Privacy Policy.

Last Updated: 03 December 2024

Welcome to Amgen Care (the “Company”, “we”, “our”, or “us”). We value your privacy and are committed to protecting your personal information. This Privacy Policy (“Policy”) describes the types of information we may collect from you or that you may provide when you access or use our website located at https://amgen-admin.tati.digital/ and related services (collectively, the "Services"), as well as our practices for collecting, using, maintaining, protecting, and disclosing that information.

By accessing or using the Services, you consent to the practices described in this Policy. If you do not agree with our practices, your choice is not to use the Services. We encourage you to read this Policy carefully to understand our policies and practices regarding your information.

Compliance with POPIA (Protection of Personal Information Act)
  • Lawful Processing: We adhere to the 8 conditions for lawful processing of personal information under POPIA, including Accountability, Processing Limitation, Purpose Specification, Further Processing Limitation, Information Quality, Openness/Transparency, Security Safeguards, and Data Subject Participation.
  • Data Minimization: We only collect the minimum amount of personal information needed for the intended purpose, in accordance with POPIA’s principles.
  • Storage Requirements: We securely store sensitive information (especially health and race-related data) and take extra care to protect such “special personal information” as defined under POPIA.
  • Encryption and Access Control: We use encryption for data in transit and at rest. We limit access to sensitive data to authorized personnel only and maintain audit trails for accountability.
  • Data Subject Rights: Under POPIA, you have the right to access, correct, or request deletion of your personal information. We respect these rights and provide mechanisms for you to exercise them.
  • Consent for Special Personal Information: Where sensitive data (health and race) is involved, we require explicit consent and implement higher standards for security and disclosure, adhering strictly to POPIA’s requirements.
  • Data Breach Protocols and Audits: We have protocols to notify data subjects and the Information Regulator in the event of a breach. Regular audits ensure ongoing compliance and address gaps promptly.
  • Employee Training and Third-Party Processors: All staff with access to personal data undergo training on POPIA compliance. Third-party service providers must also meet POPIA’s data protection standards, enforced through contracts and oversight.

Information We Collect

We collect both personal and non-personal information to provide, maintain, and improve our Services. The types of information we collect include, but are not limited to:

  • Personal Information: This may include your name, email address, phone number, and physical address. You may provide this information when creating an account, subscribing to newsletters, contacting us, or using features that require your geographic location for accessing nearby health resources.
  • Health-Related Data: If you interact with our symptom checker chatbot, “Impilo Health Bot,” you may choose to provide details about your health concerns or symptoms. This information allows us to deliver relevant guidance and maintain a history of your inquiries for reference within your user profile. We encourage you to share only the minimum information necessary to help us provide the desired service.
  • Location-Based Information: When you request health resources in your area, we collect the address you provide. We use this information to perform location-based searches and return a list of nearby healthcare services. This data helps us fulfill your requests more accurately and maintain a record of the resources accessed per user profile.
  • Non-Personal Information: We collect non-personal information such as browser type, device details, operating system, and usage patterns. We also track search queries and general platform interactions. This data helps us understand how users engage with the Services, improve user experience, and enhance overall performance and security. Non-personal information does not identify you as an individual and is generally used for analytics, troubleshooting, and service optimization.

How We Use Your Information

We use your personal and non-personal information for a range of purposes, always aiming to enhance your experience, protect your data, and comply with relevant laws and regulations. Specifically, we may use the information we collect to:

  • Provide and Maintain the Services: We rely on your personal information to create and manage your account, facilitate login and authentication, deliver requested features (such as location-based health resource searches), and ensure the overall functionality and reliability of our platform.
  • Respond to Inquiries and Support Requests: If you contact us with questions, comments, or requests, we use your provided details to respond promptly, troubleshoot issues, and offer customer support tailored to your specific situation.
  • Communicate with You: With your consent, we send newsletters, updates, and other communications to keep you informed about new features, services, health-related educational content, and relevant offers. You can opt out of these communications at any time.
  • Personalize Your Experience: We analyze usage patterns and any data you provide (e.g., health symptoms, location) to tailor our recommendations, search results, and educational materials, ensuring that the information presented is as relevant and beneficial to you as possible.
  • Improve Performance, Security, and Compliance: We use non-personal data (like browser type and usage patterns) to diagnose technical issues, optimize site performance, enhance security measures, and maintain compliance with applicable laws, regulations, and industry standards. This includes adhering to POPIA requirements for data protection and securing sensitive health and race-related data.
  • Legal and Contractual Obligations: We may use your information to fulfill contractual obligations, meet legal requirements, and enforce our Terms and Conditions. This could involve using your data to investigate and prevent fraud or other unlawful activities, or responding to lawful requests from law enforcement or regulatory authorities.

