When you entrust your health to us, you give us more than a medical record or a set of data. You place deep trust in us. At Chengdu UNI-ASIA Hospital ("the Hospital" or "we"), we understand the weight of that trust. It concerns your privacy, dignity, and sense of security throughout every appointment, consultation, and conversation with us.
Guided by the belief "protect privacy as we protect health," we have built an information protection system covering the full diagnosis and treatment process. This policy explains, in clear and sincere language, how we collect, use, store, share, and protect your personal information, and what rights you have in relation to it.
The Hospital strictly complies with the Personal Information Protection Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Measures for Cybersecurity Management of Medical and Health Institutions, the Personal Information Security Specification (GB/T 35273), and other applicable laws, regulations, and standards. For cross-border medical services, we also refer to relevant requirements such as the EU GDPR and personal data or data privacy laws in Thailand, Vietnam, the Philippines, Singapore, Indonesia, Malaysia, and other jurisdictions.
Special notice: Before first using the Hospital website, mobile application, or online appointment system, or before visiting the Hospital, please read and understand all terms of this policy carefully. If you do not agree with any part of this policy, please stop using the relevant services and contact us promptly. Continuing to use our services means you have read and agreed to this policy.
We follow the minimum necessary principle: we collect personal information only within the scope required to achieve specific and lawful diagnosis, treatment, or service purposes, and we do so in an open and transparent manner.
Appointments and registration: We may collect identity and contact information such as name, gender, date of birth, ID or passport number, phone number, email address, and emergency contact information to create your medical profile and keep in touch with you.
Diagnosis and treatment services: During medical services, we generate and collect health and medical information, including symptoms, past medical history, family history, allergy history, medication records, physical examination reports, laboratory results, imaging materials, diagnoses, surgical records, rehabilitation plans, and nursing records.
Fee settlement: To complete payment and insurance claims, we may process financial and insurance information such as bank account details, credit or debit card information, policy numbers, and claim records.
Online access: When you browse our website or use our mobile application, the system may automatically record device and behavior information such as IP address, device model, operating system, browser type, pages visited, stay duration, clicks, and referral channels.
Satisfaction feedback: After receiving services, you may provide ratings, written comments, complaints, suggestions, and customer service communication records, which help us improve service quality.
Sensitive personal information: Health and medical information is sensitive personal information. We collect and process it only after obtaining your separate and explicit consent and only for specific purposes necessary for diagnosis and treatment. The same strict consent mechanism applies to sensitive data such as identity documents and financial accounts.
Information may come from what you actively provide, records automatically generated during diagnosis and treatment, third-party sources authorized by you, and technical information automatically collected by websites or applications through Cookies, SDKs, and similar technologies.
Under applicable laws, we may process your personal information without additional consent where necessary to conclude or perform a medical service contract with you, respond to public health emergencies or protect life, health, and property safety, fulfill statutory reporting obligations, process information you have lawfully disclosed, or in other circumstances permitted by laws and administrative regulations.
We use collected personal information for clear and legitimate purposes, including providing diagnosis and treatment services, safeguarding medical quality, managing fees and insurance, communicating with you and supporting services, meeting compliance and security obligations, and conducting research or teaching only after authorization and anonymization.
If we intend to use your information for purposes not described in this policy, or for scenarios not directly and reasonably related to the original collection purpose, we will notify you in advance and obtain your separate explicit consent.
Some services may involve algorithm-based assisted diagnosis or health risk assessment tools. We promise that we will not make decisions that have a significant impact on your rights solely based on automated decision-making results. Any AI-assisted recommendation must be reviewed and confirmed by a licensed physician before being used in clinical decision-making.
Personal information collected and generated during operations in the People's Republic of China is generally stored in data centers within China. Our core business systems are hosted on professional medical cloud platforms certified under Level 3 classified cybersecurity protection, with continuous monitoring, power redundancy, and disaster recovery capabilities.
We follow common medical industry retention standards. Outpatient medical records are retained for at least 15 years from the patient's last visit, and inpatient medical records for at least 30 years from the patient's last discharge. Other non-medical-record personal information is retained only for the shortest period necessary to achieve the processing purpose, unless otherwise required by law.
After the statutory retention period expires, we will irreversibly delete or fully anonymize the information after completing internal approval procedures.
Because we are a medical institution serving international patients, your personal information may be transferred across borders when you actively contact overseas partner institutions or international insurers, request overseas referral services, or ask us to send medical records to a designated overseas medical institution.
