PRIVACY POLICY

Effective Date: 14 December 2025

Last Updated: 14 December 2025

Please also review our Terms and Conditions which govern your use of our services.

1. Introduction

Medclara ("we," "us," "our," or "Company") operates a medical transcription and healthcare management platform accessible at medclara.in ("Platform"). We are committed to protecting the privacy and security of personal and health data in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and applicable Indian laws.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data, including sensitive health information. By using our Platform, you consent to the practices described herein.

2. Data Fiduciary Status

Medclara is a Data Fiduciary within the meaning of the DPDP Act 2023 (the entity that determines the purpose and means of processing personal data) and accepts full legal responsibility for lawful processing of all personal data collected through our services.

3. Information We Collect

3.1 Personal Information

  • Name, contact details (email, phone number, address)
  • Date of birth, age, gender
  • Government-issued identification (Aadhaar, PAN, etc.) for verification purposes
  • Professional credentials for healthcare providers

3.2 Health Information

  • Medical records, diagnoses, treatment plans, prescriptions
  • Audio recordings of medical consultations for transcription purposes
  • Laboratory test results, imaging reports, clinical notes
  • Medical history, allergies, medications, and vital signs
  • Insurance information and billing records

3.3 Technical Information

  • IP addresses, device identifiers, browser type, operating system
  • Log files, cookies, and usage analytics
  • Access timestamps and audit trail data

4. Legal Basis and Purpose of Processing

We process your data based on:

4.1 Explicit Consent

You provide clear, specific, informed, and freely given consent for each purpose of data processing. Consent can be withdrawn at any time through your account settings or by contacting us.

4.2 Legitimate Medical Purposes

  • Providing medical transcription services to healthcare providers
  • Enabling hospital management and patient care coordination
  • Medical emergencies where obtaining consent may delay critical care (a "legitimate use" under Section 7 of the DPDP Act)
  • Compliance with legal obligations under applicable health regulations

4.3 Contractual Necessity

To fulfill our service agreements with healthcare providers and patients

5. How We Use Your Information

  • Medical Transcription: Converting audio/voice recordings of medical consultations into accurate written records
  • Healthcare Management: Maintaining electronic health records (EHRs), appointment scheduling, billing, and analytics
  • Quality Assurance: Reviewing transcription accuracy and service quality
  • Communication: Sending service notifications, appointment reminders, and important updates
  • Legal Compliance: Meeting regulatory requirements and responding to lawful requests
  • Research & Development: Improving our AI transcription models using de-identified data only with explicit consent

6. Data Security Measures

We implement reasonable security safeguards mandated by DPDP Rules 2025, including:

6.1 Technical Safeguards

  • Encryption of all health data in transit and at rest using industry-standard cryptography (AES-256)
  • Data masking and tokenization for sensitive identifiers
  • Access controls with role-based permissions ensuring only authorized personnel access specific data
  • Multi-factor authentication (MFA) for all user accounts
  • Secure API gateways with JWT authentication and rate limiting

6.2 Organizational Safeguards

  • Comprehensive audit trails logging all data access, modifications, and sharing events
  • Mandatory one-year retention of access logs for investigation purposes
  • Regular security audits and vulnerability assessments
  • Employee training on data protection and confidentiality obligations
  • Incident response and disaster recovery procedures
  • Continuous monitoring systems for unauthorized access detection

6.3 Infrastructure Security

  • Data stored on secure cloud infrastructure (Google Cloud Platform) with contractual data protection obligations
  • Geographic data residency within India as required by law
  • Regular backups with encrypted storage
  • Network security through firewalls and intrusion detection systems

7. Data Retention

  • Active Medical Records: Retained for the duration of the patient-provider relationship plus applicable statutory periods (minimum 5 years as per the guidelines of the Medical Council of India, now the National Medical Commission)
  • Transcription Audio Files: Deleted within 90 days after transcription completion unless required for quality assurance
  • Billing Records: Retained for 7 years as per tax and accounting regulations
  • Audit Logs: Retained for minimum 1 year as mandated by DPDP Rules
  • Inactive Accounts: Data anonymized or deleted after 3 years of inactivity following user notification

