Effective Date: 11 June 2026
This Privacy Policy explains how [Company Legal Name] ("Arogya", "we", "us", or "our") collects, uses, stores, shares, and protects personal information when people visit our website, use the Arogya platform, interact with patient or doctor portals, submit forms, book appointments, make payments, upload files, or communicate through email, SMS, calls, or video consultations.
This policy is a template based on the current Arogya backend features. Replace bracketed placeholders with your real company, contact, hosting, and jurisdiction details before publishing. Healthcare privacy laws can vary by country and state, so this should be reviewed by legal counsel before it goes live.
Arogya is a healthcare operations platform used by clinics, hospitals, medical practices, doctors, staff, administrators, patients, and prospective patients. Depending on the relationship, Arogya may act as:
Healthcare providers using Arogya remain responsible for their own clinical services, patient relationships, notices, consents, and legal obligations.
We may collect the following categories of information:
We use personal information to:
Where laws such as the UK GDPR or GDPR apply, we process personal information based on one or more legal bases, including performance of a contract, legitimate interests, consent, compliance with legal obligations, and, where applicable for health information, the provision or management of health or social care through authorised healthcare users.
Where HIPAA or similar healthcare privacy laws apply, healthcare providers are responsible for determining whether they are covered entities or otherwise regulated organisations. If Arogya enters into a required business associate, data processing, or similar agreement, we process protected health information according to that agreement and applicable law.
We may share information with:
We do not sell personal health information. We do not use patient medical information for third-party advertising.
The platform may connect to third-party services. Based on the current project, these may include AWS S3 for file storage, Stripe for payments, Twilio for SMS/voice, Agora for video, Google/Gmail and Microsoft Outlook for email integrations, SendGrid or Nodemailer for email delivery, OpenAI for AI-assisted features, and geocoding/timezone services.
When a third-party integration is enabled, information may be sent to or received from that provider to deliver the requested feature. Those providers may process information under their own terms and privacy policies, and administrators should review them before enabling integrations.
Our website and platform may use cookies, local storage, tokens, and similar technologies for authentication, session management, security, preferences, analytics, and performance. Some cookies are necessary for the service to work. Where required by law, we will request consent for optional cookies.
We use reasonable administrative, technical, and organisational safeguards designed to protect personal information, including authentication, role-based access, password hashing, token-based access controls, tenant separation, access logging, secure third-party services, and restricted access to production systems.
No system is perfectly secure. Users must protect their login credentials, use strong passwords, restrict access to authorised staff, and notify us promptly of suspected unauthorised access.
We retain information for as long as needed to provide the services, maintain accounts, comply with legal and healthcare record obligations, resolve disputes, enforce agreements, and maintain security. Healthcare providers may configure, export, delete, or request deletion of certain records subject to applicable law, patient safety, audit, and retention obligations.
Depending on hosting, support, and third-party providers, information may be processed in countries other than where the user or patient is located. Where required, we use appropriate safeguards for international transfers, such as contractual protections or approved transfer mechanisms.
Depending on your location and role, you may have rights to request access, correction, deletion, restriction, objection, portability, withdrawal of consent, or information about how your data is used. Patients should usually direct medical record and clinical-data requests to their healthcare provider, because the provider controls the patient relationship and record.
To make a privacy request, contact us at [privacy@yourdomain.com]. We may need to verify your identity and may decline or limit requests where allowed by law, including where retention is required for healthcare, legal, safety, security, or audit reasons.
The platform is intended for use by healthcare organisations and their patients. It is not directed to children for independent use unless allowed by the healthcare provider and applicable law. Where a child patient's information is processed, the healthcare provider is responsible for obtaining any required parental or guardian consent.
If we become aware of a security incident affecting personal information, we will investigate and take appropriate steps. Where legally required, we will notify affected customers, users, regulators, or individuals within applicable timeframes.
We may update this Privacy Policy from time to time. The updated version will be posted on our website with a new effective date. Material changes may be communicated through the platform, email, or other reasonable means.
Company Legal Name
Company Address
Email: contact@openarogya.com
Website: www.openarogya.com/