Privacy Policy

1. Who We Are

MediNITS is a Software-as-a-Service (SaaS) platform for clinic management, developed and operated by Marketers Data Solution Pvt Ltd, a company incorporated under the Companies Act, 2013 in India.

Registered Address: India (contact us at admin@medinits.com for full address)
CIN: [Company Registration Number]
GST: [GSTIN]
Support: admin@medinits.com | +91 9663769576

2. What Data We Collect

2.1 Account & Subscription Data (We collect and store)

• Clinic/Hospital name, doctor name, specialty
• Email address and WhatsApp/phone number (for credentials and support)
• City/address and GSTIN (for invoice generation)
• Razorpay/Instamojo payment confirmation and Payment ID (we do not store card numbers or UPI credentials)
• Subscription plan, billing cycle, license expiry date

2.2 Patient Clinical Data (We do NOT collect or have access to)

All patient records — names, contact details, medical history, diagnoses, prescriptions, invoices, appointments — are stored exclusively on your device's local storage (browser localStorage and IndexedDB). MediNITS servers never receive, process, or store any patient clinical data.

If you enable optional Supabase cloud backup, your data is stored in your own Supabase project, which you fully control. We have no access to it.

2.3 Usage Data (Anonymised)

• Browser type and version (for compatibility)
• General usage patterns (which features are used) — fully anonymised
• Error logs (no personal or clinical data included)

3. How We Use Your Data

• Account creation: To provision your MediNITS account and send login credentials
• Communication: To send credentials, subscription reminders, and support responses via WhatsApp and email
• Billing: To process payments and generate GST invoices for your subscription
• Product improvement: Anonymised usage analytics to improve features
• Legal compliance: To comply with applicable laws including Income Tax Act, GST Act, and DPDP Act 2023

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Patient Data — Special Protections

• All patient records are encrypted in your browser's local storage
• Prescription PDFs are generated entirely in your browser — nothing is sent to our servers
• WhatsApp messages sent to patients are transmitted directly from your device to WhatsApp — we do not see message content
• ABHA health IDs entered by you are stored only on your device
• Patient data is DPDP Act 2023 compliant — you (the clinic) are the Data Fiduciary; your patients are Data Principals

As the clinic operator, you are responsible for obtaining patient consent before collecting their data. MediNITS provides a consent checkbox in the patient registration form to help you comply.

5. Data Storage & Security

5.1 Technical Measures

• AES-256 equivalent encryption for all session data
• SHA-256 hashing for all passwords (never stored in plain text in cloud systems)
• Session expiry and automatic logout after 30 minutes of inactivity
• Rate-limited login (5 attempts → 15 minute lockout)
• HTTPS enforced on all MediNITS domains via Cloudflare
• HTTP security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy
• 6-layer local data backup (IndexedDB + 3× localStorage + sessionStorage + optional Supabase)

5.2 Organisational Measures

• Access to subscription data is restricted to authorised staff only
• We conduct periodic security reviews
• No employee has access to your clinical/patient data (it remains on your device)

5.3 Data Breach Notification

In the unlikely event of a breach affecting your subscription data, we will notify you at the email address registered with us within 72 hours of becoming aware, as required by applicable law.

6. Third-Party Services

MediNITS integrates with the following third-party services. Each has their own privacy policy:

• Razorpay / Instamojo: Payment processing. They handle card/UPI data — we never see your payment credentials. (Razorpay Privacy | Instamojo Privacy)
• Supabase (optional): Cloud database backup — only if you configure it. Your data is in your own Supabase account. (Supabase Privacy)
• Google Gemini / Groq (optional AI): Your prompts for AI prescriptions are sent to these APIs when you configure your own free API key. We do not handle or log this data. (Google Privacy)
• CallMeBot / Twilio (optional): WhatsApp/SMS messaging — only if you configure these. (Twilio Privacy)
• Cloudflare: We use Cloudflare Pages for hosting. They may log basic access data. (Cloudflare Privacy)

Where these services process data on our behalf, we ensure appropriate Data Processing Agreements are in place.

7. Your Rights under DPDP Act 2023

Under India's Digital Personal Data Protection Act, 2023, you have the following rights regarding your subscription and account data held by us:

• Right to Access: Request a copy of your personal data we hold — email admin@medinits.com
• Right to Correction: Request correction of inaccurate data — email admin@medinits.com
• Right to Erasure: Request deletion of your account and all associated data within 30 days
• Right to Grievance Redressal: Contact our Grievance Officer (see Section 13)
• Right to Nominate: You may nominate a person to exercise your rights in case of death or incapacity

For patient data rights under DPDP Act 2023: since all patient data is stored on your device, your patients' requests (right to access, erasure) should be directed to you as the Data Fiduciary. MediNITS provides a "DPDP Patient Data Export" and "Right to Erasure" tool in the Compliance section of the app.

8. Data Retention

• Subscription data: Retained for 7 years after subscription end (GST and tax compliance requirements)
• Payment records: Retained for 8 years (Income Tax Act requirements)
• Support correspondence: Retained for 3 years
• Patient clinical data: Stored only on your device — retained until you delete it

To request earlier deletion of your account data, contact admin@medinits.com with subject "Data Deletion Request."

9. Cookies

The MediNITS app (app.medinits.com) does not use tracking cookies. It uses browser localStorage and sessionStorage exclusively to store your session and clinic data — this data stays on your device and is not sent to us.

Our marketing website (medinits.com) may use minimal session cookies for basic functionality. We do not use advertising or analytics tracking cookies.

10. Children's Data

MediNITS is a professional platform intended for use by medical practitioners. It is not directed at children under 18. Patients under 18 may have their health records managed within MediNITS by their treating doctor, who is responsible for obtaining parental/guardian consent as required by applicable medical and data protection laws.

We do not knowingly collect personal data from children under 18 as account subscribers.

11. International Data Transfers

Subscription and payment data may be processed by services located outside India (e.g., Razorpay processes data in India; Cloudflare has global servers). Where data is transferred outside India, we ensure appropriate safeguards are in place as required by the DPDP Act 2023 and applicable regulations.

12. Changes to this Policy

We may update this Privacy Policy periodically. When we make material changes, we will notify you by email (to the address registered with your subscription) and update the "Last Updated" date above. Continued use of MediNITS after changes constitutes acceptance of the updated policy.

13. Contact & Grievance Officer