Privacy Policy – HomeoAxis
This policy governs every part of HomeoAxis.
1. Who We Are
HomeoAxis is a software-as-a-service platform built for homeopathy clinics in India. We provide tools for appointments, patient records, prescriptions, billing, AI assistance, marketing, and integrations with third-party services such as Google, Razorpay, and Shiprocket. This policy explains what data we collect, how we use it, and how we share it with the third-party services listed below.
2. Information We Collect
2.1 Information you provide directly
- Clinic information: clinic name, address, phone, email, working hours, service offerings, branding assets, payment QR codes.
- Staff accounts: name, email, phone, role, password hash.
- Patient information entered by clinic staff: demographics, medical history, case notes, prescriptions, vitals, attachments. The clinic is the data controller for this information; HomeoAxis is the data processor.
- Billing information: invoice line items, payment receipts, wallet transactions.
- Communications: support tickets, contact form submissions, in-app messages.
2.2 Information collected automatically
- Server logs (IP address, user-agent, referrer, request URL, timestamp) for security and rate-limiting.
- Page-view events written to our internal analytics table for clinic-website visitor counts.
- Device tokens for push notifications (Firebase Cloud Messaging).
2.3 Information from third parties
- Google account profile when an admin connects Google My Business or YouTube.
- Payment confirmation webhooks from Razorpay.
- Shipment status updates from Shiprocket / Porter.
3. How We Use Your Information
- To provide and maintain the HomeoAxis service.
- To process payments and deliver medicines.
- To send appointment reminders, follow-up notices, and order updates via email, SMS, WhatsApp, and push notifications.
- To generate AI-assisted suggestions on consultations (anonymised before transmission).
- To diagnose technical issues and prevent abuse.
- To comply with legal obligations.
4. Third-Party Integrations
The following third-party services receive data only when an admin enables the relevant feature, and only to the extent required for that feature to work:
4.1 Google services
Google My Business / Business Profile API. When an admin connects their Google account, HomeoAxis stores an encrypted OAuth refresh token and the IDs of selected business locations. We use the API to read reviews, post replies, list and create posts, set the public booking link, and read business profile data on those locations only.
YouTube Data API v3. When an admin grants YouTube permissions, HomeoAxis stores the same encrypted OAuth refresh token and the IDs of selected channels. We use the API to (a) list the doctor's own channels, (b) fetch videos uploaded to those channels, (c) read comments on those videos, (d) post replies authored by the channel owner, and (e) moderate (hide or reject) inappropriate comments. HomeoAxis does not read, modify, upload, or delete any video content, ratings, captions, or playlists. We do not access channels other than those the admin explicitly selected. Comment text and video metadata are fetched live and not persisted to our database.
Use of the YouTube API by HomeoAxis is subject to the YouTube Terms of Service.
Google OAuth. Used as the authentication mechanism for the integrations above. We request the minimum scopes required for each feature and never sell or share access tokens with anyone.
Users can revoke HomeoAxis's Google access at any time via the Disconnect button inside our dashboard or directly at myaccount.google.com/permissions.
4.2 Firebase Cloud Messaging (Google)
Push notifications for appointments, orders, and lead alerts. Firebase receives a device-specific push token only — no patient data.
4.3 Razorpay
Payment processing for subscriptions and patient invoices. We send invoice amount, currency, and a callback URL; Razorpay handles all card / UPI / netbanking data directly under its own PCI-DSS compliance. We never see or store card numbers.
4.4 Shiprocket and Porter
Medicine delivery shipments. We send delivery name, phone, address, pin code, and parcel weight. The courier returns AWB and tracking URL. No medical or patient-history data is shared.
4.5 Sentry
Error monitoring. Captures stack traces, request URL, browser, and OS. We strip personally-identifiable patient data from error reports before transmission.
4.6 Email and SMS providers (admin-configurable)
Each clinic can plug in its own SMTP and SMS gateway (MSG91, Twilio, etc.). Message content (appointment reminders, OTPs) is transmitted to that provider per the clinic's configuration. The provider's own privacy policy applies.
4.7 Google Analytics / Facebook Pixel (admin-configurable)
If a clinic enables analytics or marketing pixels in their CMS settings, page-view events are sent to those vendors with anonymised IPs.
4.8 AI service (internal)
For doctor-initiated AI features (remedy suggestion, formula discovery, medical certificate drafting, YouTube reply drafting), structured case data is sent to our internal AI processing service. Patient names, identifying numbers, and free-text narrative fields are stripped before transmission. Underlying LLM providers (Gemini, Anthropic, Groq, depending on configuration) receive only the anonymised prompt.
5. Data Sharing
We do not sell, rent, or trade your data. We share data only:
- With the third-party integrations listed in Section 4, only as needed for the feature you enabled.
- With law enforcement when legally compelled by a valid Indian court order or government notice.
- With professional advisors (lawyers, accountants, auditors) under confidentiality.
6. Data Security
- All traffic is encrypted in transit via TLS 1.2+.
- OAuth refresh tokens, payment credentials, and other secrets are encrypted at rest using AES-256-CBC.
- Patient portal authentication uses hashed session tokens (SHA-256), not raw bearer tokens.
- The database is isolated in a private network. Multi-tenant rows are scoped by organisation ID at the query level.
- Annual security review and continuous error monitoring.
7. Data Retention
Patient records and clinical data are retained for as long as the clinic's account is active. On account closure, clinics may export their data for 30 days. After that, data is deleted within 90 days, except where Indian medical-records-retention law mandates a longer period.
8. Your Rights
You may at any time:
- Access, correct, or download your data via the dashboard or by emailing support@homeoaxis.tech.
- Delete your account.
- Disconnect any third-party integration.
- Opt out of marketing communications.
9. Children's Data
HomeoAxis is intended for use by registered medical practitioners, not by children. Clinics may store paediatric patient records as part of normal practice; the parent or legal guardian is responsible for consenting to that storage with the clinic.
10. Cookies
HomeoAxis uses essential cookies for session authentication and CSRF protection. We do not use third-party tracking cookies unless a clinic admin opts into Google Analytics or Facebook Pixel through CMS settings.
11. International Transfers
HomeoAxis's primary servers are in India. Some third-party services (Google, Sentry, Razorpay) may process data in other countries. Those services are individually responsible for international transfer compliance.
12. Changes to This Policy
We will post any changes here and update the effective date. Material changes will be communicated to admin email addresses on file.
13. Contact
For privacy questions or data requests, email support@homeoaxis.tech.
