Privacy Policy
1. Introduction
VeloMed Infrastructure Group ("VeloMed", "we", "us", "our") operates the VeloMed OS platform — an API-first emergency response, remote clinic, ambulance rental, and clinical training infrastructure serving the Kingdom of Saudi Arabia and the wider Gulf Cooperation Council (GCC) region. We are committed to protecting the privacy and confidentiality of patients, providers, paramedics, drivers, learners, call-center agents, and business administrators.
This Privacy Policy explains what personal data and protected health information ("PHI") we collect, how we use it, the legal bases on which we process it, who we share it with, and the rights you have. It is published under and aligned with:
- KSA Personal Data Protection Law (PDPL) issued by Royal Decree M/19 of 1443H and its Implementing Regulations administered by the Saudi Data & Artificial Intelligence Authority (SDAIA).
- National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC-1) and Cloud Cybersecurity Controls (CCC-1).
- Council of Health Insurance (CHI) and Saudi Health Information Exchange (SHIE) data-handling standards.
- GCC national data protection statutes including UAE PDPL (Federal Decree-Law 45/2021), Bahrain PDPL (Law 30/2018), Oman PDPL (Royal Decree 6/2022), Qatar PDPPL (Law 13/2016), and Kuwait CITRA Data Privacy Protection Regulation.
- HIPAA (U.S. Health Insurance Portability and Accountability Act, 45 CFR Parts 160 & 164) where VeloMed acts as a Business Associate to U.S.-regulated covered entities.
2. Who is the data controller
The data controller is VeloMed Infrastructure Group, registered in the Kingdom of Saudi Arabia. Our Data Protection Officer (DPO) is reachable at dpo@velomedos.com.
3. Information we collect
We collect only what is necessary to deliver, secure, and improve our services:
3.1 Identity & contact data — full name, national ID or Iqama (last four digits stored), passport number, date of birth, gender, nationality, mobile number, email address.
3.2 Health & clinical data ("PHI") — chief complaint, vitals captured by crews, allergies, chronic conditions, medications, immunisation status, blood type, medical history disclosed during triage, telehealth consultation notes, prescriptions, lab results, vaccination records, and ambulance run sheets.
3.3 Insurance & eligibility data — payer name, policy number, coverage class, CHI/Nphies eligibility responses.
3.4 Location & telemetry data — pickup and drop-off coordinates, live GPS of dispatched units, driver duty status, route polylines, ETA computations.
3.5 Account & device data — hashed credentials, session tokens, OAuth identifiers (Google), device model, OS, IP address, browser fingerprint, push tokens.
3.6 Operational data — call recordings (when explicitly disclosed), chat transcripts with agents, support tickets, satisfaction ratings.
3.7 Training & certification data — course enrolment, attendance, examination scores, issued certificates (BLS, ACLS, PHTLS, ITLS).
We do not knowingly collect data from children under 13 without verified parental consent.
4. Lawful bases for processing
We process personal data on the following bases recognised under KSA PDPL Article 6 and equivalent GCC instruments:
- Vital interest — to dispatch emergency care when life or health is at risk.
- Performance of a contract — to deliver subscribed services (rental, remote clinic, training).
- Legal obligation — to comply with MoH reporting, CHI claims, NCA logging, and tax requirements.
- Explicit consent — for marketing communications, optional telemetry, and secondary research.
- Legitimate interest — to secure the platform, prevent fraud, and improve service quality, balanced against your rights.
5. How we use your data
- Coordinate emergency response and route the nearest qualified unit.
- Conduct telehealth and remote-clinic encounters and issue prescriptions.
- Verify insurance eligibility and submit Nphies-compliant claims.
- Issue, deliver, and verify training certificates.
- Provide tenant administrators with operational dashboards and audit trails.
- Detect, investigate, and prevent security incidents and fraud.
- Comply with regulatory reporting obligations.
We do not sell personal data. We do not use PHI for behavioural advertising.
6. International transfers
Primary processing occurs inside the Kingdom of Saudi Arabia. Where data must transit to a sub-processor outside the GCC, we rely on (a) SDAIA-approved adequacy decisions, (b) Standard Contractual Clauses, and (c) explicit informed consent where required. A current list of sub-processors is maintained at /Privacy/Subprocessors (on request).
7. Data retention
- Active clinical encounter records: minimum 10 years from last service, per MoH archival standards.
- Ambulance run sheets and dispatch logs: minimum 10 years.
- Telemetry and GPS breadcrumbs: 90 days in hot storage, 24 months in cold archive.
- Account & authentication logs: 24 months.
- Marketing consent records: until withdrawn, then 36 months for evidentiary purposes.
- Pseudonymised analytics: indefinitely.
8. Security measures
We apply NCA ECC-1 and ISO/IEC 27001-aligned controls including AES-256 at-rest encryption, TLS 1.3 in transit, role-based access control, least-privilege service accounts, hardware-backed key management, immutable audit logging, 24×7 SOC monitoring, quarterly penetration testing, and continuous vulnerability scanning. PHI access is restricted by the minimum-necessary principle.
9. Your rights
Subject to applicable law you may at any time:
- Request access to a copy of your personal data and PHI.
- Request correction of inaccurate or incomplete data.
- Request erasure ("right to be forgotten") where no overriding legal obligation applies.
- Object to or restrict certain processing.
- Withdraw consent for processing based on consent.
- Request portability of data you provided.
- Lodge a complaint with SDAIA (KSA) or your national supervisory authority.
To exercise any of these rights, write to privacy@velomedos.com. We will respond within 30 days.
10. Cookies & similar technologies
The marketing site uses strictly necessary cookies and, with consent, analytics cookies. The clinical applications use first-party session storage only.
11. Children's privacy
Care delivered to minors is provided under the consent of a parent or legal guardian recorded at intake.
12. Changes to this policy
We will notify subscribers and account administrators of material changes by email and in-app banner at least 30 days before they take effect. The current version number and effective date appear at the top of this page.
13. Contact
- Data Protection Officer — dpo@velomedos.com
- General Privacy — privacy@velomedos.com
- Security Incident Reporting — security@velomedos.com