Privacy Policy of PhysioCare PMS
PhysioCare PMS is the brand name under which DND SOFTWARE PRIVATE LIMITED
("Company", "we", "us", "our") publishes and operates the website
physiocarepms.com, the practitioner/clinic portal at
portal.physiocarepms.com, the associated Patient Portal,
and the mobile application "PhysioCarePMS" (together, the "Platform" or "Services").
Our registered office is at 608, Alpha Plus, 150 Feet Ring Road, Rajkot – 360005, Gujarat, India.
This Privacy Policy is published in compliance with, among other applicable laws, the Information
Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and the Digital Personal Data
Protection Act, 2023 ("DPDP Act") of India, to the extent applicable. It explains what personal data
we collect, why, how it is used and shared, and the rights available to you.
BY ACCESSING OR USING THE PLATFORM, YOU AGREE TO THIS PRIVACY POLICY AND OUR TERMS OF USE. IF YOU DO
NOT AGREE, PLEASE DO NOT USE THE PLATFORM OR PROVIDE US WITH ANY INFORMATION. Capitalized terms not
defined here have the meaning given in our Terms of Use.
1. DEFINITIONS
- "Clinic" means a clinic, hospital, rehabilitation centre, or allied healthcare practice that
subscribes to the Platform.
- "Practitioner" means a physiotherapist, chiropractor, or other allied healthcare professional,
and includes Clinic staff and administrators, who use the Clinic/Practitioner Portal.
- "Patient" means an individual who receives care from a Clinic and whose records are
maintained on the Platform, including those who use the Patient Portal.
- "User" means any Practitioner, Patient, Clinic staff member, or visitor who accesses the
Platform.
- "Personal Data" means any data about an individual who is identifiable by or in relation to
such data.
- "Sensitive Personal Data" has the meaning given under the SPDI Rules and includes, without
limitation, passwords, financial information, and physical, physiological, and mental health
condition data.
- "Health Information" means clinical notes, EMR/EHR records, treatment history, diagnoses,
assessments, and any other health-related data recorded on the Platform in relation to a Patient.
- "Data Fiduciary" and "Data Principal" have the meanings given under the DPDP Act.
2. OUR ROLE: CLINICS ARE DATA CONTROLLERS FOR PATIENT DATA
- PhysioCare PMS is a technology service provider. For all Health Information and other Patient
Personal Data entered into the Platform by a Clinic or its Practitioners, the Clinic is the
data controller / Data Fiduciary, and PhysioCare PMS acts solely as a data processor /
technology platform processing such data on the Clinic's behalf and instructions.
- Each Clinic is independently responsible for: (a) obtaining all consents required by applicable
law from its Patients before entering their data on the Platform or sending them communications;
(b) the accuracy, lawfulness, and appropriateness of the Health Information it records; and
(c) complying with all healthcare, medical ethics, and data protection laws applicable to its
practice.
- PhysioCare PMS is not a healthcare provider and does not practice medicine, provide medical
advice, or participate in clinical decision-making. We do not review, verify, or take
responsibility for the clinical accuracy of any Health Information entered by a Clinic or
Practitioner. Patients should direct all clinical questions to their Clinic/Practitioner, not to us.
- We process Personal Data only to provide, maintain, and improve the Platform, in accordance with
this Policy and our agreements with Clinics.
3. INFORMATION WE COLLECT
3.1 From Practitioners and Clinic staff:
- Name, mobile number, email address, password, date of birth, and gender
- Clinic/hospital name, address, registration, and branch details
- Staff role and permission levels within the Clinic's account
- Billing and subscription information (processed via our payment gateway, see Section 7)
3.2 From or about Patients (entered by Clinics, or by Patients themselves on the Patient Portal):
- Contact details: name, phone number, email address
- Demographic details where recorded by the Clinic (e.g., age, gender, address)
- Appointment, booking, and referral records
- Health Information: clinical notes, EMR/EHR entries, treatment plans, assessments, and uploaded
files (e.g., scans, reports) entered by the Clinic
- Authentication data for Patient Portal login (OTP via SMS/email)
3.3 From all Users:
- Usage data: app/portal interactions, feature usage, login activity
- Device and technical data: IP address, browser type, operating system
- Communication data shared through support, messaging, or feedback features
3.4 From website visitors who are not registered Users, we collect only limited analytics data
as described in Section 10 (Cookies and Tracking); we do not require registration to browse our
public website.
