1. BACKGROUND

Republic Act No. 10173 entitled “An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes”, or simply, Data Privacy Act of 2012 (“DPA”), is the law that gives form to the declared policy of the State to protect the fundamental human right of privacy and communication. Specifically, it aims to protect personal data in information and communications systems both in the government and the private sector by providing guidelines and measures to ensure that entities or organizations processing personal data establish policies, and implement measures and procedures that guarantee the safety and security of personal data under their control or custody, thereby upholding an individual’s data privacy rights.

Under the DPA, a personal information controller (“PIC”) or personal information processor (“PIP”) is instructed to implement reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

To inform its personnel of such measures, each PIC or PIP is expected to produce a Privacy Manual (“Manual”). The Manual serves as a guide or handbook for ensuring the compliance of an organization or entity with the DPA, its Implementing Rules and Regulations (“IRR”), and other relevant issuances of the National Privacy Commission (“NPC”). It also encapsulates the privacy and data protection protocols that need to be observed and carried out within the organization for specific circumstances (e.g., from collection to destruction), directed toward the fulfillment and realization of the rights of data subjects.

  1. INTRODUCTION

This Manual is hereby adopted in compliance with the DPA, its IRR, and other relevant policies, including issuances of the NPC.

NEITIVITI STUDIOS INC. (“Neitiviti”) respects and values your data privacy rights, and makes sure that all personal data collected from you, our clients and customers, are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.

This Manual shall inform you of our data protection and security measures, and may serve as your guide in exercising your rights under the DPA.

  1. DEFINITION OF TERMS

The DPA and its IRR define the following terms:

  • Consent of the Data Subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so.
  • Data Subject refers to an individual whose personal, sensitive personal, or privileged information is processed.
  • Data processing systems refers to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing.
  • Data Sharing refers to the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor. In the case of the latter, such disclosure or transfer must have been upon the instructions of the personal information controller concerned. The term excludes outsourcing, or the disclosure or transfer of personal data by a personal information controller to a personal information processor.
  • Personal Data refers to all types of personal information.
  • Personal data breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
  • Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
  • Personal information controller refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The term excludes:
    1. A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
    2. A natural person who processes personal data in connection with his or her personal, family, or household affairs.

There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing.

  • Personal information processor refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.
  • Processing refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system;
  • Profiling refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
  • Privileged information refers to any and all forms of data, which, under the Rules of Court and other pertinent laws constitute privileged communication;
  • Public authority refers to any government entity created by the Constitution or law, and vested with law enforcement or regulatory authority and functions;
  • Security incident is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result to a personal data breach, if not for safeguards that have been put in place;
  • Sensitive personal information refers to personal information:
    1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
    2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
    3. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
    4. Specifically established by an executive order or an act of Congress to be kept classified.

For the purposes of this Manual, reference to the singular form of any of the above-defined terms shall be construed to include the plural and vice-versa, unless the context otherwise requires. Pronouns in masculine, feminine, and neutral genders shall be construed to include any other gender.

  1. SCOPE AND LIMITATIONS

This Manual applies to all Data Subjects: all registered users of ELENA, Your Clinic Assistant (“ELENA”).

This Manual applies to all personal information of the Data Subjects collected and processed by Neitiviti, such as, but not limited to: name, address, email address, contact number, date of birth, gender, civil status, health record including blood type and health insurance number, etc.

This Manual is essentially an internal issuance of Neitiviti. It applies to all officers, employees and personnel of Neitiviti, whether regular, contractual or project-based, who are involved in personal information processing. All personnel of Neitiviti, regardless of the type of employment or contractual arrangement, are enjoined to comply with the terms laid down in this Manual.

  • PROCESSING PERSONAL DATA

Under all circumstances, Neitiviti must respect the Rights of the Data Subjects and observe compliance with this Section, among others, in processing the Personal Data of Data Subjects.

