Last updated: 3 May 2026
Medixar is operated by Daiviksoft Technologies Pvt. Ltd. ("Medixar", "we", "us", "our"), a private limited company registered in India. This policy explains what data we collect, how we use it, and the rights you have over it. It applies to medixar.ai, app.medixar.ai, our mobile apps, and any related services.
If you are a patient whose data has been entered into Medixar by a clinic or hospital, that organisation is the data controller of your record — Medixar processes the data on their behalf. Please contact your clinic for access, correction, or deletion of your medical record.
1. Data we collect
From you (the practice / clinician)
- Account details — name, email, phone number, role, organisation name, registration / licence numbers.
- Billing details — GSTIN, PAN, billing address. Card numbers are never stored on our servers; we use Razorpay and Stripe for payment processing.
- Audit metadata — login timestamps, IP addresses, browser fingerprint, actions taken inside the app.
From your patients (entered by you)
- Demographics — name, date of birth, gender, contact, government ID (Aadhaar/PAN/passport when provided).
- Medical record — diagnoses, prescriptions, lab and imaging results, vitals, allergies, immunisations, clinical notes, attached documents.
- Insurance information when provided for billing.
- ABHA health ID where the patient elects to link it.
Automatically
- Standard web logs — IP, user agent, referring URL, request path. Retained for 30 days for security and abuse detection.
- Cookies — only essential cookies for session management. We do not use third-party advertising cookies. See section 6.
2. How we use the data
- To provide, maintain, and improve the Medixar service.
- To authenticate users and protect against unauthorised access.
- To bill you for the service and to handle GST compliance.
- To respond to your support requests.
- To meet legal, regulatory, and contractual obligations.
We do not sell your data. We do not use Protected Health Information (PHI) for advertising, analytics resale, or training third-party AI models. AI features inside Medixar (voice-to-SOAP, ICD coding, predictions) run on infrastructure we control and on the patient's record only.
3. Protected Health Information (PHI)
PHI is treated under stricter rules than other data:
- Stored in tenant-isolated databases protected by PostgreSQL row-level security so one customer's data is never exposed to another.
- Encrypted at rest using AES-256 and in transit using TLS 1.3.
- Access is audited — every read or write of a clinical record is logged with user, tenant, timestamp, and reason. Audit logs are append-only.
- "Break-the-glass" emergency access requires a written justification and triggers a privacy-officer review within 72 hours.
- Backups are encrypted and retained for 35 days, then permanently deleted.
A Business Associate Agreement (BAA) is available on request for customers who require it for HIPAA compliance.
4. Sharing with third parties
We share data only with the sub-processors listed below, and only to the extent necessary to deliver the service:
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Application hosting, encrypted backups | India (Mumbai, ap-south-1) |
| Razorpay | Payment processing (Indian customers) | India |
| Stripe | Payment processing (international customers) | USA / EU |
| Anthropic (Claude API) | AI features — voice-to-SOAP, summarisation, ICD suggestion. Patient identifiers are not sent. | USA |
| Twilio / WhatsApp Business / SendGrid | Notifications and reminders | USA / India |
| PostHog | Product analytics. PHI is never used as event properties. | EU |
We disclose data to government or law-enforcement authorities only when compelled by valid legal process, and we notify the affected customer unless the legal process forbids it.
5. Data residency & transfers
Customer data and PHI for Indian customers is hosted in AWS Mumbai (ap-south-1). Some sub-processors (Anthropic for AI inference, Stripe for international payments, PostHog for analytics) operate from outside India; where transfer is necessary, it is governed by Standard Contractual Clauses or equivalent safeguards. PHI sent to AI sub-processors is processed transiently and is not used to train their models.
6. Cookies
We use a small set of essential cookies — session token, CSRF token, language preference. We do not place advertising
or cross-site tracking cookies. If you visit pages on medixar.ai we use first-party privacy-respecting
analytics to understand which pages are read; you can opt out via your browser's "Do Not Track" setting.
7. Your rights
Depending on the law that applies to you:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to fix inaccurate or incomplete data.
- Erasure — request deletion (subject to legal record-retention requirements that apply to medical records).
- Portability — export your data in a machine-readable format.
- Withdraw consent — at any time where processing relies on consent.
- Lodge a complaint — with the relevant supervisory authority (Data Protection Board of India under DPDPA 2023, your country's data protection authority, or HHS OCR for HIPAA matters).
To exercise any of these rights, email privacy@medixar.ai. We respond within 30 days. Patients should contact their treating clinic directly — the clinic is the controller of the medical record.
8. Retention
- Account data — kept for the life of the account plus 90 days after closure.
- Medical records — retained as required by Indian medical-records law (typically 3 years for OPD, 10 years for IPD, longer for medico-legal cases). Customers can configure retention per record class within those minimums.
- Audit logs — 7 years (compliance requirement).
- Web access logs — 30 days.
9. Security
Detailed security architecture lives on our security page. In short: tenant isolation via PostgreSQL row-level security, AES-256 at rest, TLS 1.3 in transit, MFA-eligible accounts, BCMA + double-checks on high-risk medication actions, immutable audit logs, daily encrypted backups, and an incident-response plan with 72-hour notification.
10. Children's data
Medixar is used by clinicians who treat patients of all ages, including minors. The clinic, as data controller, is responsible for parental consent under Indian law (DPDPA 2023, §9). We do not knowingly market the service to children directly.
11. Changes to this policy
We will post material changes on this page and notify active customers by email at least 30 days before they take effect. Minor edits (typos, clarifications) take effect immediately and are reflected in the "Last updated" date above.
12. Contact
Privacy / data protection: privacy@medixar.ai
General: hello@medixar.ai
Postal: Daiviksoft Technologies Pvt. Ltd., Kochi, Kerala, India.
We are committed to compliance with HIPAA (Health Insurance Portability and Accountability Act, USA), the Information Technology Act 2000 and SPDI Rules 2011 (India), and the Digital Personal Data Protection Act 2023 (India).