Privacy Policy

Last updated: 17 May 2026

This policy explains how DocOS handles data on behalf of clinics that subscribe to our service. It is not legal advice. Clinics remain the data fiduciary for patient records under India's Digital Personal Data Protection Act, 2023; DocOS is the data processor.

1. Who we are

DocOS Technologies Pvt Ltd (legal entity pending final registration confirmation), with its registered office in India. You can reach us at hello@docospro.com for any privacy questions or grievances. We will respond within 7 business days.

2. What we collect

When a clinic subscribes to DocOS, we collect and store the operational data the clinic generates while using our software, plus authentication and telemetry data necessary to keep the service running. Specifically:

• Patient operational data entered by clinic staff: demographics, contact details (including WhatsApp number), clinical notes, prescriptions, procedures, billing records, signed consent forms and certificates.
• Authentication data for clinic staff users: name, email, hashed password, role, last sign-in.
• Service telemetry: server access logs (IP address, user-agent, request path, response code), error reports, performance metrics. Retained for security and reliability investigations.
• WhatsApp message metadata: when the clinic enables WhatsApp messaging, we relay messages through the Meta Cloud API. We store message IDs, delivery status, timestamps, and (for two-way conversations) message bodies. Media attachments are stored encrypted in our object storage.
• Subscription and billing: clinic name, contact, GSTIN, billing address, payment method tokens issued by our payment processor (Razorpay). We do not store full card numbers.

We do not collect biometric data, location beyond city/state, or behavioural advertising signals. We do not run third-party trackers on this website.

3. Legal bases

DocOS acts as a data processor as defined under India's Digital Personal Data Protection Act, 2023. The clinic that subscribes to DocOS is the data fiduciary for the patient records it stores within our platform. We process data on the clinic's documented instructions, embodied in the DocOS Subscription Agreement and these policies.

For our direct relationship with clinic staff (subscription, support, security), we rely on legitimate interest and contract performance as the legal basis for processing.

4. How we use it

We use the data we collect to:

• Operate the DocOS service — store and retrieve records the clinic creates, send WhatsApp messages, generate PDFs, run scheduled reminders.
• Secure the service — detect abuse, debug failures, maintain backups.
• Provide customer support — respond when a clinic admin contacts us with a question or issue.
• Generate aggregated analytics for our internal product decisions. These aggregates do not identify individual patients or clinics.

We do not use clinic or patient data to train external machine-learning models. The AI features within DocOS (clinical decision support, analytics summaries) run on infrastructure where the clinic's data remains scoped to that clinic and is not used to improve models for other users.

5. Sharing

We share data only with the following categories of subprocessors, all under written agreements that bind them to confidentiality and security:

• Meta Platforms, Inc. — for WhatsApp message delivery through the WhatsApp Cloud API. Subject to Meta's privacy policy.
• Cloudflare R2 — for encrypted storage of file uploads (consent PDFs, certificate PDFs, prescription PDFs, profile photos).
• MongoDB Atlas — for primary database hosting, in the Mumbai (ap-south-1) region.
• Razorpay — for subscription billing.
• Resend — for transactional email (e.g., password resets, contact form replies).
• Sentry — for application error logging. We disable user-identifier beacons; only stack traces and request paths are sent.

We will publish and maintain a current subprocessor list at https://docospro.com/subprocessors (URL to be activated). We do not sell data. We do not share data with third-party advertising networks.

6. Storage location

Operational data (patient records, clinical notes, billing) is stored in MongoDB Atlas, in the Mumbai (ap-south-1) region. File uploads are stored in Cloudflare R2, India region. Backups are encrypted and stored in the same region.

WhatsApp message content is stored by Meta on their infrastructure (United States) per their Cloud API architecture. DocOS retains its own copies of message metadata in the India region.

7. Retention

• Clinical records — retained per India's Ministry of Health and Family Welfare guidelines: 10 years for adult patient records, longer for minor patient records as required by law.
• Audit logs — 90 days.
• WhatsApp message bodies — 90 days, unless a clinic has flagged a conversation for longer retention for clinical or legal reasons.
• Subscription and billing records — retained for the duration of the GST records retention period applicable to the clinic's jurisdiction (typically 8 years).

When a clinic disconnects from DocOS, we follow the data-deletion procedure described at https://docospro.com/data-deletion.

8. Patient rights

Patients have rights under India's DPDP Act 2023, sections 11–14, including the right to access, correct, erase, and port their personal data. Because DocOS is the processor and the clinic is the fiduciary, patients should direct these requests to the clinic that holds their records. The clinic can use DocOS tools to fulfil the request, and we will support them.

If a clinic is unresponsive or out of business, patients may contact us directly at hello@docospro.com and we will work with them to honour their rights.

9. Children

DocOS is not directed at consumers under 18 as service users. Clinics may store records of patients of any age — including minors — as part of their clinical practice. Where applicable law requires consent of a parent or guardian for processing a minor's data, the clinic is responsible for obtaining that consent before recording the data in DocOS.

10. Security

We take the following measures to protect data:

• Encryption at rest — operational data is encrypted with AES-256 at the storage layer. Sensitive secrets (WhatsApp tokens, third-party API credentials) are additionally encrypted with AES-256-GCM at the application layer.
• Encryption in transit — all client connections use TLS 1.3 (or 1.2 minimum).
• Access controls — DocOS staff access to production data is restricted by role and audited. Direct database access is reserved for incident response.
• Audit logging — every privileged action is logged for at least 90 days.
• Vulnerability management — dependencies are scanned, security patches are applied within standard SLAs based on severity.

No system can be made perfectly secure. If you become aware of a security issue, please report it to security@docospro.com.

11. International transfers

Where data is transferred outside India (notably to Meta's WhatsApp Cloud API), we minimise the data shared and rely on contractual safeguards equivalent to standard contractual clauses, where applicable. We do not transfer bulk clinical records out of India.

12. Changes

We may update this policy from time to time. Material changes will be notified to clinic admin users in the DocOS application. The "Last updated" date at the top of this page is authoritative. Older versions are kept in our public git history.

13. Contact

For any privacy questions, complaints, or grievances:

• Email: hello@docospro.com
• Postal: DocOS Technologies Pvt Ltd, [postal address to be finalised]

Once we have appointed a Data Protection Officer, their contact details will be published here.