  1. Collection
  1. Conditions

Neitiviti shall only collect and process the Personal Data of a Data Subject upon concurrence of the following conditions:

  1. Prior to collection, or as soon as practicable, NEITIVITI shall have informed the Data Subject of the following:
    1. the specific purpose for the collection and Processing of Personal Data;
    2. the extent of Processing of Personal Data; and
    3. the Rights of the Data Subject; and
  2. Neitiviti shall have obtained the Consent of the Data Subject to whom the Personal Data relates, unless collection and Processing of the Personal Data is:
    1. pursuant to law and/or government issuances;
    2. necessary to perform a contract to which the Data Subject is a party, or to take steps prior to entering into a contract;
    3. necessary to protect the interest of the Data Subject;
    4. necessary to perform a task in the interest of the public or in the exercise of official authority vested upon NEITIVITI; or
    5. necessary to protect the lawful rights and interests of NEITIVITI in court proceedings, or to establish, exercise, or defend a legal claim.

  • Personal Data collected

Some of the information we collect from you thru ELENA are:

  1. user name and password;
  2. complete name;
  3. address;
  4. email address;
  5. telephone or mobile number;
  6. gender;
  7. work details for doctors such as hospital, specialization, and license;
  8. health record, including health insurance company, health insurance number, blood type, height and weight;
  9. any other personal information that you voluntarily provide the platform.

  • Mode of Collection

The Personal Data enumerated in the preceding paragraph may be collected by ELENA when the Data Subject performs the following:

  1. Access any of the ELENA digital platforms;
  2. Register an ELENA account;
  3. Fill out ELENA forms; and
  4. Avail of other activities, services, features or resources Neitiviti makes available on any of the ELENA digital platforms, if applicable.

Personal identification information shall only be collected if the information is voluntarily submitted by the Data Subject. The Data Subject can always refuse to supply personal identification information, but this may prevent him from accessing ELENA.

  • Privacy Notice

Information on collection and Processing of Personal Data of the Data Subject shall be relayed to the Data Subject through a Privacy Notice, which shall substantially be in the form/s prescribed in Annex “A.”

  • Consent

The Consent of the Data Subject shall be evidenced by written, electronic, or any other recorded means. Consent may also be given on behalf of a Data Subject by a lawful representative or an agent specifically authorized by the Data Subject to do so.

  • Use

The Use of the Personal Data shall only be for the purpose/s specified and declared to the Data Subject for the purpose of carrying out the business of operations of Neitiviti, and shall include, among others, the following:

  1. for documentation and management of user records of ELENA;
  2. for business transactions and billings;
  3. for the Data Subject, to have access to ELENA; and/or
  4. for the maintenance of safety and security of the Data Subject.

Neitiviti may also use and process the Personal Data of Data Subjects for government regulatory compliance, company disclosures, and reportorial requirements, and pursuant to a lawful order of any court or tribunal.

  • Storage and Retention and Disposal

Neitiviti shall ensure that Personal Data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. Neitiviti implements appropriate security measures in storing collected Personal Data, depending on the nature of the information.

All information gathered shall not be retained after the lapse of the retention period provided by law, applicable rules or regulations, or as determined by Neitiviti.

  • Access

Due to the sensitive and confidential nature of the Personal Data under the custody of Neitiviti, only the Data Subjects and the authorized representative of Neitiviti shall be allowed to access such Personal Data, for any purpose, except for those contrary to law, public policy, public order or morals.

Data Subjects are likewise enjoined to keep their password and other credentials completely confidential to reduce the risk of user accounts being compromised.

  • Disclosure and Sharing

All employees and personnel of Neitiviti shall maintain the confidentiality and secrecy of all Personal Data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal Data under the custody of Neitiviti shall be disclosed only as permitted by applicable law, pursuant to a lawful purpose as set forth in the Terms of Use and Privacy Policy of ELENA, and to authorized recipients of such data.

  • SECURITY MEASURES

As a PIC, NEITIVITI implements reasonable and appropriate physical, technical and organizational measures for the protection of Personal Data. NEITIVITI’s security measures aim to maintain the availability, integrity and confidentiality of Personal Data and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

  1. Organization Security Measures
  1. Data Protection Officer and his Functions

The Data Protection Officer (“DPO”) appointed by the Board of Directors of NEITIVITI monitors NEITIVITI’s compliance with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure. The DPO likewise informs and cultivates awareness on privacy and data protection within NEITIVITI, including all relevant laws, rules and regulations, and issuances of the NPC.

  • Conduct of trainings, recording and documentations of compliance

NEITIVITI shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of Personal Data, the management, through the DPO, shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.

NEITIVITI will keep a recording and documentation of activities carried out by the DPO, or activities carried within ELENA, to ensure compliance with the DPA, its IRR and other relevant policies or issuances of the NPC.