Disclosure of Your Information

We take the confidentiality of your personal information seriously. We only share your information when necessary and in ways that respect your privacy, comply with the law, and uphold our commitment to protecting your data. Circumstances under which we may disclose your information include:

  • Affiliates, Partners, and Service Providers: We may share your data with trusted third parties who assist us in delivering our Services, such as hosting providers, analytics services, customer support tools, or health resource databases. These partners are required to follow stringent data protection standards and use your information solely for the purposes we specify.
  • Legal Requirements and Protection of Rights: We may disclose your information if required by law, regulation, court order, or other legal process. We may also share information if we believe it is necessary to protect the rights, property, or safety of our users, our organization, or others. This can include cooperating with law enforcement agencies or regulators investigating potential wrongdoing.
  • Handling Sensitive Health and Race Data: Health and race-related information is considered special personal information under POPIA. We only disclose such sensitive data with your explicit consent or when legally mandated. When sharing this data with approved partners (for example, healthcare referral services), we ensure they meet the same stringent security and privacy standards we uphold.
  • Business Transfers: In the event of a merger, acquisition, or sale of our assets, your personal information may be transferred to the new entity. We will notify you before your information is transferred and becomes subject to a different privacy policy.

Outside of these circumstances, we do not sell or rent your personal information to third parties. Any sharing of your information is carried out with your privacy and rights in mind, and with appropriate measures to safeguard the data at all times.

Security Measures

We are committed to safeguarding your personal information against unauthorized access, loss, theft, disclosure, or modification. To this end, we implement a combination of industry-standard technical and organizational safeguards:

  • Encryption: We use encryption protocols (such as TLS/SSL) to protect data in transit, ensuring that information exchanged between your browser and our servers remains confidential. Sensitive data at rest may also be encrypted to add an extra layer of security.
  • Access Controls: We employ strict access controls and role-based permissions, allowing only authorized personnel to view or modify sensitive data. Multi-factor authentication and regular access audits help ensure that only the right individuals can access your information.
  • Regular Security Reviews: Our team conducts periodic security assessments, vulnerability scans, and penetration tests to identify and address potential weaknesses. We stay informed about emerging threats and incorporate best practices and security patches to maintain a robust defense.
  • Secure Development Practices: When creating or updating our platform and services, we follow secure coding guidelines and employ development best practices. This reduces the likelihood of introducing vulnerabilities and ensures a stable, secure environment for your data.
  • Employee Training and Accountability: We train employees on data protection principles, POPIA requirements, and the importance of maintaining confidentiality. Staff are held accountable for adhering to security protocols, and we take swift action if violations occur.

Despite our best efforts, no security system is entirely foolproof. In the unlikely event of a data breach, we have incident response plans in place to mitigate harm and notify affected individuals and regulatory authorities as required by law.

Data Retention and Disposal

We follow a strict data retention policy that aligns with our legal obligations under POPIA, as well as industry standards and best practices. Our data retention and disposal processes include:

  • Purpose-Driven Retention: We keep your personal information only for as long as it is needed to fulfill the purposes outlined in this Policy. For example, we may retain your information while your account remains active or for as long as is necessary to provide the requested services, comply with legal obligations, or resolve disputes.
  • Secure Disposal Methods: When personal information is no longer required, we take steps to securely delete electronic data using methods that prevent recovery (e.g., secure wiping) and shred or otherwise irreversibly destroy physical records. These measures ensure that your data cannot be reconstructed or accessed after disposal.
  • Regular Policy Reviews: We periodically review our retention schedules to ensure they remain appropriate and lawful. Adjustments may be made in response to changes in legal requirements, industry standards, or evolving business needs.

By adhering to these data retention and disposal practices, we ensure that your personal information is handled responsibly throughout its lifecycle, maintaining compliance with POPIA and protecting your privacy at every stage.

Your Rights

As a data subject under POPIA, you enjoy certain rights regarding the personal information we hold about you. We are committed to respecting and facilitating the exercise of these rights to ensure that you maintain control over your data. The specific rights you may have include:

  • Right of Access: You have the right to request details about the personal information we hold about you. This includes asking us to confirm whether we are processing your data and, if so, obtaining a copy of that information in a commonly used electronic form.
  • Right to Correction: If you believe that the personal information we have about you is inaccurate, incomplete, or outdated, you can request that we correct or update it. We take reasonable steps to verify and rectify any inaccuracies promptly.
  • Right to Deletion: In certain circumstances, you may request that we delete or remove your personal information, for instance, if it is no longer necessary for the purposes for which it was collected or if it was processed unlawfully. While there may be legal or operational reasons we need to retain certain information, we will evaluate each request on a case-by-case basis.
  • Right to Object or Restrict Processing: Under certain conditions, you may object to our processing of your personal data or request that we restrict certain forms of processing (for example, while you are contesting the accuracy of your information).

To exercise any of these rights or make inquiries about your personal data, please contact us at: hello@amgen-care.com. We will respond to your request within a reasonable timeframe and take steps, where appropriate, to assist you in exercising your rights.

International Data Transfers

As part of our business operations, your personal information may be transferred to and processed on servers located outside of South Africa. This can occur, for example, if our data storage solutions, service providers, or partners are based in other jurisdictions. We recognize that data protection laws vary between countries, and we are committed to ensuring that your personal information receives a level of protection that is consistent with the safeguards required under POPIA.

  • Appropriate Safeguards: When we transfer data internationally, we use mechanisms such as contractual clauses, industry-standard encryption, and adherence to recognized data protection frameworks to ensure your information remains secure and protected to a high standard.
  • Ongoing Compliance: We continually review the legal requirements and industry best practices regarding international data transfers. If necessary, we will update our processes and agreements with third parties to align with any new or revised data protection regulations and ensure that your information is handled in a compliant manner, regardless of where it is processed.

By using our Services and providing your personal information, you acknowledge and agree that your data may be transferred, stored, and processed outside of South Africa. If you have concerns about any aspect of these international data transfers, please feel free to contact us for more information.

Third-Party Links

Our Services may occasionally include links to external websites or resources that are not owned, operated, or controlled by us. These links are provided for your convenience or as supplementary sources of information. It is important to understand that when you click on these links and navigate away from our platform, our Privacy Policy no longer applies.

  • Independent Privacy Policies: Each third-party site has its own privacy policies and data handling practices. We strongly recommend reviewing these policies before you provide any personal information. This helps you understand how your data may be collected, used, and shared by that third party.
  • No Liability for Third Parties: Since we do not control these external sites, we cannot be responsible for their actions, privacy practices, security measures, or how they use the information you choose to share. If you have concerns or questions, consider contacting the third-party site’s administrator or reviewing reputable consumer protection resources for guidance.

Children’s Privacy

Our Services are intended for an adult audience (18 years or older) and are not designed or directed toward children. We do not knowingly collect personal information from individuals under the age of 18. If you are a parent or guardian and believe that your child may have provided us with personal information without your consent, please contact us as soon as possible.

  • Taking Action: Upon receiving a verifiable request, we will promptly investigate the issue and remove the child’s personal information from our records. Our commitment to protecting children’s privacy helps ensure that the Services remain appropriate and secure for all users.
  • Maintaining a Safe Environment: We consistently review our content, features, and user interactions to prevent the inadvertent collection of information from minors. Should we identify any vulnerabilities or areas for improvement, we will take corrective steps promptly.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect evolving laws, industry standards, or changes in our data handling practices. When we make modifications, we will post the revised Policy prominently on our Services and update the “Last Updated” date at the top of this document.

  • Notice of Significant Changes: If we make substantial changes that may affect your rights or the way we use your personal information, we may provide additional notice (e.g., by email or a prominent announcement within our Services) so that you are aware of and can review the updates before continuing to use our platform.
  • Ongoing Review and Acceptance: Your continued use of the Services after any changes are posted will signify your acceptance of the updated Policy. We encourage you to periodically review this section to stay informed about how we protect and handle your personal information.

Contact Us

If you have questions or concerns about this Policy, please contact us at: hello[at]amgen-care.com.