
Privacy Policy

How we handle the information you and your hospital entrust to MedOps.

Last updated:

This Privacy Policy explains how MedOps (“MedOps”, “we”, “us”) collects, uses, discloses and safeguards information when you visit our website or use the MedOps Hospital Management System (the “Service”). We've written it to be readable — but it is a real policy, and your continued use of the Service means you accept the practices described here.

Template notice. This document is provided as a thorough starting point for the MedOps product site. Before you rely on it in production, have it reviewed by qualified legal counsel and tailored to the laws that apply to your organisation (for example the DPDP Act in India, GDPR in the EU/UK, or HIPAA in the US).

1. Scope & our role

MedOps is a multi-tenant platform. A tenant — the hospital administration organisation — owns one or more hospitals, and every record in the Service is scoped to that tenant. Our role depends on the type of data:

  • For account and website data (the people who sign up, log in and administer MedOps), we act as a data controller.
  • For patient and clinical data that a hospital processes inside the Service, the hospital (our customer) is the controller and MedOps acts as a data processor, handling that data only on the customer's documented instructions under our customer agreement.

2. Information we collect

Information you provide

  • Account information — name, work email, role, hospital/organisation name, and (for invited users) a password you set.
  • Demo & contact requests — details you submit through forms such as “Book a demo”.
  • Customer content — records your team creates in the Service, which may include patient demographics, appointments, consultations, prescriptions, admissions, pharmacy and billing data.

Information collected automatically

  • Session & security data — an encrypted authentication cookie, sign-in events and activity timestamps used to enforce inactivity logout.
  • Usage & device data — IP address, browser type, pages viewed and similar diagnostics used for security, rate limiting and improving the Service.
  • Audit logs — tenant-scoped records of significant actions (for example creating a patient or updating a bill), retained for security and compliance.

3. How we use information

We use information to:

  • Provide, operate and maintain the Service and your account;
  • Authenticate users and enforce capability-based (feature.action) access control;
  • Detect, prevent and investigate security incidents, fraud and abuse;
  • Respond to demo requests, support queries and other communications;
  • Comply with legal obligations and enforce our agreements.

We do not sell personal information, and we do not use patient/clinical content for advertising or to train models.

4. Cookies & sessions

MedOps uses a strictly necessary authentication cookie rather than browser storage for tokens. Specifically:

  • The AuthToken session cookie is AES-256 encrypted, httpOnly and SameSite-restricted — it is never readable by client-side JavaScript and is not stored in localStorage.
  • Sessions automatically expire after 15 minutes of inactivity.
  • A small preference cookie/local value remembers your light or dark theme choice.

You can clear cookies in your browser at any time, but doing so will sign you out of the Service.

5. How we share information

We share information only as needed to run the Service:

  • Sub-processors — vetted infrastructure and service providers (for example hosting, database and email delivery) that process data under contract and on our instructions.
  • Within your tenant — data is visible to authorised users of your organisation according to their role and permissions.
  • Legal & safety — where required by law, regulation or valid legal process, or to protect the rights, safety and security of users and the public.
  • Business transfers — in connection with a merger, acquisition or sale of assets, subject to this Policy.

6. Protected health information (PHI)

When your hospital uses MedOps to process patient information, that information belongs to your organisation. As a processor we:

  • Process PHI only to provide the Service and only on the customer's documented instructions;
  • Make a Data Processing Agreement (DPA) available to customers on request;
  • Apply the technical and organisational safeguards described in Section 7;
  • Assist customers, where reasonable, in responding to data-subject and regulatory requests.

Customers are responsible for obtaining any consents and establishing the lawful basis required to process patient data in their jurisdiction.

7. How we protect data

Security is built into the platform. Measures include:

  • AES-256 encrypted, httpOnly session cookies and encryption in transit;
  • Capability-based, role-based access control across all six roles;
  • Tenant-scoped audit logging of significant actions;
  • Per-IP rate limiting, hardened HTTP security headers and API versioning;
  • 15-minute inactivity auto-logout and two-step login (email then OTP or password).

No method of transmission or storage is perfectly secure, but we work to protect your information using industry-standard practices. End-to-end encrypted PHI with zero-knowledge keys is on our roadmap.

8. Data retention

We retain account and customer data for as long as your account is active or as needed to provide the Service, then delete or anonymise it within a reasonable period unless a longer retention is required by law. Customer content is handled in accordance with your customer agreement; on termination, you may request export or deletion of your tenant's data.

9. Your rights

Depending on where you live, you may have rights to access, correct, delete, restrict or port your personal information, and to object to certain processing. Because much of the data in the Service is controlled by your hospital, please direct requests about patient data to that organisation; we will assist them as their processor. For account data you can contact us using the details below.

10. International transfers

We may process and store information in countries other than your own. Where we transfer personal data across borders, we use appropriate safeguards (such as standard contractual clauses) consistent with applicable law.

11. Children's privacy

The Service is intended for use by hospital staff and administrators, not by children, and we do not knowingly collect personal information directly from children through the website. Patient records (which may relate to minors) are processed on behalf of, and under the responsibility of, our hospital customers.

12. Changes & contact

We may update this Policy from time to time. Material changes will be reflected by updating the “Last updated” date and, where appropriate, by additional notice. Questions or requests? Contact us at privacy@medops.in or through our contact form.

See also our Terms & Conditions.
