Who We Are

Zamqan Al-Hakeem ("Zamqan", "we", "us") is the Data Controller responsible for the personal data we collect and process. We operate patient support programs and healthcare services in Jordan.

What Data We Collect

Depending on the program or service, we may collect:

• Personal data: name, phone number, email, national ID, address, geographic location.
• Sensitive personal data: health records, medical prescriptions, diagnosis information, treatment details, and Diagnostic data: laboratory results and medical imaging reports.
• Healthcare professional data: name, phone, email, medical specialty, license number, clinic address, stamp, and signature.

Sensitive personal data is classified under Article (2) of the Law and is subject to additional protections.

How We Collect Your Data

We collect data directly from you when you sign a consent form, enroll in a program, or communicate with our team. We may also receive data from your treating physician with your consent.

We do not collect data without your prior consent, except where permitted by Article (6) of the Law.

Why We Process Your Data

We process your data only for specific, lawful, and clearly defined purposes, which include:

• a) Verifying your eligibility and enrolling you in a patient support program.
• b) Coordinating your care within the program, including appointment reminders and follow-ups.
• c) Facilitating medication dispensing through authorized distributors/pharmacies/hospitals.
• d) Reporting adverse events in anonymized form (pharmacovigilance).
• e) Preparing anonymized statistics for program evaluation.
• f) Delivering health awareness messages.

We do not use your data for marketing purposes. Your data is not subject to automated processing or profiling.

Legal Basis for Processing

We process your data based on your explicit prior consent as required by Article (5) of the Law. In limited cases, processing may occur without consent where permitted under Article (6), such as compliance with legal obligations or protection of vital interests.

Who We Share Your Data With

We share identifiable data only where strictly necessary:

• Authorized distributors: limited data required to dispense supported medication. Distributors/pharmacies/hospitals are bound by the same legal obligations as the Controller under Article (14/D) of the Law.

We share anonymized and aggregated data (which cannot identify you) with:

• Program sponsors (pharmaceutical companies): for program evaluation, statistics, and pharmacovigilance reporting.
• The Ministry of Health: for statistical purposes and health awareness programs.
• Jordan Food and Drug Administration (JFDA): as required for pharmacovigilance & for program evaluation.

We do not sell your data to any third party.

All data processing is carried out by Zamqan's authorized team members. No external party is engaged to process identifiable personal data on our behalf, except for authorized distributors/pharmacies/hospitals as described above.

Cross-Border Data Transfer

Your data is stored on Google Workspace servers located in the European Union. This transfer is protected by Google's data processing agreements and the safeguards provided under the European General Data Protection Regulation (GDPR), which provide a level of protection no less than that required by Jordanian law.

In accordance with Article (15) of the Law, we inform you of this transfer and confirm that adequate protection is in place. Your consent form includes a specific acknowledgment of this transfer.

How Long We Keep Your Data

We retain your data only as long as necessary for the purposes described above. Specific retention periods are defined in each program's consent form. As a general rule:

• Active participants: data is retained for the duration of your enrollment.
• Lost contact: data is deleted within three (3) months of last contact.
• Consent withdrawal: data is deleted within three (3) months of your request.
• Program conclusion: data may be retained for up to one (1) year for regulatory record-keeping, after which it is permanently deleted.

We do not retain data after its purpose has been fulfilled, unless required by law per Article (6/B).

How We Protect Your Data

We implement appropriate security, technical, and organizational measures to protect your data in accordance with Articles (8) and (13) of the Law, including:

• Encryption in transit and at rest through Google Workspace infrastructure.
• Multi-factor authentication for all system access.
• Role-based access controls — only authorized personnel can access your data.
• Regular staff training on secure data handling.

All data is treated as confidential. Our employees are bound by non-disclosure agreements.

Your Rights

Under Article (4) of the Law, you have the following rights:

• a) Access: You may request a copy of the data we hold about you.
• b) Withdraw consent: You may withdraw your consent at any time. This does not affect the lawfulness of processing that occurred before withdrawal.
• c) Correction: You may request that we correct, update, or complete your data.
• d) Restrict processing: You may limit the scope of how we process your data.
• e) Erasure: You may request that we delete or anonymize your data.
• f) Object: You may object to processing that is unnecessary or excessive.
• g) Portability: You may request that we transfer a copy of your data to another controller.
• h) Breach notification: You have the right to be informed if your data is compromised.

Exercising any of these rights will not result in any financial or contractual consequences to you.

To exercise your rights, contact us at DL@zamqan.com. We will respond in accordance with Article (8/C) of the Law.

How to Withdraw Consent

You may withdraw your consent at any time by submitting a written or electronic request to DL@zamqan.com. Upon withdrawal, we will delete your data within three (3) months unless a legal obligation requires us to retain it. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Data Breach Notification

In the event of a breach of the security and integrity of your data that could cause significant harm to you, we commit to:

• Notifying you within twenty-four (24) hours of discovering the breach, along with measures to mitigate any consequences.
• Notifying the Personal Data Protection Unit at the Ministry of Digital Economy and Entrepreneurship within seventy-two (72) hours of discovery.

These obligations are in accordance with Article (20) of the Law.

Children and Persons Lacking Legal Capacity

Where a data subject is under 18 years of age or otherwise lacks legal capacity, we require the written consent of a parent or legal guardian before processing any personal data, in accordance with Article (5/A-4) of the Law.

Complaints

If you believe your data has been processed in violation of this policy or the Law, you may:

• a) Contact our Data Protection Officer at DL@zamqan.com.
• b) File a complaint with the Personal Data Protection Council through the Ministry of Digital Economy and Entrepreneurship.

We take all complaints seriously and will respond in accordance with Article (8/C) of the Law.

Changes to This Policy

We may update this policy from time to time to reflect changes in our practices or legal requirements. The updated version will be published on www.zamqan.com with the revised date. We encourage you to review this policy periodically.

Contact Us

For any questions about this policy or to exercise your data protection rights: