Privacy Policy

Compliance & Trust

Privacy Policy

At Medisray, we treat your health data with the same precision as our clinical research. This policy outlines how we safeguard your information across our global ecosystem.

Last Updated

April 01, 2024

Privacy Index

Privacy at a Glance

Who We Are

Cyberx Info System Private Limited, through its brand/platform Medisray.

Why We Collect It

To operate the platform, send notifications, maintain security, comply with law.

Data Stored In

India servers located in India only

Data We Collect

Account data, clinic info, patient records (entered by you), usage & device logs

Data Sharing

Cloud providers, notification services (WA/SMS/Email). We never sell data.

Data Stored In

India servers located in India only

01. Scope

Scope of This Policy

This Privacy Policy explains how Cyberx Info System Private Limited (doing business as “Medisray”) (“we”, “us”, “our”) collects, uses, stores, and protects information when you use the Medisray Platform.”, uses, stores, and protects information when you use our Platform. This Policy is governed by the Digital Personal Data Protection Act, 2023 (DPDP Act), the SPDI Rules, 2011, and all other Applicable Laws in India.

This Policy applies to:

  • Personal data of Subscribers and Authorised Users collected during account registration, use of the Platform, and related communications;
  • Patient data (including Sensitive Personal Data or Information) that Subscribers enter into the Platform while managing clinical operations;
  • Data collected automatically through your use of the Platform, including usage logs and device information.
For Patient data, the Subscriber acts as the primary Data Fiduciary under the DPDP Act. The Company acts as a Data Processor in respect of such data and processes it solely in accordance with the Subscriber’s instructions. Data Processor in respect of such data.
02. Data Collection

Information We Collect

Information Provided by Subscribers

When you register for and use the Platform, we collect:

  • Clinic/practice information: clinic name(s), address(es), contact details, specialisation, time slot configurations;
  • User preferences and Platform settings.
  • Account registration data: name, email address (optional), mobile phone number, professional registration details;
  • Role and permission configurations set by the Owner.

Information Provided by Subscribers

Subscribers enter the following categories of Patient data into the Platform:
  • Basic demographic information: name, age, gender, mobile phone number, email address (optional);
  • Digital prescriptions: medicines, dosage instructions, diagnoses, clinical notes;
  • Appointment and visit history.
  • Billing and payment records.
  • Follow-up reminders and consultation notes.

Patient medical records and health information constitute Sensitive Personal Data or Information (SPDI) under the SPDI Rules, 2011. The Subscriber, as Data Fiduciary, is responsible for obtaining all necessary consents from Patients before entering their data into the Platform.

Automatically Collected Data

  • Log data: IP address, browser type, pages visited, time and date of access.
  • Device information:  device type, operating system, unique device identifiers;
  • Usage data: features used, clicks, navigation patterns, error logs;
  • Session data: login timestamps, session duration.

Data We Do Not Collect

  • Payment card numbers or full bank account details (handled by PCI-DSS compliant processors);
  • Biometric data;
  • Data from minors directly (all platform users must be 18+);
  • Government ID numbers such as Aadhaar or PAN, except where expressly provided for a specific purpose.
03. Legal Basis

Legal Basis for Processing

We process personal data on the following legal bases under the DPDP Act, 2023 and SPDI Rules, 2011:
Privacy Table
Purpose Data Categories Legal Basis
Providing and operating the Platform Account data, usage data, clinic data Contractual necessity
Processing appointments and consultations Patient data, appointment records Contractual necessity; Subscriber's consent from Patient
Sending notifications (WA/SMS/Email) Phone number, email, appointment details Contractual necessity; TRAI compliance
Security, fraud prevention, compliance Log data, device data, account data Legitimate interests; Legal obligation
Analytics and Platform improvement Aggregated/anonymised usage data Legitimate interests
Responding to support queries Communication data Contractual necessity; Legitimate interests
Compliance with legal obligations Any relevant data Legal obligation (DPDP Act, IT Act)
04. Usage

How We Use Your Information

Data We Do Not Collect

  • To create and manage your account and Subscription;
  • To provide, operate, and maintain the Platform and all its features;
  • To process appointments, walk-ins, prescriptions, billing, and related clinical workflows;
  • To facilitate multi-clinic management and role-based access control.

Communications and Notifications

  • To send appointment confirmations, reminders, and cancellation notices to Patients via WhatsApp, SMS, and email;
  • To send OTPs for user authentication and password reset;
  • To send operational notifications, including daily summaries and subscription alerts;
  • To respond to support requests, queries, and complaints.

Security and Compliance

  • To detect and prevent fraud, unauthorised access, and malicious activity;
  • To enforce our Terms and Conditions;
  • To comply with applicable legal and regulatory obligations;
  • To respond to lawful requests from courts, government authorities, and regulators.

4.4 What We Do Not Do

We will never sell, rent, or trade your personal data or Patient data to any third party for commercial purposes. We will never use Patient data for advertising or marketing purposes.

05. Sharing

Data Sharing and Disclosure

Service Providers and Data Processors

We share data with trusted third-party service providers who process data on our behalf and under our instructions, subject to appropriate data processing agreements. These include:
  • Cloud infrastructure and hosting providers (servers located in India);
  • WhatsApp Business API providers (BSP partners) for notification delivery;
  • SMS gateway providers (DLT-registered) for SMS notifications;
  • Email delivery service providers;
  • Payment processing providers (PCI-DSS compliant) for Subscription fee collection;
  • Analytics and monitoring tools (processing anonymised/aggregated data only).

