Privacy PolicyOctor Background LogoOctor Background Logo

Last Updated On: 28/11/25

1. Introduction

1.1 Purpose of This Policy

This Privacy Policy explains how Octor Health Tech Private Limited collects, uses, processes, stores, transfers, shares, protects, and deletes Personal Data and Protected Health Information (PHI) across our digital health services.

1.2 Commitment to Compliance

Octor complies with:

  • Digital Personal Data Protection Act (DPDP), India
  • GDPR (EU)
  • CCPA / CPRA (California)
  • Singapore PDPA
  • UK GDPR
  • HIPAA-aligned safeguards (administrative, technical, physical)

1.3 Services Covered

This Policy applies to:

  • Octor Website (octor.health)
  • Octor Mobile Applications
  • Clinic & Hospital Portal
  • Doctor Dashboard
  • Teleconsultation System
  • APIs, SDKs, Webhooks
  • Device Integrations (Bluetooth, BLE, USB, Wi-Fi)
  • AI-assisted clinical documentation tools

1.4 Acceptance

By accessing or using the Services, you acknowledge and agree to this Privacy Policy.

2. Definitions

2.1 Personal Data

Information that identifies or relates to an individual. Examples:

  • Name, phone number, email
  • Identification numbers
  • IP address, location
  • Device metadata

2.2 Protected Health Information (PHI)

Health-related information that identifies or can identify a patient. Examples:

  • Symptoms, diagnoses, vitals
  • Prescriptions and history
  • Uploaded reports, radiology images
  • Consultation notes and recordings

2.3 Sensitive Personal Data

Includes:

  • Health information
  • Disabilities
  • Sexual life or orientation
  • Biometric identifiers (excluding medical vitals)

2.4 Data Fiduciary / Data Controller

Determines purpose and means of processing. Octor is Controller for:

  • Account information
  • Authentication metadata
  • Support request data
  • Usage analytics

2.5 Data Processor

Processes data on behalf of Controller. Octor is Processor for:

  • PHI from clinics/hospitals
  • Device vitals
  • Reports & clinical documentation
  • Teleconsultation data

2.6 User

Any authorized individual (doctor, staff, administrator, patient).

2.7 Customer

Hospitals, clinics, healthcare networks licensing Octor.

2.8 Sub-Processor

Third parties engaged to process data on behalf of Octor.

2.9 AI Output

Any summary, note, or suggestion generated by Octor’s AI systems.

2.10 Processing

Includes collecting, recording, storing, structuring, retrieving, transmitting, erasing, or destroying data.

3. Scope & Applicability

3.1 Where This Policy Applies

This Policy applies to Personal Data processed:

  • On the Octor platform
  • Through mobile applications
  • During teleconsultations
  • Through BLE/Wi-Fi medical devices
  • Via HIS/EMR integrations
  • Through Octor APIs

3.2 Who This Applies To

  • Doctors
  • Nurses
  • Clinic administrators
  • Patients using teleconsultation
  • Hospital IT teams
  • Sub-processors

3.3 Exceptions

This Policy does not apply to:

  • External third-party websites
  • Clinic/hospital internal systems
  • Third-party HIS/EMR systems

4. Roles & Responsibilities (Controller + Processor)

4.1 Octor as Data Controller

For account-level data, analytics.

4.2 Octor as Data Processor

For PHI controlled by clinics/hospitals.

4.3 Shared Responsibility Model

| Component | Responsibility | |---|---| | PHI accuracy | Clinics/Hospitals | | PHI storage security | Octor | | Device reading accuracy | Device manufacturer | | Consent for teleconsultation | Clinic/Doctor | | AI output verification | Doctor |

4.4 Customer Responsibilities

Healthcare providers must:

  • Ensure legal basis for PHI collection
  • Obtain patient consent
  • Configure role-based access
  • Not misuse or export PHI

5. Categories of Personal Data Processed

5.1 Personal Identification Information

  • Name
  • Email
  • Phone number
  • Credentials
  • Role/Designation

5.2 PHI (Clinical Data)

5.2.1 Vitals

  • Temperature
  • BP
  • Heart rate
  • ECG
  • SpO₂
  • Respiratory rate

5.2.2 Clinical Documentation

  • SOAP notes
  • Differential diagnoses
  • AI-generated summaries
  • Medical impressions

5.2.3 Uploaded Content

  • Prescriptions
  • Lab reports
  • Radiology images
  • PDFs

5.3 Teleconsultation Data

  • Audio/video metadata
  • Chat transcripts
  • Shared files
  • AI-assisted transcription

5.4 Technical & Behavioral Data

  • IP address
  • Browser metadata
  • Device identifiers
  • App analytics
  • Crash logs

6. Lawful Basis for Processing

6.1 Consent

  • Obtained voluntarily
  • Withdrawable anytime
  • Required for teleconsultation recordings

6.2 Contractual Necessity

Required for:

  • Account creation
  • Authentication
  • Device connectivity
  • Teleconsultation
  • Reporting
  • Billing

6.3 Legitimate Interest

Used for:

  • Security and incident detection
  • Fraud prevention
  • Analytics
  • Optimization
  • Load balancing
  • Debugging
  • Feature development

6.4 Legal Obligation

  • Compliance with healthcare laws
  • Responding to authorities
  • Record retention

6.5 Vital Interests

Processing to protect life during emergencies.

6.6 Public Interest / Public Health

Where mandated by law.

