Services.

Recruitment

As part of any recruitment Process we will collect and Process the Personal Data of candidates at various stages. This includes personal details, family details, resume information and interview records. The legal basis for Processing this Personal Data is our legitimate interest in screening and evaluating candidates to work at MDBX, as well as for the purposes of entering into a contract prospectively in due course. Information collected as part of the recruitment Process will be shared with external parties on a ‘need to know’ basis – which includes but is not limited to governmental national security agencies for obtaining security clearances; immigration department for Processing visas; and medical entities conducting medical checks on prospective staff.

Complaints

We collect Personal Data for the purposes of receiving and assessing complaints made against us. We have in place procedures to receive, assess and seek to resolve any formal complaints made in respect of the actions of MDBX, or any of our employees in a regulatory matter. While we try to minimise the Personal Data that we collect and Process for this purpose, we are often required to collect a wide range of information to consider and investigate complaints we receive. That information will include Personal Data relating to the complainant and will often include Personal Data of third parties, such as other individuals involved in the matters giving rise to the complaint. Where you make a complaint to us regarding one of our employees, it may be necessary for the person handling the complaint to contact the employee in question. Although we do not explicitly ask for Special Categories of Personal Data in our complaints form, it is possible that such information may be included in the details of the complaint by the complainant.

Lawful basis for collection and Processing of Personal Data 

We collect Personal Data only where it is relevant to and necessary for specified, explicit and legitimate purposes determined at the time of collection. 

Generally, we Process Personal Data on one or more of the following grounds set out in Section 5 of the DP Regulations:

  1. Consent;

    1. This legal basis applies where you have given consent to the processing of your personal data for one or more specific purposes.

  2. Legitimate interests;

    1. We may process your data when it is reasonably necessary to achieve our legitimate business interests.

  3. Performance of a Contract;

    1. Where we have entered into a contract with you, we may process your personal information to fulfil the terms of our contract.

  4. Special categories of personal data, as MDBX is processing Personal Data of a health nature (age, medication, diagnoses etc.). The lawful bases from Section 5 of the DP Regulations are:

    1. Explicit consent, where you have given consent to the processing of your personal data for one or more specific purposes;

    2. Health purposes, including the following:

      1. preventative or occupational medicine;

      2. the provision of health care or treatment;

      3. the management of health care systems or services.

The DP Regulations identify certain Personal Data Processing which leads to a high risk to the rights and freedoms of individuals by virtue of the nature, scope, context and purposes of the Processing of your Personal Data and imposes specific requirements concerning such activities. We do not ordinarily undertake any of the high-risk Processing activities as described in the DP Regulations.

Sharing Personal Data

We only share information with your consent, to comply with laws, to provide you with services, to protect your rights, or to fulfil business obligations.

We may also share your Personal Data with our subsidiaries for internal reasons, primarily for business and operational purposes. 

We may share your Personal Data with any other person if we notify you and obtain your consent to the disclosure.

Where we store your Personal Data 

The Personal Data that we collect from you may be securely transferred to and securely stored on our databases, located on our secure servers both in AWS (Amazon Web Services) and in backup locations in the United Arab Emirates. 

Data Security 

We store Personal Data in electronic, digital and paper format. We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only Process your Personal Data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected or actual Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. Where a direct communication to you will involve disproportionate effort, we may instead inform you via a public communication or other similar measures that are equally effective. 

Unfortunately, no data transmission over the internet can be guaranteed to be 100% secure. Therefore, MDBX cannot guarantee the security of any Personal Data you transmit to us over the internet, and you do so at your own risk. 

If at any point you suspect or become aware of a security incident (e.g. you receive a suspicious communication from someone holding themselves out to be our employee or from a unauthorised website claiming to be affiliated with us), please forward the communication to us or report the incident by email to it@mdbx.health as soon as possible. 

Data retention 

We Process Personal Data for such periods as is necessary to fulfil our statutory functions and for the purposes set out in this Policy, unless a longer period for the retention of Personal Data is required by law. 

We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

The Registration Authority and FSRA retain all records of companies for as long as the company is registered. Records of dissolved companies are currently retained for the duration of time that the relevant information is required for legal and statutory purposes, including personal information related to company directors and officers.  

Personal Data Processed based on consent will be retained for the period specified in the consent, or where not specified, until you withdraw your consent. 

