Privacy Policy
Last Updated: October 6, 2025
1. Introduction
Seraya Health Sdn Bhd (“Seraya Health”, “we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use our services, website, or communicate with us. Telemedicine and online consultations are provided on a platform Powered by FEV3R.
2. Scope & Definitions
- “Personal Data”: information that identifies you directly or indirectly.
- “Sensitive Personal Data”: health information (including CGM readings), medical history, lab results (e.g., HbA1c), genetic data, medications, and similar data.
- “Services”: Seraya Health programs, packages, and related clinical, nutritional, and telehealth support.
3. What We Collect
- Contact & Identifiers: name, NRIC/passport, date of birth, contact details, demographic info.
- Health & Medical Data: medical history, diagnoses, lab results (HbA1c, blood tests), CGM data, allergies, medications, supplement usage, treatment notes.
- Genetic Data: results of genetic profiling where included in your plan or requested.
- Account, Billing & Transactions: subscription details, invoices, payment method (tokenized), and related records.
- Technical & Usage Data: device, IP address, browser, app logs, cookies/analytics data.
- Communications: messages, emails, teleconsult notes, support interactions.
4. How We Collect Data
- Directly from you during sign‑up, consultations, assessments, or when you contact us.
- Automatically through our website/app via cookies and similar technologies.
- From partners: FEV3R (telehealth), panel clinics, labs, and genetics providers.
5. How We Use Data
- Deliver and manage care, including diagnosis, monitoring, and treatment planning.
- Schedule and conduct teleconsults (Powered by FEV3R).
- Personalize diet, lifestyle, and supplement recommendations based on CGM and lab data.
- Operate and improve our services, including analytics and quality assurance.
- Billing, subscriptions, account management, and fraud prevention.
- Regulatory compliance and responding to lawful requests.
- Research & statistics using de‑identified or aggregated data, where permitted.
6. Legal Bases (incl. PDPA)
- Consent, where required (e.g., for certain health/marketing uses).
- Performance of a contract, to provide requested services.
- Medical purposes and public interest in the area of public health.
- Legal obligations and vital interests.
7. Sharing & Disclosure
- FEV3R: to provide telemedicine on its platform, including licensed clinicians and support teams.
- Panel Clinics & Affiliate Doctors: for blood tests, HbA1c, and physical examinations.
- Laboratories & Genetics Providers: for tests included in or requested under your plan.
- Vendors: secure hosting, analytics, communications, payments, logistics.
- Authorities: where required by law or to protect safety and rights.
We do not sell personal data. Third parties are bound by confidentiality and data‑processing agreements.
8. International Transfers
If data is transferred or stored outside Malaysia, we implement appropriate safeguards consistent with applicable law (e.g., contractual protections, technical measures).
9. Retention
We retain medical records for as long as necessary to provide care and as required by law or regulation (often up to seven years, subject to local requirements). When no longer needed, data is securely anonymized or deleted.
10. Security
We apply multiple layers of security to protect your data, including encryption in transit and at rest where appropriate, access controls, staff training, monitoring, and routine risk assessments.
11. Your Rights
- Access: request a copy of your data.
- Correction: request updates to inaccurate or incomplete data.
- Deletion: request deletion where permitted by law and clinical requirements.
- Restriction/Objection: limit or object to certain processing activities.
- Portability: request a machine‑readable copy where applicable.
- Withdraw Consent: for processing based on consent.
To exercise these rights, contact privacy@serayahealth.com. We may need to verify your identity.
12. Cookies & Tracking
- Strictly Necessary Cookies for core site/app functions.
- Performance & Analytics Cookies to understand usage and improve services.
- Functional Cookies to remember preferences.
- Marketing Cookies only with consent where applicable.
See our Cookie Notice for controls and preferences.
13. Children’s Privacy
Services are intended for adults (18+). Where minors receive care, we obtain consent from a parent/guardian and follow applicable laws.
14. Automated Decisions / Profiling
We do not make solely automated decisions that produce legal or similarly significant effects without human review. Personalized insights (e.g., CGM‑based recommendations) involve clinician oversight.
15. Changes to This Policy
We may update this policy periodically. We will give notice of material changes via email or website notice.
16. Contact
Data Protection / Privacy Contact: privacy@serayahealth.com
