Legal

Privacy Policy

Effective date: 1 January 2026 · Last updated: 18 May 2026

This Global Privacy Policy applies to MOVO-X and all country deployments (Malaysia, Canada, Singapore). Country-specific addenda are provided at each country site and incorporate the applicable local data protection law.

1. Who we are

MOVO-X is an AI-powered healthcare kiosk and queue management platform operated by EverestX. Our registered contact is privacy@movo-x.com.

2. Data we collect

At the kiosk, we collect the minimum data necessary for patient identification and queue management:

  • National ID number (MyKad / NRIC / Provincial Health Card) — for identity verification only
  • Name and date of birth — for matching to existing patient records
  • Contact number or email — for queue notifications (WhatsApp / SMS)
  • Visit reason / symptom summary — for AI triage (processed on-premise, not sent to cloud)
  • Payment data — processed directly by payment provider; MOVO-X does not store card data

3. Data residency

All patient data is stored in the country of collection. Malaysian patient data is stored on infrastructure in Malaysia (or Singapore until MY-region Supabase is available, with contractual MY-jurisdiction protections). Canadian patient data is stored in ca-central-1 (Montreal). Singapore patient data is stored in ap-southeast-1. No patient data crosses national jurisdictional boundaries without explicit consent and legal basis.

4. Legal bases by jurisdiction

🇲🇾 Malaysia — Personal Data Protection Act 2010 (PDPA)

Processing is based on consent collected at the kiosk and contractual necessity. We are registered as a data processor for each healthcare provider. Data is not shared with third parties without explicit consent except as required by the Ministry of Health or court order.

🇨🇦 Canada — PIPEDA / PHIPA / Law 25 (Quebec)

Processing is based on meaningful consent. Ontario deployments comply with PHIPA. Quebec deployments comply with Law 25 (Act 25). We maintain a privacy program compliant with federal PIPEDA and applicable provincial health privacy acts. A Privacy Impact Assessment (PIA) is completed for each new province.

🇸🇬 Singapore — Personal Data Protection Act 2012 (PDPA SG)

Processing is based on consent and legitimate purpose. MOVO-X complies with the PDPA SG as both data controller and data intermediary. We are registered with and subject to the Personal Data Protection Commission (PDPC).

5. Security measures

  • AES-256 encryption at rest; TLS 1.3 in transit
  • Row-level security (RLS) enforcing tenant isolation
  • Multi-factor authentication for all staff access
  • 7-year immutable audit log retention
  • OWASP ZAP security scanning in CI/CD pipeline
  • SOC 2 Type II certification in progress
  • ISO 27001 certification in progress

6. Retention

Patient visit records are retained for 7 years as required by healthcare regulations in each country, or as directed by the healthcare provider (data controller). De-identified analytics data may be retained indefinitely.

7. Your rights

Depending on your jurisdiction, you have rights including: access to your data, correction, deletion, portability, and the right to withdraw consent. To exercise any right, contact the healthcare provider (data controller) at their facility. For platform-level requests, contact privacy@movo-x.com.

8. Contact our Data Protection Officer

For all privacy-related enquiries: dpo@movo-x.com