1. Introduction
AyurGate ("we", "us", or "our") is committed to protecting the privacy and security of your personal information and the data of your patients. As a cloud-based clinic management platform serving Ayurveda, wellness, and healthcare practices, we understand the sensitive nature of the data entrusted to us and take our responsibility as a data processor seriously.
This Privacy Policy explains what information we collect, how we use and protect it, and your rights regarding your data. This policy applies to all users of the AyurGate platform, including clinic administrators, practitioners, staff members, and patients who interact with our services through booking portals or communications.
By using AyurGate, you consent to the practices described in this Privacy Policy. We encourage you to read this policy carefully and contact us at privacy@ayurgate.com if you have any questions.
2. Information We Collect
2.1 Account Information
When you sign up for an AyurGate account, we collect information necessary to create and manage your account, including:
- Full name of the account holder and staff members
- Email addresses
- Phone numbers
- Clinic or practice name, address, and registration details
- Professional qualifications and licence numbers (where applicable)
- Role and access level within the organisation
2.2 Patient Data
Patient data is entered into the platform by authorised clinic staff. AyurGate acts as a data processor for this information — the clinic or practice is the data controller. Patient data may include:
- Patient name, contact details, date of birth, and identification information
- Medical history, health conditions, allergies, and clinical notes
- Appointment records and visit history
- Prescriptions and treatment plans
- Billing records and payment history
- Consent forms and communications
We do not access, review, or use patient data except as strictly necessary to provide the Service, maintain system security, or comply with legal obligations.
2.3 Usage Data
We automatically collect certain technical and usage information when you interact with the platform, including:
- Pages viewed, features used, and actions taken within the platform
- Device type, operating system, and browser information
- IP address and approximate geographic location
- Login timestamps and session duration
- Error logs and performance metrics
This data is used in aggregate to improve the Service and is not linked to individual patient records.
2.4 Payment Information
Subscription payments are processed securely through Stripe, our third-party payment processor. When you provide payment details, this information is transmitted directly to Stripe and is subject to Stripe's Privacy Policy. AyurGate does not store, process, or have access to your full credit card number, CVV, or other sensitive payment card details. We retain only a transaction reference, the last four digits of your card, and billing address for record-keeping purposes.
3. How We Use Information
We use the information we collect for the following purposes:
- Service Delivery: To provide, operate, and maintain the AyurGate platform and its features, including patient management, scheduling, billing, and all other core functionality.
- Account Management: To create and manage your account, verify your identity, and process subscription payments.
- Customer Support: To respond to your enquiries, troubleshoot issues, and provide technical assistance.
- Billing and Invoicing: To process payments, generate invoices, and manage subscription renewals.
- Analytics and Improvement: To analyse usage patterns (in aggregate) to improve the platform, develop new features, and enhance user experience.
- Communication: To send you important notifications about your account, service updates, security alerts, and changes to our terms or policies.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
4. Data Storage and Security
We implement robust technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction:
- Encryption: All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher.
- Secure Infrastructure: The Service is hosted on secure cloud infrastructure with enterprise-grade physical and network security controls.
- Regular Backups: We perform automated daily backups of all data to geographically separate locations to ensure data durability and disaster recovery capability.
- Access Controls: Access to production systems and customer data is restricted to authorised personnel on a need-to-know basis, protected by multi-factor authentication, and subject to audit logging.
- Security Monitoring: We employ continuous monitoring, intrusion detection systems, and regular security assessments to identify and address potential vulnerabilities.
- Incident Response: We maintain an incident response plan and will notify affected users promptly in the event of a data breach, in accordance with applicable laws.
5. Healthcare Data and PDPA Compliance
AyurGate processes healthcare data on behalf of clinics and practices. We recognise that patient health information requires the highest level of protection and care. Our handling of healthcare data is guided by the following principles:
- Singapore PDPA Compliance: AyurGate is designed to comply with the Singapore Personal Data Protection Act (PDPA) and the guidelines issued by the Personal Data Protection Commission (PDPC). We support clinics in meeting their obligations as data controllers under the PDPA.
- Data Minimisation: We collect and process only the minimum amount of personal data necessary to provide the Service. We do not request or encourage the collection of unnecessary personal information.
- Purpose Limitation: Patient health data is processed solely for the purposes for which it was collected — namely, to enable the clinic to manage patient care, appointments, billing, and related administrative functions.
- Consent Management: The platform includes tools to help clinics manage patient consent for data collection and processing, in alignment with PDPA requirements.
- Data Protection Officer: Our Data Protection Officer can be reached at privacy@ayurgate.com for any queries related to healthcare data handling.
