1.1 Personal Information

When you register for an account, we collect:

• Full Name: Your complete legal name for identification and record-keeping
• LRN Number: Your official GHNHS identification number
• Email Address: For account verification, communication, and system notifications
• Mobile Phone Number: Philippine mobile number (E.164 format) for contact and emergency notifications
• Role/Affiliation: Your status as student, teacher, or personnel (assigned by admin)
• Registration Date: Date and time of account creation
• Account Status: Pending, active, or inactive status

1.2 Sensitive Personal Information (Health Data)

We collect and maintain:

• Health Appraisal Records: Results from school health checkups and examinations
• Medical History: Pre-existing conditions, chronic illnesses, and past medical treatments
• Allergy Information: Food allergies, drug allergies, and environmental sensitivities
• Current Medications: Prescription and over-the-counter medications you are taking
• Medicine Request History: Record of medicines requested and dispensed through the system
• Clinic Visit Records: Dates, reasons for visits, symptoms reported, and treatments provided
• Vital Signs: Blood pressure, temperature, height, weight, BMI, and other measurements
• Vaccination Records: Immunization history and dates of administration
• Emergency Contact Information: Names and phone numbers of persons to contact in emergencies
• Health Insurance Details: PhilHealth or other health insurance information (if applicable)

1.3 Automatically Collected Information

When you use the system, we may automatically collect:

• Authentication Data: Login timestamps, authentication tokens, and session information
• Device Information: Browser type, operating system, device type (mobile/desktop)
• Usage Data: Pages visited, features used, time spent on the system
• IP Address: Internet Protocol address for security and fraud prevention
• Cookies and Similar Technologies: Session cookies for authentication and preferences

1.4 Information from Third Parties

We may receive information from:

• Google Authentication: If you sign in using Google, we receive your Google account email, name, and profile picture
• School Records: Student enrollment records, grade levels, sections, and academic status from school administration
• Teachers/Personnel: Medicine requests and health concerns submitted on behalf of students

We use your personal and health information for the following purposes:

2.1 Healthcare Services

• Providing medical services and health monitoring within the school clinic
• Processing and managing medicine requests
• Scheduling and conducting health appraisals and checkups
• Maintaining comprehensive digital health records
• Tracking medical inventory and medicine expiration dates
• Identifying health trends and potential outbreaks within the school community

2.2 Account Management

• Creating and managing your user account
• Authenticating your identity and verifying your email address
• Processing account approval by administrators
• Providing customer support and responding to inquiries
• Sending system notifications about account status, appointments, and updates

2.3 Communication

• Sending appointment reminders and health-related notifications
• Communicating important health and safety information
• Facilitating messaging between clinic staff and users
• Sending OTP (One-Time Password) codes for email verification
• Notifying teachers/parents about student health concerns (with appropriate consent)

2.4 System Improvement and Analytics

• Analyzing system usage to improve features and user experience
• Generating statistical reports on health trends (using anonymized data)
• Monitoring system performance and identifying technical issues
• Conducting research for school health programs (with anonymized data)

2.5 Legal and Compliance

• Complying with legal obligations and government regulations
• Responding to legal requests from law enforcement or health authorities
• Protecting the rights, safety, and security of users and the school community
• Enforcing our Terms and Conditions and policies
• Preventing fraud, abuse, and unauthorized access

We implement comprehensive security measures to protect your personal and health information:

3.1 Technical Security Measures

• Encryption: All data transmission uses HTTPS/TLS encryption (256-bit SSL certificates)
• Data Storage: Health records stored on secure Firebase Cloud Firestore with enterprise-grade security
• Authentication: Firebase Authentication with secure password hashing and OTP email verification
• Access Controls: Role-based access control (RBAC) - users only see data they're authorized to access
• Session Management: Automatic session timeouts and secure token-based authentication
• Firewall Protection: Network firewalls and intrusion detection systems
• Regular Security Audits: Periodic security assessments and vulnerability scans

3.2 Organizational Security Measures

• Access Restrictions: Only authorized clinic staff and administrators can access sensitive health data
• Staff Training: Regular training on data privacy, confidentiality, and security best practices
• Confidentiality Agreements: All staff sign confidentiality and non-disclosure agreements
• Data Minimization: We only collect data necessary for healthcare services
• Activity Logging: All access to sensitive data is logged and monitored
• Incident Response Plan: Procedures for detecting, reporting, and responding to data breaches

3.3 Physical Security Measures

• Secure clinic facilities with controlled access
• Locked storage for physical health records and documents
• Secure disposal of outdated physical records (shredding/incineration)
• Restricted access to computers and devices used to access the system

4.1 Within GHNHS

Your health information may be accessed by:

• Clinic Staff: School nurses, doctors, and medical personnel for healthcare delivery
• System Administrators: IT staff for technical support and system maintenance (with strict confidentiality)
• Authorized Teachers/Personnel: Limited access when submitting medicine requests on behalf of students
• School Administration: Only aggregate, anonymized health statistics for program planning

4.2 With Parents/Guardians

For students under 18 years of age:

• Parents/guardians have the right to access their child's health records
• We may contact parents/guardians about significant health concerns or emergencies
• Parents/guardians can request medical reports and summaries

4.3 With Third-Party Service Providers

We may share data with trusted service providers:

• Firebase/Google Cloud: Cloud hosting and database services (compliant with international data protection standards)
• Email Service Providers: For sending verification codes and notifications
• SMS Gateway Providers: For sending mobile notifications (if implemented)

All third-party providers are contractually obligated to maintain confidentiality and use data only for specified purposes.

