Privacy Policy for SMRP Automator (Dietetics)

Last Updated: April 26, 2026
Version: 2.2

1. Introduction

The SMRP Automator (Dietetics) ("we", "us", or "the Extension") is a productivity tool designed strictly for authorized use within the Malaysia Ministry of Health (MOH) ecosystem. It automates data entry for Dietetic modules within the SMRP Portal (MyHDW).

We are committed to protecting the sensitive data handled by this tool. This Privacy Policy explains what information is processed, how it is used, and the strict account requirements for operation.

2. Data Collection, Usage, and Sharing

The Extension processes data solely for the purpose of automating form entries and verifying software licenses. We do not collect, store, sell, or transmit your medical or patient data to any external servers or third parties.

A. Types of Data Processed

The Extension accesses and processes the following types of information:

• Account Information: Your authenticated Google account email address (used strictly for license verification).
• User Inputs: Therapist Name, AHP Number, Spreadsheet ID, and Sheet Names.
• Google Sheets Data: Patient information (IC Number, Diagnosis, Diet Type, Visit Date) retrieved from the Google Sheet you explicitly link.
• SMRP Portal Data: Visit information (Registration Numbers, Dates) visible on the myhdw.moh.gov.my page.

B. How Data is Used

All medical data processing occurs locally within your browser instance.

1. Read: The Extension reads a specific row of data from your Google Sheet using the Google Sheets API.
2. Store (Temporarily in RAM): Patient data is temporarily saved strictly within your browser’s volatile session memory (chrome.storage.session). This ensures Protected Health Information (PHI) never touches your computer's hard drive.
3. Write: The Extension automatically types this data into the SMRP Portal forms on your behalf.
4. Clear & Auto-Wipe: Temporary patient data in the session memory is instantly destroyed upon completion of the automation task. Additionally, if manual review is enabled, the extension employs a 60-second failsafe that automatically wipes patient data from the screen if left unattended.

C. Data Sharing and Disclosure

We strictly adhere to the following data sharing policies:

• No Third-Party Sharing: We do not share, transfer, or disclose your Google User Data (including spreadsheet contents) to any third parties, advertisers, data brokers, or external servers.
• No Human Access: The developer has no access to your spreadsheet or patient data.
• No AI Training: Your data is not used to train or improve any Artificial Intelligence (AI) or Machine Learning (ML) models.
• Sole Transfer Target: The only transfer of medical data occurs locally on your device, moving text from your Google Sheet directly into the Malaysia Ministry of Health SMRP Portal (myhdw.moh.gov.my) as initiated by your specific command.

3. Permissions and Justification

The Extension requests the following permissions to function:

• identity: Required to authenticate your Google Account securely using OAuth2, allowing the Extension to read the Google Sheet you specified.
• identity.email: Required to securely retrieve your account email address to verify your software license tier and ensure compliance with authorized organizational account requirements.
• storage: Required to save your configuration (e.g., Spreadsheet ID, RN Prefix) and to temporarily hold patient data while the automation moves between tabs.
• scripting & activeTab: Required to inject the automation script into the SMRP Portal (myhdw.moh.gov.my) to fill forms automatically.
• host_permissions:
  • https://sheets.googleapis.com/*: To fetch data from your spreadsheet.
  • https://myhdw.moh.gov.my/*: To perform automation actions on the SMRP portal.

4. Data Retention and Security

• Strict Patient Data Isolation: No patient data, Protected Health Information (PHI), or spreadsheet content is ever transmitted to developer-controlled servers, analytics services, or external databases. The developer has zero access to your medical data.
• License Verification & Registration: The only data transmitted externally is your authorized Google email address. This is sent securely via HTTPS and stored in our licensing database strictly to register your account, enforce daily usage limits, and verify your software access tier (Free vs. PRO). This email is not shared, sold, or used for marketing.
• Zero-Trust Storage Isolation: User configuration settings (e.g., Spreadsheet ID, RN Sequence) are stored locally on your device. However, all sensitive patient data payloads and session-specific identifiers (Therapist Name) are strictly isolated in volatile memory (chrome.storage.session) and are completely erased when the batch finishes or the browser is closed.
• Secure Transmission: All communication between the Extension and Google APIs occurs directly via HTTPS using standard OAuth2 protocols.

5. Google API Services User Data Policy

The SMRP Automator (Dietetics) use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

6. Handling of Health / Medical Data

This Extension is designed to process Protected Health Information (PHI).

• No Data Persistency: The Extension acts strictly as a data conduit (copy-paste tool). It does not retain medical records after the automation action is complete.
• Local Processing Only: All processing occurs on the client-side (your local computer). No patient data is sent to the cloud other than the direct, encrypted connection between your browser and your authorized Google Sheet.

7. User Responsibility & Account Governance

• Authorized Google Workspace Account: You MUST use an official government-issued Google Workspace account (e.g., @moh.gov.my under MyGovUC).
  • Prohibition of Personal Accounts: You are strictly prohibited from using personal Gmail accounts (e.g., @gmail.com) with this extension. Using a personal account to store or process patient data is a violation of Ministry of Health data governance policies.
• SMRP Portal Authorization: You explicitly warrant that you possess valid, government-authorized credentials to access and enter data into the SMRP Portal (myhdw.moh.gov.my).
  • This extension does not bypass any authentication mechanisms. It is intended solely to assist users who already have legitimate, authorized access to perform data entry.
• Enterprise Management: By using an @moh.gov.my account, you ensure that the data access remains under the administration, audit, and security policies of the MyGovUC administrators.
• Liability: The developer is not liable for data breaches resulting from the user's failure to adhere to these account security requirements. You are responsible for ensuring you have the legal authorization to access the patient data in the linked Google Sheet and the target SMRP Portal.

8. Changes to This Policy

We may update our Privacy Policy from time to time. You are advised to review this page periodically for any changes. These changes are effective immediately after they are posted on this page.

9. Contact Us

If you have any questions or suggestions about our Privacy Policy, do not hesitate to contact us at:

hooyf@moh.gov.my