Privacy Policy
Your privacy matters to us.
This policy describes how the ACEP Platform collects, uses, stores, protects, and shares your personal data. It covers compliance with the Digital Personal Data Protection Act, 2023 (DPDPA) and the Health Insurance Portability and Accountability Act (HIPAA). Please read this policy carefully.
1. Scope & Applicability
This Privacy Policy applies to all users of the ACEP Platform, including:
- Patients who register and receive healthcare services through hospitals using the platform.
- Hospital Staff including doctors, coordinators, receptionists, role administrators, and super administrators who use the platform for hospital operations.
- Platform Staff from Metagates Innovation Pvt. Ltd. who manage and maintain the platform.
- Visitors who access the platform login page or public-facing website.
This policy covers all personal data processed through the ACEP Platform, regardless of the device or method of access (web browser, kiosk terminal, or mobile-responsive interface).
2. Definitions
| Term | Meaning |
|---|---|
| Personal Data | Any information that identifies or can be used to identify a natural person, directly or indirectly. |
| Data Principal | The individual to whom the personal data belongs (you). |
| Data Fiduciary | Metagates Innovation Pvt. Ltd. — the entity that determines the purpose and means of processing personal data. |
| PHI | Protected Health Information — any health-related data that identifies an individual, as defined under HIPAA. |
| Processing | Any operation performed on personal data, including collection, storage, use, disclosure, and deletion. |
3. Data Controller & Data Protection Officer
Metagates Innovation Pvt. Ltd. is the Data Fiduciary (data controller) responsible for the processing of your personal data through the ACEP Platform (Advance Customer Engagement Platform), also referred to as the Mediverse Provider Module.
Data Controller
Metagates Innovation Pvt. Ltd.
Email: contact@metagatesinnovation.com
Website: wekares.in
Data Protection Officer (DPO)
The DPO oversees data protection strategy, compliance monitoring, and acts as the point of contact for data protection authorities.
Email: contact@metagatesinnovation.com
For privacy-related inquiries that are not grievances (e.g., vendor inquiries, partnership questions about data processing), please contact the DPO directly. For individual complaints about data handling, please refer to Section 15 (Grievance Redressal).
4. Data We Collect
The categories and specific data fields we collect depend on your role and how you interact with the platform:
4.1 Data Collected from Patients
| Category | Data Fields | Classification |
|---|---|---|
| Identity | Name, phone number, email, age, sex, registration ID, WhatsApp number | L4 — Highly Restricted |
| Medical Records | Diagnosis, clinical notes, vital signs (BP, weight, temperature, pulse, SpO2, height), prescriptions, medicine details, dosage, frequency | L4 — Highly Restricted |
| Appointments | Appointment dates, time slots, doctor assigned, visit status, cancellation history, notes | L2 — Internal |
4.2 Data Collected from Hospital Staff
| Category | Data Fields | Classification |
|---|---|---|
| Identity | Name, email, phone, role, department, specialization, professional registration ID | L3 — Restricted |
| Professional | OPD fee, consultation history, appointment statistics, leave/schedule records | L2 — Internal |
4.3 Data Collected During Hospital Onboarding
| Category | Data Fields | Classification |
|---|---|---|
| Hospital Identity | Hospital name, type, specialties, number of beds, address, contact details, email, website | L2 — Internal |
| Representative Info | Representative name, designation, department, email, contact number | L3 — Restricted |
| Government IDs | Rohini ID, hospital registration certificate, GST number, PAN number, Aadhaar card, MOU | L4 — Highly Restricted |
4.4 Technical Data Collected Automatically
| Category | Data Fields | Purpose |
|---|---|---|
| Device & Network | IP address, browser type, operating system, device type, screen resolution | Security, analytics, troubleshooting |
| Usage Logs | Page URLs visited, timestamps, features used, actions performed, search queries | Audit trail, performance monitoring, abuse prevention |
| Session Data | Login timestamps, session duration, logout events, idle timeouts | Session management, security monitoring |
5. Purpose of Processing
Your personal data is processed for the following specific purposes. Each purpose is mapped to the applicable legal basis:
Hospital Operations & Patient Care
Patient registration, appointment scheduling, doctor consultations, prescription management, referral coordination, and clinical decision tracking.
Clinical Decision Support
Recording diagnoses, vital signs, treatment plans, and prescriptions to ensure continuity of care and enable informed clinical decisions across visits.
Analytics & Reporting
Aggregated analysis of appointment trends, fee collection, clinical outcomes, doctor workload, and operational performance. Data is aggregated where possible to minimise individual identification.
