This Privacy Notice (the "Privacy Notice") was last modified in April 2025. This Privacy Notice is intended for our customers and website visitors.
By using this website, you acknowledge that you have read and understood this Privacy Notice. Where we rely on your consent for certain data processing activities, we will obtain your consent separately and explicitly.
CG Health Ltd. and its subsidiaries (referred to as "CG", the "Company" or the "Group") are committed to maintaining a robust data privacy and protection framework to ensure compliance with the relevant rules and regulations that govern data privacy and protection in our jurisdictions of operations (i.e. Personal Information Protection Act 2016 in Bermuda
At CG, the privacy and protection of our customers' personal information is of utmost importance to us. We understand that when you select CG as your insurance, , or pharmacy provider, you place trust in us to safeguard your personal information. Our commitment is to maintain transparency and honesty by informing you about our practices concerning the collection, utilization, and protection of your data.
Please note that this Privacy Notice may be reviewed and amended as and when CG deems necessary to provide for the continued accuracy and protection of our valued customers' personal information. CG reserves the right to modify this Privacy Notice from time to time without notice. Any amendments to the Privacy Notice will take effect immediately upon posting on this Site. The date of the last update will be clearly indicated at the top of this page. Your continued use of the Site following the posting of any revised Privacy Notice shall be deemed to conclusively indicate your acceptance of such revised Privacy Notice. Accordingly, you should periodically re-review this Privacy Notice.
Depending on the data protection legislation that applies to the processing of your personal data, you may possess certain rights in respect of your Personal Data. The determination of which data protection legislation applies is generally based on your residency and/or the location where your data is being processed. You can ask us to do various things with your personal information. For example, at any time you can ask us for a copy of your personal information, ask us to correct mistakes, change the way we use your information, or even delete it. You can make any of the requests set out below using the contact details provided to you in this document. Your rights, subject to relevant laws and regulations, may encompass the following:
| Right | Explanation |
| --- | --- |
| Right to be informed | This encompasses the obligation for us to be transparent in how we collect and use your personal data. |
| Right of access | You have the right to access a copy of the personal data and supplementary information we hold about you and certain details of how we use it. Your personal data will usually be provided to you electronically where possible. Where not possible, or where otherwise agreed, we will provide your personal data in another format (i.e. in writing, audio recording etc. where applicable). |
| Right to rectification | We take reasonable steps to ensure that the personal data we hold about you is accurate and, to the extent necessary, complete. However, if you believe the information we hold on you is inaccurate or incomplete, you can request we correct this. Please contact us and you can request us to update or amend it. |
| Right to erasure | In certain circumstances, you have the right to request we delete or remove personal information, for example where the personal information we collected is no longer necessary for the purpose for which we have told you we will use it, or where you withdraw your consent if that is our legal ground for processing the information. However, this will need to be balanced against other factors, for example according to the type of personal data we hold about you and why we have collected it. There may be a legal and regulatory reason which means we cannot comply with your request. |
| Right to restrict processing | In certain circumstances, you have the right to request we cease processing your data, if: |
| Right to data portability | In certain circumstances, you have the right to ask that we transfer any personal information that you have provided to us to another third party of your choice. Once transferred, the other party will be responsible for looking after your personal information. |
| Right to object | You have the right to object to our processing under certain circumstances. |
| Right to stop direct marketing | You have the right to ask us to stop using your personal information for direct marketing purposes at any time. |
| Rights related to automated decision-making | Where we make decisions about you based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you, you have the right to: |
To exercise these rights or to find out if these rights will apply then please contact us using the contact details set out in this Privacy Notice.
If you are unhappy with the way we have used your Personal Data or our response to any request by you to exercise any of your rights in the section above, or if you think that we have breached the applicable data protection legislation, then you may have the right to complain to the relevant data protection supervisory authority.
You may exercise your rights as outlined above by utilizing the contact details provided in the Contact Details section below. To ensure the security of your personal information, we may require you to verify your identity before processing your request.
We are committed to responding to all valid requests within the timeframe prescribed by the applicable data protection legislation. For example:
If you have a data subject access request for the personal information we hold about you, we will provide this information within the legally required timeframe. In Bermuda, under the PIPA, this means within 45 days of receiving a valid request, subject to any applicable exceptions under the legislation.
If you believe any personal information we hold about you is inaccurate or incomplete, you have the right to request that we correct it. We will respond to such requests within a reasonable timeframe and take appropriate steps to amend the data as required.
We have established the following processes to enable you to exercise your privacy rights:
Contact us using the details provided in the Contact Details section.
Clearly specify your request, whether it is for access, rectification, erasure, restricting processing, data portability or objection and include details to help us identify the relevant data (e.g., your name, account number, line of business, CG company name or relevant interactions).
To ensure your personal data is secure, we may ask you to provide proof of identity (e.g., a government-issued ID or verifying certain account details). While we require identity verification to protect your data, we will only request information that is necessary and proportionate to process your request.
Once we receive your request, we will assess it in accordance with applicable legal requirements.
Some requests may not be granted due to legal, regulatory, or contractual obligations (e.g., tax compliance or ongoing investigations).