8. Data Sharing and Disclosure

8.1 With Your Consent

We share your data with third parties only with your explicit consent, including:

  • Your designated healthcare providers and medical facilities
  • Laboratories, pharmacies, and diagnostic centers as directed
  • Insurance companies for claims processing (with explicit authorization)

8.2 Service Providers (Data Processors)

We engage third-party vendors for cloud hosting, analytics, and technical support. All vendors:

  • Execute Data Processing Agreements with security and confidentiality obligations
  • Are contractually prohibited from using data for purposes beyond our instructions
  • Must comply with DPDP Act requirements and maintain equivalent security standards

8.3 Legal Obligations

We may disclose data when required by:

  • Court orders, subpoenas, or legal processes
  • Government authorities under lawful investigation
  • Medical emergency situations where disclosure prevents serious harm

8.4 Business Transfers

In the event of merger, acquisition, or asset sale, your data may be transferred subject to the same privacy protections and with advance notice.

9. Your Rights Under DPDP Act 2023

You have the following rights:

9.1 Right to Access

Request copies of your personal data we hold

9.2 Right to Correction

Request correction of inaccurate or incomplete data

9.3 Right to Erasure

Request deletion of your data (subject to legal retention requirements)

9.4 Right to Data Portability

Receive your data in machine-readable format for transfer to another provider

9.5 Right to Withdraw Consent

Withdraw consent at any time (may limit service availability)

9.6 Right to Grievance Redressal

Lodge complaints with our Data Protection Officer or the Data Protection Board of India

9.7 Right to Nominate

Designate a nominee to exercise your rights in case of death or incapacity

To exercise these rights, contact: contact@medclara.in

10. Consent Management

  • You will be presented with clear, granular consent options for each data processing purpose
  • Consent can be managed through your account dashboard
  • You may opt-out of non-essential communications while continuing essential healthcare services
  • Withdrawal of consent will be processed within 72 hours

11. Children's Privacy

For users under 18 years, we require verifiable parental/guardian consent before processing data. Parents have the right to review, modify, or delete their child's information.

12. Cookies and Tracking

We use cookies for:

  • Essential website functionality and security
  • Analytics to improve user experience (anonymized)
  • Session management and authentication

You can manage cookie preferences through browser settings. Disabling essential cookies may impact Platform functionality.

13. Data Breach Notification

In the event of a data breach compromising your personal or health information, we will:

  • Notify affected users within 72 hours of discovery
  • Report to the Data Protection Board of India as required by law
  • Provide details of the breach, affected data, and remedial measures taken
  • Offer credit monitoring or identity protection services if applicable

14. Cross-Border Data Transfers

All personal data is stored within India. Any international transfers will occur only:

  • With your explicit consent
  • To countries or territories that the Central Government has not restricted under Section 16 of the DPDP Act
  • Under Standard Contractual Clauses ensuring equivalent protection

15. Contact Information

Data Protection Officer

Email: contact@medclara.in

Name and Phone Number to be updated

Grievance Officer

Email: contact@medclara.in

Response Time: Within 7 business days

16. Updates to This Policy

We may update this Privacy Policy to reflect legal changes or service enhancements. Significant changes will be notified via email and Platform notifications at least 30 days before taking effect. Continued use after changes constitutes acceptance.

17. Governing Law

This Privacy Policy is governed by the Digital Personal Data Protection Act, 2023, and applicable Indian laws. Disputes will be subject to the exclusive jurisdiction of courts in India.

18. Compliance Certifications

Medclara maintains the following compliance standards:

  • ISO 27001:2022 (Information Security Management)
  • DPDP Act 2023 Registration Number: [To be updated]
  • Regular Data Protection Impact Assessments (DPIA)

By using Medclara's services, you acknowledge that you have read, understood, and agree to this Privacy Policy.