Privacy Policy
Effective date: 18 March 2026 · Last updated: 18 March 2026
Summary: We collect the minimum data needed to operate FlexCare. We never sell your data. Patient health data belongs to your clinic. You can export or delete your data anytime. We comply with the DPDP Act 2023.
1. Who We Are
FlexCare HMS is a product of Flexonixs ("Company", "we", "us", or "our"). We operate a Software-as-a-Service (SaaS) platform that provides hospital and clinic management tools to healthcare providers in India. Our registered office is in India.
This Privacy Policy applies to all users of the FlexCare platform — including clinic administrators, doctors, staff members, and patients accessing the Patient Portal.
2. What Data We Collect
We collect the following categories of data:
**Clinic & Account Data**
- Clinic name, address, contact details
- Clinic owner / admin name, email address, phone number
- Medical Council registration number (for doctor profiles)
- Subscription and billing information

**Staff Data**
- Name, role, phone number, email
- Login credentials (passwords stored as bcrypt hashes — never in plain text)

**Patient Data (collected on behalf of the clinic)**
- Name, age, gender, phone number
- Medical history, diagnoses, prescriptions, lab results, visit notes
- Payment and billing records
- Aadhaar number (if voluntarily provided for identity purposes — stored encrypted)

**Technical Data**
- IP address, device type, browser
- Session and login timestamps
- Audit logs (who accessed what, when)
3. How We Use Your Data
We use the data collected for the following purposes:
- To provide and operate the FlexCare platform
- To authenticate users and maintain session security
- To generate prescriptions, invoices, reports, and other clinic documents
- To send appointment reminders, prescription delivery, and notifications via SMS/WhatsApp
- To provide customer support
- To improve the platform (aggregated, anonymised analytics only)
- To comply with legal obligations under Indian law
We do not sell your data to third parties. We do not use patient health data for advertising or marketing purposes.
4. Data Ownership
Patient data entered into FlexCare belongs to the clinic (tenant) that created it. FlexCare acts as a data processor on behalf of the clinic, which is the data fiduciary under the DPDP Act 2023.
Clinics retain full ownership and control of their data at all times. You can export all your data at any time from the dashboard.
5. Multi-Tenancy & Data Isolation
FlexCare is a multi-tenant platform. Each clinic's data is strictly isolated from other clinics using PostgreSQL Row Level Security (RLS) policies enforced at the database level.
No clinic can access another clinic's patient records, billing data, or any other information. This isolation is enforced at the infrastructure level — not just the application level.
6. Data Security
We implement healthcare-grade security measures including:
- All data transmitted over HTTPS/TLS 1.3
- Data at rest encrypted with AES-256
- Sensitive fields (phone, email, Aadhaar) encrypted at the field level
- Daily encrypted backups stored in a separate geographic location
- Immutable audit logs for every data access and modification
- Role-Based Access Control (RBAC) — staff see only what their role permits
- No direct production database access for any employee without approval and logging
7. Third-Party Services
We use the following third-party services to operate FlexCare:
- **Razorpay** — payment processing for clinic subscriptions
- **MSG91** — SMS OTP and notification delivery
- **WhatsApp Business API** — prescription and notification delivery to patients
- **Cloudflare R2** — encrypted file storage for prescriptions, reports, scans
- **Resend** — transactional email delivery

Each of these services has its own privacy policy and data processing agreements with us. We share only the minimum data required for each service to function.
8. Patient Consent
When a patient registers on the Patient Portal, we obtain explicit consent before collecting and processing their personal health data.
Patients may withdraw consent at any time by contacting their clinic or emailing us at privacy@flexcare.in. Upon consent withdrawal, patient data will be anonymised. Note: medical records may be retained in anonymised form to comply with legal record-keeping requirements under Indian law.
9. Data Retention
- Active clinic data is retained for the duration of the subscription plus 90 days after cancellation
- Patient health records are retained for 7 years after the last visit, in line with standard medical record-keeping requirements under Indian law
- Audit logs are retained for 7 years
- After the retention period, data is permanently and securely deleted
- You may request earlier deletion by contacting us — subject to legal retention obligations
10. Your Rights (DPDP Act 2023)
Under the Digital Personal Data Protection Act 2023, you have the right to:
- **Access** — request a copy of your personal data we hold
- **Correction** — request correction of inaccurate data
- **Erasure** — request deletion of your data (subject to legal retention requirements)
- **Grievance redressal** — raise a complaint with our Data Protection Officer
To exercise these rights, email: privacy@flexcare.in
We will respond within 30 days.
11. Data Breach Notification
In the event of a data breach that is likely to cause harm to affected individuals, we will:
- Notify affected clinic administrators within 24 hours of discovery
- Notify CERT-In as required under the DPDP Act 2023
- Provide a full incident report within 72 hours
We maintain an incident response plan and conduct regular security reviews.
12. Cookies
FlexCare uses the following cookies:
- **Session cookie** — required for login and authentication. HttpOnly, Secure, SameSite=Strict.
- **Preference cookie** — stores UI preferences (light/dark mode, language)
We do not use advertising cookies or third-party tracking cookies. We do not use Google Analytics or any external analytics platform that shares data.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify clinic administrators via email and in-app notification at least 14 days before the changes take effect.
Continued use of FlexCare after the effective date constitutes acceptance of the updated policy.
14. Contact & Grievance Officer
For any privacy-related questions, data requests, or complaints:
**Data Protection Officer / Grievance Officer**
Flexonixs
Email: privacy@flexcare.in
Phone: +91 98765 43210
Response time: Within 30 days as required by law