Legal

Privacy Policy

Last updated: 17 June 2026

NF MediPath (“NF MediPath”, “we”, “us”, or “our”) is committed to protecting your privacy and handling your personal information with care. This Privacy Policy explains what information we collect, how we use and protect it, when and with whom we share it, and the choices and rights you have.

This policy is issued and implemented in accordance with the Personal Information Protection Law of the People's Republic of China ("PIPL"), the Data Security Law, the Cybersecurity Law, as well as other applicable laws and regulations.

This policy applies to the information we collect through this website, when you request a case review or contact us, and in the course of providing our coordination services. It does not apply to information collected and held by the partner hospitals, physicians, or other providers who treat you — those providers are responsible for their own handling of your information under the laws and professional obligations that apply to them.

By using this website or our services, you agree to the practices described in this policy. If you do not agree, please do not use the website or our services. If you provide information about another person (for example, a family member or someone in your care), you confirm that you are authorised to do so and to agree to this policy on their behalf.

Information we collect

We collect information that you provide directly, information collected automatically when you use this website, and, in some cases, information from third parties.

Information you provide to us, which may include:

  • Contact details — such as your name, email address, phone number, country of residence, and preferred language and method of contact;

  • Demographic details — such as your age, date of birth, gender, and nationality;

  • Medical and health information — such as your diagnosis, medical history, current and previous treatments, symptoms, medical records, test results, and diagnostic imaging that you choose to share with us so that we can coordinate your care;

  • Insurance information — such as your insurer, plan, and policy or member details, where relevant to your care or payment;

  • Travel and logistical information — such as passport and visa details, travel preferences, and accommodation needs, where you ask us to assist with travel and logistics; and

  • Any other information you choose to provide in messages, forms, or correspondence with us.

Some of this information — in particular your medical, health, and insurance information — constitutes sensitive personal information under PIPL Article 28 ("sensitive personal information"). We collect and handle sensitive personal information only where there is a specific purpose and sufficient necessity, and we adopt strict protective measures. For more detail, see the "Sensitive personal information" section below.

Information we collect automatically when you use this website, which may include your IP address, device and browser type, the pages you visit, referring website, approximate location derived from your IP address, and similar usage data, collected through cookies and similar technologies (see “Cookies and tracking technologies” below).

Information from third parties, such as a referring physician, a family member acting on your behalf, or your insurer, where they provide information to us in connection with your care. We treat information received from third parties in accordance with this policy.

Lawful basis for processing

Under PIPL, we process your personal information on the following legal bases:

  • Consent of the individual (PIPL Article 13(1)) — where you have given your consent, which you may withdraw at any time;

  • Necessary for concluding or performing a contract (PIPL Article 13(2)) — where processing is necessary to provide our coordination services to you;

  • Necessary for fulfilling statutory duties or obligations (PIPL Article 13(3)) — where we are required to process information by applicable laws and regulations;

  • Necessary for responding to public health emergencies or protecting life, health, or property safety in an emergency (PIPL Article 13(4)) — in limited emergency situations;

  • Personal information that you have publicly disclosed within a reasonable scope (PIPL Article 13(6));

  • Other circumstances provided by laws or administrative regulations (PIPL Article 13(7)).

For the processing of sensitive personal information, we additionally rely on one or more of the specific bases set out in PIPL Article 29, primarily your explicit, separate consent, obtained through a dedicated consent process.

How we use your information

We use your information to provide and coordinate your care and to operate and improve our services. Specifically, we may use your information to:

  • review your case and assess how we can help;

  • match you with an appropriate hospital and specialist and arrange remote multidisciplinary consultations;

  • share relevant information with your chosen or matched providers so they can review your case and deliver care;

  • translate and prepare your medical records and imaging;

  • coordinate travel, visas, accommodation, insurance documentation, and other logistics at your request;

  • communicate with you, respond to your enquiries, and provide follow-up after treatment;

  • send you updates or information you have requested, such as our newsletter (you can unsubscribe at any time);

  • maintain, improve, and secure our website and services, and understand how they are used;

  • detect, prevent, and address fraud, security issues, and misuse; and

  • comply with our legal and regulatory obligations and enforce our terms.

We use your sensitive medical and health information only for the purpose of coordinating your care and for closely related purposes. We do not use sensitive personal information for marketing or automated decision-making.

How we collect information

We collect information when you submit a case review or contact form, send us an email or message, speak with our team, provide records or imaging, or otherwise interact with us, and automatically when you browse this website through cookies and similar technologies.

Cookies and tracking technologies

This website uses cookies and similar technologies to operate the site, remember your preferences, understand how the site is used, and improve our services. Cookies are small files stored on your device.

We use the following categories of cookies:

  • Strictly necessary cookies — These are essential for the website to function and cannot be switched off. They enable core features such as security, network management, and accessibility.

  • Preference cookies — These enable the website to remember your preferences (such as language selection or region) to provide enhanced, personalised features.

