A Note on Healthcare Data
SnehBharat builds software used in hospitals, clinics, diagnostic centres, and patient health record applications. Health data is among the most sensitive personal data that exists. We treat it with clinical-grade seriousness — not just legal compliance. If you have any concern about how we handle your health data, email us directly: legal@snehbharat.com.
Who We Are
Section 01SnehBharat Pvt. Ltd. ("SnehBharat", "we", "us", or "our") is a Healthcare Information Technology company incorporated under the Companies Act, 2013, with its registered office in Kolkata, West Bengal, India.
We develop and operate: Bharat HMS (Hospital Management System), Bharat LMS (Laboratory Management System), SnehBharat Clinic Software, AI Healthcare Clinical Assistant, and the SnehBharat PHR App (Personal Health Records). We also provide digital marketing services, website development, graphic design, and custom healthcare software development exclusively for healthcare organisations.
As a data fiduciary under India's Digital Personal Data Protection Act 2023 (DPDP Act) and an empanelled vendor under India's Ayushman Bharat Digital Mission (ABDM) Health Data Management Policy, we are bound by obligations that go beyond standard commercial data protection requirements.
Data Fiduciary
SnehBharat Pvt. Ltd. acts as the Data Fiduciary for data collected through our websites, software products, and services. For health data shared with our products through the ABDM ecosystem, the National Health Authority (NHA) framework governs consent artefacts and patient rights as defined in the Health Data Management Policy 2020.
Data We Collect
Section 02We collect different categories of data depending on your relationship with us — whether you are a patient using our PHR App, a hospital or clinic using our HMS/LMS, a healthcare professional, or a visitor to our website.
| Data Category | What We Collect | Who It Applies To |
|---|---|---|
| Account & Identity | Name, email address, mobile number, designation, organisation name | All registered users |
| Patient Demographics | Name, date of birth, gender, address, contact number, Aadhaar-linked ABHA ID | Patients registered through HMS, Clinic, or PHR App |
| Health & Clinical Data | Diagnoses, prescriptions, lab results, vital signs, discharge summaries, imaging reports, vaccination records | Patients via HMS, LMS, Clinic, and PHR App |
| ABHA & ABDM Data | ABHA Health ID number, FHIR R4 health records, consent artefacts, Health Locker sync records | PHR App users and ABDM-linked patients |
| Financial & Billing | Invoice amounts, payment method type (not full card details), GST information, insurance claim data | Hospital, clinic, and lab clients (B2B) |
| Technical & Usage | IP address, browser type, device ID, pages visited, feature usage, error logs | All users (website and software) |
| Communication | Emails sent to us, chat messages, support tickets, feedback form submissions | Anyone who contacts us |
| Marketing Consent | Newsletter subscription status, WhatsApp broadcast opt-in, communication preferences | Website visitors, newsletter subscribers |
⚠️ We Do Not Collect
We do not collect: full payment card numbers (handled by Razorpay's PCI-DSS infrastructure), Aadhaar numbers in raw form (only the ABHA ID derived from verified Aadhaar OTP, stored by NHA), biometric data, or any data for the purpose of advertising targeting on third-party platforms. Patient health data is never used to train our AI models.
How We Use Your Data
Section 03We use personal data only for the purposes specified at the time of collection, consistent with reasonable expectations based on your relationship with us.
- ›Service Delivery: To operate, maintain, and improve our HMS, LMS, Clinic Software, AI Clinical Assistant, and PHR App — including processing patient registrations, generating prescriptions, delivering lab reports, and managing appointments.
- ›ABDM Integration: To link ABHA Health IDs, generate FHIR R4 health records, and sync patient data to the NHA Health Locker — strictly under patient consent artefacts issued through the ABDM consent management framework.
- ›Communications: To send appointment reminders, lab report notifications, system alerts, account updates, and (where opted in) healthcare IT insights via email, SMS, and WhatsApp.
- ›Support & Troubleshooting: To diagnose technical issues, respond to support requests, and maintain service quality — including reviewing anonymised error logs.
- ›Billing & Compliance: To issue GST-compliant invoices, process subscription payments through Razorpay, and maintain financial records as required by Indian tax law.
- ›Product Improvement: To understand how our products are used — using aggregated, de-identified analytics — to improve features, design, and clinical workflows. Individual patient data is never used for AI training.
- ›Legal Obligations: To comply with applicable laws, NHA directives, judicial orders, or regulatory investigations where legally required.
✓ Our Core Commitment
We will never sell your personal data, share it with advertisers, or use it for any purpose other than those stated in this policy. SnehBharat's products are not and will never be ad-supported models. Our revenue comes from software subscriptions and professional services — not from your data.
