Privacy policy
Last updated: 8 June 2026
Co.Lab Health (“we”, “us”) collects and processes personal and healthcare-related information to deliver home healthcare. We are committed to protecting your privacy and comply with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173, the “DPA”) and its Implementing Rules and Regulations. This policy explains what we collect, why, how we protect it, and the rights you have over your information.
1. Information we collect
- Identification & contact details — full name, date of birth, email, mobile number, and service address.
- Healthcare information you choose to share — medical concerns, symptoms, prescriptions, lab requests, and the laboratory results generated from your visits.
- HMO information — when you submit an HMO application: card number, provider, and photos of your HMO card and a valid ID.
- Senior Citizen / PWD details — your ID number (and, where required, a photo of the ID) when you claim the mandated discount.
- Booking & payment metadata — appointment details, service selection, and payment method. We do not store full card numbers — only opaque references from our payment processor.
- Technical data — IP address, browser type, and the session cookies required for the site to function.
2. How we use your information
- To schedule and deliver the appointments you book.
- To process direct payments through our certified payment partners, or to coordinate with your HMO provider for covered services.
- To apply and verify Senior Citizen / PWD discounts where you claim them.
- To send transactional notifications — booking confirmations, status changes, and result availability — by email and WhatsApp.
- To keep the platform secure, prevent fraud and abuse, and meet our legal and regulatory obligations.
- To improve service quality and respond to your inquiries.
3. Legal basis for processing
Under the DPA, we process your information on the basis of:
- Your consent — recorded when you accept this policy and submit sensitive information such as health, HMO, or PWD/Senior details;
- Performance of a contract — to deliver the service you booked;
- Legal obligation — to comply with tax, healthcare, and regulatory requirements; and
- Legitimate interests — to secure the platform and prevent fraud, balanced against your rights.
4. Storage & security
Patient data is stored on secured infrastructure with encryption in transit and at rest. Particularly sensitive identifiers — such as your HMO card number and Senior/PWD ID number — are additionally encrypted at the application layer. Access to records is logged for accountability, and administrative access is restricted on a need-to-know basis. No method of storage or transmission is perfectly secure, but we maintain organizational, physical, and technical safeguards appropriate to the sensitivity of the data.
5. Sharing & disclosure
We share your information only with:
- accredited reference laboratories running the tests you order;
- your HMO provider when you submit an HMO application;
- payment processors, strictly to complete your transaction;
- communication and infrastructure providers that operate the platform under confidentiality obligations; and
- government authorities when legally compelled.
We do not sell or rent your personal information, and we do not use it for third-party advertising.
6. Where your data is processed
Your data is processed to serve patients in the Philippines. Some of our service providers — for example, cloud hosting and communication platforms — may process or store data on infrastructure located outside the Philippines. Where that happens, we require safeguards consistent with the DPA so your information remains protected to the same standard.
7. Data retention
We retain personal and healthcare data only for as long as needed to deliver the service and to meet legal requirements — for example, tax and accounting records (kept for the period required by the Bureau of Internal Revenue) and clinical records (kept in line with Department of Health and professional retention rules). When data is no longer required, we securely delete or anonymize it. See section 9, “Deleting your account”, for what is retained after a right-to-erasure request.
8. Your rights under RA 10173
- Right to be informed about how your data is processed.
- Right to object to or withdraw consent for processing.
- Right to access and to rectify your data.
- Right to data portability.
- Right to erasure or blocking, subject to legal retention requirements.
- Right to file a complaint and to be indemnified for damage.
To exercise any of these rights, reach us through our contact form. We may need to verify your identity before acting on a request.
9. Deleting your account
Logged-in users can permanently delete (anonymize) their account from Dashboard → Profile → Delete my account. The form requires confirming your current password, and account deletion is irreversible.
Section 16 of the DPA permits retaining personal information where required by law. After your account is deleted we retain the following, with the personal identifiers anonymized:
- Booking records — for healthcare record-keeping and clinical accountability.
- Payment and refund records — for BIR / tax compliance and dispute resolution.
- Audit log and notification delivery history — for security and operational accountability.
Everything else — name, email, mobile, birthdate, password, active sessions, OAuth connections, password-reset and verification tokens, and free-text health notes — is removed or scrubbed immediately on deletion.
10. Cookies
We use essential cookies for sessions and to remember your consent choice. We do not use third-party advertising cookies. Where analytics are enabled, they collect aggregated, non-identifying data only.
11. Children & dependents
Co.Lab Health accounts are for adults. Services for a minor or another dependent are booked by a parent or legal guardian, who is responsible for providing and consenting to the processing of that patient's information. We do not knowingly collect data directly from children.
12. Automated processing & AI
Our chatbot provides general, AI-assisted guidance only — it does not make medical or eligibility decisions. Discount and HMO eligibility decisions that affect you are reviewed by our staff; we do not make decisions producing legal or similarly significant effects based solely on automated processing without human involvement.
13. Data breach notification
If a personal data breach occurs that is likely to put your rights and freedoms at risk, we will notify the National Privacy Commission and the affected data subjects within the timelines required by the DPA, and we will take steps to contain and remediate the incident.
14. Changes to this policy
We may update this policy from time to time. Material changes will be highlighted on this page with an updated “Last updated” date and, where appropriate, communicated to you directly or via a renewed consent prompt.
15. Contact & Data Protection Officer
For privacy questions, to exercise your rights, or to reach our Data Protection Officer, use our contact page. You also have the right to lodge a complaint with the National Privacy Commission (privacy.gov.ph).