Privacy Policy
Effective date: September 18, 2025 | Version: 1.0
Applies to: humantics.in, huEMR, SehatMitra, huRAD, and related services.
Humantics Software Technologies Pvt. Ltd. ("Humantics", "we", "us", "our") is committed to protecting the privacy of users, patients, clinicians, and visitors. This Privacy Policy explains how we collect, use, disclose, retain and protect personal data when you use our websites, mobile apps and Applications (including huEMR, SehatMitra, and huRAD), or otherwise interact with us.
1. Introduction
This Policy explains:
- What personal data we collect;
- How and why we process that data;
- Who we share data with;
- Your rights and how to exercise them;
- How we secure personal and health data; and
- How to contact us with questions or complaints.
2. Scope
This Policy applies to data collected through:
- Our website: humantics.in
- Our Applications and platforms: huEMR, SehatMitra, huRAD;
- APIs, integrations (e.g., PACS, labs, FHIR/HL7 connections), and offline interactions with Humantics;
- Other services provided by Humantics where this Policy is referenced or linked.
Third-party websites and services linked from our Applications are not covered by this Policy. Check their privacy notices before sharing personal data.
3. Definitions
- Personal Data: Any information relating to an identified or identifiable person.
- Health Data / PHI: Special category personal data relating to physical or mental health, medical records, diagnostics, lab results, prescriptions, or treatment information.
- Controller: The entity that determines purposes and means of processing personal data.
- Processor: The entity that processes personal data on behalf of a controller.
4. Controller / Processor roles
Depending on the relationship and service:
- Healthcare providers and institutions using huEMR/huRAD generally act as Data Controllers for patient medical records entered into the Applications;
- Humantics typically acts as a Data Processor when providing platform, hosting, and technical services to those customers;
- Where Humantics collects personal data for its own purposes (e.g., job applicants, sales leads, analytics), Humantics acts as a Data Controller for that data.
We document roles in contracts (e.g., Data Processing Agreements or Business Associate Agreements) as required by law or customer request.
5. Information we collect
We collect and process different categories of personal data depending on your interactions. Categories include:
| Category | Examples | Why we collect |
|---|---|---|
| Account & contact | Names, email, phone, organization, job title, login credentials (hashed) | To create and manage accounts, contact users, billing, support |
| Healthcare / Clinical (PHI) | Patient demographics, medical history, diagnoses, prescriptions, radiology images & reports (huRAD), lab results, treatment plans | To provide EMR and diagnostic services, clinical workflows, and care coordination |
| Device & usage | IP address, device identifiers, browser, operating system, timestamps, audit logs | Security, troubleshooting, analytics, product improvement |
| Payment & billing | Billing address, payment transaction references (payments processed by third-party gateways) | Billing and subscriptions (where applicable) |
| Support & communications | Messages, ticket content, attachments you provide | To respond to inquiries and provide support |
| Optional uploads | Files you upload (reports, images, project files) | To support product features and customer workflows |
6. How we collect data
- Directly from users, patients, clinicians, and administrators via forms, uploads or API integrations;
- Automatically through cookies, server logs, analytics and monitoring tools for operational purposes;
- From third parties and partners (e.g., identity providers, labs, PACS vendors) where integrations are configured by the customer;
- From public sources when permitted by law (e.g., company directories for sales outreach).
7. Purposes of processing & lawful basis
We process personal and health data for the following purposes:
- Service delivery: Provide huEMR, huRAD, SehatMitra and related services (performance of a contract).
- Clinical care: Support care delivery, diagnostics and treatment coordination (legal/medical necessity, explicit consent where required).
- Security & fraud prevention: Protect systems, detect abuse (legitimate interest).
- Legal & regulatory compliance: Fulfil legal obligations such as record retention or audit requests (legal obligation).
- Product improvement: Analytics and feature development (legitimate interest or consent where required).
- Marketing & communications: With consent for promotional messages; mandatory service-related messages may be sent without marketing consent.
Where we rely on consent, you may withdraw it at any time (withdrawal does not invalidate prior processing).
8. Special category data — Health data protections
Health data (PHI) is treated as sensitive. We apply heightened safeguards:
- Encryption: Data is encrypted in transit (TLS) and at rest using industry-standard encryption;
- Access control: Role-based access, least privilege, multi-factor authentication for privileged accounts;
- Audit logging: All access and clinical actions are logged for traceability and compliance;
- Data minimization: We collect only data necessary for clinical and product purposes;
- No profiling for unrelated marketing: PHI is not used for profiling or third-party marketing;
- Processing only on instruction: When acting as a Processor, we process PHI only per documented instructions from the Controller (customer).
9. Cookies & tracking technologies
We use cookies and similar technologies to operate the site and Applications, for analytics and to improve the user experience:
- Essential cookies — required for security and core functionality;
- Functional cookies — remember preferences and settings;
- Analytics cookies — aggregate usage data to improve products.
You can control cookies through browser settings or via any cookie consent tool we display. Disabling non-essential cookies may degrade some functionality.
10. Data sharing & disclosures
We do not sell personal or health data. We may share data with:
- Healthcare providers & institutions: For clinical care and record keeping (as directed by the Controller);
- Service providers: Cloud hosting, backups, analytics, communications, payment processors (we contractually require safeguards);
- Integrations: PACS, labs, or third-party systems you authorize;
- Legal & regulatory authorities: To comply with legal obligations or respond to lawful requests;
- Business transfers: In the context of a merger or sale of assets (with safeguards and notice to affected customers where required).
