Privacy Policy
- Effective
- 2 June 2026
- Last updated
- 2 June 2026
- Version
- v1
This Privacy Policy explains how OGA Care (“OGA Care”, “we”, “us”, or “our”) collects, uses, shares, and protects information when you use the OGA Careplatform, including our websites, web applications, APIs, and related services (the “Services”).
OGA Careis a multi-tenant healthcare management platform used by clinics, healthcare providers, administrators, and their staff. We take privacy seriously because we know the data you trust us with — including information about patients, appointments, and billing — is sensitive.
Questions? Email support@ogacare.in.
1. Who This Policy Applies To
- Customers (Tenants). Clinics, healthcare organisations, and individual providers who subscribe to OGA Care.
- Authorised Users.Administrators, staff, clinicians, and other users invited by a Customer to use the platform on the Customer’s behalf.
- End Patients. Individuals whose health, contact, or billing information is processed in the platform by a Customer.
For Authorised Users and visitors to our marketing site, OGA Care is the controller of your personal data. For information about End Patients processed within a Customer workspace, we act as a processor (or, where applicable, a Business Associate) on behalf of the Customer. See our Data Processing Agreement for the controller/processor terms.
2. Information We Collect
2.1 Information You Provide
- Account information — name, email, phone, role, profile details.
- Tenant information — organisation name, address, billing contact, tax IDs.
- Authentication data via our identity provider Clerk. We do not store raw passwords.
- Patient and clinical data entered by Authorised Users (name, date of birth, contact details, appointment history, clinical notes, attachments).
- Billing data — plan, billing address, tax IDs. Card data is processed by Razorpay.
- Communications you send us via support or contact channels.
2.2 Information Collected Automatically
- Usage data — pages visited, features used, timestamps.
- Device and log data — IP, browser, OS, device IDs, crash diagnostics.
- Cookies and similar technologies — see our Cookie Policy.
2.3 Information from Third Parties
- Clerk— profile and authentication metadata.
- Razorpay— subscription status, invoice metadata, payment outcomes.
- Invite flows — inviter identity and invitee email address.
3. How We Use Information
- Provide the Services — accounts, tenant workspaces, subscriptions, workflows.
- Onboard and support tenants — invitations, role assignment, support.
- Process payments through Razorpay.
- Send transactional communications — invitations, password resets, appointment confirmations, billing receipts, security alerts.
- Improve and secure the platform — diagnostics, abuse prevention, integrity.
- Comply with legal obligations — tax, accounting, lawful requests.
- Send product updates — only where permitted and subject to your preferences.
We do not sell personal information, and we do not use patient or clinical data to train generalised machine-learning or advertising models.
Where our optional AI Clinical Assistant is used, it processes only the de-identified clinical context the clinician provides (such as complaints, vitals, and examination findings). Direct patient identifiers are never sent to the AI provider.
Note: AI analysis is performed without collecting or processing patient personal information such as name, email address, phone number, or other identifying details.
4. Legal Bases for Processing (GDPR / UK GDPR / DPDP Act)
- Contract: Providing the Services to Customers and Authorised Users.
- Processor instructions: Processing patient data on behalf of Customers.
- Legal obligation: Billing, tax, and accounting records.
- Legitimate interests: Security, fraud prevention, product improvement.
- Consent: Optional marketing communications, withdrawable any time.
5. How We Share Information
- Within a tenant, scoped by the user’s role.
- With service providers (sub-processors) listed in Section 7.
- In a merger, acquisition, or asset sale, subject to the same protections.
- Where required by law or to protect rights, property, or safety.
- With your direction (e.g. integrations you enable).
We do not disclose patient or clinical data for advertising, profiling, or unrelated commercial purposes.
6. International Data Transfers
We host primary patient and tenant data, file storage, and database backups in India (ap-south-1, Mumbai). Patient records are not transferred outside India in the ordinary course of providing the Services.
A limited number of supporting services (listed in Section 7) operate outside India and process only scrubbed, de-identified, or non-patient data — for example, error diagnostics with identifiers redacted, the optional AI Clinical Assistant (which receives de-identified clinical text only), and transactional email delivery. Where such transfers occur, we rely on appropriate safeguards such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, vendor data-processing agreements, or other lawful mechanisms.
7. Sub-Processors
We engage the service providers below to deliver the Services. The current authoritative list is available on request via support@ogacare.in.
| Vendor | Purpose | Data Categories | Processing Region |
|---|---|---|---|
| Supabase | Primary database, file/object storage, and point-in-time backups | Tenant, patient, clinical, and billing records; uploaded files | India (ap-south-1, Mumbai) |
| Amazon Web Services (EC2) | Application hosting and compute | Hosted application data in transit and on the host | India (ap-south-1, Mumbai) |
| Clerk | Authentication, session management, invite delivery | Account, profile, and authentication metadata | United States |
| Razorpay | Subscription billing and payment processing | Billing contact, payment metadata, invoice data | India |
| Anthropic (Claude AI) | AI clinical-assistant text analysis and note drafting | De-identified clinical text only — no patient name, email, phone, or other direct identifiers | United States |
| Resend | Transactional email delivery (account, billing, security notices) | Recipient email address and message content | United States |
| Sentry | Error monitoring and performance diagnostics | Diagnostic data with PHI/PII redacted before transmission | United States / European Union |
Primary patient data, file storage, and database backups are hosted in India (ap-south-1, Mumbai). A limited number of supporting services process scrubbed, de-identified, or non-patient data outside India under the safeguards described in Section 6.
8. Data Retention
- Tenant and patient data are retained while the Customer’s subscription is active, plus an export window of up to 30 days after termination.
- Records subject to statutory or contractual retention (including clinical and billing records) are retained for up to 2555 days (approximately 7 years), or longer where the law requires.
- Audit and security logs are retained for 1 year (365 days).
9. Security
We implement administrative, technical, and physical safeguards, including:
- Encryption in transit (TLS 1.2+) and at rest.
- Role-based access control and least-privilege provisioning.
- Authentication via Clerk with multi-factor support.
- Network isolation, secrets management, dependency scanning.
- Continuous monitoring, audit logging, and routine backups.
- Vendor due diligence for sub-processors.
Report a vulnerability to support@ogacare.in. How we handle confirmed incidents is set out in our Breach Notification Policy.
10. Your Rights
Depending on your jurisdiction, you may have rights to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data, subject to legal exceptions.
- Restrict or object to certain processing.
- Receive a portable copy of data you provided.
- Withdraw consent, where processing is based on it.
- Lodge a complaint with your local data-protection authority.
To exercise these rights, contact support@ogacare.in. If we process your data on behalf of a Customer (as a processor), we will refer your request to that Customer.
11. HIPAA Considerations (US Customers)
Where a Customer is a HIPAA Covered Entity and uses OGA Careto store Protected Health Information (“PHI”), OGA Carewill act as a Business Associate under a signed Business Associate Agreement (“BAA”). The BAA governs our handling of PHI and supersedes any conflicting terms in this policy for that data. Request a BAA via support@ogacare.in.
12. Children’s Privacy
OGA Care is not directed to children under 18. Patient records that include information about children are collected by our Customers under their own legal basis to provide healthcare; we process that information solely on the Customer’s documented instructions.
13. Grievance Redressal
If you are in India, you may contact our Grievance Officer regarding any privacy concern or the exercise of your rights as a data principal. Details and timelines are on the Grievance Officer page.
14. Changes to This Policy
We may update this Privacy Policy. Material changes are announced by email or in-product notice before they take effect. The “Last updated” date reflects the most recent revision.