Privacy Policy — ClinicFlow

Last updated: 22 May 2026 · Version 1.0 · Effective immediately

1. Who we are

ClinicFlow ("we", "us", "our") is an Electronic Medical Records (EMR) platform built for Indian doctors and clinics, operated by ClinicFlow (contact: clinicflow.emr@gmail.com). This Privacy Policy explains how we collect, use, store and protect information when you use our platform at app.clinicflowemr.com.

2. What data we collect

Doctor account data: Name, email address, phone number, clinic name, clinic address, medical registration number, qualification, specialization, and profile photo.

Patient data (entered by doctors): Patient names, dates of birth, contact details, addresses, medical history, diagnoses, prescriptions, investigation reports, clinical photographs, and visit records. This constitutes Sensitive Personal Data under the IT (Amendment) Act 2008 and the DPDP Act 2023.

Usage data: Login times, IP addresses, browser type, and activity logs for security and audit purposes.

Cookie data: Session cookies, preference cookies, and analytics cookies. See our Cookie Policy for details.

3. How we use your data

To provide and operate the ClinicFlow EMR service
To send appointment reminders and transactional emails
To maintain audit logs for compliance and security
To create encrypted backups to prevent data loss
To communicate service updates, billing, and support
We do NOT sell, rent or share your data with third parties for marketing purposes

4. Legal basis for processing

We process doctor account data on the basis of contractual necessity (to provide the service you signed up for). Patient data is processed on your instructions as a Data Fiduciary under the DPDP Act 2023 — you are responsible for obtaining patient consent before entering their data into ClinicFlow.

5. Data storage and security

All data is stored on secured VPS servers. We implement the following security measures:

HTTPS encryption for all data in transit (TLS 1.2+)
bcrypt password hashing
Two-factor authentication for all doctor accounts
Role-based access control
Complete audit logging of all data access and modifications
Daily AES-256 encrypted backups to secure cloud storage
Secondary backups to an independent server

6. Data retention

Doctor account data is retained for the duration of your subscription and for 90 days after termination, after which it is permanently deleted. Patient records are retained as long as your account is active. Upon account termination you may request a full data export before deletion at no charge.

7. Your rights under DPDP Act 2023

As a doctor using ClinicFlow you have the right to:

Access your personal data held by us
Correct inaccurate personal data
Request deletion of your account and associated data
Export your data in a portable format
Withdraw consent for non-essential processing

To exercise any of these rights, contact us at clinicflow.emr@gmail.com. We will respond within 72 hours.

8. Third party services

We use the following third-party services to operate ClinicFlow:

Google LLC — Gmail for transactional emails, Google Drive for encrypted backup storage, and Google Analytics 4 (GA4) for anonymous website analytics on our marketing site only
Hostinger — Secondary backup storage
Cloudflare — DNS, DDoS protection and SSL

No patient health data is shared with any third party. GA4 is only active on clinicflowemr.com (marketing site) and only after cookie consent is given. The ClinicFlow app (app.clinicflowemr.com) uses no third party analytics.

9. Data breach notification

In the event of a personal data breach affecting your data, we will notify you within 72 hours of becoming aware of the breach, as required under the DPDP Act 2023.

10. Contact us

For any privacy-related queries, requests or complaints, contact us at clinicflow.emr@gmail.com. We aim to respond within 72 hours.