Legal Basis for Processing
Section 04Under India's Digital Personal Data Protection Act 2023, we process personal data on the following legal grounds:
| Processing Activity | Legal Basis |
|---|---|
| Patient registration, EMR creation, prescription processing | Consent + Legitimate use for healthcare services (DPDP Act S.7) |
| ABHA ID linking and ABDM Health Locker sync | Explicit patient consent via ABDM Consent Artefact (NHA HDMP 2020) |
| Software subscription billing and GST invoicing | Contractual necessity + Legal obligation (Income Tax Act, GST Act) |
| System usage analytics for product improvement | Legitimate interest (anonymised & de-identified — no individual profiling) |
| Marketing communications (newsletter, WhatsApp campaigns) | Explicit consent + Opt-in only (DPDP Act S.7 & TRAI) |
| Compliance with NHA ABDM audits or government directives | Legal obligation (DPDP Act S.7(f), ABDM framework) |
For users in the European Economic Area (EEA) or United Kingdom accessing our international services, we rely on equivalent GDPR Article 6 lawful bases: consent, contract performance, legal obligation, and legitimate interest.
How We Share Data
Section 05We do not sell, rent, or trade personal data. We share data only in the limited circumstances described below, and only to the extent necessary for the specified purpose.
| Recipient | What Is Shared | Purpose & Basis |
|---|---|---|
| National Health Authority (NHA) | FHIR R4 health records, ABHA ID data, consent artefacts | ABDM legal mandate — under patient consent |
| AWS India (ap-south-1) | All platform data (encrypted at rest) | Cloud infrastructure — data processor agreement in place |
| Razorpay | Invoice amount, client name, email (no card data) | Payment processing — PCI-DSS certified processor |
| WhatsApp Business (Meta) | Patient mobile number, appointment/report notification text | Patient-consented communication only — opt-in required |
| Hospital / Clinic Clients (B2B) | Patient records within that client's system | Service delivery — data processor relationship, not data sharing |
| Law Enforcement / Courts | As legally required and no more than required | Legal obligation — we notify affected users where legally permitted |
💼 B2B Data Processing
For hospitals, clinics, and labs using our software: patient data entered into our systems belongs to your organisation. We are a data processor acting under your instructions as the data fiduciary. All B2B clients execute a Data Processing Agreement (DPA) as part of their subscription contract, specifying our obligations, retention limits, and sub-processor disclosure.
Health Data & ABDM
Section 06Health data is classified as sensitive personal data under the DPDP Act 2023 and as a special category under the NHA Health Data Management Policy (HDMP) 2020. We apply the highest level of protection to all health-related information processed through our systems.
- ›ABDM Consent-Only Processing: Health records are pushed to or pulled from the ABDM Health Locker only after a valid, time-limited, purpose-specific consent artefact is generated and accepted by the patient.
- ›FHIR R4 Structure: All health records are stored and transmitted as FHIR R4 structured data — DiagnosticReport, MedicationRequest, Encounter, Condition — aligned with NHA's interoperability standards.
- ›Zero AI Training on Patient Data: Patient health data is not used to train, fine-tune, or evaluate our AI Clinical Assistant models.
- ›Revocable Consent: Patients may revoke consent to share their health records at any time from within the SnehBharat PHR App or by contacting our ABDM consent desk. Revocation is processed within 24 hours.
- ›Clinician Access: Health records are accessible only to clinicians with whom the patient has an active treatment relationship and where consent has been granted.
🔬 Laboratory Reports
Laboratory reports generated through SnehBharat LMS are stored encrypted on AWS Mumbai servers. WhatsApp delivery of reports requires explicit patient opt-in at the time of test booking. Reports delivered via WhatsApp are sent as encrypted PDF attachments using the WhatsApp Business API — not in plaintext messages. Report access links expire within 7 days.
Data Storage & Security
Section 07All SnehBharat data is stored exclusively on Amazon Web Services (AWS) servers in the Mumbai (ap-south-1) region — ensuring India data residency compliance. No patient health data is stored outside Indian territorial borders.
- ›Encryption at Rest: All data stored on AWS is encrypted using AES-256 encryption with keys managed through AWS KMS.
- ›Encryption in Transit: All data transmitted between your browser/app and our servers uses TLS 1.3.
- ›Row-Level Security (RLS): PostgreSQL databases implement Row-Level Security policies ensuring logical isolation per tenant.
- ›Role-Based Access Control (RBAC): Staff access is governed by RBAC policies with full audit logging.
