Privacy Policy

Last updated: May 12, 2026

This Privacy Policy describes how NETIX INFOTECH PRIVATE LIMITED ("HomeoNetix", "we", "us", or "our") collects, uses, shares, stores, and safeguards information when you visit our website, register for an account, or use the HomeoNetix Electronic Medical Records (EMR) and clinic management platform (collectively, the "Services"). By using the Services, you consent to the practices described in this Policy.

This Policy is published in accordance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Digital Personal Data Protection Act, 2023 of India, and is intended to operate alongside the expectations set by HIPAA, GDPR and the draft DISHA framework where applicable.

1. Your Consent

By creating an account, signing in or otherwise using the Services, you confirm that you have read this Privacy Policy and consent to the collection, storage, processing, transfer and disclosure of your information as described below. Where you input information about your patients, you confirm that you have obtained the necessary consent from those patients and that you are acting as the data fiduciary / controller for that information.

2. Information We Collect

2.1 Information you provide directly

  • Account & clinic details: name, email, phone number, professional registration / council details, clinic name, branches, designations and roles of staff members.
  • Billing information: billing address, GSTIN (where applicable), invoice details and information required to process payments via our payment partners.
  • Support & communications: messages you send to our support, sales or grievance channels, including attachments and any context you share.

2.2 Patient and clinical information you input

When you use the Services to manage your practice, you may input or upload personal and sensitive personal data about your patients, including:

  • Identifiers (name, age, gender, UHID, contact details, address, photograph).
  • Clinical data: chief complaints, LSMC (Complete Symptom) analysis, history, generals, modalities, miasm scores, rubrics, diagnoses, prescriptions and follow-up notes.
  • Investigation reports, prescription images, attachments, audio notes and any files you upload.
  • Appointment, billing and consent records linked to a patient case.

Important — roles under data protection law: for patient information, you are the data fiduciary / controller. HomeoNetix acts as a data processor and processes such data solely on your documented instructions and as required to operate the Services.

2.3 Information collected automatically

  • Device and browser information (device model, operating system, browser type and version, language settings, screen size).
  • IP address, approximate location derived from IP, and connection metadata.
  • Usage data: pages visited, features used, clicks, session duration, navigation paths, error logs and diagnostic information.
  • Cookies, local storage and similar technologies as described in Section 8 below.

2.4 Information from third parties

We may receive information from identity providers (such as Auth0) when you log in, from payment gateways (such as Razorpay) when you transact with us, from analytics and error-monitoring providers, and from referral partners who introduce you to HomeoNetix.

3. How We Use Your Information

We use the information we collect to:

  • Create and operate your account, branches and staff users.
  • Provide and personalise the Services, including consultations, prescriptions, scheduling, miasm analysis, follow-ups and reporting.
  • Process subscriptions, invoices, taxes and other billing operations via our payment partners.
  • Send service notifications, security alerts, administrative messages and policy updates.
  • Provide customer support and respond to questions, feedback or grievances.
  • Improve and develop the Services — including aggregated, de-identified analytics about feature usage and performance.
  • Detect, investigate and prevent fraud, abuse, unauthorised access and other harmful or unlawful activity.
  • Comply with applicable laws, regulations, lawful requests from authorities and audit obligations applicable to healthcare technology providers.

We do not sell your personal information or your patients' data, and we do not use patient health data for advertising.

4. How We Share Your Information

We share information only as necessary to provide the Services and only with the following categories of recipients:

  • Sub-processors and service providers — cloud hosting (Amazon Web Services), database, email (Brevo), SMS/WhatsApp (MSG91 / Meta), payments (Razorpay), authentication (Auth0), file storage (Amazon S3), error monitoring and analytics providers. Each is bound by contractual obligations of confidentiality and security and is permitted to process data only on our instructions.
  • Within your clinic / tenant — staff and doctor accounts within your tenant access patient data based on roles and permissions configured by your administrator.
  • Legal and regulatory authorities — where required by law, court order or other lawful request, and where necessary to protect rights, safety or property.
  • Business transfers — in the event of a merger, acquisition, reorganisation or sale of assets, information may be transferred to the successor entity, subject to commitments at least as protective as this Policy.
  • With your consent — for any other disclosure outside of the above.