For clinics operating in India, Malaysia, Sri Lanka, or the UAE, we also endeavour to comply with the applicable data protection regulations in those jurisdictions, including India's Digital Personal Data Protection Act (DPDPA), Malaysia's Personal Data Protection Act (PDPA), and the UAE's Federal Data Protection Law.
6. Data Sharing
AyurGate does not sell, rent, trade, or otherwise disclose your personal data or patient data to third parties for marketing, advertising, or any other commercial purpose. We share data only with the following categories of service providers, and only to the extent necessary to operate the Service:
- Stripe (payment processing) — receives payment details necessary to process subscription charges. Stripe is PCI DSS Level 1 certified.
- Resend (email delivery) — receives email addresses and message content necessary to deliver transactional emails such as appointment confirmations, password resets, and account notifications.
- Railway / Cloud Hosting (infrastructure) — hosts our application and databases. Data is stored on their secure infrastructure in accordance with their security policies.
All third-party service providers are bound by contractual obligations to protect your data and use it only for the purposes specified by AyurGate. We regularly review our service providers to ensure they maintain adequate security standards.
We may also disclose data if required to do so by law, court order, or government request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of AyurGate, our users, or the public.
7. Data Retention
We retain your data in accordance with the following policies:
- Active Accounts: All data associated with your account is retained for as long as your subscription remains active. We do not delete or archive data from active accounts unless you specifically request it.
- After Cancellation or Termination: Following the cancellation or termination of your account, your data will remain accessible for export for 30 days. During this period, you may download your data using the platform's built-in export tools or by contacting support.
- Permanent Deletion: After the 30-day grace period, all account data, including patient records, will be permanently deleted from our production systems.
- Backup Purge: Copies of your data that exist in our backup systems will be purged within 90 days of account termination.
- Legal Obligations: We may retain certain data for longer periods if required by applicable law or regulation (for example, financial records for tax or audit purposes).
8. Your Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
- Right of Access: You may request a copy of the personal data we hold about you and information about how it is processed.
- Right to Correction: You may request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to Deletion: You may request the deletion of your personal data, subject to any legal obligations that require us to retain it.
- Right to Data Portability: You may request your data in a structured, commonly used, machine-readable format (such as CSV or JSON) so that it can be transferred to another service.
- Right to Withdraw Consent: Where we rely on your consent to process personal data, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
To exercise any of these rights, please contact us at privacy@ayurgate.com. We will respond to all legitimate requests within 30 days.
For patient data rights: patients should contact the clinic or practice that entered their data into AyurGate, as the clinic is the data controller. We will assist clinics in fulfilling data subject requests upon instruction.
9. Cookies
AyurGate uses a minimal number of cookies that are strictly necessary for the operation of the Service:
- Authentication Cookies: We use secure, HTTP-only cookies to manage your login session using JSON Web Tokens (JWT). These cookies are essential for keeping you securely logged in while you use the platform.
- Preference Cookies: We may store minimal preferences (such as language or timezone settings) to improve your experience.
We do not use:
- Third-party tracking cookies
- Advertising or retargeting cookies
- Analytics cookies from third-party providers (such as Google Analytics)
- Social media tracking pixels or widgets
Because we only use strictly necessary cookies, no cookie consent banner is required under most jurisdictions. However, you can configure your browser to block or delete cookies at any time, though this may prevent you from using the platform.
10. Children's Privacy
AyurGate is a business-to-business service designed for use by licensed healthcare professionals and clinic administrators. The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.
If we become aware that we have inadvertently collected personal data from a person under 18 who is not a patient record entered by an authorised clinic user, we will take steps to delete that information promptly. If you believe that a child has provided us with personal data directly, please contact us at privacy@ayurgate.com.
Note: Clinics may store records of minor patients within the platform as part of standard healthcare practice. Such records are managed by the clinic in accordance with applicable healthcare regulations and parental consent requirements.
11. International Data Transfers
AyurGate serves clinics in Singapore, India, Malaysia, Sri Lanka, and the UAE. Your data may be processed and stored in Singapore or in other regions where our cloud infrastructure providers operate data centres.
- Where data is transferred across borders, we ensure that appropriate safeguards are in place, including contractual protections with our service providers that require them to protect data in accordance with applicable data protection laws.
- We endeavour to store data in the region closest to the clinic's primary location where feasible, and we will work with clinics that have specific data residency requirements.
- All cross-border data transfers are conducted in compliance with the Singapore PDPA and its requirements for the transfer of personal data outside of Singapore.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this policy, we will:
- Provide at least 30 days' advance notice via email to the address associated with your account.
- Post the updated Privacy Policy on the AyurGate website with a revised "Last updated" date.
- Display a prominent notice within the platform upon your next login following the update.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.
13. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We aim to respond to all privacy-related enquiries within 30 days of receipt.