GoSlim Data Privacy Policy

Updated: October 15, 2025

We at GoRocky Medical Inc. ("GoRocky") respect your privacy. We are committed to complying with Republic Act No. 10173 otherwise known as the Data Privacy Act of 2012 and its Implementing Rules and Regulations, and other issuances of the National Privacy Commission ("NPC") of the Philippines. GoRocky intends to safeguard this right by ensuring that your information is protected.

This Data Privacy Policy explains how GoRocky and all its departments/units process your information when you use the GoRocky and GoSlim platforms. By sharing your personal information with us, you agree to its processing in accordance with the standards set forth in this Data Privacy Policy. It is intended for public disclosure to customers/patients, employees, vendors, and other Data Subjects. Internal implementing procedures are issued in the companion Privacy Manual.

Definitions

Personal Information

As defined by the Data Privacy Act of 2012, refers to "any information, from which, the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify the individual."

Sensitive Personal Information

As defined by the Data Privacy Act of 2012, it refers to any personal information that is "(1) about an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (2) about an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; (3) issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; or (4) specifically established by an executive order or an act of Congress to be kept classified."

Data subject

As defined by the Data Privacy Act of 2012, refers to an individual whose personal information is processed. GoRocky's data subjects include but are not limited to the following:

  • Customers and Patients – persons who accomplish the GoRocky Assessment Form and avail of GoRocky's services. This term shall likewise include persons who commence with accomplishing the Assessment Form but do not complete the same.
  • Employees – persons who are employed in GoRocky.
  • Doctors – persons who are employed by GoRocky or are engaged on a contractual basis.

Scope and Applicability

This Policy covers all processing of personal data performed by GoRocky and its personnel, whether manually or automated through websites, mobile forms, electronic medical record (EMR) systems, productivity suites (e.g., Google Workspace), and/or paper records. It applies to customers/patients, prospective customers/patients, website users, employees and job applicants, consultants, vendors/suppliers, and visitors captured by CCTV.

Types of Information We Collect

Personal Information

GoRocky assures that all information you provide will be confidential and will be used within the bounds of applicable Philippine laws, rules, and regulations. When a) accomplishing our Assessment Form as a prerequisite to avail of our products and services, and/or b) engaging GoRocky for purposes of employment and/or lawful business transactions, your personal information will be collected, pursuant to Section 12 (a), (b), (c), and (f), to facilitate the necessary assessments by our healthcare providers and the actions by our Operations Team needed to process and fulfill your transaction. The personal information which we will collect from you and process may include:

Data Subjects' personal details including but not limited to:

  • Name
  • Address
  • Occupation
  • Email; and
  • Telephone/mobile number

Sensitive Personal Information

The following shall be classified as sensitive personal information which may be collected by our institution pursuant to Section 13 (a), (b), and (e):

  • Age
  • Current health conditions
  • Past medications
  • Medical History
  • TIN
  • SSS
  • Philhealth
  • HMO

Privileged Information

The following shall be classified as privileged information which may be collected by our institution pursuant to Section 13 (a) and (e):

  • Health Declarations
  • Family Health History
  • Client Orders

Information with Third Parties

When necessary, we may seek to verify information obtained from you with third-party entities, such as government regulators, judicial, supervisory bodies, or other authorities.

Usage and Technical Data

In the course of using our GoRocky and GoSlim platforms, we may collect non-personal information such as your IP address, operating system, and other machine identifiers.

Other Data

Our platforms may utilize cookies to understand how data subjects use the same and improve their experience. Those that are necessary for communication applications such as Viber, Messenger, and the like, may likewise be collected and shall remain confidential and will be subject to the policy laid down in this Policy.

How We Collect Data

  • Directly from you (forms, portals, clinics, email/phone).
  • Automatically via our website/app (cookies, logs).
  • From authorized third parties (e.g., referring physicians, insurers) pursuant to consent, contract, or law.
  • We do not obtain personal data from undisclosed sources.

Use of Information

We may use the information collected for the following purposes:

Identity Verification and Communication

  • Verify identities and address individuals appropriately.
  • Contact data subjects to confirm their purchase of goods or services.
  • Contact data subjects who do not complete the assessment form.
  • Notify designated persons about incidents or emergencies affecting data subjects.
  • Provide communications regarding GoRocky's products, services and health-related information.

