Patient Privacy Policy
Last Updated: 09 March 2026
1. Introduction
This Patient Privacy Policy (“Policy”) explains how Sumedy (“Sumedy”, “we”, “our”, or “us”) collects, uses, discloses, stores, and protects patient information, including Protected Health Information (PHI) and other personal data, when you use our clinic platform, telemedicine services, mobile applications, and any related digital tools (collectively, the “Services”). This clinic privacy policy is written for international healthcare platforms and reflects privacy principles inspired by HIPAA‑style privacy protection and GDPR patient data protection requirements.
By accessing or using the Services you acknowledge that you have read and understood this Patient Privacy Policy. If you do not agree with this Policy, you must not use the Services. This Patient Privacy Policy should be read together with our Terms & Conditions, our Data Protection Policy, our Telemedicine Policy, our Cookie Policy, and our Patient Rights & Responsibilities. Together, these policies form our integrated legal and compliance system for protecting clinic privacy and patient data.
2. Definitions
For clarity and consistency, the following definitions apply throughout this Patient Privacy Policy.
2.1 “Patient”, “You”, or “User”
“Patient”, “you”, or “user” means any individual who accesses or uses the Services, including patients, caregivers, legally authorized representatives, and other end‑users who interact with clinics, doctors, laboratories, or other healthcare providers through the Sumedy platform.
2.2 “Protected Health Information (PHI)”
“Protected Health Information” or “PHI” means any information relating to your past, present, or future physical or mental health or condition, the provision of healthcare to you, or payment for such healthcare, that can reasonably identify you. PHI includes, for example, your name, contact details, medical record identifiers, diagnoses, prescriptions, treatment history, and laboratory results.
2.3 “Personal Data” or “Personal Information”
“Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person, including your name, email address, phone number, IP address, device identifiers, and any information that may be used alone or in combination to identify you.
2.4 “Controller” and “Processor”
Under GDPR and similar regulations, the Controller determines the purposes and means of processing Personal Data, while the Processor processes data on behalf of the Controller. In most cases, the clinic, hospital, or healthcare organization using Sumedy acts as a Controller, and Sumedy acts as a Processor or service provider. For limited platform‑level operations (such as security monitoring or account administration), Sumedy may act as an independent Controller.
3. Scope of Policy
This Patient Privacy Policy governs all processing of Personal Data and PHI that occurs when you use our Services, including when you:
- Access clinic or doctor profiles through the platform;
- Book or manage appointments;
- Participate in telemedicine consultations or remote follow‑ups;
- View or download prescriptions, visit notes, or lab results; or
- Communicate with healthcare professionals or our support team.
This Policy applies in conjunction with other legal documents that govern specific aspects of your relationship with us, including our Terms & Conditions and specialized policies such as our Telemedicine Policy and Data Protection Policy. If any conflicts arise between this Patient Privacy Policy and another policy in relation to the protection of PHI or Personal Data, this Policy will generally take precedence, unless a more protective rule under applicable law requires otherwise.
4. Data Collection Practices
4.1 Information You Provide
We collect information that you voluntarily provide when you register for an account, update your profile, book an appointment, upload health information, participate in telemedicine visits, complete forms, sign consent documents, or communicate with healthcare providers or our support team. This may include identification data, contact details, demographic information, PHI, and payment‑related information processed through secure third‑party payment providers.
4.2 Information Collected Automatically
When you use the Services, we automatically collect technical data such as IP address, device identifiers, browser type, operating system, access times, and pages viewed. We may also use cookies and similar technologies to maintain sessions, remember preferences, secure your account, and generate aggregated analytics; details of these practices are set out in our Cookie Policy.
4.3 Information from Third Parties
We may receive information about you from clinics, hospitals, doctors, laboratories, and other healthcare partners who use our platform to deliver care, as well as from identity verification, insurance validation, or e‑prescription services. We process such data in accordance with our agreements with those parties and with applicable regulatory requirements.
5. Use of Information
We use your Personal Data and PHI to provide, secure, and improve the Services and to fulfil our legal and contractual obligations. Typical uses include:
- Enabling clinics and doctors to deliver diagnosis, treatment, and follow‑up care;
- Supporting telemedicine and remote monitoring workflows;
- Managing appointments, reminders, and notifications;
- Facilitating billing, payments, and refunds as described in our Refund & Billing Policy;
- Protecting the security and integrity of the platform and medical records;
- Complying with record‑keeping, audit, and reporting requirements; and
- Improving platform usability, reliability, and clinical workflow efficiency.
We do not sell your Personal Data or PHI to advertisers. Any use of de‑identified or aggregated information for analytics or research is performed in a way that does not identify you personally.
6. Data Security Measures
Sumedy implements technical, organizational, and physical safeguards intended to protect PHI and Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption, access controls, logging and monitoring, vulnerability management, and regular security assessments, as described in more detail in our Data Protection Policy.
While we strive to implement industry‑standard security for a modern healthcare SaaS and telemedicine platform, no digital system can be guaranteed to be completely secure. If we become aware of a security incident affecting your data, we will investigate and notify affected parties and regulators in accordance with applicable breach‑notification laws.
7. Patient Rights
Depending on your jurisdiction and the role we play in processing your data, you may have rights of access, rectification, restriction, objection, data portability, and, in some cases, erasure of your Personal Data. Clinical records may be subject to mandatory retention rules that limit the extent to which they can be deleted.
Many of these rights are exercised through the clinic, hospital, or healthcare professional who is the Controller of your PHI. Where appropriate, we will forward or coordinate your request with the relevant healthcare organization. You can find a more detailed description of patient rights in our Patient Rights & Responsibilities.
9. International Compliance and Transfers
Because Sumedy is a digital healthcare platform, your data may be processed on servers located in jurisdictions different from your own. Where required by GDPR or similar laws, we implement appropriate safeguards—such as standard contractual clauses, data‑processing agreements, and technical measures—to protect data transferred across borders.
By using the Services, you acknowledge that your information may be transferred to, stored in, and processed in countries that may have different data protection rules than your home country, while we continue to apply protections consistent with this Patient Privacy Policy.
10. Liability Limitations
Nothing in this Patient Privacy Policy is intended to limit or exclude obligations that cannot be limited or excluded under applicable law. Healthcare providers remain independently responsible for clinical decisions, the content of medical records they create, and any professional advice they give through the platform. Sumedy provides technology and infrastructure but does not practice medicine.
Additional limitations of liability, warranty disclaimers, and governing law provisions are set out in our Terms & Conditions and our Medical Disclaimer.
11. Policy Updates and Versioning
We may update this Patient Privacy Policy from time to time to reflect changes in law, technology, or our Services. Our legal and compliance system keeps previous versions for legal history and displays the “Last Updated” date at the top of this page. When updates are material, we will provide additional notice, such as email communication or in‑app banners, and, where required, request renewed patient consent.
For a summary of key historical changes to this Policy and other legal documents, you can visit the Legal Center at /legal.
12. Contact Information
If you have questions, concerns, or requests relating to this Patient Privacy Policy, your Personal Data, or PHI, you may contact us using the details below. We will respond within a reasonable period in accordance with applicable data protection and healthcare regulations.
Customer Support
Email: support@sumedy.com
Phone: +91-7894666662
Address: New Delhi, India