3.5 Information we receive from other sources: We may receive information about you from third
parties, such as other users, partners (including ad partners, analytics providers,
search information providers), or our affiliated companies or if you use any of the other
websites/apps we operate or the other Services we provide. Users of our Ad Services and
other third-parties may share information with us such as the cookie ID, device ID,
or demographic or interest data, and information about content viewed or actions taken
on a third-party website, online services or apps. For example, users of our Ad Services
may also be able to share customer list information (e.g., email or phone number) with
us to create customized audience segments for their ad campaigns.
Sensitive Personal Data and Health Information are collected only where necessary to provide the
Services, and only with the consent of the Clinic/Practitioner (and, where the Clinic obtains it,
the Patient).
4. HOW WE USE INFORMATION
- To provide, operate, and maintain the Platform, including patient, appointment, billing, and
referral records
- To enable Patient Portal access, appointment booking, and viewing, where enabled by the Clinic
- To send appointment reminders, confirmations, and notifications via WhatsApp and SMS
- To authenticate Users, including via OTP
- To provide customer support and respond to queries
- To improve Platform performance, reliability, and usability
- To detect, prevent, and investigate fraud, abuse, or security incidents
- To comply with applicable law, legal process, or governmental request
- Where a Clinic opts in, to send Clinics (not Patients) information about new features or product
updates
We do not sell Personal Data, and we do not use Patient Health Information for advertising.
5. THE PATIENT PORTAL
- Where enabled by a Clinic, Patients may register for or be invited to the Patient Portal to view
and, if the Clinic permits, book or manage their own appointments.
- Patient Portal access is authenticated using a password and OTP sent via SMS or email.
- The data visible to a Patient on the Patient Portal (e.g., appointment history, certain clinical
notes) is determined by the Clinic's configuration. PhysioCare PMS does not decide what a Clinic
chooses to share with its Patients.
- Patients cannot create, book, or manage appointments through the Patient Portal unless their
Clinic has enabled that functionality.
- Each Clinic is responsible for managing its Patients' access permissions and for responding to
Patient requests regarding their own records, since the Clinic is the controller of that data.
PhysioCare PMS will assist Clinics in fulfilling such requests where technically required.
6. COMMUNICATIONS: WHATSAPP, SMS, AND META PLATFORMS
- The Platform allows Practitioners to select or enter contact details to create Patient records,
referrals, or to send communications. Contact access on a Practitioner's device occurs only when
actively initiated by the Practitioner; we do not access device contacts in the background.
- We use SMS and the WhatsApp Business API (provided by Meta Platforms, Inc. and its affiliates,
and/or our messaging infrastructure providers) to deliver appointment reminders, confirmations,
and notifications initiated by a Clinic or by configured system workflows.
- For WhatsApp delivery, Meta Platforms, Inc. acts as a technical service provider. Meta
processes message content and metadata under its own applicable terms and policies as the
provider of the WhatsApp Business API; we encourage Users to review Meta's policies.
- We use third-party SMS gateway providers (such as MSG91) to deliver SMS communications. Users
should review such providers' privacy policies, available on their respective websites, before
opting in to SMS communications.
- Clinics and Practitioners are responsible for obtaining appropriate consent from their
Patients before sending them messages through the Platform, including under the Telecom
Commercial Communications Customer Preference Regulations and any applicable consent
requirements for health-related communications.
- We do not use Patient or Practitioner contact data for advertising or marketing to Patients.
PhysioCare PMS may, with a Clinic's consent, send the Clinic (not its Patients) product-related
communications; Clinics may opt out at any time by contacting us.
- When a Clinic deletes a Patient record, associated contact data used for messaging is deleted
immediately from active systems, subject to the backup retention period described in Section 10.
7. THIRD-PARTY SERVICE PROVIDERS
We engage the following categories of third-party providers to operate the Platform. These providers
process data only as necessary to perform their function for us, under contractual confidentiality
and data-protection obligations:
- Cloud hosting: DigitalOcean. Personal Data of Users and Patients located in India is
hosted on servers located in India. Personal Data of Users and Patients located outside India is
hosted on servers located in Singapore. In either case, your data is not moved across this
India/Singapore boundary except as described in this Section.
- Payment gateway: Razorpay, for processing Clinic subscription billing and payments. We do
not store full payment card details; these are handled directly by Razorpay under its own
security standards and privacy policy.
- Messaging providers: Meta Platforms, Inc. (WhatsApp Business API) and SMS gateway
providers (such as MSG91), for delivering reminders and notifications as described in Section 6.
- Analytics providers:
  - Google Analytics – used on our public marketing website only (not within the
  Clinic/Practitioner Portal or Patient Portal)
  - Microsoft Clarity – used only on the admin registration page, to help us understand
  and improve the sign-up experience
  - Mixpanel – used within the Portal for a limited set of product usage events, to
  help us understand feature usage and improve the product
These services operate under their own privacy policies, which Users should review. Links to or
features from third-party websites accessed through the Platform are governed by those third
parties' own policies; we do not control and are not responsible for their content or practices.
8. DATA SHARING AND DISCLOSURE
We do not sell or rent Personal Data. We may share Personal Data only:
- With the third-party service providers described in Section 7, strictly to operate the Platform
- Within a Clinic's own account, with its authorised staff, based on permissions configured by
the Clinic
- When required by law, regulation, court order, or governmental or law enforcement request
- To establish, exercise, or defend our legal rights, or to investigate and prevent fraud, security
incidents, or harm to any person
- In connection with a merger, acquisition, financing, or sale of business assets, subject to
confidentiality protections
- With a Patient's own Clinic, since the Clinic is the controller of that Patient's records
9. CROSS-BORDER DATA TRANSFER
As described in Section 7, the location where your Personal Data is hosted depends on whether you
(or, in the case of a Patient, the Clinic's location) are based in India or outside India:
- Personal Data of Indian Users and Patients is hosted exclusively on servers located within India.
- Personal Data of Users and Patients located outside India is hosted on servers located in
Singapore, to provide acceptable performance and comply with applicable local requirements.
Where Personal Data is hosted in Singapore, we take reasonable steps to ensure it continues to be
protected in a manner consistent with this Policy, including through contractual obligations with our
hosting provider. The DPDP Act permits transfer of personal data outside India except to countries
specifically restricted by the Central Government; as of the date of this Policy, no such restriction
applies to Singapore. If you have questions about where your specific data is hosted, please contact
us using the details in Section 19.
10. DATA RETENTION
- Active accounts: Personal Data and Health Information are retained for as long as the
Clinic's account remains active and as needed to provide the Services.
- Deleted records: When a Clinic deletes a Patient record or closes its account, the
corresponding data is deleted from our live, production systems immediately.
- Backups: Deleted data may persist in routine system backups for up to 90 days
before being permanently purged, as is standard practice for disaster-recovery purposes. Backup
data is not used for any active processing and is accessed only if needed to restore service.
- Anonymized/aggregated data: We may retain data in anonymized or aggregated form, which can
no longer identify any individual, for analytics and product improvement, for as long as
necessary for that purpose.
- We retain data only as long as necessary for the purposes described in this Policy or as required
by applicable law (including any statutory retention requirements applicable to healthcare or
financial records).
11. COOKIES AND TRACKING
We use cookies and similar technologies for session management, authentication, analytics, and to
improve Platform performance. The specific analytics tools in use on each part of the Platform are
described in Section 7. Users can control cookies through their browser settings; disabling cookies
may affect Platform functionality.