  • Conduct of Privacy Impact Assessment

NEITIVITI shall conduct a Privacy Impact Assessment relative to all activities, projects and systems involving the processing of Personal Data. It may choose to outsource the conduct of a Privacy Impact Assessment to a third party.

  • Duty of Confidentiality


All employees and officers of NEITIVITI shall be required to sign a confidentiality and non-disclosure agreement, which may be incorporated in their respective employment or engagement contracts, as the case may be. All NEITIVITI employees and officers with access to Personal Data shall operate and hold Personal Data under strict confidentiality if the same is not intended for public disclosure, or unless such disclosure is required under the applicable laws, rules and regulations, or with the consent of the Data Subject. This obligation shall apply even after the employee or officer has left NEITIVITI for whatever reason/s. Alternatively, a separate Non-Disclosure Agreement may be executed by NEITIVITI to protect confidential information given to an employee or any other party.

  • Review of Privacy Manual

This Manual shall be reviewed and evaluated periodically. Privacy and security policies and practices within NEITIVITI shall be updated to remain consistent with current data privacy best practices.

  • Physical Security Measures
  1. Format of data to be collected


Personal Data in the custody of NEITIVITI may be in digital/electronic format and paper-based/physical format.

  • Storage type and location

All Personal Data being processed by NEITIVITI thru ELENA shall be stored in a secure facility, whether virtual or physical. Papers or physical documents bearing Personal Data shall be kept in locked filing cabinets, access keys to which shall be entrusted only to authorized personnel. Digital or electronic documents containing Personal Data shall be stored in computers, portable disks, and other devices provided and installed by NEITIVITI, provided, that the document or the device where it is stored is either encrypted with the most appropriate encryption standard or protected by passwords or passcodes.

  • Access

Only authorized personnel may access the Personal Data stored by NEITIVITI or ELENA, subject to the rules prescribed on access in Section IV, Paragraph E.

  • Monitoring and Limitations of Access

Access to Personal Data by all authorized personnel and employees whose requests to access Personal Data were approved shall be monitored by the DPO. All authorized personnel or employees who seek to access the stored Personal Data must fill out and register access details in a logbook, which shall indicate, among others, the date, time, duration and purpose of each access.

  • Design of office space

For purposes of ensuring privacy and security of Personal Data, the computers used by NEITIVITI personnel are positioned with considerable spaces between them to maintain privacy and protect NEITIVITI processing of Personal Data. A nightly closing protocol requires employees and officials of NEITIVITI to log out of all computers.

  • Persons involved in processing, and their duties and responsibilities

Persons involved in processing of Personal Data shall always maintain confidentiality, security, and integrity of Personal Data. They are not allowed to bring their own gadgets or storage device of any form when entering the data storage room. Moreover, all employees and officers of NEITIVITI with access to Personal Data shall operate and hold Personal Data under strict confidentiality if the same is not intended for public disclosure or unless such disclosure is required under the applicable laws, rules and regulations.

  • Modes of transfer of Personal Data within NEITIVITI, or to third parties

Transfer of personal data via electronic mail shall use a secure e-mail facility with encryption of the data, including any or all attachments. Facsimile technology shall not be used for transmitting documents containing Personal Data, unless with the consent of the Data Subjects concerned.

  • Retention and disposal procedure

NEITIVITI shall retain the Personal Data for a period allowed by law, rules and regulations. Upon expiration of such period, all physical and electronic copies of the Personal Data shall be destroyed and disposed of using secure technology.

  • Technical Security Measures
  1. Monitoring for security breaches

NEITIVITI may use an intrusion detection system to monitor security breaches and alert NEITIVITI of any attempt to interrupt or disturb the system. NEITIVITI installs anti-virus software on computers and laptops that regularly access the internet and uses firewalls and antivirus/anti-spyware software to protect systems that are accessible from the internet. Systems that are exposed to the internet, such as web servers and their software or servers supporting sensitive applications, have unnecessary services and applications removed or disabled and are configured with proper user authentication. NEITIVITI regularly reads the firewall logs to monitor security breaches or any unauthorized attempt to access the network of NEITIVITI.

