Transparent collection: We only collect what we need to run the service.
Never sold: We do not sell your data to third parties. Ever.
Hosted in India: Encrypted backups on Indian data centres.

1. Introduction

HIMS is a Software-as-a-Service (SaaS) Hospital Information Management System used by hospitals, clinics, pathology labs, and pharmacies (the “Service”). This Privacy Policy explains how personal information of your organisation and the individuals it serves — patients, doctors, staff, vendors — is collected, used, stored, and shared when you use the Service.

By using the Service, you agree to the practices described in this policy. If you do not agree, please discontinue using the Service.

2. Information we collect

We collect information in three categories:

a. Information you provide

  • Account details — organisation name, contact number, your name, email, and password (stored as a one-way hash).
  • Operational records you enter into the Service — patients, visits, lab orders and reports, pharmacy bills, prescriptions, vitals, uploads.
  • Billing details — addresses, GSTIN, payment instrument details processed via our PCI-compliant payment partners (we never store full card numbers).

b. Information collected automatically

  • Technical telemetry — IP address, device and browser type, pages visited, timestamps, and the duration of your session.
  • Cookies and similar technologies — small data files stored on your device to keep you signed in, remember preferences, and detect abuse.
  • Diagnostic logs — application errors and performance metrics needed to keep the Service reliable.

c. Information from third parties

  • Linked services you choose to connect — for example, WhatsApp Business APIs for report delivery, payment gateways for invoices, or analyser bridges for lab results.

Sensitive health data: Patient health records you store in the Service are processed on your behalf as a data processor. You remain the data controller for that information.

3. How we use information

We use the information we collect to:

  • Provide, operate, and maintain the Service for your organisation.
  • Authenticate users and prevent unauthorised access.
  • Calculate usage, generate invoices, and process payments.
  • Send transactional emails such as password resets, receipts, and security alerts.
  • Diagnose, debug, and improve the Service.
  • Comply with applicable laws and respond to lawful requests.

We do not use patient health records for advertising, profiling, or training general-purpose AI models.

4. How we share information

We do not sell or rent your information. We share it only in the following limited circumstances:

  • With service providers (cloud hosting, email delivery, payment processing, WhatsApp Business APIs) that we engage to operate the Service, under contractual confidentiality and data-protection obligations.
  • With your own users and recipients you instruct the Service to send to — for example, sharing a lab report with the patient who ordered the test.
  • With law enforcement or regulators when required by a valid legal order, after we have reviewed the request and, where permitted, notified you.
  • In connection with a corporate transaction (merger, acquisition, financing), in which case the acquiring entity will be bound by this policy.

5. How we protect it

  • Encryption in transit (TLS) and at rest for stored data and backups.
  • Role-based access control inside the Service so staff only see what their role requires.
  • Tamper-evident audit trail of consequential actions.
  • Regular vulnerability scanning, patching, and access reviews of our own staff.
  • Daily encrypted backups retained on Indian data centres.

No system can be guaranteed 100% secure. If we ever experience a security incident that affects your data, we will notify you without undue delay and assist with regulatory reporting.

6. Data retention

We retain your data for as long as your subscription is active. After cancellation, we keep it for an additional 90 days so you can export or migrate it. After that period it is permanently deleted from our production systems; encrypted backups age out within 90 further days.

Some records (for example, GST invoices, tax filings, and audit logs) may be retained for longer where required by law.

7. Your rights

Subject to applicable law (including India's DPDP Act, the EU GDPR, and UK GDPR), you may have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate or incomplete information.
  • Request deletion of your personal information.
  • Object to or restrict certain processing activities.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with your local data protection authority.

For patient-record requests, please contact the hospital or clinic that operates the account — they are the data controller for that information. We will assist them in fulfilling your request.

8. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to our practices or for legal or operational reasons. When we make a material change, we will update the “Last updated” date at the top of this page and, where appropriate, notify you in the Service or by email.

9. Contact us

If you have questions about this Privacy Policy or wish to exercise any of your rights, please contact our Data Protection Officer (DPO) by email.