7. Methods of Collection

7.1 Data Provided by Users

  • Account creation
  • Patient registration
  • Clinical workflows
  • Uploading PHI

7.2 Automatically Collected Data

  • Device/app diagnostics
  • Cookies
  • Crash logs
  • API call logs
  • Authentication metadata

7.3 Data from Clinics/Hospitals

  • Imported patient records
  • HIS/EMR integration

7.4 Data from Integrated Devices

  • Bluetooth oximeters, BP monitors
  • USB ECG devices
  • WiFi medical equipment

7.5 Data from Third Parties

  • Lab integrations
  • Pharmacy integrations
  • Insurance systems
  • Government health registries

8. How We Use Personal Data

8.1 Clinical Workflow Management

  • OPD management
  • Queues
  • Consultation notes
  • Patient history

8.2 Device-Generated Data Handling

  • Real-time vitals
  • Syncing to medical records
  • Trend analysis

8.3 AI-Assisted Documentation

  • AI summaries, drafts, SOAP notes
  • Must be clinician-reviewed
  • Not a replacement for medical judgment

8.4 Teleconsultation & Remote Care

  • Video/audio
  • Chat
  • Follow-ups
  • Reporting

8.5 Security & Monitoring

  • Unauthorized access detection
  • Audit trails
  • System integrity

8.6 Analytics (Non-identifiable)

  • Usage trends
  • Performance
  • Crash diagnostics

8.7 Compliance & Legal

  • Regulatory responses
  • Audit support
  • Retention logs

9. AI-Generated Outputs & Automated Processing

9.1 AI-Assisted Features

  • Summarization
  • Template suggestions
  • Speech-to-text
  • Vitals interpretation assistance

9.2 Human Review Required

  • AI outputs must be reviewed
  • AI never provides medical advice

9.3 Transparency

Users are informed wherever automation is used.

9.4 No Automated Decision Making

No clinical decisions are made without human oversight.

10. How We Disclose Personal Data

10.1 Clinics & Authorized Staff

PHI is shared only with authorized clinical staff.

10.2 Sub-Processors

Used for:

  • Hosting
  • Email delivery
  • SMS/OTP
  • Monitoring
  • Error logging

10.3 Government Authorities

If required by applicable law.

10.4 Business Transfers

During mergers or acquisitions.

11. International Data Transfers

11.1 Cross-Border Flow

Data may be processed in:

  • India
  • Singapore
  • Japan
  • EU
  • USA (SOC2/HITRUST-compliant)

11.2 Safeguards

  • SCCs
  • DPDP-compliant mechanisms
  • Data minimization

11.3 User Notification

Users may be notified if legally required.

12. Data Security Measures

12.1 Technical Safeguards

  • AES-256 encryption at rest
  • TLS 1.3
  • Tokenization
  • Encrypted backups
  • Key rotation

12.2 Administrative Safeguards

  • Confidentiality agreements
  • RBAC
  • Least privilege
  • Security training

12.3 Physical Safeguards

  • Biometric access
  • Surveillance
  • Redundant environments

12.4 Monitoring

  • IDS
  • Log monitoring
  • API verification

13. Data Retention & Archival

13.1 Retention Policy

Governed by:

  • Controller
  • Local laws

13.2 Log Retention

6–24 months.

13.3 Data Deletion

Upon request or termination.

13.4 Archival Rules

Encrypted archival storage.

14. Your Rights (DPDP, GDPR, CCPA, Global)

14.1 Under DPDP (India)

  • Access
  • Correction
  • Erasure
  • Grievance redressal

14.2 Under GDPR

  • Right to be informed
  • Access
  • Rectification
  • Erasure
  • Restrict processing
  • Portability
  • Object

14.3 Under CCPA

  • Right to know
  • Delete
  • Opt-out
  • Non-discrimination

Requests: support@octor.health

15. Children’s Privacy

15.1 Not designed for direct use by minors.

15.2 Clinics must ensure proper consent for child PHI.

15.3 We do not knowingly collect data directly from minors.

16. Cookies & Tracking Technologies

16.1 Octor uses essential, functional, and performance cookies.

16.2 No advertising cookies.

16.3 Details are in the Cookie Policy.

17. Third-Party Links & Integrations

17.1 External links may be provided.

17.2 Octor is not responsible for external privacy practices.

17.3 Integrations must comply with clinic agreements.

18. Data Breach Response

18.1 Incident Management

  • 24x7 monitoring
  • Risk assessment
  • System isolation

18.2 Notification

We will notify:

  • Clinics/hospitals
  • Authorities (as required)
  • Users (as required)

18.3 Documentation

All breaches are logged.

19. Confidentiality Obligations

19.1 Employees sign confidentiality agreements.

19.2 Access is limited to operational necessity.

20. Data Integrity & Accuracy

20.1 Clinics must ensure PHI accuracy.

20.2 Users may request corrections.

21. Cross-Border Teleconsultation & Regulatory Compliance

21.1 Telemedicine laws vary by region.

21.2 Doctors must ensure compliance.

21.3 Octor acts solely as a technology platform.

22. Responsibilities of Clinics, Hospitals & Practitioners

Clinics must:

  • Obtain consent
  • Configure access roles
  • Validate AI outputs
  • Maintain compliance
  • Avoid unlawful PHI export

23. Sub-Processors & Approved Vendors

23.1 Octor maintains a vetted list.

23.2 Sub-processors must follow Octor-level security.

23.3 Users may be notified when required.

24. Logging, Audit Trails & Monitoring

24.1 Logs maintained for:

  • Authentication
  • Device pairing
  • API usage
  • Data access

24.2 Logs are used for:

  • Security
  • Compliance
  • QA

25. Clinical Device Data Handling

25.1 Device readings transmitted securely.

25.2 Calibration is manufacturer responsibility.

25.3 Octor is not liable for inaccurate readings.

26. Amendments & Updates

26.1 Policy may be updated periodically.

26.2 Material changes will be announced.

All rights reserved.© Octor 2025.