Before any cross-border transfer, we will separately inform you of the overseas recipient's name, contact method, processing purpose and method, and categories of information transferred, and obtain your separate consent. We will also take measures such as signing standard contracts and conducting data security assessments to ensure comparable protection.
The Hospital will not sell or rent your personal information to any third party. We share information only in limited circumstances and only to the extent necessary.
We may share necessary information for multidisciplinary diagnosis and treatment collaboration, third-party laboratory or imaging services, insurance and claims, technical system support, or when clearly required by law, judicial authorities, administrative authorities, or statutory regulators.
Before sharing personal information with any third party, we assess its data security capability and qualifications, sign written agreements containing data protection clauses, minimize the data delivered, and record and audit the sharing process.
We generally do not publicly disclose your personal information. In exceptional cases where disclosure is required by law or by competent government authorities, or is necessary to protect major interests of you or the public, we will strictly limit the disclosure scope and notify you where permitted by law.
The Hospital has established a Data Security and Patient Privacy Protection Committee led directly by the responsible hospital leadership, with a Data Protection Officer (DPO) responsible for coordinating the construction, operation, and continuous improvement of the information security management system.
We protect information through TLS 1.3/SSL transmission encryption, AES-256 storage encryption for sensitive database information, role-based access control (RBAC), access logs, next-generation firewalls, IDS/IPS, EDR, continuous monitoring, penetration testing, vulnerability scanning, and independent information security audits.
Medical and administrative staff must sign patient privacy confidentiality commitments, receive annual information security and privacy training, follow data classification and grading rules, and participate in data security emergency response drills.
If a personal information security incident occurs, we will immediately activate emergency response procedures, take remedial measures, report to competent authorities within the required period, and notify affected individuals through phone, SMS, email, website announcement, or other appropriate methods where the incident may materially affect their rights.
Under applicable laws, you have rights including the rights to know about, access, copy, correct, supplement, and delete your personal information, to restrict its processing, to data portability, to withdraw consent, and to request explanations of personal information processing rules.
You may exercise these rights through official channels, by submitting requests to customer service, your attending physician, the online medical record inquiry system, or the Data Protection Officer as applicable. We will process your request and provide feedback within 15 working days after receiving it and completing identity verification.
We do not charge for reasonable requests. For repeated or excessive improper requests, we may charge necessary costs or refuse the request according to law.
For child patients under the age of 14, collection and processing of personal information must be carried out after their parents or other guardians have read and agreed to this policy, and with the guardian's full knowledge and authorization.
Before collecting children's personal information, we will verify the guardian's identity and guardianship relationship. Guardians may access, correct, or withdraw consent for the personal information of the children under their guardianship. If we discover collection without valid guardian consent, we will delete the relevant data promptly after verification.
For minors aged 14 or above but under 18, we also recommend that they read this policy with a guardian. For major medical decisions, we will require written informed consent from the guardian in accordance with law.
Cookies are small text files stored in your device browser when you visit a website. They identify your browser, remember preferences, and analyze website usage. Cookies do not read other data on your device and do not spread viruses.
We may use strictly necessary Cookies for website operation, functional preference Cookies for language and regional settings, analytics Cookies such as Google Analytics for anonymous traffic statistics, and limited preference-based Cookies for relevant health education content. The Hospital does not use advertising delivery Cookies.
You can adjust Cookie preferences through browser settings, the website privacy preference center, or by clearing stored Cookie history. Please note that disabling certain Cookies may affect website functions such as login status or language preferences.
As laws and regulations improve and our services evolve, we may revise this policy from time to time. The updated version will be published on this page with the version number and update date shown at the top.
For material changes, such as changes to personal information processing purposes or methods, major changes in sharing or disclosure recipients, significant adjustments to how you exercise your rights, or major changes to security safeguards, we will notify you through prominent methods such as website pop-ups, SMS notifications, or notices during visits.
We recommend that you review this policy regularly to understand our latest privacy protection commitments and practices.
If you have any questions about personal information processing or wish to exercise the rights described above, you may contact us through the following channels. We will treat every item of feedback seriously and arrange dedicated follow-up.
Data Protection Officer (DPO): Privacy Protection Office
Email: service@uniasiacancer.com
Phone: 86-15828178542 (Chengdu UNI-ASIA Hospital privacy protection line, working days 9:00-17:30)
Address: No. 268, Attached to No. 40, Shududian, Chenghua District, Chengdu, Sichuan Province
We will complete identity verification and provide a substantive response within 15 working days after receiving your message. If you are not satisfied with our response, you have the right to complain to the relevant data protection regulator.