12. DATA SECURITY
- We implement reasonable technical and organizational security measures appropriate to the nature
of the data we process, including access controls, authentication (including OTP-based
verification), and restricting data access on a need-to-know basis among our personnel, who are
bound by confidentiality obligations.
- We continually work to improve our security practices, including data encryption, as our Platform
and infrastructure evolve.
- No method of transmission or storage is completely secure. While we strive to protect Personal
Data, we cannot guarantee absolute security, and we are not liable for unauthorized access
resulting from circumstances beyond our reasonable control, including User negligence, compromised
User devices or credentials, or third-party breaches outside the scope of our direct control.
- Users are responsible for safeguarding their account credentials and for promptly notifying us at
info@physiocarepms.com of any suspected unauthorized
access to their account.
- We do not represent or warrant that the Platform is HIPAA-compliant or compliant with any specific
foreign healthcare data protection framework; our practices are designed with reference to
applicable Indian law and general international best practices.
13. USER RIGHTS
Subject to applicable law and the role of Clinics as data controllers for Patient data, Users may:
- Access their Personal Data held on the Platform
- Correct inaccurate or outdated Personal Data
- Request deletion of their Personal Data, subject to legal and operational retention
requirements
- Export their data – Clinics can self-serve export their Patient and account data
from within the Portal at any time
- Withdraw consent for non-essential communications (e.g., product updates to Clinics) at
any time
Patients should generally direct requests regarding their Health Information to their Clinic in the
first instance, as the Clinic controls that data. Requests may also be sent to us at
info@physiocarepms.com, and we will coordinate with the
relevant Clinic as needed, or assist directly where we are able to.
14. CHILDREN'S PRIVACY
The Platform is intended for use by adult Practitioners, Clinic staff, and Patients (or by minors
only under the supervision and consent of a parent, guardian, or treating Clinic, where a minor
receives care). We do not knowingly collect Personal Data directly from children without appropriate
parental or guardian consent obtained by the Clinic. Clinics are responsible for obtaining any consent
required by law before entering a minor Patient's data on the Platform.
15. ACCOUNT TERMINATION
Clinics may close their account at any time by contacting
info@physiocarepms.com. On termination, data will be
handled in accordance with Section 10 (Data Retention). We may also suspend or terminate access where
we reasonably believe a User has violated this Policy or our Terms of Use, or where required by law.
16. LIMITATION OF LIABILITY
To the maximum extent permitted by applicable law, PhysioCare PMS is not responsible or liable for:
- Unauthorized access arising from User negligence, compromised devices, or compromised credentials
- The accuracy, completeness, or lawfulness of any Health Information or other data entered by a
Clinic or Practitioner
- A Clinic's or Practitioner's failure to obtain Patient consent required by law before recording
or sending communications about a Patient
- Breaches, outages, or failures caused by third-party service providers, internet service
providers, or events beyond our reasonable control, including force majeure events
- Service interruptions, including those caused by maintenance, third-party infrastructure failure,
or circumstances outside our reasonable control
- Any clinical, medical, or treatment decision made by a Clinic or Practitioner; we provide
technology infrastructure only and do not provide medical advice or services
17. PRIVACY COMPLAINTS
If you have concerns about how your Personal Data has been handled, please contact us first at
info@physiocarepms.com, and we will make reasonable
efforts to address your concern promptly. Where applicable law provides for escalation to a
regulatory authority (such as the Data Protection Board under the DPDP Act, once operational), you
may also exercise that right.
18. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable
law. Material changes will be notified via the Platform or by email to registered Users. Continued
use of the Platform after such updates constitutes acceptance of the revised Policy.
19. CONTACT US
For any questions about this Privacy Policy or our data practices, please contact:
DND SOFTWARE PRIVATE LIMITED
608, Alpha Plus, 150 Feet Ring Road, Rajkot – 360005, Gujarat, India
Email: info@physiocarepms.com
Last updated: June 26, 2026