Privacy Policy

Last Updated: June 2026

This Privacy Policy describes how Hwadi Clinic ("we", "our", or "us") collects, uses, protects, and discloses personal and medical information in accordance with the Saudi Arabia Personal Data Protection Law (PDPL) and Meta Platform Policies.


1. Compliance & Legal Framework

We are committed to securing the personal data of our patients and users. This Privacy Policy is structured to meet:

  • The Personal Data Protection Law (PDPL) issued under Royal Decree No. (M/19) in the Kingdom of Saudi Arabia.
  • Meta Platform Terms and Developer Policies, specifically governing the use of Meta API integrations (including the WhatsApp Business API for OTP code verification).

2. Data We Collect

We collect and process the following categories of personal data:

| Category | Data Elements | Purpose of Collection |
|---|---|---|
| Identity Data | Full Name, National ID/Iqama, Patient Number, Gender, Date of Birth. | To confirm identity and match records securely. |
| Contact Data | Mobile Phone Number, Email Address. | To send WhatsApp OTP verification codes and portal notifications. |
| Medical & Consent Data | Medical history notes, declarations, and feedback survey responses. | To complete clinical pre-checks and improve our healthcare services. |
| Technical & Session Data | IP address, browser cookies (e.g. PatientPortalToken). | To manage logged-in sessions securely and prevent unauthorized access. |

3. Meta/WhatsApp Integration Transparency

To allow secure passwordless access to your patient dashboard, we request your National ID or Patient Number and verify it by sending a 6-digit One-Time Password (OTP) via WhatsApp.

  • Data Processed by Meta: Only your phone number and the text of the OTP code message are transmitted through Meta’s APIs.
  • Clinical Data Isolation: Your medical records, survey responses, and clinical files are never shared with or transmitted through Meta. All medical and clinical data remains fully hosted on our secure, local servers in Saudi Arabia.

4. Data Hosting & Security

All personal data, medical records, and session information are stored on secure database servers located physically inside the Kingdom of Saudi Arabia, in strict compliance with the localized hosting guidelines of the PDPL. We employ industry-standard encryption protocols (SSL/TLS) for data in transit and AES-256 encryption for data at rest.

5. Your Rights Under Saudi PDPL

As a data subject in Saudi Arabia, you have the following rights regarding your personal data:

  • Right to be Informed: To know the purpose, legal basis, and methods used to process your data.
  • Right to Access: To request a copy of the personal data we hold about you.
  • Right to Rectification: To request correction of any inaccurate or outdated information.
  • Right to Destruction: To request deletion of your personal data when the purpose of collection has ceased, subject to statutory medical retention periods.
  • Right to Withdraw Consent: To withdraw consent to process your data at any time.

6. Data Deletion & Opt-Out Instructions (Meta Compliant)

We provide simple and direct mechanisms for users to delete their accounts or request that we stop processing their personal information.

How to Request Data Deletion:

If you wish to delete your portal data or request erasure under Meta Platform Policies or Saudi PDPL, please contact our Data Protection Officer:

  • Email: privacy@hwadi.com
  • Phone: +966 11 000 0000
  • SLA: We review and process deletion requests within 14 business days, notifying you once complete.

7. Contact Information

For any inquiries or concerns regarding this policy, please contact us at:
Hwadi Company Limited (Clinic Operations Team)
Riyadh, Kingdom of Saudi Arabia
Email: support@hwadi.com