  • Analytics cookies — These help us understand how visitors interact with our website by collecting and reporting information anonymously. We use this information to improve the site.

  • Marketing cookies — These may be used to deliver relevant advertisements and track the effectiveness of marketing campaigns.

When you first visit our website, a cookie banner will ask you to consent to the use of non-essential cookies (preference, analytics, and marketing). You can choose to accept or reject each category. You can change your preferences at any time through the "Cookie Settings" link in the footer of our website. Most browsers also let you refuse or delete cookies through their settings; if you block certain cookies, some features of the site may not work properly.

We use cookies only with your consent (where required by applicable law) or where they are strictly necessary for the operation of the website. Your consent is recorded, including the date, time, and scope of consent granted, so that we can demonstrate compliance if required.

How we share your information

We share your information only as needed to deliver our services and as described below. We do not sell your personal information.

  • With partner hospitals, physicians, and other providers — we share the medical and personal information necessary for them to review your case, advise on treatment, and deliver care, where you are matched with or choose to proceed with a provider. These providers are independent of NF MediPath and are responsible for protecting your information under the laws applicable to them.

  • With service providers — we work with trusted third parties who perform services on our behalf, such as hosting, IT and data storage, translation, travel and logistics arrangements, and communications. They are permitted to use your information only to provide services to us and are required to protect it.

  • With United Family Healthcare — as the organisation providing operational and administrative support to NF MediPath, subject to appropriate safeguards.

  • Where required by law — we may disclose information when we believe in good faith that it is necessary to comply with a legal obligation, court order, or lawful request; to protect the rights, property, or safety of you, our patients, our staff, or others; or to detect, prevent, or address fraud or security issues.

  • In a business transfer — if NF MediPath is involved in a merger, acquisition, reorganisation, or transfer of assets, your information may be transferred as part of that transaction, subject to this policy.

Sensitive personal information

Your medical and health information, including your diagnosis, medical history, treatments, symptoms, medical records, test results, diagnostic imaging, and insurance details, constitutes sensitive personal information under PIPL Article 28.

In accordance with PIPL Articles 28–32, we process your sensitive personal information only where:

  • there is a specific purpose;

  • it is sufficiently necessary;

  • strict protective measures have been adopted; and

  • your explicit, separate consent has been obtained.

Before you provide sensitive personal information, we will inform you of:

  • the specific types of sensitive information we are requesting;

  • the specific purpose for which each type is required (for example, diagnostic imaging is necessary for the hospital radiology team to assess your condition);

  • the necessity of processing your sensitive personal information;

  • the impact that the processing of your sensitive personal information may have on your rights and interests (for example, potential discrimination in insurance or employment contexts if information is disclosed without authorisation); and

  • the protective measures we have adopted.

We obtain your explicit, separate consent for the processing of sensitive personal information through a dedicated consent process. This consent is separate from your general acceptance of this Privacy Policy. You provide consent by actively selecting the relevant option in our case submission form or by signing a separate Sensitive Personal Information Processing Consent Form.

You may withdraw your consent to our processing of your sensitive personal information at any time by contacting us. Withdrawal will not affect the lawfulness of processing carried out before you withdrew consent. Where we cannot comply with a request to delete sensitive information because we are required to retain it by law or for the continuity of your care, we will explain the reason and the retention period.

International transfers of your information

Our services connect international patients with hospitals and providers in mainland China. To coordinate your care, your information — including your personal information and sensitive medical and health information — will be transferred to and processed in mainland China. Where you are located outside mainland China, this involves a cross-border transfer of your personal information into mainland China.

Data protection laws in these countries may differ from those in your home country. We take steps to ensure your information is protected in accordance with this policy and applicable law, and we share it only to the extent necessary to provide our services to you.

Retention in mainland China

Once your information is transferred to a partner hospital in mainland China, that hospital will retain and process your information in accordance with its own privacy practices and the applicable laws of the People's Republic of China, including PIPL, the Data Security Law, the Cybersecurity Law, and the Regulations on the Administration of Human Genetic Resources (where human genetic resource information is involved). We encourage you to review the privacy policy of any partner hospital before proceeding with treatment.

Medical confidentiality and data security

We treat your medical information as confidential and share it only with the team and providers involved in your care, or as otherwise described in this policy.

In accordance with PIPL and the Cybersecurity Law, we use appropriate technical and organisational measures designed to protect your information against unauthorised access, use, alteration, loss, or disclosure. These measures include:

  • encryption of data in transit;

  • encryption of sensitive data at rest;

  • access controls limiting access to your information to authorised personnel directly involved in your care coordination;

  • regular security assessments, vulnerability scanning, and staff training on data protection and confidentiality;

  • confidentiality obligations binding all staff, contractors, and service providers who may access your information;

  • compliance with the graded protection system for cybersecurity as applicable to our information systems.

