MedEase — Privacy Policy
Effective Date: 24 Oct 2025 | Last Updated: 24 Oct 2025
1. Introduction
Welcome to MedEase, a Hospital Management Information System developed and operated by Datasavant Software Solutions Pvt. Ltd. (“we”, “our”, “us”). We are committed to protecting the privacy and security of personal data processed through MedEase in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Clinical Establishments (Registration & Regulation) Act, 2010 (CE Act), and other applicable Indian laws.
2. Scope & Applicability
This policy applies to:
- All hospitals, clinics, laboratories, pharmacies, and other healthcare institutions that use MedEase;
- All individuals whose personal data is collected, stored, or processed through MedEase (patients, guardians, doctors, staff, vendors); and
- All MedEase modules: Patient, Appointments, In-Patient/Out-Patient, Lab, Pharmacy, Billing, HR, Reports, and Administration.
3. Key Definitions
- Personal Data: Data about an identifiable individual.
- Data Principal: The person the data is about (e.g., patient, staff).
- Data Fiduciary: The hospital/clinic using MedEase that determines processing purposes.
- Data Processor: MedEase or authorised service providers processing data on behalf of a Data Fiduciary.
- Processing: Any operation performed on personal data (collect, store, use, delete).
4. Data We Collect
A. Patients
Identity & contact (name, DOB, gender, address, phone, email); IDs & insurance (Aadhaar if provided, ABHA, insurance details); clinical data (diagnoses, prescriptions, lab reports, imaging, allergies, vitals, treatment history); administrative & billing records.
B. Healthcare Professionals & Staff
Personal & professional details (name, contact, qualifications, registration numbers); HR data (attendance, payroll); system logs and audit trails.
C. Vendors & Contractors
Business contact, contract and billing details.
D. System Users & Visitors
Login credentials, IP address, browser/device metadata, support logs.
We follow data minimisation — collecting only what is necessary for the stated purposes.
5. Purposes of Processing
We process personal data for clear, lawful, and specific purposes including:
- Delivering healthcare and clinical services;
- Registration, appointments, diagnosis, treatment, prescriptions, lab and imaging workflows;
- Billing, claims processing and insurance coordination;
- Maintaining medical records and regulatory compliance (CE Act);
- HR, payroll and vendor management;
- Security, system monitoring, audit trails and fraud prevention;
- Public health reporting and anonymised research/statistics where permitted.
We follow the DPDP Act principles of purpose limitation and data minimisation.
We process data to deliver healthcare services, manage appointments and clinical workflows, maintain medical records, perform billing and insurance processing, meet statutory reporting obligations under the CE Act, operate HR and vendor modules, and support system security and analytics (using anonymised data where possible).
6. Lawful Basis for Processing
MedEase (and the Data Fiduciaries using it) rely on one or more lawful grounds under the DPDP Act, including:
- Consent of the Data Principal;
- Processing necessary to perform a contract (e.g., patient care or employment);
- Processing necessary to comply with legal obligations (e.g., CE Act record-keeping);
- Processing based on legitimate interests of the Data Fiduciary, provided these do not override the rights of the Data Principal.
Where consent is used, we maintain records and provide mechanisms for withdrawal.
Processing grounds include explicit consent, performance of contracts, compliance with legal obligations, and legitimate interests (balanced against individual rights).
7. Consent & Withdrawal
- Explicit, informed consent is obtained for collection/processing where required (especially for sensitive health data).
- Consent requests clearly state what data is collected, why, retention periods, and any disclosures.
- Data Principals may withdraw consent at any time by contacting their hospital’s DPO. Withdrawal does not invalidate prior lawful processing, and may limit services that require the data.
We obtain explicit consent where required and keep consent records. You may withdraw consent at any time by contacting the DPO; withdrawal will not affect prior lawful processing and may limit certain services.
8. Data Retention
- Personal data is retained only as long as required for the purposes collected or as required by applicable law (e.g., CE Act retention rules — typically a minimum period such as 3 years; state rules may vary).
- After retention periods, data is securely deleted or irreversibly anonymised.
- Retention schedules are reviewed periodically.
9. Data Security & Storage
MedEase implements appropriate technical and organisational measures:
- Encryption in transit and at rest;
- Role-based access control and least-privilege principles;
- Audit logs and monitoring of access and administrative actions;
- Regular security assessments and vulnerability testing;
- Hosting in secure data centres located within India (unless explicit, lawful cross-border transfer is authorised).
In the event of a personal data breach, we will assist the Data Fiduciary to notify affected Data Principals and the competent authority as required by law.
10. Data Sharing & Disclosure
MedEase only permits sharing personal data in the following circumstances:
- With authorised healthcare professionals for treatment;
- With government/regulatory authorities as legally required (e.g., statutory reporting under CE Act);
- With insurers or laboratories where required for service delivery (usually with consent);
- With authorised vendors and processors under written contracts and confidentiality obligations;
- In medical emergencies where consent cannot reasonably be obtained.
MedEase does not sell or lease personal data for marketing/commercial purposes.
11. Cross-Border Transfers
MedEase stores and processes personal data primarily within India. Cross-border transfers will only occur:
- Where permitted by law and applicable government rules; and
- With appropriate safeguards (e.g., explicit consent, contractual protections), in accordance with applicable DPDP Act rules.
Until the Central Government notifies specific rules, MedEase treats cross-border transfers conservatively and documents safeguards.
12. Rights of Data Principals
Under the DPDP Act, Data Principals have the right to:
- Access their personal data;
- Correct or update inaccurate/incomplete data;
- Withdraw consent;
- Request erasure or anonymisation (subject to legal retention obligations);
- Nominate a representative to exercise rights in case of incapacity or death;
- Lodge complaints with the Data Protection Board (as per procedure in the Act).
Requests to exercise rights should be made to the hospital’s DPO or via MedEase’s Privacy Office. Identity verification may be required before fulfilling requests.
13. Children & Minors
For Data Principals under 18 years, MedEase requires verifiable consent from a parent or legal guardian and applies additional safeguards.
14. Public Health, Research & Statistics
We support authorised public health reporting and research using anonymised data where feasible. Identifiable data is used/disclosed only on lawful bases or with consent.
15. Compliance with Clinical Establishments Act
MedEase is designed to support hospitals’ compliance with the Clinical Establishments Act by:
- Enabling maintenance of medical records and registers in required formats;
- Supporting digital submission of required statistics and reports to authorities;
- Preserving logs and audit trails for inspections and quality checks.
MedEase will not delete data necessary for regulatory reporting and audits.
16. Data Protection Officer (DPO)
Each hospital using MedEase should also appoint its own DPO or point-of-contact for internal privacy compliance and requests.
17. Grievance Redressal
If you believe your data has been misused or you have privacy concerns:
- Contact your hospital’s DPO for privacy complaints.
- If not resolved, you may escalate complaints to the Data Protection Board of India in accordance with the DPDP Act.
We endeavour to acknowledge and respond to complaints promptly and in good faith.
18. Changes to this Policy
We may update this Policy to reflect legal, technical, or operational changes. Material changes will be notified through the MedEase dashboard, email, or prominent notices. Continued use of MedEase after updates constitutes acceptance of the revised policy.
19. Contact
For privacy queries or rights requests: privacy@medease.in
MedEase — Datasavant Software Solutions Pvt. Ltd.
Address: Satna, Madhya Pradesh, 485001