11. International transfers
Humantics is headquartered in India and may store or process data in India or in cloud regions outside India. When personal data is transferred internationally, we apply appropriate safeguards (e.g., contractual protections, standard contractual clauses, or other lawful transfer mechanisms) to protect rights of data subjects.
12. Data retention
We retain personal data only as long as necessary for the purposes for which it was collected, and to meet legal or contractual obligations. Typical retention practices:
- Account, billing, and support records: retained for the duration of the contract plus 2–7 years for legal and tax requirements;
- Clinical records / PHI: retained in accordance with applicable medical record retention laws and customer instructions (commonly 7–10 years or more depending on jurisdiction);
- Audit logs: retained for the period required for security and compliance (commonly 3–7 years);
- Analytics data: aggregated or anonymized data retained for product improvement; identifiable analytic data retained only as needed.
When retention periods expire, data is securely deleted or irreversibly anonymized unless required to be retained by law.
13. Security measures
We maintain reasonable administrative, technical and physical safeguards to protect personal data, including but not limited to:
- Encryption in transit (HTTPS/TLS) and at rest;
- Role-based access control and MFA for privileged roles;
- Network protections, firewalls, intrusion detection and monitoring;
- Regular security assessments, vulnerability scanning, and patch management;
- Backups and disaster recovery plans;
- Employee training, least-privilege policies, and background checks where appropriate.
No security system is perfect. In the unlikely event of a data breach that creates a risk to data subjects, we will follow applicable laws for notification to affected individuals and regulators.
14. Your rights & how to exercise them
Subject to applicable law, data protection and medical record laws, you may have rights including:
- Access: Request copies of personal data we hold about you;
- Rectification: Correct inaccurate or incomplete data;
- Erasure: Request deletion where legal grounds allow (note: medical/legal retention obligations may limit deletion of PHI);
- Restriction: Ask us to restrict processing in certain situations;
- Portability: Receive a machine-readable copy of your data where applicable;
- Objection: Object to certain processing, including direct marketing;
- Lodge a complaint: File a complaint with us or with your local data protection authority.
To exercise rights, contact us at [email protected]. We may require identity verification and will respond as required by local law.
15. Children & vulnerable users
Our Applications are intended for use by healthcare professionals, patients and community programs. We do not knowingly collect personal data directly from children under 16 without parental or guardian consent. If you believe we have collected data about a child without appropriate consent, contact us to request removal.
16. Marketing & communications
We may send operational, transactional and service-related messages about the Applications without marketing consent. For marketing communications (newsletters, product updates), we will obtain consent where required and provide an easy way to opt out of such communications.
17. Third-party services & integrations
The Applications may integrate with third-party services (PACS, labs, payment gateways, messaging APIs). These services have their own privacy policies; Humantics is not responsible for third-party practices. When enabling integrations, you authorize the data exchange between systems as configured by you or your organization.
18. Responsibilities of Healthcare Providers (Customers)
Healthcare providers and institutions using our Applications typically act as Data Controllers for patient data they enter. Responsibilities include:
- Obtaining lawful consents where required for collection and processing of patient data;
- Ensuring accuracy and lawfulness of data entered;
- Configuring integrations and access controls appropriately;
- Requesting contractual safeguards (e.g., Data Processing Agreement or Business Associate Agreement) where required by local law or the customer’s obligations.
19. Compliance frameworks & contractual safeguards
We design our product and contracts to support compliance with applicable laws and standards, including (where applicable):
- India: Digital Personal Data Protection Act (DPDP) and applicable health laws;
- European Union: General Data Protection Regulation (GDPR) — we can implement appropriate safeguards such as Standard Contractual Clauses for international transfers;
- United States: Health Insurance Portability and Accountability Act (HIPAA) — Humantics can enter into Business Associate Agreements (BAAs) with covered entities where required;
- Other regional or sectoral requirements (we will cooperate to implement reasonable contractual and technical measures upon customer request).
20. Data breach notification
If we discover a security incident affecting personal data, we will:
- Assess the risk and scope of the incident;
- Notify affected customers or individuals and regulators as required by applicable law;
- Take reasonable steps to contain and remediate the incident;
- Cooperate with investigations and provide required information to customers acting as Controllers.
21. Changes to this policy
We may update this Policy to reflect changes in our practices, legal requirements, or product features. Material changes will be posted with an updated effective date and, when appropriate, communicated through the Applications or email.
22. Contact, grievance redressal & DPO
If you have questions, requests, or complaints about this Policy or our data practices, contact:
Humantics Software Technologies Pvt. Ltd.
Website: https://humantics.in
Email: [email protected]
Address: 06, 1st Floor, S. P. Griham, Ram Nagri, Khajpura, Ashiyana Nagar,
Patna, Bihar 800025, India
If you wish to designate a Data Protection Officer or Grievance Officer for your region, please email [email protected] with the subject “DPO / Grievance — Humantics”.
23. Governing law & jurisdiction
This Policy and any disputes are governed by the laws of India, unless otherwise required by applicable mandatory laws where we operate.
24. Effective date & versioning
Effective date: September 18, 2025. We maintain version history and prior versions are available on request by contacting [email protected].
This Privacy Policy is a general template and does not constitute legal advice. For compliance with specific industry rules (e.g., regional healthcare regulations, HIPAA, DPDP, GDPR) and contractual obligations, consult legal counsel to tailor contractual language (DPAs, BAAs), technical safeguards, and retention schedules to your circumstances.