Privacy Policy

1. Introduction

Medabase ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Clinical Memory Platform.

By using Medabase, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

2. Information We Collect

2.1 Personal Information

We collect personal information that you provide directly to us, including:

• Account Information: Name, email address, phone number, date of birth, gender
• Professional Information (Doctors): Medical license number, specialization, qualifications, years of experience, clinic details (name, address, phone, email), consultation fees
• Identity Verification: Government-issued ID numbers (for doctor verification only)

2.2 Protected Health Information (PHI)

For patients, we collect and store sensitive medical information:

• Medical History: Blood group, height, weight, allergies, current medications, medical conditions
• Vital Signs: Blood pressure, blood sugar levels, SpO2, pulse rate, temperature, BMI
• Medical Records: Prescriptions, lab reports, radiology reports, consultation notes, diagnostic images
• Emergency Contact: Name, phone number, relationship
• Insurance Information: Provider name, policy number, group number
• Doctor's Notes: Clinical observations, treatment plans, follow-up instructions

2.3 Appointment Information

• Appointment dates, times, and locations
• Reason for visit
• Appointment status (requested, confirmed, completed, cancelled)
• Doctor-patient relationship history

2.4 Usage and Technical Information

• Device Information: IP address, browser type, operating system
• Log Data: Access times, pages viewed, features used
• Cookies: Authentication tokens, session management, user preferences

2.5 File Uploads

• Medical documents (PDFs, images)
• Lab reports and test results
• Prescription scans
• Doctor clinic logos (for branding)

3. How We Use Your Information

3.1 Primary Healthcare Services

• Clinical Memory Platform: Store and organize patient medical history for continuity of care
• Doctor-Patient Collaboration: Enable doctors to access patient records, create prescriptions, and track treatment history
• Appointment Management: Schedule, confirm, and manage medical appointments
• Vitals Tracking: Monitor patient health trends over time

3.2 AI-Powered Features

• Medical Record Summarization: Generate concise summaries of patient history using AI (data is anonymized before processing)
• Clinical Insights: Provide doctors with relevant patient information at a glance
• Medication Search: Help doctors find and prescribe medications efficiently

3.3 Service Operations

• Verify doctor credentials and medical licenses
• Authenticate users and maintain secure sessions
• Send notifications about appointments and updates
• Provide customer support and respond to inquiries
• Improve platform performance and user experience

3.4 Analytics and Improvement

• Analyze usage patterns to improve features (all analytics are aggregated and anonymized)
• Monitor platform security and prevent fraud
• Conduct research to enhance healthcare delivery (only with explicit consent and anonymized data)

4. How We Share Your Information

4.1 With Your Explicit Consent

• Doctor-Patient Access: Patients grant doctors access to their medical records when they book appointments or add doctors to their care team
• Patient Record Sharing: Doctors can share patient records with patients (optional feature)

4.2 Service Providers

We share data with trusted third-party service providers who help us operate our platform:

• Supabase: Database hosting, authentication, and file storage (AWS infrastructure, HIPAA-compliant, encrypted storage buckets)
• Vercel: Frontend application hosting (AWS/Google Cloud infrastructure, enterprise-grade security)
• OpenAI: AI-powered summarization (data is anonymized before transmission, zero data retention policy)

4.3 Legal Requirements

We may disclose your information if required by law or in response to:

• Court orders or legal processes
• Government or regulatory requests
• Protection of rights, property, or safety
• Medical emergencies requiring immediate disclosure

4.4 We Do NOT Sell Your Data

We will never sell, rent, or trade your personal health information to third parties for marketing purposes.

5. Data Security

5.1 Security Measures

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Authentication: Secure JWT-based authentication with Supabase
• Access Controls: Role-based access control (RBAC) ensures users only see authorized data
• Row-Level Security: Database-level security policies prevent unauthorized data access
• Secure File Storage: Medical documents stored in isolated, encrypted storage buckets
• Regular Audits: Ongoing security assessments and vulnerability testing

5.2 Data Retention

• Medical Records: Retained for 7 years from last activity (as per medical record retention guidelines)
• Account Information: Retained while account is active, deleted 90 days after account deletion request
• Log Data: Retained for 12 months for security and debugging purposes

6. Your Privacy Rights

6.1 Access and Portability

• Request a copy of all personal data we hold about you
• Export your medical records in standard formats (PDF, JSON)
• View access logs showing who accessed your records and when

6.2 Correction and Updates

• Update your personal information through your account settings
• Request correction of inaccurate medical records (doctors retain final authority on clinical data accuracy)

6.3 Deletion and Deactivation

• Request account deletion at any time
• Choose to deactivate account temporarily while preserving data
• Revoke doctor access to your medical records

6.4 Consent Management

• Grant or revoke doctor access to specific records
• Opt out of non-essential communications
• Control data sharing preferences

6.5 How to Exercise Your Rights

To exercise any of these rights, please:

• Email us at: privacy@medabase.com
• Use the account settings within the Medabase platform
• Contact your healthcare provider if you have concerns about clinical data

7. Children's Privacy

Medabase is not intended for use by individuals under 18 years of age without parental consent. If a parent or guardian creates an account for a minor, they are responsible for all data entered and must provide consent for data collection.

If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information.

8. International Data Transfers

Your information may be transferred to and processed in countries other than India. We ensure that such transfers comply with applicable data protection laws and that your data receives an adequate level of protection.

Our service providers (Supabase, Vercel) maintain compliance with international data protection standards including GDPR and HIPAA where applicable.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the updated policy on our website
• Sending email notifications to registered users
• Displaying an in-app notification upon login

Your continued use of Medabase after changes are posted constitutes acceptance of the updated Privacy Policy.

10. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

11. Compliance and Certifications

Medabase is committed to maintaining compliance with:

• Information Technology Act, 2000 (India)
• Digital Personal Data Protection Act, 2023 (India)
• Clinical Establishment Act (as applicable to healthcare platforms)
• HIPAA principles (for infrastructure providers)