Privacy Policy
1. Who we are
This Privacy Policy describes how PhlebCare (“we,” “us,” “our”) collects, uses, shares, and protects personal data when you use the PhlebCare mobile application, related websites (including phlebcare.com), and associated services (collectively, the “Service”). The Service is operated in connection with the coordination of home phlebotomy and related medical testing services.
Important: This Policy is designed to be transparent about our practices. It is not legal advice. If you have questions about your specific situation, consult a qualified professional.
2. Scope
This Policy applies to personal data we process as a controller in operating the Service. Where we process data strictly on behalf of another organization (for example, as a processor), additional terms may apply between that organization and you.
The Service is intended for users in Lebanon and may be available in other regions. If you use the Service from outside Lebanon, you understand that your information may be transferred to and processed in Lebanon and in other countries where our service providers operate (see Section 7).
3. Categories of personal data we collect
Depending on how you use the Service, we may collect:
3.1 Account and authentication data
- Identifiers and credentials processed through our authentication provider (for example email address, account identifiers, and security-related tokens).
- Profile information you provide, such as name, phone number, and email.
3.2 Health and booking-related profile data
- Demographic and health-related fields you choose to provide during onboarding or profile updates, which may include date of birth, gender, blood type, height, weight, allergies, medical conditions, medications, and similar items.
- Insurance-related fields if you provide them (for example insurer name and policy identifiers).
- Saved addresses used for scheduling, and optional latitude/longitude coordinates associated with an address when you pin or confirm a location in the app.
3.3 Booking and service data
- Appointment details such as selected service or panel type, requested date and time, status, notes you add, and pricing or payment-related fields presented in the app (for example payment method type such as cash or card and payment status, where applicable).
- Information about third parties for whom you book, where the feature is available (for example name, contact details, and address for a recipient profile).
3.4 Documents and files
- Files you upload, which may include insurance documents, prescriptions, test-related documents, or other materials permitted by the Service. Metadata may include file names, sizes, MIME types, and storage references.
3.5 Location data
- Service addresses and map-related coordinates you provide or confirm.
- Where enabled for active visits, time-stamped location points (for example latitude, longitude, and related telemetry such as accuracy, heading, or speed) to support routing, arrival, or tracking features tied to a booking.
3.6 Messaging and AI assistant
- Messages in booking-scoped chat threads between patients and assigned professionals, including message content and timestamps.
- Messages you exchange with the optional in-app AI assistant, which are processed by our servers and transmitted to our AI inference provider to generate responses. AI conversations may be subject to rate limits.
3.7 Notifications
- Device push tokens and platform identifiers used to deliver notifications through our push provider.
- In-app notification preferences you set (for example operational updates versus product announcements), where available.
3.8 Technical and operational data
- Standard device and connection data collected by our hosting and application infrastructure (for example IP address, user agent, approximate region derived from network data, timestamps, and diagnostic logs) for security, reliability, and abuse prevention.
4. How we use personal data
We use personal data to:
- Create and maintain accounts and authenticate users.
- Facilitate booking, assignment, routing, and completion of services.
- Display maps, addresses, and optional live location features where enabled.
- Exchange operational messages between patients and assigned professionals in connection with bookings.
- Deliver transactional and operational push notifications (for example booking status, chat, or assignment events), consistent with your settings.
- Operate the optional AI assistant feature (general information only; not a substitute for professional medical advice).
- Operate organization-facing tools for authorized staff (for example scheduling, oversight, and document workflows where applicable).
- Maintain security, prevent fraud and abuse, debug, and improve performance and reliability.
- Comply with legal obligations and respond to lawful requests.
We do not sell your personal data in the conventional sense of selling lists to advertisers. If we introduce analytics or marketing uses beyond what is described here, we will update this Policy and obtain consent where required.
5. Legal bases (Lebanon and general)
Where a specific “legal basis” framework applies, we rely on one or more of the following: performance of a contract with you; your consent (for example optional communications or certain sensitive fields where we ask for it); our legitimate interests in operating, securing, and improving the Service (balanced against your rights); and compliance with legal obligations. Emergency health situations should be directed to local emergency services—not to the Service.
6. Sharing and processors
We share personal data with personnel and systems that need it to provide the Service (for example assigned phlebotomists and authorized organization users). We also use service providers (“processors”) who process data on our behalf under contractual safeguards. Depending on configuration, categories of processors include:
- Cloud backend and database: Supabase (or equivalent) for authentication, database storage, file storage, serverless functions, and related APIs.
- Push notifications: Google Firebase Cloud Messaging (FCM) or similar, for delivering device notifications.
- Maps: Mapbox (or similar) for map display and location UI components.
- Geocoding / address search: OpenStreetMap-based services such as Nominatim (or similar providers) for address lookup and autocomplete where implemented.
- AI inference: Groq (or similar) for generating responses in the optional AI assistant feature; prompts are sent to the provider over encrypted connections for processing.
We may also share information if required by law, to protect rights and safety, or in connection with a merger, acquisition, or asset sale, subject to confidentiality obligations where feasible.
7. International transfers
Our service providers may process data in the European Economic Area, the United States, Lebanon, and other regions. Where transfers occur across borders, we implement appropriate safeguards consistent with applicable law (for example contractual clauses and vendor security reviews) and limit access to what is necessary.
8. Retention
We retain personal data only as long as necessary for the purposes described in this Policy, including legal, accounting, and dispute resolution needs. Retention periods vary by data type (for example account data for the life of the account plus a grace period; booking records for operational and regulatory needs; logs for shorter periods). We may anonymize or aggregate data for analytics where possible.
9. Security
We implement technical and organizational measures appropriate to the risk, including access controls, encryption in transit for network communications, and separation of duties where feasible. No method of transmission or storage is completely secure; you use the Service at your own risk except where liability cannot be limited by law.
10. Your rights and choices
Subject to applicable law, you may have rights to access, correct, delete, or restrict processing of your personal data, and to object to certain processing. You may also have the right to lodge a complaint with a supervisory authority where one exists.
You can manage some information directly in the app (profile, documents, notification preferences, and device permissions). For other requests, contact us using the email below. We may need to verify your identity before fulfilling requests.
If you disable push notifications or location permissions, certain features may not function as intended.
11. Children
The Service is not directed to children under the age required by applicable law (typically under 13, or higher where local law requires). We do not knowingly collect personal data from children without appropriate parental authority. If you believe we have collected data from a child without proper authority, contact us and we will take appropriate steps.
12. Cookies and similar technologies (web)
If you use our websites, we may use cookies or similar technologies that are strictly necessary for operation, security, and basic analytics. You can control cookies through your browser settings.
13. Changes to this Policy
We may update this Policy from time to time. We will post the revised version on this page and update the “Last updated” date. Where required by law, we will provide additional notice (for example in-app). Continued use after the effective date constitutes acceptance of the updated Policy, except where your express consent is required.
14. Contact
For privacy requests or questions about this Policy, contact privacy@phlebcare.com.
Data controller: PhlebCare (operator of the Service). Correspondence address may be provided upon verified request for legal or regulatory purposes.