Operations, Services and Medical Consultations

  • Approve, facilitate, administer, and process transactions.
  • Provide telehealth services, including consultations, prescriptions, and related healthcare products.
  • Process payments for services and products.
  • Enhance the user experience.
  • Analyze usage trends and improve our services.
  • Respond to inquiries and provide customer support.
  • Provide tailored support addressing customer/patient needs.
  • Provide updates on order tracking via delivery or pick-up.

Health and Safety Management

  • Maintain comprehensive medical records and provide individualized care.
  • Determine health risks of customers/patients and manage medical history for appropriate action.
  • Monitor patient safety and conditions following the use of GoRocky's products or services.

Employment and Personnel Management

  • Identify individuals for employment records and personnel actions including hiring, timekeeping, and performance evaluations.
  • Identify the personnel involved in workplace concerns and issues, allowing for a thorough investigation, resolution, and implementation of appropriate measures to address and prevent future grievances.
  • Track work hours and ensure compliance with labor laws.
  • Process salaries and manage mandatory benefits in accordance with labor laws.

Financial Administration

  • Process transaction records for bookkeeping under tax laws.
  • Collect unpaid balances.

Legal Compliance and Safety

  • Comply with applicable local and international laws.
  • Establish accountability and ensure compliance with safety regulations.
  • Establish proper information security.
  • Monitor incident reports and safeguard the Data Subjects' rights.

Marketing and Promotional Use (should Data Subjects consent to the same)

  • Promote new products, newsletters and services as well as ongoing or future promotions.

You can opt-out of marketing communications at any time by contacting us or through the unsubscribe link in our communications.

Miscellaneous

  • Perform acts in furtherance of GoRocky's obligations with the data subjects.
  • Perform any other legally permitted activities or those with the explicit consent of data subjects.

Data Sharing and Disclosures

Relevant information may be shared with persons/entities outside of our organization in the following instances:

  • With concerned/designated individuals and/or persons in authority to facilitate proper communications with partner doctors and health providers for the provision of safe and effective services;
  • With our trusted third-party service providers who assist us in operating our business, such as IT services, workspace services, and data storage. These providers are contractually obligated to protect your information and use it solely for the services they provide to us;
  • With insurers upon your instruction/consent;
  • With affiliates/partners only where necessary and lawful;
  • With banks for financial administration purposes; and
  • If required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency).

We assure you that internal guidelines will be in place to protect your data. The data we will collect from you will be restricted, and no unauthorized person will be able to see your personal information.

While not legally required, third-party processing may be based on Data Sharing Agreements (DSAs), with security, confidentiality, and breach duties. Cross-border transfers are allowed only if compliant with DPA/IRR requirements and with adequate safeguards and transparency.

Rights of Data Subjects

You shall have the following rights under the law with respect to your personal data:

  • Object to the processing of your personal information;
  • Option to refuse sharing your information with our affiliates or third parties unless such sharing is mandated by law or necessary for legal obligations between you and GoRocky;
  • Access your personal information;
  • Modify/Correct inaccurate personal information;
  • Update your personal information, as necessary;
  • Request for deletion or suppression of your personal information;
  • Limit the personal information shared with GoRocky;
  • Right to receive copies of the personal information stored; and
  • Right to file a data privacy complaint.

To exercise the abovementioned rights, you may reach out to our Data Protection Officer, as listed in this Policy. You will receive an email confirming receipt of your request and a follow-up email with feedback regarding said request.

Storage, Retention and Secure Disposal

Any information collected by GoRocky is primarily stored virtually, utilizing trusted third-party service providers. These third parties are carefully selected and required to adhere to strict data protection standards to ensure the security and confidentiality of your information.