We will confirm receipt of your request and provide a response within the timeframe required by law (e.g., 45 days under Bermuda's PIPA).
If approved:
If denied, we will provide a written explanation and information on your right to escalate to the relevant supervisory authority.
You will receive written confirmation of the action taken or the reasons for denial.
We will provide this information free of charge. However, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either:
Charge a reasonable fee taking into account the administrative costs; or
Refuse to act on the request. We will demonstrate the manifestly unfounded or excessive character of the request if we decide to refuse it.
If you are dissatisfied with how we have handled your personal information or our response to any request to exercise your data protection rights, you have the right to lodge a complaint:
Contact us using the information provided below, and we will do our best to address your concerns promptly and resolve the issue to your satisfaction.
If you believe we have breached the applicable data protection legislation or if you are dissatisfied with our response, you may lodge a complaint with the relevant data protection supervisory authority.
For Bermuda, this is the Privacy Commissioner's Office. You can find their contact details in the Complaints and How to Contact the Appropriate Authority section below.
CG has adopted internal policies and procedures to comply with the data protection laws in the jurisdictions in which we operate, including PIPA in Bermuda. These measures include processes for safeguarding personal information, responding to data subject requests, and addressing complaints promptly.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, your personal information, we act in accordance with all applicable data protection laws. Where necessary, we will notify you and, depending on the jurisdiction, the appropriate data privacy authority.
We collect personal and sensitive health information necessary to provide pharmacy-related services. This may include:
Full name, address, phone number, email
Date of birth, gender
Government-issued identification numbers
Prescription information
Medical history relevant to your prescriptions
Insurance details for billing purposes
Payment and transaction information
We take additional precautions when collecting and using personal information about children. For information society services directed at children, we will obtain parental consent before collecting or using a child's personal information.
We may process your personal data for several different purposes, including:
Dispense prescription medications and manage repeat prescriptions.
Communicate with your healthcare providers (e.g., physicians, insurers).
Process insurance claims and payments.
Provide medication advice and patient counselling.
Ensure compliance with legal, regulatory, and professional obligations.
Maintain pharmacy records and monitor usage for clinical or safety purposes.
Under data protection laws, we can only process your information where we have a lawful basis for doing so.
We only share your information where necessary and in accordance with PIPA. Your information may be disclosed to:
Your prescribing physician or healthcare provider.
Insurance companies for claims processing.
Regulatory authorities where required by law.
Law enforcement or other competent authorities in accordance with legal obligations.
In circumstances where there is a lawful basis to transfer your personal information to overseas third parties, we take steps to ensure that your information receives an adequate level of protection, as required by data protection laws. This may include using contractual clauses or only transferring data to countries deemed to have adequate data protection laws.
We keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply or demonstrate compliance with our legal and regulatory obligations. The time period we retain your personal information for will differ depending on the nature of the personal information and what we do with it. We do retain certain documents for extended periods, if necessary or advisable to comply with our legal, regulatory, tax or accounting requirements. Retention of documents allows either you or us to commence or defend legal claims in relation to the insurance or related product.
You may obtain more information as to the retention periods or the criteria used by us to determine the retention periods by contacting us (refer to the Contact Details section below).
CG places great importance on the security of all personally identifiable information associated with our customers. We have security measures in place to attempt to protect against the loss, misuse and alteration of customer data under our control. While we cannot ensure or guarantee that loss, misuse or alteration of data will not occur, we use our best efforts to prevent this through implementing the following:
IT Security Policy and Procedures.
IT Risk and Control Register.
Active Directory Group Policy with access control, password complexity/history controls, patching, Windows updates and auditing policies.
Physical protection of CG Data Center and workplace.
Data center monitoring and notification system.
Firewalls with limited and controlled access.
File server access controls.
Hardware and software vendor SLAs, signed NDA when required.
Security penetration testing and vulnerability assessment by a third party.
Backup data encryption.
Employee training.
Periodic security audits.
CG has appointed Gregory Rose as the Privacy Officer (PO). The PO is responsible for overseeing CG's privacy program and ensuring compliance with this Privacy Policy and all applicable data privacy and protection laws. For any questions or queries, please use the Contact Details section below.
In the event that you wish to make a complaint about how your personal data is being processed by CG (or third parties as described in our Data Protection Policy), or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority, and/or CG's PO at privacy@cgcoralisle.com.
How to contact us
We recognize that you may have questions on how we process and/or store your data, or may want to change either the data we hold on you or how we communicate with you in the future. If you have given consent for processing, you are free to withdraw that consent. To do so, please contact the PO at privacy@cgcoralisle.com.
If you have any questions in respect of this Privacy Notice, or would like to exercise your rights as a data subject (for example, to correct data or to exercise your right to access) please contact the PO at privacy@cgcoralisle.com.
| Country | Competent Authority | Contact Information |
| --- | --- | --- |
| Bermuda | Office of the Privacy Commissioner | Maxwell Roberts Building, 4th Floor, 1 Church Street, Hamilton, HM 11, Bermuda; Tel: +441 543 7748; Email: PrivCom@privacy.bm; Website: www.privacy.bm |