No method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security. In particular, information you send to us by email or web form may not be secure in transit.

If we become aware that the security of your information may have been compromised, we will take appropriate remedial steps without undue delay. Where required by PIPL Article 57, we will notify the relevant regulatory authority and affected individuals of a personal information breach.

How long we keep your information

We retain your information for the minimum period necessary for the purposes described in this policy, and in accordance with the retention limits prescribed by applicable laws and regulations. When your information is no longer needed for these purposes, we will delete it or anonymise it promptly.

Upon expiry of the retention period, we will delete or anonymise your personal information, unless deletion is technically unfeasible, in which case we will cease all processing other than storage and take necessary security measures.

Your rights and choices

Under PIPL, you have the following rights in relation to your personal information:

  • Right to know and decide: you have the right to know how your personal information is being processed and to decide whether to consent to such processing;

  • Right to access and copy: you have the right to access and obtain a copy of your personal information held by us, unless otherwise provided by laws or regulations;

  • Right to rectification or supplementation: you have the right to request that we correct or supplement inaccurate or incomplete personal information;

  • Right to deletion: you have the right to request deletion of your personal information where (a) the processing purpose has been achieved or is no longer necessary, (b) we have ceased to provide services, or (c) the retention period has expired, unless retention is required by law;

  • Right to request explanation: you have the right to request that we explain our personal information processing rules;

  • Right to withdraw consent: you have the right to withdraw your consent at any time (this will not affect the lawfulness of processing carried out before withdrawal);

  • Right to request transfer: where the conditions prescribed by the national cyberspace administration authority are met, you have the right to request that we transfer your personal information to another personal information processor of your designation.

If you are located in the European Economic Area or the United Kingdom, you have these rights under the GDPR and UK GDPR, and you may also lodge a complaint with your local data protection authority. If you are located in mainland China, you have rights under the Personal Information Protection Law (PIPL), including in relation to the cross-border transfer of your information. Residents of other regions may have additional rights under local law.

Exercising your rights

To exercise any of these rights, please contact us using the details in the "Contact us" sections below. We will respond to your request within 15 working days of receipt (as required by PIPL), or within one month. If we cannot comply with your request within that timeframe, we will inform you of the reasons and provide an estimated response date.

We may need to verify your identity before acting on your request. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive. Some requests may be limited where the information must be retained for legal or care-related reasons; where this applies, we will explain the limitation and the basis for it.

If we refuse to act on your request, we will inform you of the reasons for our refusal and of your right to lodge a complaint with the relevant supervisory authority and to seek judicial remedy.

You can unsubscribe from our newsletter and marketing communications at any time using the link in those messages.

Children's privacy

Our services may be used to coordinate care for children, including paediatric and children's cancer care. We recognise that children's personal information requires enhanced protection under PIPL, the Law on the Protection of Minors, and applicable international standards.

Information collected from guardians

Where we collect information about a child under the age of 14, we do so from a parent or legal guardian acting on the child's behalf, and we obtain the explicit consent of the parent or guardian. This website is not directed at children to use on their own, and we do not knowingly collect information directly from children under 14 without the involvement of a parent or guardian.

Age-specific safeguards

  • Children under 14: Under PIPL Article 31, we obtain the explicit consent of the child's parent or other guardian before processing the personal information of a child under 14. If we learn that we have collected personal information from a child under 14 without verified parental consent, we will delete that information as soon as possible.

  • Children aged 14 to 17: For children aged 14 to 17, we seek the consent of the child where they have the capacity to provide it, while also notifying the parent or guardian of the processing activities. Where sensitive personal information or cross-border transfers are involved, we additionally obtain guardian consent.

Guardian verification

Before processing a child's sensitive personal information, we take reasonable steps to verify that consent has been given by a person with parental responsibility. This may include requesting a copy of a government-issued identification document, a birth certificate, household registration booklet (hukou), or court documentation establishing guardianship. We handle such verification documents securely and delete them once verification is complete, unless retention is required by law.

Children's information use

We use a child's personal information solely for the purpose of coordinating the child's care. We do not use children's personal information for profiling, automated decision-making, or marketing purposes. We apply the same technical and organisational security measures to children's information as we do to adult patients' information.

Children's rights requests

If you are a parent or guardian and wish to exercise data protection rights on behalf of your child, or if you have concerns about our handling of your child's information, please contact us.

Third-party websites

This website may contain links to websites operated by third parties. We are not responsible for the content or privacy practices of those websites. We encourage you to review the privacy policy of any third-party website you visit.

Changes to this policy

We may update this Privacy Policy from time to time. The date of the most recent update is shown at the top of this page. If we make material changes, we will take appropriate steps to let you know. Your continued use of this website or our services after the changes take effect constitutes acceptance of the updated policy.

Contact us

If you have any questions about this Privacy Policy or our data protection practices, please contact us or reach us at:

NF MediPath · Powered by United Family Healthcare