4.4 With Government Authorities

We may disclose information when required by law:

• Department of Health (DOH) - for disease surveillance and outbreak investigations
• Department of Education (DepEd) - for educational health programs and compliance
• National Privacy Commission (NPC) - for data privacy investigations
• Law enforcement agencies - with valid court orders or legal warrants
• Philippine Health Insurance Corporation (PhilHealth) - for insurance claims

4.5 In Emergency Situations

We may disclose health information without consent in life-threatening emergencies to:

• Emergency medical responders and hospitals
• Parents/guardians of minor students
• Emergency contacts listed in your profile
• Public health authorities during disease outbreaks or epidemics

We retain your personal and health information as follows:

5.1 Active Accounts

• Personal information is retained while your account is active
• Health records are maintained throughout your affiliation with GHNHS
• Medicine request history is retained for inventory and tracking purposes

5.2 After Account Termination or Graduation

• Medical Records: Retained for 5 years after graduation/separation as required by Philippine medical record-keeping laws
• Account Information: Basic account data retained for 1 year for administrative purposes
• Authentication Logs: Retained for 2 years for security audits
• Statistical Data: Anonymized health statistics may be retained indefinitely for research

5.3 Data Deletion

After retention periods expire, or upon your request (subject to legal requirements), we will:

• Permanently delete personal information from active databases
• Remove data from backups during the next backup cycle
• Anonymize health data if retained for statistical purposes
• Securely destroy physical copies of documents

Under the Philippine Data Privacy Act, you have the following rights:

6.1 Right to Access

You have the right to:

• Access your personal and health information stored in the system
• Request copies of your medical records
• Know what data we collect and how it is used
• Receive information about data sharing and disclosures

6.2 Right to Rectification

You have the right to:

• Update or correct inaccurate personal information
• Add missing information to your health profile
• Request amendments to medical records (subject to clinical verification)

6.3 Right to Erasure/Deletion ("Right to be Forgotten")

You have the right to request deletion of your data when:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent (where consent was the basis for processing)
• The data was unlawfully processed
• Legal obligation requires deletion

Note: This right is not absolute. We may be required to retain certain health records by law or for legitimate medical purposes.

6.4 Right to Object

You have the right to:

• Object to processing of your data for direct marketing
• Object to automated decision-making (if applicable)
• Opt-out of non-essential communications

6.5 Right to Data Portability

You have the right to:

• Receive your personal data in a structured, commonly used format
• Transfer your data to another healthcare provider (if applicable)
• Request export of your health records

6.6 Right to File a Complaint

You have the right to:

• File complaints with the National Privacy Commission (NPC)
• Lodge concerns with school administration
• Seek legal remedies for data privacy violations

The GHNHS MedTrack system uses cookies and similar technologies:

7.1 Essential Cookies

• Authentication Cookies: Maintain your login session
• Security Cookies: Protect against unauthorized access and CSRF attacks
• Session Cookies: Remember your preferences during a session

These cookies are necessary for the system to function and cannot be disabled.

7.2 Analytics and Performance

• We may use Firebase Analytics to understand system usage patterns
• Analytics data is anonymized and aggregated
• No personally identifiable health information is included in analytics

7.3 Managing Cookies

You can control cookies through your browser settings. However, disabling essential cookies may affect system functionality and prevent you from using certain features.

We recognize the importance of protecting the privacy of minors:

• Students under 18 must have parental/guardian consent to use the system
• Parents/guardians have the right to access their child's health records
• Parents/guardians can request corrections or deletion of their child's data
• We do not knowingly collect information from children under 13 without parental consent
• Enhanced security measures protect minors' sensitive information
• School counselors and guidance personnel may access records with consent for student welfare

In the unlikely event of a data breach affecting your personal or health information:

• We will notify you within 72 hours of discovering the breach (as required by the Data Privacy Act)
• Notification will be sent via email and/or mobile SMS
• We will inform the National Privacy Commission as required by law
• The notification will include: nature of the breach, data affected, potential consequences, and remedial measures
• We will provide guidance on steps you can take to protect yourself
• We will conduct a thorough investigation and implement corrective measures

Your data is stored on Firebase/Google Cloud servers, which may be located in data centers outside the Philippines. We ensure:

• All data transfers comply with Philippine Data Privacy Act requirements
• Cloud service providers maintain adequate security standards
• Data is encrypted during transfer and at rest
• Service providers are bound by data protection agreements
• Your data receives equivalent protection as required by Philippine law

We may update this Privacy Policy from time to time to reflect:

• Changes in legal or regulatory requirements
• New features or services offered by the system
• Improvements in data protection practices
• Feedback from users and privacy advocates

We will notify you of material changes by:

• Posting the updated policy on this page with a new "Last Updated" date
• Sending email notifications for significant changes
• Requiring acknowledgment of the updated policy upon your next login (for major changes)

Your continued use of the system after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree with changes, you should discontinue use and may request account deletion.

For privacy-related questions, concerns, or to exercise your data rights, please contact: