Privacy Policy

We collect information in two categories:

a) Account and clinic information

When you create a CareQ account you provide: your name, email address, password, clinic name, clinic address, phone number, and specialty. This information is required to create and operate your account.

b) Patient data entered by your clinic

When your staff uses CareQ, they enter patient records on your behalf. This includes: patient names, mobile numbers, dates of birth, gender, visit history, clinical notes, billing records, and any other fields your staff chooses to populate. You — the clinic — are the data controller for all patient data. CareQ acts as a data processor on your behalf.

c) Usage data

We automatically collect: IP address, browser type, pages visited, time of access, and error logs. This data is used to maintain service stability and improve the platform. It is never used to profile or market to your patients.

d) Payment information

We do not store credit card numbers or banking details. All payment processing is handled by our payment gateway partners (Razorpay, Stripe, PayU). We store only a transaction ID and payment status for your records.

We use the information we collect to:

• Provide, operate, and maintain the CareQ platform
• Process your subscription payments and issue invoices
• Send transactional emails (account confirmation, password reset, billing receipts)
• Respond to your support requests
• Monitor and improve platform performance and reliability
• Comply with applicable legal and regulatory obligations

We do not use your data or your patients' data for advertising, profiling, or sale to third parties.

Patient data entered into CareQ belongs to your clinic. We process it solely to deliver the platform's features to you. Specifically:

• Isolation: Each clinic's data is stored in logically isolated partitions. No patient records are accessible to any other clinic.
• No secondary use: We do not analyse, aggregate, or otherwise use patient records for any purpose other than delivering the features you have purchased.
• Export: You may export your clinic's data at any time from your settings.
• Deletion: If you close your account, your data is deleted within 30 days subject to any statutory retention obligations.
• Sub-processors: Patient data may be processed by infrastructure sub-processors (e.g., cloud hosting) solely for the purpose of hosting and storing the data on our behalf. These sub-processors are bound by confidentiality obligations no less protective than this policy.

We do not sell your data or your patients' data to anyone. We share data only in these limited circumstances:

• Payment processors: Razorpay, Stripe, and PayU receive transaction data to process payments. Their respective privacy policies govern that processing.
• Infrastructure providers: Our hosting and database infrastructure providers process data to operate our servers. They act only on our instructions.
• WhatsApp / Twilio: If your clinic enables WhatsApp booking, patient name and appointment details are transmitted to WhatsApp Business API to send booking confirmations. By enabling this feature you confirm you have the patient's consent to receive WhatsApp messages from your clinic.
• Legal compliance: We may disclose information if required by applicable Indian law, court order, or government authority, and only to the extent required.

We retain your account and clinic data for as long as your subscription is active. After account closure:

• Patient records and clinic data are deleted within 30 days.
• Billing and transaction records are retained for 7 years as required by Indian tax law (GST Act).
• Server access logs are retained for 90 days for security purposes.

You may request earlier deletion by emailing info@amdcode.com. We will comply within 30 days except where retention is required by law.

We take security seriously given the sensitive nature of patient data. Our measures include:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
• Encryption at rest: Patient records and sensitive clinic data are encrypted at rest in our database.
• Access control: Only authorised CareQ engineers can access production systems, via multi-factor authentication and audit-logged sessions.
• Role-based access: Within your clinic, staff members can only access data permitted by the role you assign them (Owner, Doctor, Receptionist, Viewer).
• Regular backups: Your data is backed up daily to geographically redundant storage.

No method of transmission over the internet is 100% secure. If you discover a security vulnerability in CareQ, please report it responsibly to info@amdcode.com.

CareQ uses cookies and similar technologies to operate the platform:

• Session cookies: Required to keep you logged in. Deleted when you sign out or close your browser.
• Security cookies: Used to prevent cross-site request forgery (CSRF) attacks.
• Preference cookies: Remember your settings (e.g., billing toggle on the pricing page).

We do not use third-party advertising cookies or tracking pixels. We do not share cookie data with advertisers.

Under the Digital Personal Data Protection Act, 2023 (India) and other applicable laws, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate personal data.
• Erasure: Request deletion of your personal data (subject to legal retention obligations).
• Data portability: Export your clinic's data at any time from your account settings.
• Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email info@amdcode.com from the email address associated with your account. We will respond within 30 days.

Patient rights: If you are a patient whose data has been entered by a clinic using CareQ, your rights over that data should be exercised with the clinic directly. The clinic is the data controller for your records. CareQ will cooperate with any valid legal request from a clinic acting on a patient's behalf.

CareQ accounts may only be created by individuals aged 18 or older. Clinics routinely manage records of patients of all ages as part of their medical practice — this is covered under the clinic's responsibility as data controller.

If you believe a CareQ account has been created by a minor, contact info@amdcode.com and we will investigate promptly.

We may update this Privacy Policy from time to time. When we do, we will:

• Update the "Last updated" date at the top of this page.
• Send an in-app notification for material changes.
• For significant changes affecting how we use patient data, we will email all account owners at least 14 days before the change takes effect.

Your continued use of CareQ after the effective date of any changes constitutes acceptance of the revised policy.

For privacy-related questions, data access requests, or to report a concern:

• Privacy email: info@amdcode.com
• General support: info@amdcode.com
• Registered address: amdcode solution, India

We aim to respond to all privacy enquiries within 5 business days.