Updated Privacy Notice
Version 3 — Effective 2 July 2026
1. Why we are updating this Privacy Notice
Kindred Health Pte. Ltd. (“Kindred,” “we,” “us,” or “our”) is updating this Privacy Notice to reflect changes in how your personal information may be processed in the near term, including in connection with the potential designation of GoRocky Medical, Inc. (“Designated Operating Entity”) as Kindred’s operating entity of its BGC Clinic pursuant to its purchase of selected Kindred assets.
For non-sensitive personal information, such processing may be undertaken where necessary for the legitimate interests pursued by Kindred and/or the Designated Operating Entity, including continuity of services, customer support, account administration, appointment coordination, payment or refund administration, and orderly transition of selected BGC Clinic-related assets.
Sensitive personal information, including health information, will be processed or transferred only with your specific consent or where another lawful basis under Republic Act No. 10173 or the Philippine Data Privacy Act of 2012 (“DPA”) applies.
This update is intended to comply with our obligations under the DPA, its Implementing Rules and Regulations, and the relevant issuances of the National Privacy Commission (“NPC”).
This notice will replace the version of our Privacy Policy dated September 2025 once this updated notice takes effect.
2. What is changing
The substantive change in this version concerns the disclosure of personal and sensitive personal information to the Designated Operating Entity.
The previous version of our Privacy Policy did not contemplate the disclosure of customer personal and sensitive personal information to a proposed asset purchaser in the event of an asset purchase transaction involving selected Kindred assets, merger, reorganization, or similar transaction.
This Updated Privacy Notice introduces a new processing purpose. The selected BGC Clinic-related personal information will be disclosed and transferred to the Designated Operating Entity to allow the continuation of services you have been receiving through Kindred in its BGC Clinic.
For non-sensitive personal information, this may be based on legitimate interests under the DPA.
Sensitive personal information, including health information, will be transferred only where you have separately consented or where another lawful basis under the DPA applies.
All other provisions of our prior Privacy Policy — including the categories of information we collect, the purposes for which we use it, your rights, and how we protect it — remain in effect, restated below for clarity.
3. Information we collect
3.1 Personal information
“Personal information” refers to any information that identifies you, or from which your identity can be reasonably and directly ascertained. The personal information we collect includes (but is not limited to) your name, postal address, email address, contact phone numbers, date of birth, billing and shipping information, device ID, IP address, web log-in information, details of services and Partners you inquire about, written consents related to services we facilitate, and, where applicable, employment information.
3.2 Sensitive personal information
“Sensitive personal information” includes information about your race, ethnic origin, marital status, age, religion, philosophical or political affiliations; your health, education, genetic or sexual life; any criminal proceeding; government-issued identifiers; and information classified by law.
We collect sensitive health information about you only with your separate consent, or otherwise as permitted by the DPA.
3.3 Sensitive health information specifically
This includes your medical history, height, weight, current medications, menstrual or reproductive history, symptoms, smoking and sexual-health history, family planning goals and history, fertility status, consultation notes from Partner Practitioners, test and diagnostic results, prescriptions, and other information you provide in the course of receiving services.
3.4 Technical and analytics data
We also collect non-identifiable session data such as browser type, device type, anonymized or truncated IP address, pages visited, duration of visits, click behavior, and general interaction data. This is collected through cookies and similar technologies, including Microsoft Clarity. This information is used to analyze usage, diagnose technical issues, and improve the Platform.
4. How we use your information
We use your personal information for the following purposes:
- To offer and provide you with our goods and services, and to manage and administer those goods and services;
- To enable Partner Practitioners, Partner Companions, and Partner Providers to deliver consultations, treatments, and related professional services to you;
- To communicate with you about services you have sought, dispatch and tracking, returns and exchanges, follow-ups requested by Partners, and tax invoices;
- To send you marketing or promotional information about Kindred or our group companies and business partners (you may opt out of marketing at any time);
- To improve the Platform, products, and services, including research, analytics, and product development;
- To comply with our legal, regulatory, and contractual obligations;
- To consider applications for employment, where applicable; and
- To otherwise manage and operate our business, including in connection with a potential designation of the Designated Operating Entity, as further described in Section 7.
