Privacy & Data Protection

Privacy Policy

Your privacy and data security are fundamental to our healthcare SaaS platform. This policy outlines how we collect, use, and protect your information.

Last Updated: January 15, 2025 | HIPAA Ready | SOC 2 Type II Pathway

1. Overview

Medismo Technologies Private Limited ("Medismo," "we," "us," or "our") is committed to protecting the privacy and security of all information collected through our healthcare SaaS platforms, including HealthFlow AI, PatientVoice Pro, and FieldVoice (collectively, the "Services").

This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our Services. This policy applies to all users of our platform, including healthcare organizations, medical representatives, patients, and other stakeholders.

Our Commitment

We are committed to HIPAA compliance and follow industry best practices for healthcare data protection. Your data is processed and stored in India with bank-grade security measures.

2. Information We Collect

2.1 Account Information

  • Name, email address, phone number
  • Organization details and role information
  • Billing and payment information
  • Login credentials and authentication data

2.2 Healthcare Data (PHI/PII)

  • Patient demographic information (when authorized)
  • Clinical data processed through HealthFlow AI
  • Patient feedback and sentiment data via PatientVoice Pro
  • Medical representative activity data from FieldVoice

2.3 Technical Information

  • IP addresses, device information, browser type
  • Usage patterns and platform analytics
  • API access logs and system performance data
  • Cookies and similar tracking technologies

Data Minimization

We collect only the information necessary to provide our Services effectively. Healthcare data is processed with explicit consent and business associate agreements in place.

3. How We Use Your Data

3.1 Service Provision

  • Providing clinical intelligence and analytics through HealthFlow AI
  • Processing patient sentiment analysis via PatientVoice Pro
  • Enabling voice-powered CRM functionality in FieldVoice
  • Generating reports, insights, and recommendations

3.2 Platform Operations

  • Account management and user authentication
  • Technical support and customer service
  • Platform security monitoring and threat detection
  • Performance optimization and system maintenance

3.3 Legal and Compliance

  • Compliance with healthcare regulations (HIPAA, local laws)
  • Audit trail maintenance and regulatory reporting
  • Legal obligations and law enforcement requests
  • Business continuity and disaster recovery

4. Data Sharing & Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

4.1 Service Providers

  • Cloud infrastructure providers (AWS, Google Cloud)
  • AI/ML service providers (OpenAI, Azure Cognitive Services)
  • Security and monitoring service providers
  • All providers are bound by business associate agreements

4.2 Legal Requirements

  • Court orders and legal process requirements
  • Regulatory investigations and compliance audits
  • Emergency situations involving patient safety
  • Protection of our rights and interests

No Data Selling

We never sell, rent, or trade your healthcare data to third parties for commercial purposes. Your data is used solely to provide our Services as outlined in this policy.

5. Healthcare Data Protection

5.1 HIPAA Compliance

  • Business Associate Agreements (BAAs) with covered entities
  • Administrative, physical, and technical safeguards
  • Minimum necessary standard for PHI access
  • Regular compliance audits and assessments

5.2 Data Processing Principles

  • Purpose limitation: Data used only for specified purposes
  • Data minimization: Collect only necessary information
  • Accuracy: Maintain accurate and up-to-date records
  • Storage limitation: Retain data only as long as necessary

5.3 De-identification and Aggregation

  • HIPAA-compliant de-identification methods
  • Aggregated data for analytics and research
  • Expert determination for complex datasets
  • Safe harbor method compliance

6. Data Security & Storage

6.1 Technical Safeguards

  • AES-256 encryption for data at rest and in transit
  • Multi-factor authentication for all user accounts
  • Role-based access control (RBAC) systems
  • Regular security penetration testing
  • Automated backup and disaster recovery

6.2 Physical Safeguards

  • Data centers in India with ISO 27001 certification
  • 24/7 physical security monitoring
  • Biometric access controls
  • Environmental controls and redundancy

6.3 Administrative Safeguards

  • Designated Privacy and Security Officers
  • Employee background checks and training
  • Incident response and breach notification procedures
  • Regular security awareness programs

SOC 2 Type II Certification

We are pursuing SOC 2 Type II certification to demonstrate our commitment to the highest standards of security, availability, and confidentiality.

7. Your Rights

7.1 Access and Portability

  • Request access to your personal information
  • Download your data in machine-readable formats
  • Receive copies of your healthcare data
  • Audit trail access for your organization

7.2 Correction and Deletion

  • Correct inaccurate or incomplete information
  • Request deletion of personal data (subject to legal requirements)
  • Restrict processing for specific purposes
  • Object to processing based on legitimate interests

7.3 Communication Preferences

  • Opt out of marketing communications
  • Choose notification preferences
  • Control automated decision-making
  • Set data sharing preferences

8. Regulatory Compliance

8.1 Indian Regulations

  • Digital Personal Data Protection Act (DPDP) 2023
  • Information Technology (IT) Act 2000
  • Clinical Establishments (Registration and Regulation) Act
  • Drugs and Cosmetics Act regulations

8.2 International Standards

  • HIPAA (Health Insurance Portability and Accountability Act)
  • GDPR principles for international clients
  • ISO 27001 information security standards
  • FHIR R4 compliance for healthcare interoperability

8.3 Audit and Monitoring

  • Regular third-party security audits
  • Compliance monitoring and reporting
  • Vulnerability assessments and penetration testing
  • Continuous improvement of security measures

9. International Data Transfers

As a policy, we maintain data residency within India to ensure compliance with local regulations and provide optimal performance. However, for specific service delivery requirements:

9.1 Third-Party Services

  • AI/ML processing may involve secure API calls to international providers
  • All data transfers are encrypted and minimized
  • Business Associate Agreements ensure compliance
  • Data is never permanently stored outside India

9.2 Safeguards

  • Standard Contractual Clauses (SCCs) where applicable
  • Adequacy determinations for specific countries
  • Explicit consent for international transfers when required
  • Regular monitoring of international data flows

10. Contact Information

For questions about this Privacy Policy or to exercise your rights, please contact us:

Privacy Office

Email: privacy@medismo.in

Phone: +91-80-4142-4142

Address: Medismo Technologies Private Limited
4th Floor, Koramangala
Bengaluru, Karnataka 560034
India

Data Protection Officer

For specific privacy concerns or to file a complaint, contact our designated Data Protection Officer at dpo@medismo.in.

Policy Updates

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of significant changes via email or platform notifications. Continued use of our Services after updates constitutes acceptance of the revised policy.

This Privacy Policy was last updated on January 15, 2025.