Privacy Policy

We collect the minimum information necessary to provide you with safe, effective healthcare services:

• Account Information — name, email address, password (hashed), and role within your clinic.
• Clinical Data — patient demographics, medical history, diagnoses, prescriptions, lab results, and appointment records entered by authorised clinical staff.
• Usage Data — login timestamps, page views, feature interactions, and IP addresses collected for security and audit purposes.
• Billing & Payment — invoice records and subscription data. Payment card details are processed by PCI-DSS-compliant third-party processors and are never stored on our servers.
• Communications — support tickets, emails, and in-app messages you send to us.

Your data is used exclusively for the following purposes:

• Providing, operating, and improving the Medisphere platform.
• Facilitating clinical workflows — appointments, prescriptions, lab requests, and billing.
• Generating de-identified analytics and aggregate statistics (no individual identification).
• Sending security notifications, system alerts, and administrative communications.
• Complying with legal obligations including HIPAA reporting requirements.
• Preventing fraud, abuse, and unauthorised access.

We never sell, rent, or trade your personal or health information to third parties for advertising or marketing purposes.

As a Business Associate under HIPAA, Medisphere maintains comprehensive administrative, physical, and technical safeguards to protect PHI. Our compliance framework includes:

• Signed Business Associate Agreements (BAAs) with all covered entities using our platform.
• Role-based access controls ensuring staff see only the data they are authorised to access.
• Complete audit logging of all access, modifications, and deletions of PHI.
• Automatic session timeouts and multi-factor authentication options.
• Breach notification procedures complying with the HIPAA Breach Notification Rule (within 60 days).

For full HIPAA details, see our HIPAA Compliance page →

We implement industry-leading security measures:

• AES-256 encryption for all data at rest.
• TLS 1.3 for all data in transit between your browser and our servers.
• Database servers that are never exposed to the public internet.
• Regular penetration testing and vulnerability assessments by independent third parties.
• Automated backups with point-in-time recovery capabilities.
• 24/7 intrusion detection and security monitoring.

Depending on your jurisdiction, you have the right to:

• Access — request a copy of all personal data we hold about you.
• Correction — request that inaccurate or incomplete data be corrected.
• Deletion — request erasure of your data (subject to legal retention requirements).
• Portability — receive your data in a machine-readable format.
• Objection — object to certain processing activities.
• Restrict — request limitation of how we process your data.

To exercise any of these rights, contact us at privacy@medisphere.com. We will respond within 30 days.

We retain personal and clinical data for the period required by applicable law and our contractual obligations, typically:

• Clinical records — 7 years from the date of last service (or as required by local regulation).
• Audit logs — 6 years in accordance with HIPAA requirements.
• Account data — retained while your account is active, then 90 days after termination.
• Anonymised analytics — indefinitely (cannot be re-identified).

We use strictly necessary session cookies to maintain your authenticated session and prevent cross-site request forgery (CSRF). We do not use tracking, advertising, or third-party analytics cookies. No third-party scripts track your behaviour on our platform.

We engage a limited number of sub-processors who assist in delivering our services, each bound by appropriate data protection agreements:

• Cloud Infrastructure — servers hosted in SOC 2 Type II certified data centres.
• Payment Processing — PCI-DSS Level 1 certified payment gateway.
• Email Delivery — transactional email provider for system notifications only.

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make material changes, we will notify all account holders by email at least 30 days before the changes take effect. Continued use of Medisphere after that date constitutes acceptance of the updated policy.

If you have questions or concerns about this policy or our data practices: