MedConsult International (MCI)
Privacy Policy
1. Who We Are
MedConsult International ("MCI," "we," "us," or "our") operates an online platform and related services that connect patients with hospitals, physicians, and partners to facilitate second opinions, consultations, hospital admission coordination, comprehensive logistics support, medical tourism programs, translations, advisory services, and related healthcare facilitation.
MCI acts as an intermediary and facilitator. Unless expressly stated otherwise, MCI is not your treating clinician and does not provide direct diagnosis or medical treatment.
For privacy inquiries, see Section 18 (Contact Information) below.
2. Scope of This Policy
This Privacy Policy describes how we collect, use, disclose, store, and protect personal data when you:
- Visit our public website and marketing pages;
- Use guest booking flows (including verification and payments);
- Register or sign in as a patient, hospital user, partner (agency/referring organization), or administrative user;
- Submit requests, medical documents, attachments, eligibility information, consent checkboxes (including acknowledging privacy obligations), communications, invoices, payment details, OTP or contact verification flows, or operational updates through supported channels (web, portals, integrations, APIs where applicable).
This Policy should be read together with our Terms and Conditions, which explain service rules, disclaimers, and limitations.
3. Categories of Individuals
- Patients and their representatives: individuals requesting or receiving facilitation services;
- Guests: users booking or paying without a full registered account where offered;
- Healthcare providers: hospital staff accounts and clinician participation where coordinated;
- Partners / agencies: referring entities supporting case referrals and collaborations;
- Visitors: anyone browsing informational content (for example FAQs, blogs, service pages).
4. Categories of Personal Data We May Process
Depending on your interaction with MCI, we may process the following categories of data:
4.1 Identity and contact data
- Name, nationality or residence details where relevant, identifiers used in portals, telephone numbers, email addresses, messaging identifiers, OTP verification metadata, guardian or representative contacts when applicable;
- Organization name, licensing or facility identifiers, and operational contacts for institutional users.
4.2 Health and medically related data (special category / sensitive)
- Medical reports, imaging, pathology notes, diagnoses or suspected diagnoses summaries, procedural history, prescriptions or medication lists where provided, vaccination or screening information you supply, summaries of chronic conditions where entered, clinician notes uploaded by authorized parties;
- Treatment pathway preferences or hospital/package selections aligned with facilitation programs;
- Case summaries and coordination notes reasonably needed to facilitate consultation, admission, logistics, visa or travel facilitation where applicable.
4.3 Service, technical, and security data
- Booking metadata, timestamps, statuses, identifiers for cases or requests;
- IP address, browser type, device characteristics, coarse location derived from networking where available, diagnostics needed for fraud prevention;
- Server logs supporting security investigations and uptime monitoring.
4.4 Financial and transactional data
- Payment confirmation references, payer status, invoicing particulars, refunds or reconciliation records processed through payment partners;
- We generally do not store full primary account numbers longer than payment partners require; card data is ordinarily handled solely by compliant payment gateways.
4.5 Communications content
- Support tickets, chats, uploaded correspondence, inbound emails, WhatsApp-oriented operational communications where officially used;
- Audio or video conferencing metadata strictly as needed where remote consultations occur through coordinated channels.
5. Sources of Personal Data
- Directly from you via forms, portals, uploads, and telephone or messaging channels;
- From guardians or lawful representatives assisting minors or legally represented individuals;
- From partners (for example referral hospitals/clinicians) strictly where lawful consent exists as required;
- From collaborating hospitals validating eligibility, quotations, admissions, logistics details;
- From technical partners (payments, OTP delivery, messaging, hosting) arising from service delivery;
- From automated systems capturing limited technical telemetry needed to operate securely.
6. Purposes and Legal Bases for Processing
We process personal data to:
- Deliver requested services: evaluate requests; route cases; coordinate timelines; relay documentation to selected providers; orchestrate facilitation workflows including medical tourism, admission, logistics, translation, advisory, remote opinion coordination;
- Create and maintain accounts: authentication, profile integrity, onboarding, auditing role-based access;
- Process payments: collect fees aligned with quotations, confirmations, invoicing;
- Verify identities and mitigate fraud/abuse: OTP/contact checks, anomaly monitoring;
- Communicate with you: operational notices, confirmations, escalation for clinical logistics;
- Operate and improve: training staff on generalized patterns (excluding unnecessary re-identification), quality analytics in aggregated fashion where feasible;
- Compliance and protection: respond to lawful regulatory requests subject to jurisdictional safeguards, safeguard rights, investigate misuse, defend legal claims;
- Honor consents: where expressly obtained (especially for sensitive medical data).
