This Privacy Policy explains how Cyborian Tech Labs Pvt Ltd (“HealoPlus,” “we,” “us”) collects, uses, stores, and protects personal data when you use our platform — whether you are a clinic, a doctor, a staff member, or a patient. We are committed to full compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and all applicable Indian medical data laws.
1. Who We Are
Cyborian Tech Labs Pvt Ltd is the developer and operator of HealoPlus, a clinic management software platform for outpatient clinics, dental clinics, and dermatologists in India.
Under the DPDP Act, 2023, the Doctor or Clinic that registers on HealoPlus is the Data Fiduciary: it determines the purpose and means of processing patient data and is accountable for that processing. HealoPlus acts as the Data Processor, processing data only on the clinic's instructions and only to deliver the service.
2. Data We Collect
2.1 Patient Data (collected by clinics using HealoPlus)
- Identity: Full name, date of birth, gender, phone number, email address
- Clinical: Chief complaint, appointment history, prescriptions, diagnosis notes, vitals (BP, pulse, temperature, SpO₂, weight, height)
- Consent records: What you consented to, when, and how (web checkbox, WhatsApp reply, or guardian consent for minors)
- Guardian details (for patients under 18): guardian name and phone number
- Uploaded documents: Lab reports, imaging, and other files you share with your clinic
2.2 Clinic & Doctor Data
- Clinic name, address, GST number, registration number (Karnataka Clinical Establishments Act)
- Doctor name, qualification, NMC registration number
- Login credentials (password stored as a bcrypt hash — never plain text)
- Payment and billing metadata (processed via PayU)
2.3 Automatically Collected Data
- IP address (used for rate limiting and security; not stored in patient records)
- Browser type and device information
- Platform usage telemetry — de-identified and aggregated only
We practice data minimisation. We collect only what is necessary to deliver the service. Patient phone numbers and names are never written to Cloudflare edge logs. No PII appears in any error messages returned to users.
3. How We Use Your Data
| Purpose | Data Used | Who It Applies To |
|---|---|---|
| Book and manage appointments | Name, phone, concern, time slot | Patients |
| Generate and store prescriptions | Patient identity, doctor identity, clinical notes | Patients, Doctors |
| Send appointment confirmations & reminders | Phone number (WhatsApp), email — only if consented | Patients |
| Process clinic subscription billing | Clinic name, GST number, payment metadata | Clinics |
| Maintain audit logs for compliance | User ID, action type, timestamp, IP address | All users |
| Respond to patient rights requests | Patient identity and medical records | Patients |
| Improve platform performance | De-identified, aggregated telemetry only | All users |
We do not use patient data for advertising, profiling, or any purpose beyond delivering the HealoPlus service to the clinic that holds the patient relationship.
4. Legal Basis for Processing
Under the DPDP Act, 2023, all processing of patient personal data requires either explicit consent or a legitimate use recognised by law. HealoPlus processes patient data under the following bases:
- Explicit consent (§6 DPDP Act): Patients provide consent at booking via a plain-language, unticked checkbox. Consent is recorded with the exact text shown, a version number, timestamp, and method. Consent cannot be bundled with other agreements.
- Medical necessity: Prescription records and vitals are processed as necessary for the provision of medical care under the Drugs & Cosmetics Act, 1940 and NMC Telemedicine Guidelines, 2020.
- Legal obligation: Audit logs and certain records are retained to satisfy mandatory statutory retention periods (IT Act 2000, MCI guidelines, GST Act 2017).
Consent can be withdrawn at any time by submitting an erasure or correction request via the Patient Data Rights page. Withdrawal does not affect the lawfulness of processing before withdrawal.
6. Data Retention
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Patient health records | Minimum 7 years from last interaction | MCI record-keeping standards, DPDP Act |
| Prescriptions | Minimum 7 years | Drugs & Cosmetics Act, 1940 |
| Billing & invoices | Minimum 8 years | GST Act, 2017 |
| Audit logs | Minimum 7 years (append-only, cannot be deleted) | IT Act, 2000 §43A |
| Consent records | Duration of patient relationship + 7 years | DPDP Act, 2023 |
| OTP verification data | 5 minutes (Cloudflare KV with TTL) | Security — never stored in the database |
Data is never hard-deleted while within its retention period. After a clinic account is terminated, patient records are held in a locked, non-accessible state until the statutory retention period expires. Following expiry, data is irreversibly deleted.
7. Your Rights Under the DPDP Act, 2023
As a patient whose data is held through a clinic using HealoPlus, you have the following rights under the Digital Personal Data Protection Act, 2023. These rights are exercised through the clinic (Data Fiduciary) or directly via HealoPlus where noted.
Access Your Data
Download a full copy of your personal and medical data held by any clinic you’ve visited through HealoPlus.
Export my data →
Correct Your Data
Request a correction to any inaccurate personal information (name, phone, date of birth, address).
Correct my data →
Delete Your Data
Request erasure of your personal identifiers. Medical records are anonymised and the clinical skeleton is retained as required by law.
Delete my data →
File a Grievance
If you believe your data rights have been violated, file a formal grievance. You will receive a response within 30 days.
File a grievance →
If you are unsatisfied with our response, you may escalate to the Data Protection Board of India once it is established under the DPDP Act.
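The erasure right above describes identifiers being removed while the clinical skeleton is retained. The following is an added illustration of how such a request can be processed safely, written for this page and not HealoPlus's own code: identifier fields are dropped, identifier values are scrubbed out of free-text notes and nested records (a patient's name often appears inside diagnosis notes or a prescription, not only in the name column), the result is checked for leaks before it is persisted, and the action is appended to the audit log. The field names, the `patient_id`, the `patient.erasure` audit action and the sample record are all assumptions constructed for the example.

```python
"""Erasure handling: remove identifiers, keep the clinical skeleton, audit it.

Added example for this page, not HealoPlus code. Field names, the opaque
patient_id, and the 'patient.erasure' audit action are assumptions."""
from datetime import datetime, timezone

# Identifier fields erased on request (assumed set, modelled on the policy's
# list of identity and guardian data).
IDENTIFIER_FIELDS = {"full_name", "phone", "email", "dob",
                     "guardian_name", "guardian_phone"}
# Clinical fields retained, de-identified, for the statutory period.
CLINICAL_FIELDS = {"chief_complaint", "appointments", "prescriptions",
                   "diagnosis_notes", "vitals"}


def _redact(value, secrets):
    """Drop identifier keys and blank identifier values wherever they appear."""
    if isinstance(value, str):
        for s in secrets:
            value = value.replace(s, "[REDACTED]")
        return value
    if isinstance(value, dict):
        return {k: _redact(v, secrets) for k, v in value.items()
                if k not in IDENTIFIER_FIELDS}
    if isinstance(value, list):
        return [_redact(v, secrets) for v in value]
    return value


def _secrets(record):
    # Longest values first so a full name is replaced before any substring of it.
    return sorted((str(record[k]) for k in IDENTIFIER_FIELDS if record.get(k)),
                  key=len, reverse=True)


def anonymise_patient(record, erased_at):
    """Return a new record holding only the clinical skeleton plus erasure metadata."""
    secrets = _secrets(record)
    kept = {k: _redact(v, secrets) for k, v in record.items() if k in CLINICAL_FIELDS}
    kept.update({
        "patient_id": record["patient_id"],      # opaque internal id (assumed)
        "is_minor": bool(record.get("is_minor", False)),
        "identifiers_erased": True,
        "erased_at": erased_at.astimezone(timezone.utc).isoformat(),
    })
    return kept


def leaks_identifiers(value, secrets):
    """True if any identifier key or identifier value survives anywhere in value."""
    if isinstance(value, str):
        return any(s in value for s in secrets)
    if isinstance(value, dict):
        return any(k in IDENTIFIER_FIELDS or leaks_identifiers(v, secrets)
                   for k, v in value.items())
    if isinstance(value, list):
        return any(leaks_identifiers(v, secrets) for v in value)
    return False


def process_erasure(record, audit_log, actor_id, erased_at):
    """Anonymise, verify nothing leaked, then append an audit entry.

    Does not mutate the input; the caller replaces the stored record with the
    returned one. The audit log is append-only: entries are never edited."""
    anonymised = anonymise_patient(record, erased_at)
    if leaks_identifiers(anonymised, _secrets(record)):
        raise RuntimeError("identifier survived anonymisation; refusing to persist")
    audit_log.append({
        "action": "patient.erasure",            # assumed action name
        "patient_id": record["patient_id"],
        "actor_id": actor_id,
        "timestamp": erased_at.astimezone(timezone.utc).isoformat(),
    })
    return anonymised


# Constructed sample record for the example (not real data).
SAMPLE_RECORD = {
    "patient_id": "pt_0001",
    "full_name": "Priya Nair",
    "dob": "1988-04-02",
    "phone": "9876543210",
    "email": "priya@example.com",
    "is_minor": False,
    "chief_complaint": "Itchy rash on forearms",
    "diagnosis_notes": "Priya Nair reports contact dermatitis; callback on 9876543210.",
    "vitals": {"bp": "118/76", "pulse": 72},
    "prescriptions": [{"drug": "Cetirizine 10 mg", "for": "Priya Nair"}],
    "appointments": [{"date": "2025-05-20", "doctor": "Dr. Rao"}],
}
ERASED_AT = datetime(2025, 6, 1, 9, 30, tzinfo=timezone.utc)


def run_example():
    """Process the sample erasure; returns (anonymised record, audit log)."""
    audit_log = []
    out = process_erasure(SAMPLE_RECORD, audit_log, actor_id="pt_0001", erased_at=ERASED_AT)
    return out, audit_log


if __name__ == "__main__":
    result, log = run_example()
    print(result["diagnosis_notes"])   # name and phone replaced by [REDACTED]
    print(log[-1]["action"])
```

The leak check is the part worth keeping: a field-level delete alone would have left the name inside `diagnosis_notes` and the prescription, which is exactly the data the patient asked to have removed.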
8. Data Localisation
All patient personal data processed through HealoPlus is stored exclusively within India. Our primary database is hosted on Supabase Mumbai (ap-south-1), ensuring compliance with applicable Indian data localisation requirements under the DPDP Act, 2023.
Patient data is not transferred to servers outside India. Where third-party sub-processors (listed in Section 5) are involved, data is shared only to the minimum extent necessary and subject to contractual data protection obligations.
10. Minor Patients
For patients under 18 years of age, HealoPlus requires the collecting clinic to obtain consent from a parent or legal guardian before creating a patient record. Guardian name and phone number are stored alongside the patient record, which is marked with an is_minor = true flag.
Consent for minor patients is recorded with method guardian_web_checkbox or verbal_recorded. Clinics are prohibited from creating records for minor patients without guardian consent — the platform enforces this at the API level.
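The consent record described in Section 4 (exact text shown, version number, timestamp, method) and the API-level guardian check described above fit together naturally in one server-side validator. The following is an added example of such a check, written for this page and not HealoPlus's own code. Only `is_minor`, `guardian_web_checkbox` and `verbal_recorded` are names the policy uses; the adult consent method names, the consent text and version, the payload field names and the sample payloads are assumptions constructed for the example. The age is computed from the date of birth on the server rather than trusted from the client, so a record for a minor cannot be created without guardian details and a guardian consent method regardless of what the client sends.

```python
"""Server-side consent validation for patient record creation.

Added example for this page, not HealoPlus code. Names other than is_minor,
guardian_web_checkbox and verbal_recorded are assumptions."""
from dataclasses import dataclass, asdict
from datetime import date, datetime, timezone
import hashlib

MINOR_CONSENT_METHODS = {"guardian_web_checkbox", "verbal_recorded"}  # named in the policy
ADULT_CONSENT_METHODS = {"web_checkbox", "whatsapp_reply"}             # assumed names

# Assumed current consent text and version; a deployment would load these
# from a versioned store so the record captures exactly what was shown.
CONSENT_TEXT = ("I agree that this clinic may store my details and clinical notes "
                "in HealoPlus to manage my care.")
CONSENT_VERSION = 3

# Fixed clock for the example so results are reproducible.
TODAY = date(2025, 6, 1)
NOW = datetime(2025, 6, 1, 10, 15, tzinfo=timezone.utc)


class ConsentError(ValueError):
    """Raised when a record would be created without valid consent."""


def age_on(dob, today):
    """Completed years of age on `today` (birthday not yet reached counts down)."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


@dataclass(frozen=True)
class ConsentRecord:
    text: str          # exact text shown to the person consenting
    text_sha256: str   # fingerprint of that text (assumed; tamper-evidence)
    version: int
    method: str
    given_by: str      # "patient" or "guardian"
    given_at: str      # ISO-8601 UTC timestamp


def validate_patient_create(payload, today, now):
    """Return the record to persist, or raise ConsentError.

    Assumed payload keys: full_name, dob (ISO date), phone, consent_method,
    consent_text, and for minors guardian_name and guardian_phone."""
    dob = date.fromisoformat(payload["dob"])
    is_minor = age_on(dob, today) < 18          # derived server-side, never trusted from the client
    method = payload.get("consent_method")
    shown = payload.get("consent_text", "")

    # Consent must be to the current text alone, not bundled or stale.
    if shown != CONSENT_TEXT:
        raise ConsentError("consent text does not match the current consent version")

    if is_minor:
        if method not in MINOR_CONSENT_METHODS:
            raise ConsentError(f"minor patient requires guardian consent, got {method!r}")
        if not payload.get("guardian_name") or not payload.get("guardian_phone"):
            raise ConsentError("guardian name and phone are required for a minor")
        given_by = "guardian"
    else:
        if method not in ADULT_CONSENT_METHODS:
            raise ConsentError(f"unsupported consent method {method!r}")
        given_by = "patient"

    consent = ConsentRecord(
        text=shown,
        text_sha256=hashlib.sha256(shown.encode()).hexdigest(),
        version=CONSENT_VERSION,
        method=method,
        given_by=given_by,
        given_at=now.astimezone(timezone.utc).isoformat(),
    )
    record = {
        "full_name": payload["full_name"],
        "dob": payload["dob"],
        "phone": payload["phone"],
        "is_minor": is_minor,
        "consent": asdict(consent),
    }
    if is_minor:
        record["guardian_name"] = payload["guardian_name"]
        record["guardian_phone"] = payload["guardian_phone"]
    return record


def try_create(payload):
    """Demonstration wrapper: ('ok', record) or ('rejected', reason)."""
    try:
        return "ok", validate_patient_create(payload, TODAY, NOW)
    except ConsentError as e:
        return "rejected", str(e)


# Constructed sample payloads (not real data).
ADULT_PAYLOAD = {"full_name": "Arjun Menon", "dob": "1990-01-15", "phone": "9000000001",
                 "consent_method": "web_checkbox", "consent_text": CONSENT_TEXT}
MINOR_PAYLOAD = {"full_name": "Kavya Menon", "dob": "2012-03-15", "phone": "9000000002",
                 "consent_method": "guardian_web_checkbox", "consent_text": CONSENT_TEXT,
                 "guardian_name": "Arjun Menon", "guardian_phone": "9000000001"}

if __name__ == "__main__":
    print(try_create(ADULT_PAYLOAD)[0])
    print(try_create(MINOR_PAYLOAD)[0])
    print(try_create({**MINOR_PAYLOAD, "consent_method": "web_checkbox"}))
```

The boundary case matters: a patient whose 18th birthday is today is an adult, one day younger is a minor, and the check must not accept a plain `web_checkbox` for the latter even if the client omitted the guardian fields entirely.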
11. Data Breach Response
In the event of confirmed or suspected unauthorised access to patient data, Cyborian Tech Labs will:
- Notify the affected clinic (Data Fiduciary) without undue delay
- Report the incident to the Data Protection Board of India within 72 hours of becoming aware of it, in line with the timelines prescribed under the DPDP Act, 2023
- Log the incident in the append-only audit log with action breach.detected
- Provide tooling to assist the Data Fiduciary in individually notifying affected patients via WhatsApp and email
Patients are individually notified by the clinic (Data Fiduciary). HealoPlus provides the notification infrastructure and incident record; the legal notification obligation rests with the Data Fiduciary.
12. Contact & Grievance Officer
For privacy queries, data rights requests, or to reach our Grievance Officer as required under the IT Act, 2000, please contact:
We will acknowledge all privacy requests within 7 business days and resolve them within 30 days as required by the DPDP Act, 2023.
Governed by Indian Law
- DPDP Act, 2023
- NMC Telemedicine Guidelines, 2020
- IT Act, 2000 + SPDI Rules, 2011
- Drugs & Cosmetics Act, 1940
- GST Act, 2017
- Karnataka Clinical Establishments Act, 2007