- ›VAPT: We conduct VAPT audits by certified security firms before major releases and annually.
- ›Incident Response: We will notify affected individuals and the relevant authority within 72 hours of a confirmed breach.
- ›Backup & Recovery: Data is backed up continuously or daily depending on tier, with tested disaster recovery.
Data Retention Periods
Section 08We retain personal data only for as long as necessary for the purpose it was collected, or as required by applicable Indian law.
| Data Type | Retention Period | Basis |
|---|---|---|
| Patient clinical records (HMS/LMS/Clinic) | Minimum 7 years from last encounter | Medical Council of India guidelines |
| ABHA-linked FHIR R4 records | Lifetime (controlled by NHA Health Locker) | ABDM Health Data Management Policy 2020 |
| PHR App personal health data | Until account deletion request + 30 days | DPDP Act 2023 — right to erasure |
| B2B billing and financial records | 8 years from invoice date | Income Tax Act 1961, GST Act 2017 |
| Website usage logs and analytics | 13 months (rolling) | Legitimate interest — security and performance |
| Support tickets and communications | 3 years from ticket closure | Legitimate interest — service improvement |
| Marketing consent records | Until withdrawal + 1 year | TRAI guidelines, DPDP Act consent records |
When retention periods expire, data is securely deleted using cryptographic erasure for structured database records, and NIST 800-88-compliant deletion for file storage objects.
Your Privacy Rights
Section 09Under India's Digital Personal Data Protection Act 2023, you have the following rights regarding your personal data. We will respond to all valid requests within 30 days.
Right to Access
Request a copy of the personal data we hold about you, including what it is, how it's used, and who we've shared it with.
Right to Correction
Request correction of inaccurate or incomplete personal data. For clinical records, corrections must follow our clinical governance process.
Right to Erasure
Request deletion of your personal data. Health records subject to minimum retention requirements under MCI guidelines cannot be deleted before that period.
Right to Withdraw Consent
Withdraw consent for data processing at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Rights for Nominees
Nominate a person to exercise data rights on your behalf — relevant for elderly users, minors, or those with limited digital literacy.
Right to Grieve
Lodge a complaint with our Data Protection Officer. Unresolved complaints may be escalated to India's Data Protection Board once constituted under the DPDP Act.
How to Exercise Your Rights
Email legal@snehbharat.com with subject line "Privacy Rights Request — [Your Request Type]". Include your name, registered email, and a description of your request. For PHR App users, most rights can be exercised directly within the app under Settings → Privacy → Data Rights.
Children's Privacy
Section 11Our software products are not directed at children under 18 as independent users. However, our HMS, LMS, and Clinic Software process health records of paediatric patients as part of legitimate hospital and clinic operations.
- ›Paediatric health records are processed under the consent and authority of a parent or legal guardian.
- ›ABDM ABHA IDs for children under 18 are created under a parent or guardian's ABHA Health ID as a family member link.
- ›The PHR App's Premium AI Wellness features are not designed for or marketed to users under 18 as independent subscribers.
- ›Under the DPDP Act 2023, processing of children's data requires verifiable parental consent.
International Data Transfers
Section 12Patient health data and personal data of Indian users is stored exclusively on AWS Mumbai (ap-south-1) servers and does not leave Indian territory.
For our international expansion markets (SAARC, MENA, Africa), we deploy region-specific infrastructure to comply with local data residency requirements.
- ›Bangladesh: Client data hosted on AWS Asia-Pacific South region, compliant with Bangladesh Digital Security Act.
- ›UAE: NPHIES-compliant deployments use AWS UAE (me-central-1) region.
- ›GDPR (EEA/UK): We implement Standard Contractual Clauses (SCCs) where required.
Our AI model APIs transmit anonymised, de-identified prompts only. No patient names, ABHA IDs, or personally identifiable health data is included in AI API calls.
Changes to This Policy
Section 13We may update this Privacy Policy periodically to reflect changes in our services, applicable law, or NHA ABDM guidelines. When we make material changes:
- ›We will post the updated policy on this page with a revised Last Updated date.
- ›For material changes affecting health data or patient rights, we will notify registered users via email at least 30 days before the change takes effect.
- ›For B2B clients, material changes will be communicated via the account dashboard and email to the designated administrator.
- ›Continued use after the effective date constitutes acceptance. You may terminate your subscription or delete your account if you do not agree.
Questions About Your Health Data?
Our Privacy Team responds to every query. If you're a patient concerned about your health records, or a hospital administrator with compliance questions — we're here to help.