Legal Disclosures

We may disclose your information where required by law or in response to valid legal process, including compliance with court orders, subpoenas, requests from law enforcement authorities under Applicable Law, or protection of the rights, property, or safety of the Company, our users, or others.

5.3 No Cross-Border Transfers

All personal data and Patient data is stored and processed in India. We do not transfer personal data outside the territory of India except to the extent required by Applicable Law and subject to appropriate safeguards.

06. Retention

Data Retention

Data Category Retention Period
Subscriber account data Duration of Subscription + 90 days post-termination
Patient records and prescriptions Duration of Subscription + 90 days; thereafter on request or as required (typically 7 years under MCI guidelines)
Billing and financial records 7 years (GST and accounting compliance)
Communication logs 90 days
Security and access logs 1 year
Support communications 3 years from resolution
After the applicable retention period, data is permanently deleted using industry-standard secure deletion methods, or anonymised such that it can no longer be linked to an identifiable individual.
07. Security

Security Measures

Encryption

Encryption of data in transit using TLS 1.2 or higher; at rest.

Multi-factor Auth

Role-based access controls to limit internal access to data;

Security Audits and Assessments;

Regular security audits and vulnerability assessments;

Access Control

Encryption of sensitive data at rest;

Audit & Testing

Multi-factor authentication (OTP-based) for Platform access;

Incident Response

Incident response procedures aligned with DPDP Act requirements;

Despite these measures, no security system is impenetrable. In the event of a personal data breach, we will notify affected Subscribers and, where required, the Data Protection Board of India, in accordance with the DPDP Act, 2023.
08. Rights

Your Rights as a Data Principal

Under the Digital Personal Data Protection Act, 2023, you have the following rights with respect to your personal data:

Right to Access

Obtain a summary of the personal data we hold about you and how it is being processed.

Right to Correction & Erasure

Request correction of inaccurate data and erasure of data no longer necessary for its original purpose.

Right of Grievance Redressal

Have your grievances regarding processing addressed by us in a timely and effective manner.

Right of Nomination

Nominate another individual to exercise your rights in the event of your death or incapacity.

Right to Withdraw Consent

Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.

Patient Rights

Patients should direct rights requests to the Subscriber (Data Fiduciary). We assist Subscribers in fulfilling valid requests.

To exercise any of the above rights, please contact our Data Protection Officer at dpo@medisray.com. We will respond to all valid requests within 30 days. We may require you to verify your identity before processing your request.

09. COokies

Cookies and Tracking Technologies

The Platform uses cookies and similar technologies to maintain login sessions, remember preferences, analyse Platform usage (using aggregated/anonymised data), and detect and prevent fraudulent activity.

We use the following types of cookies:

  • Essential cookies: necessary for the Platform to function; cannot be disabled;
  • Functional cookies:  remember your preferences and improve your experience;
  • Analytics cookies: collect anonymised data to help us understand Platform usage.
You may control cookies through your browser settings. Disabling essential cookies may affect the functionality of the Platform.
10. Childrens

Children's Privacy

The Platform is intended solely for use by adults (18 years and above). We do not knowingly collect personal data directly from individuals under the age of 18.
Patient data relating to minors may be entered by Subscribers in their capacity as healthcare providers; in such cases, the Subscriber is responsible for obtaining all necessary parental or guardian consents as required by Applicable Law.
If we become aware that we have inadvertently collected personal data directly from a child without appropriate consent, we will take prompt steps to delete such data.
11. Third-Party

Third-Party Links and Services

The Platform may contain links to third-party websites and services. This Policy does not apply to such third-party platforms. We encourage you to review the privacy policies of any third parties before sharing your personal data with them. The Company accepts no responsibility or liability for the privacy practices of third parties.
12. Privacy

Changes to This Privacy Policy

The Platform may contain links to third-party websites and services. This Policy does not apply to such third-party platforms. We encourage you to review the privacy policies of any third parties before sharing your personal data with them. The Company accepts no responsibility or liability for the privacy practices of third parties.

  • Sending an email notification to your registered email address (if provided);
  • Displaying a prominent notice on the Platform;
  • Updating the "Effective Date" at the top of this Policy.
Your continued use of the Platform after the effective date of any updated Policy constitutes your acceptance of the revised Policy. If you do not agree, you must discontinue use of the Platform and contact us to request deletion of your data.
13. Data

Grievance Officer and Data Protection Officer

After the applicable retention period, data is permanently deleted using industry-standard secure deletion methods, or anonymised such that it can no longer be linked to an identifiable individual.

Field Details
Designation Data Protection Officer / Grievance Officer
Organisation Cyberx Info System Private Limited
DPO Email dpo@medisray.com
Support Email support@medisray.com
Response Time Within 30 days of receipt of grievance
Jurisdiction India
If you are not satisfied with our response, you may escalate the matter to the Data Protection Board of India, once constituted under the DPDP Act, 2023.
14. Governing

Governing Law

This Privacy Policy is governed by the laws of India. Any disputes arising from or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of competent jurisdiction in India.