5. Disclosure of personal information
We disclose personal information to the following recipients, where permitted by the DPA and for the purposes set out in this Notice:
- Partner Practitioners providing services to you;
- Partner Companions assisting in your care;
- Partner Providers (including pathology, diagnostic, and pharmacy providers);
- Cloud service providers and other technical service providers supporting the Platform;
- Payment system operators;
- Our professional advisors (legal, accounting, audit, insurance);
- Law enforcement, regulators, or courts where disclosure is required by law or legal process; and
- The Designated Operating Entity, in the circumstances and on the terms described in Section 7.
Any third party to which we disclose personal information is required to protect that information to at least the same standard we apply, including by way of contractual confidentiality and data-protection commitments.
6. Information about minors
Our services are intended for users eighteen (18) years of age and older.
Where we knowingly collect personal information about a minor (with the verifiable consent of a parent or legal guardian), the parent or guardian provides consent on the minor’s behalf and may exercise the rights set out in this Notice on the minor’s behalf.
The asset-purchase-related transfer described in Section 7 will be undertaken only for minors whose parent or legal guardian has consented to this Updated Privacy Notice.
7. Asset purchase and transfer of selected customer information
Kindred is currently preparing for a proposed asset purchase transaction involving the transfer of certain selected Kindred assets in relation to its BGC Clinic. These may include the customer-facing assets and customer-related records needed to support the continued provision of services to customers, subject to the applicable lawful basis under the DPA.
For clarity, the proposed transaction is not a merger, consolidation, corporate acquisition, or acquisition of Kindred as a legal entity. The Designated Operating Entity will acquire only selected assets of Kindred in relation to the BGC Clinic and will not be treated, by reason of this Privacy Notice, as Kindred’s corporate successor or as assuming Kindred’s liabilities or obligations, except to the extent expressly agreed in the definitive transaction documents.
In connection with the proposed transaction, selected non-sensitive personal information may be disclosed and transferred to the Designated Operating Entity where necessary for the legitimate interests pursued by Kindred and/or the Designated Operating Entity. These legitimate interests include continuity of services, customer support, account administration, appointment coordination, payment or refund administration, operational transition, and orderly implementation of the selected BGC Clinic asset transfer.
Sensitive health information, including consultation notes, test results, prescriptions, treatment history, reproductive-health information, and other medical information, will be transferred only where you have given the required consent or where another lawful basis under the DPA applies.
The Designated Operating Entity will be required, by binding contractual commitment, to handle transferred personal information in accordance with the DPA and on terms at least as protective as those described in this Notice.
Once the transfer takes effect, the Designated Operating Entity will become a personal information controller with respect to the transferred information under its custody and control and will be responsible for providing its own privacy notice and honoring your rights under the DPA.
Until the BGC Clinic asset transfer takes effect, Kindred remains the personal information controller and continues to be responsible for your personal information.
8. Protection of personal information
We hold your personal information as secure physical records, electronically on our internal systems and on cloud storage, and in some cases on third-party servers (which may be located overseas, as described in Section 9).
We maintain appropriate physical, procedural, and technical safeguards to prevent loss, misuse, unauthorized access, disclosure, or modification of personal information, including access controls, encryption where appropriate, and confidentiality obligations on personnel and service providers.
We will destroy or de-identify personal information once it is no longer needed for a valid purpose or required to be retained by law.
9. Overseas transfers
From time to time, we engage overseas recipients (such as cloud-based storage providers) to provide services to us.
By using our services and providing us with your personal information, you consent to the storage of such information on overseas servers, on the understanding that we will require those recipients to handle your personal information in compliance with the DPA.
If we propose to disclose personal information overseas other than for storage and processing on our behalf, we will inform you and, where required, seek your further consent.
If the Designated Operating Entity (or any of its service providers) is located outside the Philippines, we will inform you of this fact, including the country of location, before the transfer takes effect.