Where Saudi Arabia's Personal Data Protection Law (PDPL) and related regulations apply, we rely primarily on lawful bases such as:
- your consent where required;
- performance of our contract with you or steps prior to contracting;
- compliance with legal obligations;
- our legitimate operational interests, balanced against your fundamental rights unless an exemption applies.
7. Sensitive Health Data Handling
Health data receives heightened protection. Processing occurs only where necessary to facilitate the clinically relevant services you pursue, aligned with lawful consent regimes. We discourage uploading extraneous clinically irrelevant files. Uploaded records should only include what reasonably supports your care pathway facilitation.
Where you refuse necessary medical data submissions, certain services cannot be responsibly coordinated.
8. Disclosures & Recipients
We share personal data only as needed—not for unsolicited marketing resale of identifiable medical dossiers—with categories such as:
- Hospitals, physicians, boards, interpreters, coordinators you select or logically require for progressing your facilitation;
- Partners / referring institutions where they remain lawfully entitled to continuity information relevant to referrals;
- Payments, fraud screening, OTP/SMS/email delivery, cloud hosting, and professional cybersecurity monitoring vendors under strict contracts;
- Insurance, visa, embassy, lodging, aviation, logistics providers only when clinically relevant travel facilitation requires it and you authorize or contractually embark on pathways needing such disclosures;
- Authorities if legally compelled via valid process, or to safeguard life-critical circumstances where ethically and legally permissible.
Recipients in other countries—common in cross-border tourism programs—receive only what is proportional. We endeavor to impose appropriate safeguards consistent with contractual mechanisms and prevailing law.
9. International Transfers
Because MCI facilitates global collaborations, transfers outside your residence country may occur. We undertake reasonable measures (contractual protections, minimized datasets, pseudonymisation where workable) acknowledging PDPL overseas transfer frameworks and analogous standards.
10. Retention
We retain:
- Case and medical facilitation records: as required for continuity, dispute periods, payer reconciliation, auditing, lawful clinical record retention horizons—often extending years depending on jurisdictional mandates;
- Technical logs: shorter rolling windows, unless a security investigation justifies longer retention;
- Marketing contact records (limited): until opt-out honored or campaigns sunset.
Destruction timelines respect legal freezes (litigation, investigations).
11. Security Measures
We adopt layered safeguards including HTTPS transport protections, hardened infrastructure practices, layered access privileges, cryptographic protections where standardized, auditing of administrative actions supporting clinical governance, backups for resilience, periodic review of subcontractor certifications where relevant.
No online service is unconditionally risk-free. Protect your credentials.
12. Automated Decision Making
We do not use fully automated profiling that juridically replaces human medical judgment affecting your bodily treatment decisions. Routine fraud heuristics and workflow routing tooling may classify priority operationally—but clinicians or trained coordinators maintain oversight.
13. Your Rights
Subject to law, you may request:
- Access or copies of categories of processed data;
- Correction of inaccurate factual elements;
- Deletion or anonymization unless retention lawfully required;
- Restriction or cessation of unnecessary processing scenarios;
- Objection grounded in legitimate-interest balancing tests;
- Portability in a structured output where feasible and technically standard;
- Withdrawal of previously granted consent, affecting future processing only; this does not retroactively wipe earlier lawful archives if retention duties persist.
Submit requests via the contact mechanisms below, verifying identity responsibly to prevent spoofing breaches.
If unsatisfied after internal review, escalate through the regulator pathways available in Saudi Arabia, in line with PDPL escalation procedures and timelines.
14. Minors
Services for minors rely on lawful guardian oversight. Guardians guaranteeing submission accuracy remain accountable where applicable statutory frameworks assign responsibility.
15. Cookies & Similar Technologies
The website may use operational cookies or session tokens essential for localization and for authenticated sessions after login, analytical cookies for understanding aggregate traffic uplift, and cookies that remember your cookie preferences when presented. Manage browser controls to limit non-essential storage if supported.
16. Links to External Sites
Outbound partner hospital or payment pages maintain independent policies—we cannot govern them; review externally.
17. Policy Updates
We may revise wording reflecting legal, technical, operational evolution—posting materially meaningful changes conspicuously dated. Continued use after effective publication beyond reasonable notice signifies acknowledgment unless law demands fresh explicit consent regimes.
18. Contact Information
Questions about this Privacy Policy or data handling:
- Email: info@mci.med.sa
- Phone: +966 920031136