GoRocky ensures that your personal information shall be retained for the period necessary to fulfill the purpose/s for which it was collected and such other purposes that you may have consented to from time to time, or until such time that it is no longer necessary to keep your information for any legal, regulatory, or business reason. Unless a longer statutory period applies, our default schedule includes:

Record Type                                  | Retention Clock                  | Period                                     | Disposal Method
---------------------------------------------|----------------------------------|--------------------------------------------|----------------------------------------------------
Patient clinical records                     | From last encounter              | 10 years                                   | EMR secure purge; paper shredding (when applicable)
Inactive customer accounts (no medical data) | From last activity               | 2 years                                    | Secure deletion/anonymization
CCTV footage                                 | From capture                     | 30 days (longer if incident)               | Overwrite; restricted export if needed
HR/personnel files                           | From separation                  | 5 years (or longer if legally required)    | Secure deletion/shredding
Recruitment records (unsuccessful)           | From application close           | 1 year                                     | Secure deletion
Contracts, billing, tax                      | From transaction/fiscal year-end | 10 years (BIR)                             | Secure deletion/shredding
Access/security logs                         | From log date                    | 1 year (min), 2 years (systems of record)  | Secure deletion

Security Measures

We maintain organizational, physical, and technical measures to ensure confidentiality, integrity, and availability of personal data, aligned with DPA principles and current NPC guidance, including Password Policy and Access Control Policy requirements:

Organizational

  • DPO appointment and NPC registrations/notifications as required.
  • Privacy by design/default in new systems; Privacy Impact Assessments (PIAs) for new or high-risk processing (e.g., EMR, CCTV, AI tools).
  • Access governance: role-based access control (RBAC), least privilege, segregation of duties; no access to patient health data by non-clinical staff (Sales, General Ops, Tech).
  • Implementation of internal policies for data protection.
  • Training & awareness: onboarding and annual refreshers, confidentiality undertakings for all personnel.
  • Processor oversight: due diligence, DSAs, security audits where appropriate.

Physical

Controlled facilities; visitor logs; locked storage for paper records with limited key custody; clean desk policy; secured shredding and media destruction; CCTV in common areas only.

Technical

  • EMR: All patient records are stored in a secure EMR with audit trails, unique user accounts, session timeouts, encryption in transit and at rest, and export controls.
  • Google Workspace hardening (interim and ongoing): domain-restricted sharing, link-sharing disabled by default, DLP rules for health/ID data, 2-factor authentication (2FA/MFA), context-aware access, drive labels, and periodic permission reviews.
  • Identity & access: strong passwords, MFA, periodic rotation; prompt de-provisioning on role change/exit; admin accounts segregated.
  • Endpoint security: device encryption, screen-lock, anti-malware/EDR, auto-patching; MDM for corporate and BYOD.
  • Network security: firewalling, secure configs, TLS, restricted ports, no public data buckets; logging and monitoring of privileged actions.
  • Backups & recovery: encrypted, versioned backups; periodic restore tests; separate from production to prevent ransomware impact.
  • Vulnerability & change management: regular patching; change approvals; periodic penetration tests or vulnerability scans; remediation tracking.

Online Services, Cookies, and Tracking

We use strictly necessary cookies for site functionality and optional analytics with consent, where applicable. The cookie banner links to our detailed Cookie Notice and offers opt-out controls.

We may use third-party analytics services (e.g., Google Analytics) to monitor and analyze the use of the Service. These services may collect information such as your device, browser type, and browsing patterns.

CCTV Policy (NPC Circular 2024-02; Legitimate Interests)

The use of CCTV Systems shall be limited to the common areas (e.g., reception, entrances, hallways, storage) for security and protection of employees and GoRocky's records. No CCTV Systems shall be allowed to operate in areas where individuals may reasonably expect privacy such as restrooms, and exam/consult rooms. Data derived from the use of CCTV Systems shall only be retained by GoRocky for a period not exceeding 30 days, unless otherwise necessary for any valid legal purpose.

International Transfers

Your information may be stored and processed in the Philippines or other countries where we or our service providers operate. By using the services within our platform, you consent to the transfer of your data to these locations. Where data is transferred outside the Philippines, we use lawful mechanisms and safeguards (e.g., contracts ensuring adequate protection).

Changes to This Policy

We may update this Policy to reflect legal, technical, or operational changes. Material changes will be communicated through our website/app or email notices. The version and effective date appear at the top of this document.

Contact

You may contact us for any questions or comments about this Data Privacy Policy. For any requests, queries, and clarifications, or exercise of your rights pertaining to your personal information, the contact details of our Data Protection Officer are as follows:

DATA PROTECTION OFFICER