Compliance & Audit
Maintaining comprehensive audit logs of all data access, creation, modification, and deletion events. Records are retained to comply with HIPAA (45 CFR § 164.312(b)) and DPDPA requirements.
Communication & Notifications
Sending appointment reminders, OTP verification codes, administrative notifications, and account-related communications via the platform interface. No marketing communications are sent.
Security & Fraud Prevention
Rate limiting on authentication endpoints, monitoring for suspicious access patterns, IP-based anomaly detection, and enforcement of role-based access controls.
6. Legal Basis for Processing
Under the Digital Personal Data Protection Act, 2023 (DPDPA) and applicable healthcare regulations, we process your personal data based on the following legal grounds:
Consent (DPDPA Section 4)
We obtain your explicit, informed consent at the time of patient registration and hospital onboarding. Consent is specific to the purposes described in this policy. You have the right to withdraw consent at any time by contacting the hospital administration or our Grievance Officer. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
Contractual Necessity
Processing is necessary for the performance of healthcare services that you or the hospital have requested through the platform, including appointment booking, consultation recording, and prescription management.
Legal Obligation
Processing is necessary for compliance with applicable legal obligations, including: HIPAA (45 CFR § 164), DPDPA 2023, the Indian IT Act, 2000, and healthcare regulations governing the storage and retention of medical records.
Legitimate Interest
Aggregated analytics, platform security monitoring, and performance optimisation are processed based on our legitimate interest in maintaining a secure, efficient platform. We balance this against your privacy rights and ensure minimal intrusion.
Consent Withdrawal
You may withdraw consent at any time by contacting the hospital administration or our Grievance Officer (contact@metagatesinnovation.com). Upon withdrawal, we will cease processing your data for the purposes that required consent, subject to legal retention requirements. Certain processing (e.g., medical record retention required by law) may continue on other legal bases.
7. Data Retention & Deletion
We retain personal data only as long as necessary for the purposes described in this policy or as required by law. The following retention schedules apply:
| Data Category | Retention Period | Basis |
|---|---|---|
| Patient Records | Duration of hospital relationship + 6 years | HIPAA 45 CFR § 164 |
| Medical Records (Diagnosis, Prescriptions) | 6 years from date of creation | HIPAA + Clinical practice guidelines |
| Audit Logs | 6 years | HIPAA 45 CFR § 164.312(b) |
| User Accounts | Until account deactivation/deletion + 1 year | Contractual + Security |
| OTP Verification Records | 30 days | Operational |
| Hospital Compliance Documents | Duration of hospital relationship + 6 years | Regulatory |
| Session / Technical Logs | 90 days | Operational |
After the retention period expires, data is securely and permanently purged from our systems. Automated purging is performed periodically. Deleted data cannot be recovered.
8. Your Data Protection Rights (DPDPA)
Under the Digital Personal Data Protection Act, 2023 (DPDPA), you have the following rights regarding your personal data. These rights are exercisable by contacting the hospital administration or our Grievance Officer.
Right of Access (Section 8(1))
Request a summary of personal data we hold about you, the purposes of processing, categories of data, and recipients with whom data has been shared. We will provide this information in a structured, machine-readable format within a reasonable timeframe.
Right of Correction (Section 8(2))
Request correction of inaccurate or incomplete personal data. You can update certain information directly through the platform (e.g., contact details). For clinical data corrections, please contact the hospital administration.
Right of Erasure (Section 8(3))
Request deletion of your personal data. This right is subject to legal and regulatory retention requirements — medical records may need to be retained for the minimum period prescribed by applicable healthcare laws. We will inform you of any restrictions.
Right of Data Portability (Section 8(4))
Request transfer of your personal data to another data fiduciary in a structured, commonly used, and machine-readable format. This applies to data processed on the basis of consent or contract.
Right to Grievance Redressal (Section 8(5))
Submit a complaint regarding the processing of your personal data. We will acknowledge receipt within 24 hours and resolve the grievance within 30 days. If unsatisfied, you may lodge a complaint with the Data Protection Board of India.
How to Exercise Your Rights
Submit your request to your hospital administration or email our Grievance Officer at contact@metagatesinnovation.com. We may need to verify your identity before processing your request. We will respond within 30 days of receiving a complete request.
10. Cross-Border Data Transfer
All personal data collected through the ACEP Platform is stored and processed within India, specifically in the AWS ap-south-1 region (Mumbai, India).