Cookies & Third-Party Websites

Our website uses cookies. A cookie is a small piece of data that a website stores on a visitor’s computer or mobile device. 

Our website may from time to time contain links to and from other websites. This includes websites owned or controlled by independent parties not controlled or authorised by MDBX. If you follow a link to any of these websites, please note that these websites have their own privacy policy, data collection practices and security measures and we do not accept any responsibility or liability for these policies. Please ensure you check these policies before submitting any Personal Data. If you decide to access linked third-party websites, you do so at our own risk. 

Your rights 

Under the DP Regulations you have the following rights as an individual which you can exercise in relation to the Personal Data we hold about you. 

RightWhat does this mean?
The right to object to processingYou have the right to object to certain types of processing, including processing for direct marketing (i.e. if you no longer want to be contacted with potential opportunities).
The right to be informedYou have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we’re providing you with the information in this Policy.
The right of accessYou have the right to obtain access to your information (if we’re processing it), and certain other information (similar to that provided in this Policy). This is so you’re aware and can check that we’re using your information in accordance with applicable law.
The right to rectificationYou are entitled to have your information corrected if it’s inaccurate or incomplete.
The right to erasureThis is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information where there’s no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions.
The right to restrict processingYou have rights to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for no further use of their information to be ‘blocked’ to make sure the restriction is respected in future.
The right to data portabilityYou have rights to obtain and reuse your personal information for your own purposes across different services. For example, if you decide to switch to a new provider, this enables you to move, copy or transfer your information easily between our IT systems and theirs safely and securely, without affecting its usability.
The right to lodge a complaintYou have the right to lodge a complaint about the way we handle or process your personal information with the ADGM Commissioner of Data Protection.
The right to withdraw consentIf you have given your consent to anything we do with your personal information, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your personal information with your consent up to that point is unlawful). This includes your right to withdraw consent to us using your personal information for marketing purposes.

If you wish to exercise any of the rights set out above, please contact it@mdbx.health

Note: your right of access can be exercised in accordance with DP Regulations and other applicable laws. There are circumstances where we may not be able to comply with your request, such as where we have a legal duty to retain Personal Data, or where access to Personal Data would prejudice the proper function of MDBX’s statutory duties.

Our Data Protection Officer and how you can contact us

We have appointed a Data Protection Officer (DPO) who oversees data privacy and data protection compliance across MDBX and informs and advises us on our data protection obligations. The DPO acts as our contact point with the MDBX Office of Data Protection. 

If you have any questions or requests or wish to make a complaint, you can let us know by email to it@mdbx.health, or contact us for a mailing address. 

If you want to file a complaint with or contact the data protection officer at MDBX, you may do so by email to it@mdbx.health.

Changes to our Privacy Policy 

MDBX may amend this Policy from time to time to meet changes in the regulatory environment, business needs, or to satisfy the needs of our customers and service providers. Any changes we make to this Policy will be posted on our website and date stamped so that you are always aware of the latest update. You should check this page from time to time to ensure you are happy with any changes. 

Glossary

This glossary sets out various terms we use in the Policy and what they mean. It doesn’t matter if we use them capitalised or not.

MDBXMeans MDBX (Med Box).
ControllerIs defined in the DP Regulations. At the date of and in the context of this Privacy Policy, it means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Data SubjectIs defined in the DP Regulations. At the date of this Privacy Policy, it means an identified or identifiable living natural person.
DP RegulationsMeans the ADGM’s Data Protection Regulations 2021, as amended from time to time. You can find these here
FSRAMeans the Financial Services Regulatory Authority.
Personal DataIs defined in the DP Regulations. At the date of this Privacy Policy, it means any information relating to a Data Subject.
Process or Processing Is defined in the DP Regulations. At the date of this Privacy Policy, it broadly means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, such as collection, recording, storage, use, disclosure or destruction.
RAMeans the Registration Authority.
Special Categories of Personal DataIs defined in the DP Regulations. At the date of this Privacy Policy, it means (a) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs; (b) Genetic Data, Biometric Data for the purpose of uniquely identifying a natural person, Data Concerning Health or data concerning a natural person’s sex life or sexual orientation; and (c) Personal Data relating to criminal convictions and offences or related security measures.
“We” or “us”Means MDBX.