10. Retention
We retain your personal data for as long as necessary to fulfill the purposes set out in this Notice, including:
- (a) compliance with legal, regulatory, or contractual obligations (including medical-record retention requirements under applicable Department of Health and other regulations);
- (b) processing and completing services you have requested; and
- (c) the period required to honor your rights under the DPA.
Once retention is no longer required, we will securely destroy or de-identify the information.
11. Your choices and withdrawal of consent
11.1 Processing based on legitimate interests
Where processing is based on legitimate interests, including the disclosure or transfer of selected non-sensitive personal information described in Section 7, you may object to the processing by contacting our Data Protection Officer. We will assess your objection in accordance with the DPA, the purposes of the processing, the legitimate interests pursued, the potential impact on your rights and freedoms, and any overriding legitimate grounds that may apply.
11.2 Giving, declining, or withholding consent
Where processing is based on consent, including the transfer of sensitive personal information where consent is the applicable lawful basis, you may give, decline, or withhold consent by following the instructions in the email or in-platform notice we have sent you. If you decline or withhold consent for the transfer of sensitive personal information, such sensitive personal information will not be transferred to the Designated Operating Entity unless other lawful basis under the DPA applies. This may affect the ability of Kindred or the Designated Operating Entity to continue providing certain healthcare-related services to you.
11.3 Withdrawing consent after it has been given
Your consent is not irrevocable. You may withdraw your consent at any time by writing to our Data Protection Officer at dpo@mykindred.co. Withdrawal of consent will be effective from the date we receive your request and will not affect the lawfulness of processing carried out before the withdrawal. Once your consent is withdrawn:
- If withdrawal is received before the transfer to the Designated Operating Entity has taken effect, your information processed on the basis of consent will not be transferred;
- If withdrawal is received after the transfer has taken effect, we will forward your withdrawal request to the Designated Operating Entity, who will be contractually obliged to act on it in accordance with the DPA; and
- Withdrawal of consent may mean we (or the Designated Operating Entity) can no longer continue to provide certain services to you. We will inform you of any such consequences before withdrawal takes effect.
12. Your rights under the Data Privacy Act
Subject to the conditions and exceptions in the DPA, you have the right to:
- Be informed about the processing of your personal information;
- Reasonable access to your personal information held by us;
- Object to the processing of your personal information, including for direct marketing;
- Have inaccurate or erroneous personal information corrected or updated;
- Have your personal information erased or blocked from our systems, where the legal grounds in the DPA apply;
- Be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal information;
- Data portability, where applicable; and
- Lodge a complaint with the National Privacy Commission (https://privacy.gov.ph).
13. Contact us
Questions, concerns, complaints, or requests in respect of this Notice or the handling of your personal information should be directed to our Data Protection Officer:
Email: dpo@mykindred.co
Email: dpo@gorocky.ph
Subject line: “Privacy Notice v3 — [your inquiry]”
You may also lodge a complaint with the National Privacy Commission at https://privacy.gov.ph.
14. Changes to this Notice
We may update this Notice from time to time to reflect changes in our practices, services, or legal obligations. Where any change is material — including any change to the categories of recipients of your personal information or the purposes of processing — we will notify you and, where required, seek your renewed consent.
15. Your acknowledgement and consent
By clicking “I consent” in the email or platform notice, by replying “CONSENT” to the consent email, or by otherwise providing affirmative consent in the manner specified in the notice, you confirm that:
- You have read and understood this Updated Privacy Notice;
- You acknowledge that selected non-sensitive personal information may be disclosed or transferred to the Designated Operating Entity where necessary for legitimate interests under the DPA, as described in Section 7;
- Where you provide consent, you consent freely and specifically to the disclosure and transfer of your sensitive personal information, including health information, to the Designated Operating Entity for the purposes described in this Notice;
- Where you are providing consent on behalf of a minor, you confirm that you are the parent or legal guardian of the minor and have the authority to give consent on the minor’s behalf; and
- You understand that you may withdraw your consent at any time as set out in Section 11.3.