Privacy Policy
Last updated: April 9, 2026
MedOS Health Technologies Pvt. Ltd. ("MedOS", "we", "us") operates the MedOS Hospital Management System. This Privacy Policy explains how we collect, use, store, and protect information when you use our platform.
1. Information We Collect
1.1 Clinic & Staff Information
When a clinic registers, we collect: clinic name, address, GSTIN, phone number, email, and staff details (name, phone, role). This is necessary to provide the service and generate GST-compliant invoices.
1.2 Patient Health Information
Patient data is entered by clinic staff and may include: name, phone, Aadhaar last 4 digits, ABHA ID, medical history, prescriptions, lab results, vitals, and billing records. This data is classified as Sensitive Personal Data under the IT Act 2000 SPDI Rules.
1.3 Usage & Analytics Data
We use Google Analytics 4 on our marketing website (med-os.in) to understand how visitors discover and use our site. This is only on the public marketing pages — Google Analytics is NOT installed on the HMS application (app.med-os.in) where patient health data is processed. When you visit the marketing site, we collect:
- Page views, session duration, scroll depth, and referral source (which site sent you to us)
- Aggregated device and browser type, approximate geographic location (city-level)
- Clicks on call-to-action buttons, pricing plan views, and form submissions (without the form content)
- A non-personal random identifier (_ga cookie) that lets Google Analytics recognize returning visits
Consent-based: Under the Digital Personal Data Protection Act 2023, we set these analytics cookies only after you accept them via our cookie consent banner. If you reject or do not decide, Google Analytics runs in "cookieless ping" mode — no cookies are set, and only aggregate modeled data is collected. You can change your decision anytime via the Cookie Policy page.
What we never send to Google: no patient health data, no clinical records, no names, phone numbers, email addresses, Aadhaar numbers, ABHA IDs, or any personally identifiable information. We also disable Google Ads personalization signals entirely (ad_storage, ad_user_data, ad_personalization are set to "denied" permanently).
Additionally, when a clinic subscribes via Razorpay, we send a server-side purchase event to Google Analytics containing only: the Razorpay payment ID, the amount paid, the plan name (Starter / Professional / Enterprise), and an internal random clinic identifier. This lets us measure marketing effectiveness without exposing personal data. No names, emails, or patient data are ever included.
2. How We Use Your Data
- To provide and maintain the MedOS platform services
- To generate appointments, invoices, lab reports, and prescriptions
- To send appointment reminders via WhatsApp/SMS (with patient consent)
- To comply with ABDM requirements (with patient consent)
- To generate GST invoices and NIC e-invoices as required by law
- To send service-related communications to clinic staff
- To improve product quality through anonymized usage analytics
3. Data Storage & Security
Our database is hosted in the AWS Mumbai region (ap-south-1) via Turso. Application compute runs on Cloudflare Workers with India placement. We implement:
- Field-level AES-256-GCM encryption for sensitive patient identifiers (phone, Aadhaar, ABHA)
- TLS 1.3 encryption for all data in transit
- Role-based access control (RBAC) with 7 distinct roles
- Automatic session timeout after 30 minutes of inactivity
- Audit trail for data creation, modification, deletion, and access events
- Data retention with automated cleanup after account closure
4. ABDM & Health Information Exchange
When patients link their ABHA (Health ID), MedOS acts as a Health Information Provider (HIP) on the ABDM network. Health records are shared only with explicit patient consent through the ABDM consent manager. Patients can revoke consent at any time.
5. Data Sharing
We do not sell patient data. We share data only in these circumstances:
- With the patient (via patient portal, WhatsApp, or ABDM)
- With insurance TPAs for claim processing (with patient consent)
- With government schemes (PM-JAY, CGHS, ESI) for claim submission
- When required by law or court order
- With our infrastructure providers (Turso for database hosting, Cloudflare for compute and file storage) who process data under contract
- With communication providers (email, SMS, WhatsApp) configured by the clinic for patient notifications
- With Razorpay for payment processing (limited to billing identifiers)
- With Google Analytics 4 (Google LLC) on our marketing website only (med-os.in) for visitor analytics and marketing attribution — strictly no patient data, strictly after consent. See Section 1.3 and our Cookie Policy.
6. Patient Rights
Under the IT Act 2000 and applicable regulations, patients have the right to:
- Access their complete health records
- Request correction of inaccurate data
- Request deletion of their data (subject to legal retention requirements)
- Withdraw consent for data sharing
- Receive a copy of their data in a standard format
7. Data Retention
Medical records are retained for the duration required by applicable laws (minimum 3 years under the Indian Medical Council regulations). Clinics may request data export or deletion of their account data, subject to regulatory retention requirements.
8. Cookies
Essential cookies (always on): session cookies for authentication (medos_session), CSRF protection (medos_csrf), and security checks. These are strictly necessary for the site to function and are exempt from consent requirements under the DPDP Act.
Analytics cookies (consent required): when you accept via the cookie consent banner, Google Analytics sets _ga and _ga_G-9ZDWR4F4TZ cookies to measure site usage. These expire after 2 years or when you reject consent. We do not use advertising or retargeting cookies of any kind.
For the complete inventory of every cookie we set, what it does, and how long it persists, see our dedicated Cookie Policy.
9. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to registered clinic administrators at least 30 days before taking effect.
10. Contact
For privacy-related inquiries or to exercise your data rights:
Data Protection Officer: [email protected]
Phone: +91 40 4567 8900
Address: WeWork Rajapushpa Summit, Financial District, Hyderabad 500032