  • Security features of the software/s and application/s used

NEITIVITI shall review and evaluate software applications before the installation thereof in computers and devices of NEITIVITI to ensure the compatibility of security features with overall operations of ELENA and to ensure privacy protection of Personal Data stored in said computers and devices.

  • Process for regularly testing, assessment and evaluation of effectiveness of security measures

NEITIVITI shall review security policies, conduct vulnerability assessments and perform penetration testing within NEITIVITI on regular schedule to be prescribed by the DPO.

If the use of any software application is found to be a security risk such that it may disturb or interrupt the normal operations of ELENA or NEITIVITI, the DPO shall notify the end users of such risk and the software application shall immediately be uninstalled.

  • Encryption, authentication process, and other technical security measures that control and limit access to personal data

Any NEITIVITI employee or officer with access to Personal Data shall verify his identity using a secure encrypted link and multi-level authentication. NEITIVITI shall also use such other technical security measures to keep its security software tools updated.

  • BREACH AND SECURITY INCIDENTS
  1. Creation of a Data Breach Response Team

A Data Breach Response Team, consisting of three (3) officers of NEITIVITI, shall be constituted, which shall be responsible for ensuring immediate action in the event of a Security Incident or Personal Data Breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.

The DPO shall lead the Data Breach Response Team.

  • Measures to prevent and minimize occurrence of breach and security incidents

The Data Breach Response Team shall periodically conduct a Privacy Impact Assessment to identify risks in the processing system, monitor for security breaches, and conduct vulnerability scanning of computer networks. The team shall likewise periodically review the existing policies and procedures of NEITIVITI with regard to data privacy, including this Manual and its implementation.

  • Procedure for recovery and restoration of personal data

NEITIVITI shall always maintain a backup file for all Personal Data under its custody. In the event of a security incident or data breach, it shall always compare the backup file with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.

  • Notification protocol

The Head of the Data Breach Response Team shall inform the management of the need to notify the NPC and the Data Subjects affected by the incident or breach within the period prescribed by law. Management may decide to delegate the actual notification to the head of the Data Breach Response Team.

A data breach shall be subject to notification requirements under the following conditions:

  1. the compromised data involves sensitive personal information or other information that may be used to enable identity fraud;
  2. there is reason to believe that the information may have been acquired by an unauthorized person; and
  3. the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

The Notice shall contain, among others, the description of the nature of the breach, the sensitive personal information possibly involved, measures taken by the entity to address the breach, measures taken to reduce the harm or negative consequences of the breach, and the contact details of the authorized personnel from whom the Data Subject can obtain additional information about the breach and any assistance to be provided to the said Data Subject.

  • Documentation and reporting procedure of security incidents or a personal data breach

The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and the NPC, within the prescribed period.

In case of Personal Data breaches, the report shall include, among others, the facts surrounding an incident, the effects of such incident, and the remedial actions taken by NEITIVITI. In other security incidents not involving Personal Data, a report containing aggregated data shall constitute sufficient documentation. These reports shall be made available when requested by the NPC. A general summary of the reports shall likewise be submitted to the NPC annually.

  • INQUIRIES AND COMPLAINTS

If a Data Subject has any inquiries or concerns related to the Manual, Privacy Policy, or NEITIVITI’s data privacy protection practices, or if a Data Subject needs additional assistance or has complaints, he may contact the DPO through any of the following modes:

  1. Mail at Blk 3 Lot 5 Makahiya St. MambogVille, Mambog I, Bacoor City, Cavite 1402;
  2. Call at (046) 458-9005; or
  3. E-mail at hello@elena-clinicassistant.com.

  1. EFFECTIVITY

This Manual shall take effect on 14 December 2020, until revoked or amended by NEITIVITI.

ANNEX “A”

PRIVACY NOTICE

PLEASE READ THIS PRIVACY POLICY CAREFULLY.

BY CLICKING OR CHECKING “SIGN UP”, “I AGREE TO ELENA’S PRIVACY POLICY”, “I AGREE AND CONSENT TO THE COLLECTION, USE, DISCLOSURE, STORAGE, TRANSFER AND/OR PROCESSING OF MY PERSONAL DATA FOR THE PURPOSE STATED IN, AND UNDER THE TERMS OF, ELENA’S PRIVACY POLICY” OR SIMILAR STATEMENTS AVAILABLE AT THE ELENA REGISTRATION PAGE OR IN THE COURSE OF PROVIDING YOU WITH THE SERVICES OR ACCESS TO THE PLATFORM, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THE TERMS OF THIS PRIVACY POLICY AND THAT YOU HAVE AGREED AND CONSENTED TO THE COLLECTION, USE, DISCLOSURE, STORAGE, TRANSFER AND/OR PROCESSING OF YOUR PERSONAL DATA AS DESCRIBED AND UNDER THE TERMS HEREIN.