In the event that data needs to be transferred outside India (e.g., for disaster recovery or if required by international healthcare partnerships), we will ensure:
- Adequate safeguards are in place consistent with DPDPA Section 16 requirements.
- Standard contractual clauses or equivalent transfer mechanisms are executed.
- You are notified of any cross-border transfer and the safeguards applied.
- The destination country's data protection adequacy is assessed (where applicable).
12. Security Measures
We implement a multi-layered security architecture to protect your personal data:
Encryption at Rest
AES-256-GCM column-level encryption for all sensitive data (L3/L4 classified fields). RDS storage volumes are encrypted. File uploads are encrypted before storage.
Encryption in Transit
TLS 1.2+ for all network communication. HTTPS between user, CloudFront, ALB. Internal VPC traffic is within AWS private network.
Access Control
14 distinct RBAC roles. Hospital-level tenant isolation via unique hospital codes. Field-level access restrictions (e.g., receptionists cannot view clinical notes).
Authentication
bcrypt password hashing. JWT tokens with 60-minute expiry. Rate-limited login (5 attempts/min/IP). Account deactivation on doctor status change.
Audit Logging
Every create, update, and delete operation on personal data is logged with actor ID, timestamp, IP address, old/new values, and changed fields. Logs are immutable.
Infrastructure Security
AWS VPC with private subnets. Security groups restrict traffic. RDS in private subnet. ALB with WAF for common web attack patterns. Regular security updates.
13. Data Breach Notification
In the event of a data breach that compromises your personal data, we will follow our incident response procedure:
- Detection & Containment: Identify the breach, contain the impact, and secure affected systems.
- Assessment: Evaluate the scope, severity, and types of personal data affected.
- Notification to DPB India: Notify the Data Protection Board of India within 72 hours as required under DPDPA Section 11.
- Notification to Data Principals: Inform affected individuals without delay, providing details of the breach, potential impact, and steps taken to mitigate.
- Remediation: Implement measures to prevent recurrence and strengthen security posture.
We maintain a breach register and conduct post-incident reviews for all security incidents.
14. Children's Privacy
The ACEP Platform is intended for use by healthcare professionals, hospital staff, and patients of all ages. Where personal data of a minor (under 18 years of age) is processed, we obtain verifiable consent from the parent or lawful guardian, as required under DPDPA Section 9.
Patient records for minors are created and managed by the parent/guardian or by hospital staff during the registration process, who are responsible for obtaining necessary parental consent.
15. Grievance Redressal
If you have any questions, concerns, or complaints regarding this Privacy Policy or the processing of your personal data, please contact our Grievance Officer:
Grievance Officer
Name: Grievance Officer
Entity: Metagates Innovation Pvt. Ltd.
Email: contact@metagatesinnovation.com
Response Commitment: Acknowledgement within 24 hours. Resolution within 30 days from receipt of complete information.
Escalation to Data Protection Board of India
If you are not satisfied with our response to your grievance, you have the right to lodge a complaint with the Data Protection Board of India, as provided under DPDPA 2023. Details for filing a complaint are available on the DPB India website.
16. Changes to This Policy
We may update this Privacy Policy to reflect changes in our data processing practices, legal requirements, or platform features. The version number and “Last Updated” date at the top of this page will reflect the most recent revision.
Version History
| Version | Date | Description |
|---|---|---|
| 1.0 | 3 June 2026 | Initial policy — DPDPA + HIPAA compliance baseline |
For material changes that affect your rights or the purposes of processing, we will:
- Notify you through an in-platform notification or email.
- Seek fresh consent where required by applicable law.
- Maintain an archived copy of previous policy versions.
17. Applicable Law & Jurisdiction
This Privacy Policy is governed by the laws of the Republic of India. Any disputes arising out of or related to this policy or the processing of personal data shall be subject to the exclusive jurisdiction of the courts in Mumbai, India.
This policy is designed to comply with:
- The Digital Personal Data Protection Act, 2023 (DPDPA)
- The Health Insurance Portability and Accountability Act (HIPAA) — 45 CFR § 164
- The Information Technology Act, 2000 (India) and IT Rules, 2011
- Applicable Indian healthcare regulations governing medical record-keeping
18. Contact Information
For any questions about this Privacy Policy or our data protection practices, you can reach us through any of the following channels:
Data Protection Officer
Grievance Officer
General Inquiries
Website
By using the ACEP Platform, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you have any questions, please contact our Grievance Officer at contact@metagatesinnovation.com.