Privacy Policy

1. Introduction

Welcome to MedCrypt (also known as MedVault or HealthCrypt). We are committed to protecting your privacy and ensuring the security of your personal and medical information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our medical practice management platform.

By using MedCrypt, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

2. Information We Collect

2.1 Personal Information

We collect personal information that you provide directly to us, including:

• Name, email address, phone number
• Medical license number and specialty
• Clinic or practice information
• Professional credentials and certifications
• Billing and payment information

2.2 Patient Information (PHI)

As a healthcare provider using our platform, you may input Protected Health Information (PHI) including:

• Patient demographics (name, contact information, date of birth)
• Medical history, conditions, and diagnoses
• Prescription information and medication lists
• Lab results and test findings
• Clinical notes and treatment plans
• Medical images and prescription scans

2.3 Usage Data

We automatically collect certain information when you use our services:

• IP address and device information
• Browser type and version
• Pages visited and features used
• Time and date of access
• Diagnostic and performance data

3. How We Use Your Information

We use the collected information for the following purposes:

• Service Provision: To provide, maintain, and improve our medical practice management platform
• AI Features: To power AI-driven features such as prescription OCR, medical insights, and intelligent assistant capabilities
• Communication: To send you technical notices, updates, security alerts, and support messages
• Analytics: To understand usage patterns and improve user experience
• Security: To detect, prevent, and address technical issues and security threats
• Compliance: To comply with legal obligations and applicable healthcare and data-protection regulations
• Integration Services: To facilitate integrations with Google Meet, Google Calendar, and Google Drive as authorized by you

4. How We Share and Disclose Your Information

We do notsell your personal information, your patients' Protected Health Information (PHI), or any Google user data. We share information only with the limited categories of third-party service providers (“sub-processors”) listed below, strictly to the extent needed to operate and improve the platform, and only under contractual confidentiality and data-protection obligations.

• Cloud hosting & database: Your data is hosted and stored on cloud infrastructure located in India. We are consolidating all hosting and data processing on Microsoft Azure data centres in India, so that your data is processed and stored within the country.
• AI and machine-learning processing: AI features (consultation transcription and scribe, prescription OCR, lab-report analysis, clinical insights, the in-app assistant, and medical search) are currently powered by OpenAI. We are moving AI processing to Microsoft Azure's India region so that this processing also takes place within India. The clinical content you submit is processed solely to return results to you and is not used to train any third party's models. Google user data is never processed by these AI services (see Section 5).
• Payment processing: Razorpay, to process subscription and credit-pack payments. We do not store full card numbers.
• Email delivery: Resend, SendGrid, or a configured SMTP provider, to send transactional, account, and support emails.
• Patient messaging: Meta Platforms (the WhatsApp Business / Cloud API), to deliver the appointment reminders and patient messages you initiate.
• Google Workspace APIs: Google Calendar, Google Meet, and Google Drive, used only at your direction to schedule video consultations and to export documents you choose to export.
• Legal and safety: Government authorities, regulators, or professional advisers, where we are required to disclose information by law or court order, or to protect the rights, property, safety, or security of our users, the public, or MedCrypt.
• Business transfers: An acquirer or successor entity in the event of a merger, acquisition, financing, or sale of assets, subject to the protections of this Policy.

Each sub-processor receives only the minimum data necessary for its specific function and is contractually prohibited from using it for any unrelated purpose.

5. Google User Data and Limited Use

When you connect your Google account, MedCrypt requests only the access needed for the features you choose to use:

• Basic profile and email: to identify your connected Google account.
• Google Calendar and Google Meet (calendar.events): to create, update, and manage Google Meet links for the video consultations you schedule.
• Google Drive: to export the documents and records you explicitly choose to export to your own Drive.

We use this Google user data solely to provide these user-facing features at your request.

MedCrypt's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In particular:

• We do not sell Google user data.
• We do not use Google user data for advertising.
• We do not use Google user data to train, develop, or improve generalised artificial-intelligence or machine-learning models, and Google user data is never transmitted to OpenAI or any other third-party AI service.
• We do not transfer or disclose Google user data to others except as necessary to provide or improve these features, to comply with applicable law, or as part of a merger or acquisition with adequate notice to you.
• We do not permit humans to read Google user data unless (a) you give explicit consent for specific data, (b) it is necessary for security purposes such as investigating abuse, (c) it is required to comply with applicable law, or (d) the data has been aggregated and anonymised for internal operations.

You may disconnect the Google integration at any time from your in-app Settings, or revoke MedCrypt's access directly at myaccount.google.com/permissions.

6. Data Security

We implement industry-standard security measures to protect your information:

• Encryption: All data is encrypted in transit (TLS/SSL) and at rest (AES-256)
• Authentication: Multi-factor authentication (2FA) available for enhanced security
• Access Control: Role-based access controls ensure users only see their own data
• Rate Limiting: Protection against brute force attacks and unauthorized access attempts
• Regular Audits: Security assessments and penetration testing conducted regularly
• Secure Infrastructure: Hosted on enterprise-grade cloud infrastructure located in India, consolidating on Microsoft Azure data centres in India for in-country data residency

7. Data Retention

We retain your information for as long as necessary to:

• Provide our services and fulfill the purposes outlined in this policy
• Comply with legal, regulatory, and professional obligations (typically 7 years for medical records)
• Resolve disputes and enforce our agreements

Upon account deletion, we will securely delete or anonymize your personal information within 30 days, unless retention is required by law.

8. Your Rights

Under applicable privacy and data-protection laws, you have the following rights:

• Access: Request access to your personal information we hold
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your data (subject to legal retention requirements)
• Export: Download your data in portable formats (CSV, PDF, Excel)
• Restriction: Request restriction of processing in certain circumstances
• Objection: Object to processing of your personal information
• Breach Notification: Be notified of any data breaches affecting your data

To exercise these rights, please contact us at medcryptsoftware@gmail.com

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to:

• Maintain your session and keep you logged in
• Remember your preferences and settings
• Analyze usage patterns and improve our services
• Ensure security and prevent fraud

You can control cookies through your browser settings. However, disabling cookies may limit your ability to use certain features of our platform.

10. Children's Privacy

MedCrypt is designed for use by healthcare professionals. Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

11. International Data Transfers

Your account and patient data is stored on infrastructure located in India. Certain AI features currently use OpenAI, which may process the clinical content you submit outside India, including in the United States. We are moving AI processing to Microsoft Azure's India region so that this processing also takes place within India. Where data is processed outside India, we ensure appropriate safeguards are in place in accordance with this Privacy Policy and applicable laws. As stated in Section 5, Google user data is processed only to provide the features you authorise and is never used for AI processing.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last updated” date. For material changes, we will provide prominent notice or obtain your consent as required by law.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

14. Acknowledgment

By using MedCrypt, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. You also acknowledge your responsibilities as a healthcare provider under applicable laws and regulations when using our platform to handle patient information.