NEITIVITI STUDIOS INC. (“Neitiviti” or “We”) respects and values your data privacy rights, and makes sure that all personal data collected from you, our clients and customers, are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality. This Privacy Policy will help ensure that you are empowered to control what kind of information you give to us, and how we use it.

What is Personal Information?

For purposes of this policy, personal information is any information about you, such as your name, birthdate, address, and gender.

It is our policy to ensure that personal information is:

  1. Processed and collected for specified and legitimate purposes only;
  2. Processed fairly and lawfully;
  3. Accurate, relevant, and necessary for purposes for which it is to be used;
  4. Kept up-to-date;
  5. Retained only for as long as necessary for the fulfillment of the purposes for which the data was collected and processed, for the establishment, exercise or defense of legal claims, for legitimate business purposes, or as provided by law; and
  6. Preserved with adequate safeguards.

What does the Privacy Policy Apply To?

This Privacy Policy applies to personal information collected by NEITIVITI in connection with the products and services it offers through ELENA, Your Clinic Assistant – an online platform operated by NEITIVITI (“Elena”). This Privacy Policy is hereby incorporated into and forms part of the Terms of Use of ELENA.

This Privacy Policy does not apply to information collected by third party websites, platforms and/or applications (“third party sites”) which are not controlled by NEITIVITI because these third party sites may have their own privacy policies and terms of use. Users are highly encouraged to read the terms and conditions of the third party sites before using and giving personal information through the third party sites.

What Are the Information You Share With Us?

We require certain personal information in order to provide our services to you. When you choose to share your information with us, we collect and use it to operate our services.

Some of the information we collect from you are:

  1. user name and password;
  2. complete name;
  3. address;
  4. email address;
  5. telephone or mobile number;
  6. gender;
  7. work details for doctors such as hospital, specialization, and license;
  8. health record, including health insurance company, health insurance number, blood type, height and weight;
  9. any other personal information that Users voluntarily provide the platform.

We will only collect and process the information above in connection with your registration with ELENA and in the course of providing you with the services or access to the platform.

How Will We Collect the Personal Information From You?

This information may be collected by NEITIVITI when you:

  1. Access any of the ELENA digital platforms;
  2. Register an ELENA account;
  3. Fill out ELENA forms; and
  4. Avail of other activities, services, features or resources Neitiviti makes available on any of the ELENA digital platforms.

Personal identification information shall only be collected if the information is voluntarily submitted by you. You can always refuse to supply personal identification information, but this may prevent you from accessing ELENA.

Are We Collecting Other Information About You?

In addition to the personal information above, we may also collect and process non-personal identification information about you whenever you access ELENA or use the products or services of ELENA.

Non-personal identification information may include the browser name, name of the domain from which the internet was accessed, the type of computer, pages entered, accessed and exited, and the technical information of the users’ means of connection to ELENA, such as the operating system, and the internet service providers utilized and other similar information.

The above information would be used to count the number and types of visitors to the different pages in ELENA for statistical analyses to assist in improving the platform’s usefulness.

When Will We Collect Personal Information From You?

We will process personal information only when not prohibited by law and when at least one of the following conditions exists:

  1. You have given consent to the collection of the information;
  2. The processing of personal information is necessary and is related to the fulfillment of a contract between NEITIVITI and the User/s, or in order to take steps, at the request of NEITIVITI, prior to entering into a contract;
  3. The processing is necessary to protect your interest;
  4. The processing is necessary to perform a task in the interest of the public or in the exercise of official authority vested upon NEITIVITI; or
  5. The processing is necessary to protect the lawful rights and interests of NEITIVITI in court proceedings, or to establish, exercise, or defend a legal claim.

How Is Your Personal Information Used?

