Privacy Policy

Effective date: 9 May 2026 · Last updated: 9 May 2026

1. Who we are

MediCare HIS ("we", "us", "our") provides hospital information system software to healthcare providers. This Privacy Policy explains how we handle personal data on our marketing website (medicarehis.com) and in the course of providing our services to hospitals (the "Service").

For the Service itself, the hospital that licenses MediCare HIS is the data controller for the patient and staff data stored in their tenant. We act as a data processor on the hospital's instructions, under a separate Data Processing Agreement.

2. Scope of this policy

This policy covers:

• Personal data of visitors to our marketing site (medicarehis.com).
• Personal data of staff at hospitals who use the Service (administrators, clinicians, other authorised users).
• How we, as a processor, handle patient data on behalf of hospital customers.

3. What we collect

3.1 Marketing site visitors

• Information you submit through the contact form: name, hospital name, email, optional phone, and your message.
• Server logs containing IP address, user agent, page URL and timestamp, kept transiently for security and abuse prevention.

3.2 Hospital staff using the Service

• Account identifiers: username, full name, role, department, email, phone (where provided).
• Authentication data: password hashes (we never store plaintext passwords) and, where enabled, passkey credentials.
• Audit logs: every action a user takes inside the Service is recorded for security, regulatory and dispute-resolution purposes.

3.3 Patient data (handled as processor)

The Service stores patient health information on behalf of hospital customers. This may include demographics, clinical history, diagnoses, prescriptions, lab and imaging results, billing and insurance information. We process this data only on the hospital's documented instructions.

4. How we use it

• To provide and operate the Service.
• To respond to enquiries submitted through the contact form.
• To send service-critical notifications (security incidents, downtime, billing).
• To improve product reliability through aggregated, non-identifying telemetry.
• To meet our legal and regulatory obligations.

We do not sell personal data. We do not use patient data for advertising or for training third-party AI models.

5. Legal basis

Where applicable data protection law (such as GDPR or comparable national law) requires a legal basis, we rely on:

• Contract: to provide the Service to hospital customers and to respond to their enquiries.
• Legitimate interests: to keep the Service secure, prevent abuse, and improve reliability.
• Legal obligation: to retain records where law requires.
• Consent: for any optional communications you specifically opt into.

6. When we share data

We share personal data only with:

• Sub-processors who help us operate the Service, under contractual data-protection commitments. Current sub-processors include our hosting provider (Fly.io), our managed database provider, our email delivery provider (Resend) and our DNS / CDN provider (Cloudflare).
• Authorities, where compelled by valid legal process, after notifying the affected hospital where lawfully possible.
• Successors, in the event of a merger, acquisition or asset sale, subject to confidentiality and equivalent privacy protections.

7. How long we keep it

• Contact form messages: up to 24 months from receipt, unless they form part of an active customer relationship.
• Server logs: typically 30–90 days, longer for security investigations.
• Hospital staff accounts: for the lifetime of the customer's subscription, plus a short retention period afterwards for audit.
• Patient data: retained for as long as the hospital customer's contract with us continues, then deleted or returned per the customer's instructions and applicable medical-records retention laws.

8. Security

We protect personal data with administrative, technical and physical safeguards, including:

• TLS encryption for all data in transit.
• Encryption at rest for our managed database.
• Role-based access control inside the Service, with full audit logging.
• Regular automated backups.
• Production access limited to a small number of personnel with multi-factor authentication.

No system can guarantee absolute security. If we become aware of a personal-data breach affecting hospital customers, we will notify them without undue delay so they can meet their own breach-notification obligations.

9. Your rights

Depending on the law that applies to you, you may have the right to access, correct, delete, restrict or port your personal data, and to object to processing. To exercise these rights:

• If you are a patient: please contact the hospital that holds your record. We act as the hospital's processor and will support them in responding.
• If you are a marketing site visitor or hospital staff member: email us at [email protected].

10. International transfers

Our hosting and supporting services may be located outside your country. Where we transfer personal data internationally, we use safeguards required by applicable law (such as EU Standard Contractual Clauses or equivalent). Hospital customers may request that their tenant be hosted in a specific region, subject to availability.

11. Children

Our marketing site is not directed at children under 16 and we do not knowingly collect personal data from children through it. Patient records held in the Service may include minors; that data is handled under the relevant hospital's clinical-care responsibilities and the law that applies to them.

12. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes, we will notify hospital customers in advance through the Service or by email.

13. Contact us

Questions, requests or complaints? Email [email protected]. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

← Back to home