Techbus Private Limited ("Medbus", "we", "us", "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, store, share, and protect information when you use the Medbus clinic management software platform ("Platform") and the Medbus website at medbus.in ("Website").
This policy applies to clinic owners, administrators, healthcare professionals, staff, and any individual who visits our Website or uses our Platform. By using either the Website or Platform, you consent to the practices described in this policy.
1. Information We Collect
1.1 Information You Provide
- Account Information: Name, email address, phone number, clinic name, address, and professional registration details when you register for Medbus.
- Clinic Data: Patient records, appointment details, medical history, diagnoses, prescriptions, billing information, and clinical notes entered into the Platform.
- Payment Information: Billing address and payment card details (processed securely through PCI-DSS certified payment gateways; Medbus does not store raw card numbers).
- Website Enquiry Data: Name, email, phone number, and message submitted through contact forms, demo request forms, and newsletter subscriptions on the Website.
- Support Communications: Records of communications with our support team.
1.2 Information Collected Automatically
- Device & Browser Information: IP address, browser type, operating system, device identifiers.
- Usage Data: Pages visited, features used, session duration, click paths, and error logs.
- Cookies & Tracking: Session cookies, persistent cookies, and analytics pixels. See Section 8 for details.
2. How We Use Your Information
2.1 Platform Data (Clinic Data)
- To provide, operate, maintain, and improve the Medbus Platform.
- To enable features such as appointment scheduling, EHR management, billing, and teleconsultation.
- To send system notifications, appointment reminders, and service communications.
- To provide technical support and resolve issues.
- To comply with legal obligations including court orders or regulatory requirements.
2.2 Website Enquiry Data
- To respond to your enquiry and provide information about Medbus products and services.
- To send you relevant marketing communications (you may unsubscribe at any time).
- For targeted advertising on platforms including Facebook (Meta) and Google — see Section 5 for details.
3. Data Sharing — Medbus Platform (Clinic Data)
🔒 Your Clinic Data is yours. We do not sell it. We do not share it.
Patient records, clinical notes, appointment data, prescriptions, billing information, and all other data stored within the Medbus application platform are never shared with, sold to, or disclosed to any third party for commercial purposes, advertising, or any purpose other than delivering the Platform services to you.
Clinic Data is shared only in these strictly limited circumstances:
- Your explicit instruction: When you initiate integrations (e.g., Razorpay for payments, Zoom for teleconsultation), only the minimum data necessary for that integration is shared with the relevant provider.
- Legal obligation: When required by a valid court order, law enforcement request, or applicable regulation.
- Infrastructure providers: Our hosting and cloud infrastructure providers (subject to strict data processing agreements) who process data solely to run our servers.
- Business transfers: In the event of a merger or acquisition, Clinic Data will remain subject to this Privacy Policy and users will be notified.
Medbus does not use Clinic Data for any advertising, marketing, or analytical purposes beyond what is necessary to operate the Platform.
4. Data Sharing — Website Enquiry Data
📢 Important notice regarding website marketing activities:
Information you submit through enquiry forms, demo booking forms, contact forms, and newsletter sign-ups on the Medbus website (medbus.in) is collected for marketing purposes and may be shared with third-party advertising platforms, specifically:
- Facebook / Meta: Enquiry data (name, email, phone) may be uploaded to Facebook Custom Audiences to show targeted advertisements to you and similar users on Facebook and Instagram. This is governed by Meta's Privacy Policy.
- Google Ads: Enquiry data may be shared with Google Customer Match to display relevant ads across Google Search, YouTube, and the Google Display Network. This is governed by Google's Privacy Policy.
- Email Marketing Platforms: Your email address may be added to our email marketing list managed through platforms like Brevo or Mailchimp.
This sharing applies exclusively to data collected on the Medbus marketing website. It does NOT apply to any data within the Medbus clinic management application.
You may opt out of this marketing data sharing at any time by:
5. Data Security
Medbus implements comprehensive technical and organisational security measures to protect your data:
- Encryption: All Clinic Data is encrypted at rest (AES-256) and in transit (TLS 1.2/1.3).
- Access Controls: Role-based access control (RBAC) ensures that users can only access data they are authorised to view.
- Audit Trails: Every action on the Platform is logged with timestamps and user attribution for complete accountability.
- Two-Factor Authentication: Available for all accounts; strongly recommended for administrators.
- Regular Security Audits: We conduct penetration testing and vulnerability assessments regularly.
- Data Backups: Automated daily backups with geographically distributed storage.
- Secure Development: Our development practices follow OWASP security guidelines.
Security Risks & User Responsibility
⚠️ Despite our robust security measures, certain data security risks are outside Medbus's control. You acknowledge and accept that:
- If you share your login credentials, password, or OTP codes with any unauthorised person — whether a family member, colleague, vendor, or any other party — Medbus is not responsible for any resulting data breach or unauthorised access.
- If you fail to log out of active sessions on shared or public devices, Medbus is not responsible for subsequent unauthorised access.
- If you connect unapproved or malicious third-party applications to your Medbus account, Medbus is not responsible for data exposed through those applications.
- If an employee or former employee with legitimate credentials accesses data after their access should have been revoked, Medbus is not responsible for delays in your revoking access.
- If you fall victim to phishing or social engineering attacks that result in credential theft, Medbus is not responsible for the resulting breach.
- If devices used to access Medbus are compromised by malware, keyloggers, or other threats, Medbus is not responsible for data accessed through those compromised devices.
No security system is impenetrable. While Medbus maintains the highest industry standards, we cannot guarantee that determined attackers will never successfully breach our systems. We commit to detecting, responding to, and communicating any breach that originates from within our infrastructure.
6. Data Retention
- Active Accounts: Clinic Data is retained for the duration of your active subscription.
- Post-Termination: After subscription termination, Clinic Data is retained for 30 days to allow data export. After 30 days, data is permanently and securely deleted from all systems.
- Website Enquiry Data: Retained for up to 2 years for marketing purposes, unless you opt out earlier.
- Audit Logs: System activity logs are retained for 1 year for security and compliance purposes.
- Legal Hold: If required by law, data may be retained beyond standard retention periods.
7. Your Rights
Depending on your jurisdiction and applicable law (including India's DPDP Act 2023), you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data, subject to legal retention obligations.
- Portability: Request your Clinic Data in a machine-readable format.
- Objection: Object to processing of your data for marketing purposes.
- Withdrawal of Consent: Withdraw consent for marketing communications at any time.
To exercise any of these rights, contact us at admin@techbus.org. We will respond within 30 days.
8. Cookies & Tracking Technologies
- Essential Cookies: Required for the Platform to function (session management, authentication). Cannot be disabled.
- Analytics Cookies: We use Google Analytics to understand how visitors use our Website. This data is anonymised and aggregated.
- Marketing Cookies: We use Facebook Pixel and Google Tag Manager on our Website to measure the effectiveness of our advertising campaigns.
- You can control non-essential cookies through your browser settings. Disabling cookies may affect certain Website functionality.
9. Children's Privacy
The Medbus Platform is designed for use by healthcare professionals and clinic operators. We do not knowingly collect personal data directly from children under 18. Patient data relating to minors that is entered into the Platform by healthcare professionals is processed as Clinic Data under the control of the healthcare provider.
10. International Data Transfers
Medbus primarily stores and processes data on servers located in India. If data is transferred internationally (e.g., through third-party integrations), such transfers are conducted under appropriate safeguards including standard contractual clauses or equivalent data transfer mechanisms.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email and an in-app notice at least 14 days before the changes take effect. The "Last Updated" date at the top of this page reflects the most recent revision.
