You, as the treating doctor, are the Data Fiduciary. ClinicFlow is the Data Processor — we process patient data only on your instructions and only to provide the service.
ClinicFlow processes patient personal data including names, contact details, demographic information, medical history, diagnoses, prescriptions, investigation reports and appointment records solely to provide the EMR service.
You are responsible for obtaining valid consent from patients before entering their data into ClinicFlow as required under the DPDP Act 2023.
ClinicFlow implements: HTTPS encryption, bcrypt password hashing, two-factor authentication, role-based access control, complete audit logging, daily AES-256 encrypted backups, and secondary backups to an independent server.
We use Google LLC (Gmail for transactional emails, Google Drive for encrypted backups, and Google Analytics 4 for anonymous marketing site analytics), and Hostinger (secondary backups). No patient data is shared with any sub-processor. GA4 only processes anonymous visitor data on the marketing site, never patient or clinical data.
If a patient exercises rights under DPDP Act 2023, you as Data Fiduciary are responsible for fulfilling the request. ClinicFlow will provide necessary data exports within 72 hours of your written request.
ClinicFlow will notify you within 72 hours of becoming aware of any personal data breach affecting your patients data.
All patient data will be securely deleted within 90 days of account termination. You may request a complete data export before deletion at no charge.
You have the right to request information about our data processing activities at any time by contacting clinicflow.emr@gmail.com.