This Privacy Policy describes how CareO collects, uses and protects personal data when you and your patients use the Service. We comply with the Digital Personal Data Protection Act 2023 (DPDP Act), Information Technology Act 2000 and applicable NABH norms.
We use personal data strictly to deliver and improve the Service: clinical documentation, billing, appointment reminders, statutory reports, support, fraud prevention and security incident investigation. We do not sell, rent or share patient data with advertisers.
Processing of patient data is performed on behalf of the hospital, with CareO acting as a data processor; the hospital is the data fiduciary under the DPDP Act and is responsible for obtaining valid patient consent. Processing of hospital and user data is carried out on the basis of contract performance.
Under the DPDP Act every individual ("Data Principal") has the right to access, correct, erase or port their personal data. Patients should make such requests directly to their hospital (the data fiduciary). Hospitals may write to info@stewardindia.com for help.
Patient medical records are retained as long as the hospital subscription is active, plus the statutory minimum (Indian Medical Council requires 3 years after last consultation; for medico-legal cases 10 years). On account closure we offer a 60-day export window before purging.
All data is transmitted over TLS 1.2+. Passwords are hashed with bcrypt. 2FA is available to all users and required for super-admin and hospital-admin roles. TOTP secrets are encrypted at rest with Fernet. Multi-tenant isolation is enforced on every API call. Audit logs are immutable. Backups are encrypted and stored in a separate region.
We use only essential cookies (session, CSRF, language preference). No third-party tracking or advertising cookies are set.
Grievance Officer / Data Protection Officer: info@stewardindia.com. We respond to verified requests within 30 days.