Privacy Policy
ARICU is a clinical software product owned and operated by Easy Medical Solutions ("we", "us", "our"), founded by Dr. Atul Rai, M.D. (Physician), based in Hyderabad, India.
This Privacy Policy describes how we collect, use, store, and protect information when you use ARICU's services accessible at aricu.easymedicalsolutions.in and easymedicalsolutions.in (collectively, the "Services").
By using the Services, you agree to this Privacy Policy.
1. Information We Collect
1.1 Account Information
When a hospital staff member registers, we collect:
- Full name, professional designation, medical registration number (if applicable)
- Email address, phone number
- Hospital affiliation, role (doctor, nurse, admin, etc.)
- Password (stored as a hash produced by an industry-standard hashing algorithm)
1.2 Patient Health Information (PHI)
ARICU enables hospitals to record patient clinical data, including demographics (name, age, sex, MRN), clinical observations (vital signs, examinations, notes), diagnoses, medications, procedures, lab results, imaging studies (chest X-rays, ECGs, ultrasounds), discharge summaries, and audit logs.
1.3 Usage Data
We automatically collect IP address, browser type, device type, operating system, pages visited, features used, time spent, error logs (with patient information masked), and performance metrics.
1.4 Communications
If you contact us via email, WhatsApp, or in-app chat, we retain those communications for support and quality improvement.
2. How We Use Information
2.1 To Deliver the Services
- Authenticate users and authorize access
- Display patient data to authorized hospital staff
- Generate AI-assisted clinical analysis (see Section 5)
- Send notifications (code blue alerts, doctor orders, etc.)
- Maintain audit trails for NABH compliance
2.2 To Improve the Services
We analyze usage patterns to improve features, debug technical issues, and develop new clinical decision support tools.
2.3 To Communicate
We send service updates, bug fixes, downtime notices, invoices and payment confirmations, and marketing communications (only with explicit consent; you may opt out at any time). We also respond to support requests.
3. Information Sharing
3.1 With AI Service Providers
To deliver AI-assisted clinical analysis, we send relevant clinical context to OpenAI (USA-based) via API. OpenAI's enterprise tier guarantees zero data retention beyond response generation, that data is not used to train OpenAI models, and SOC 2 Type II certified infrastructure.
3.2 With Authorized Hospital Staff
Hospital admins control access. Each hospital staff member sees only patients assigned to their role/unit (enforced via Row Level Security).
3.3 With Service Providers
We use trusted third parties: Supabase (database hosting, AWS Mumbai region), Vercel / Lovable (web hosting), Razorpay (payment processing), Sentry (error monitoring with PHI masking), OpenAI (AI processing). All providers are bound by Data Processing Agreements ensuring DPDP-aligned protections.
3.4 Legal Requirements
We disclose information if required by law or court order, or to protect against fraud or security threats, defend our legal rights, or comply with NABH/MCI regulations.
3.5 Business Transfers
If ARICU is acquired or merges with another company, your information may transfer to the new entity, subject to the same protections.
4. Data Storage and Security
4.1 Location
- Primary database: AWS Mumbai region (India)
- Backup storage: AWS Mumbai (separate region for disaster recovery)
- AI processing: OpenAI USA infrastructure (encrypted in transit)
4.2 Security Measures
- TLS 1.3 encryption in transit
- AES-256 encryption at rest
- Row Level Security (per-hospital data isolation)
- Daily automated backups (10-year retention per NABH MOM.10)
- Mandatory 2-Factor Authentication for admin accounts
- Audit logging of all data access
- Annual penetration testing
4.3 Retention
- Active patient data: retained for the duration of the hospital's subscription
- Discharged patient records: retained for 10 years per NABH MOM.10
- Account data: retained while the account is active, plus 90 days after a deletion request
- Audit logs: retained for 10 years (NABH requirement)
- Error logs: retained for 90 days
5. AI Processing
5.1 What We Process
When a user clicks "Senior Consultant Analysis" or similar AI features, we send the following to our AI provider: relevant patient clinical context (vitals, notes, labs), our system prompt instructions, and the clinical question being asked.
5.2 What We DO NOT Send
- Patient identifying information beyond first name, age, and sex
- MRN, phone, email, address
- Family member identities
- Insurance information
5.3 Doctor Responsibility
6. Your Rights (DPDP Act 2023)
Under India's Digital Personal Data Protection Act 2023, you have the right to:
- Access: Request a copy of your personal data
- Correction: Correct inaccurate information
- Erasure: Request deletion of your data
- Portability: Export your data in machine-readable format
- Grievance Redressal: File complaints with our Data Protection Officer
To exercise any right, email: privacy@easymedicalsolutions.in
Response time: 30 days as per DPDP Act.
7. Children's Privacy
ARICU is intended for use by adult healthcare professionals. Patient data for minors is processed only at the hospital's direction, with guardian consent governed by the hospital's own policies.
8. International Users
ARICU is currently designed for Indian hospitals. If you access ARICU from outside India, your data may be transferred to and processed in India. By using ARICU, you consent to this transfer.
9. Changes to This Policy
We may update this Privacy Policy occasionally. Material changes will be:
- Posted at the top of this page with a new "Last updated" date
- Notified via email (for registered users)
- Subject to re-acceptance, for significant changes
10. Contact
Easy Medical Solutions
Founder: Dr. Atul Rai, M.D. (Physician)
Email: privacy@easymedicalsolutions.in
Support: support@easymedicalsolutions.in
WhatsApp: +91 7013211742
Address: Hyderabad, Telangana, India
Data Protection Officer: Dr. Atul Rai (interim — until separate DPO appointed at Stage 3 of growth)
For grievances under DPDP Act 2023, you may also approach the Data Protection Board of India (currently under formation).