Your personal information will be collected, processed, used and stored to:

  1. Allow you to register, create, process and finish ELENA user registration forms;
  2. Allow you to avail of all products, services, and promotions through ELENA;
  3. Enforce the contract/s entered into between you, the other users, and/or NEITIVITI;
  4. Improve services in order to provide an efficient response and support to doctor-patient-related requests;
  5. Personalize user experience using the collective information;
  6. Improve the services and the website using users’ activities on ELENA and voluntary feedback;
  7. Allow us to contact you and to send information and updates pertaining to services you purchased or availed of. It may also be used to respond to your inquiries, questions, and/or other requests. If you decide to opt in to the mailing list, you will receive emails that may include news, updates, or service-related information. If you later opt to unsubscribe from receiving future emails, detailed instructions for unsubscribing are included in each email;
  8. Identify you as a client for the purpose of preventing the unauthorized use of the user’s account;
  9. Detect, prevent and protect against fraud and any technical or security vulnerabilities; and
  10. Comply with applicable laws and regulations, cooperate in any legal investigation and meet enforceable governmental requests.

Do We Share Your Information With Other People?

As a general rule, NEITIVITI does not share personal information with any entity not related to the services offered. However, personal information may be shared with the following:

  1. Third parties required to deliver a product or service to the Users, such as Partner Doctors or subcontractors of NEITIVITI;
  2. Law enforcement or government authorities that have requested the disclosure of the information following due process; and
  3. Third parties that have requested to send information to the Users about their products and services, provided the Users have consented to such feature.

Personal information may also be shared for the following purposes:

  1. To enforce applicable terms of use of the website;
  2. To detect, prevent and protect against fraud and any technical or security vulnerabilities; and
  3. To comply with applicable laws and regulations, cooperate in any legal investigation and meet enforceable governmental requests.

Should we share your personal information with a third party, we will use our best effort to ensure that such personal information is secure, and we shall take all reasonable steps to ensure that the use of the personal information is consistent with the Privacy Policy and applicable data privacy protection laws and regulations.

Do We Sell Your Information to Third Parties?

No. We do not sell, trade, or rent your personal identification information to others. We may share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our partners and trusted affiliates to prevent system vulnerabilities, or to comply with laws, but we will not sell any of your personal information.

Are We Monitoring Your Accounts?

When you use ELENA, you should understand that all activities may be monitored and recorded. If such monitoring reveals possible evidence or information of criminal or suspicious activity, monitoring records may be provided to law enforcement officials without any prior notice to the suspected user.

We use software programs to monitor network traffic and identify unauthorized attempts to upload or change information, or cause damage to ELENA and to other users. These programs do not collect information that would directly identify individuals, disclose their identity, or in any way access such individuals. However, such programs may collect information that could help identify someone tampering or attempting to tamper with ELENA.

How Is Your Information Protected?

We have adopted physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. We also adopt reasonable and appropriate measures to protect your personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

We likewise ensure that third parties allowed to access and/or process information on our behalf will implement security measures that match our own.

Our employees, agents, or representatives involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information is not intended for public disclosure.

In case of a personal data breach, we shall notify you within seventy-two (72) hours from knowledge of the breach.

Can You Request Your Data To Be Erased?

You have the right to ask for the erasure of the personal information we gathered about you. Furthermore, we have the obligation to erase personal information when one of the following grounds applies:

  1. the personal information is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  2. you withdraw consent on which the processing is based and where there is no other legal ground for the processing;
  3. the personal information has been unlawfully processed;
  4. the personal information has to be erased in compliance with Philippine law.

If the personal information was previously made public and we are required to erase the personal information, we will take reasonable steps to inform third parties that are processing your personal information to erase any links to, or copy of, that personal information.

Please note that we may be unable to erase your personal information in the following circumstances:

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing to which NEITIVITI is subject or for the performance of a task carried out in the public interest;
  3. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to ask for the erasure of personal information is likely to render impossible or seriously impair the achievement of the objectives of said processing purposes; or
  4. for the establishment, exercise or defense of legal claims.

Changes to the Privacy Policy

We may update this privacy policy at any time. The most current version of this privacy policy will govern our processing of your personal data and will always be at https://elena-clinicassistant.com/policies/privacy-policy. You are encouraged to frequently check ELENA for any changes to stay informed about how we are helping to protect the personal information we collect. You acknowledge and agree that it is your responsibility to review this privacy policy periodically and become aware of modifications.