5. Security of Your Information

We follow industry-standard administrative, technical and physical safeguards to protect your information, including:

  • AES-256 encryption for data at rest and TLS 1.2+ for data in transit.
  • Logical multi-tenant isolation so that each clinic's data is segregated and access-scoped by tenant identifier.
  • Role-based access control (RBAC) and the principle of least privilege for internal access.
  • Multi-factor authentication options, hardened password policies and OAuth2 / JWT-based session management.
  • Automated daily backups, point-in-time recovery and secure offsite replication.
  • Continuous monitoring, vulnerability scanning and periodic penetration testing.
  • Confidentiality obligations for employees, contractors and vetted sub-processors.

While we use commercially reasonable measures, no method of transmission or electronic storage is fully secure. You are responsible for protecting your account credentials and for promptly informing us of any suspected unauthorised use.

6. Data Retention

We retain personal and clinical information for as long as your account is active and for the period necessary to comply with our legal, regulatory, accounting and clinical record-retention obligations. Medical records are subject to long retention requirements under HIPAA, GDPR Article 17(3)(c), DISHA and Indian clinical-records guidance. Specifically:

  • Active clinical records (cases, consultations, prescriptions) are retained for the duration of your subscription and the legally required period thereafter.
  • Billing, tax and audit records are retained for the periods mandated by the Companies Act, GST and Income-tax laws.
  • Backups are retained on a rolling schedule and are securely overwritten in the ordinary course of operations.
  • After account closure, residual data is deleted or de-identified once retention obligations expire.

7. Data Residency & International Transfers

Production patient data is hosted within India on AWS infrastructure. Where the Services use sub-processors located outside India (for example, certain analytics, error-monitoring or messaging providers), transfers are made under standard contractual safeguards and only for the limited categories of data needed to operate that service. Health records are not exported outside India for routine processing.

8. Cookies & Similar Technologies

We use first-party and approved third-party cookies and similar technologies to authenticate sessions, remember preferences, measure performance and improve the Services. You can control cookies through your browser settings; disabling certain cookies may degrade functionality. Where required by law, we collect consent for non-essential cookies through our cookie banner.

9. Your Rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate or incomplete data.
  • Request deletion of your data, except where retention is required by law (for example, medical record retention or tax records).
  • Receive a portable export of your data in a commonly used format.
  • Withdraw consent where processing is based on consent.
  • Opt out of marketing emails through the unsubscribe link in each message.
  • Lodge a complaint with our Grievance Officer (Section 13) or with the data protection authority of your jurisdiction.

Patients should direct their data subject requests to the clinic with which they have a treatment relationship. As a processor, we will support the clinic in responding to such requests.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in risk to the rights and freedoms of affected individuals, we will notify the affected clinic and the relevant authorities within the timelines required by applicable law (including CERT-In and DPDP Act notification requirements in India and GDPR / HIPAA timelines where applicable). We maintain a documented incident response plan and review it periodically.

11. Children's Privacy

The Services are intended for use by registered healthcare practitioners and their authorised clinic staff. We do not knowingly collect personal data directly from children under the age of 18. Where a clinic uses the Services to maintain records of paediatric patients, the clinic is responsible for obtaining the consent of a parent or legal guardian as required by law.

12. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. The "Last updated" date at the top of this page reflects the latest revision. Material changes will be communicated by in-app notification or email. Your continued use of the Services after the effective date of the updated Policy constitutes acceptance of the changes.

13. Grievance Officer & Contact

If you have questions, requests or complaints regarding this Privacy Policy or our processing of your information, please contact our Grievance Officer:

  • Entity: NETIX INFOTECH PRIVATE LIMITED
  • Email: privacy@homeonetix.com
  • Registered Office: Office 204, Sapphire Chambers, S.No. 2/3/1 & 2/3/2, Rivires, Baner Gaon, Haveli, Pune – 411045, Maharashtra, India

We acknowledge grievances within 48 hours and aim to resolve them within 30 days of receipt, in line with applicable Indian data-protection rules.