Privacy Policy

We are committed to protecting personal data handled through our platform. This policy explains what data we collect, why, and how we safeguard it — in compliance with DPDPA 2023, IT Act 2000, IT (SPDI) Rules 2011, ABDM Health Data Management Policy, and MoHFW EHR Standards.

Effective date: 1 April 2025  ·  Last updated: 14 April 2026

1. Introduction

HealixPlus (“we”, “our”, or “HealixPlus”) operates the HealixPlus Portal, a Hospital Management System (HMS) designed for clinics, hospitals, and healthcare chains in India. This Privacy Policy describes how we collect, use, store, disclose, and protect personal data in connection with our website (healixplus.in) and our software platform.

This policy applies to all visitors to our marketing website, prospective customers who submit enquiry forms, and healthcare facilities (“Clients”) that subscribe to the HealixPlus Portal. It should be read together with any Data Processing Agreement (DPA) executed with Client organisations.

By accessing our website or using our platform, you acknowledge that you have read and understood this Privacy Policy.

2. Who We Are

For the purposes of the Digital Personal Data Protection Act, 2023 (“DPDPA 2023”) and the Information Technology Act, 2000 (“IT Act”):

  • Data Fiduciary: HealixPlus acts as a Data Fiduciary in relation to personal data of website visitors, demo enquiry contacts, and platform users (hospital staff, administrators).
  • Data Processor: HealixPlus acts as a Data Processor in relation to patient health data that Client healthcare facilities enter into the platform. In this capacity, we process patient data solely on behalf of and under the instructions of our Client (who is the Data Fiduciary for their patients).
  • Body Corporate (IT Act / SPDI Rules): HealixPlus is a body corporate as defined under the Information Technology Act, 2000 and is subject to the obligations prescribed under the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).

Registered address: HealixPlus Solutions, Noida, Uttar Pradesh, India.
Contact: healixplussolutions@gmail.com

3. Data We Collect

Patient health data — including diagnoses, prescriptions, lab results, and clinical notes — constitutes Sensitive Personal Data or Information (SPDI) as defined under Rule 3 of the IT (SPDI) Rules, 2011. Such data is collected and processed only with appropriate consent and under strict security controls in accordance with Rule 5 and Rule 8 of the SPDI Rules.

3.1 Website Visitors & Enquiries

When you visit our marketing website or submit a contact or demo-request form, we may collect:

  • Name and job title
  • Email address and phone number
  • Name and size of your healthcare organisation
  • Technical data: IP address, browser type, pages visited, and referral source (via cookies and server logs)

3.2 Platform Users (Hospital Staff)

For staff accounts created within the HealixPlus Portal, we collect:

  • Full name, employee ID, and designation / role
  • Work email address and phone number
  • Login credentials (passwords stored as bcrypt hashes)
  • Audit-log data: timestamps, IP addresses, and actions performed within the platform

3.3 Patient Data (Processed on Behalf of Clients)

When Clients use the platform, they may enter patient data including (but not limited to):

  • Identifiers: patient name, date of birth, gender, contact number, address, ABHA number (Ayushman Bharat Health Account)
  • Clinical records: chief complaints, diagnoses (ICD-10/11), prescriptions, vital signs, EMR/SOAP notes
  • Lab results, radiology reports, and investigation orders
  • Billing and insurance information
  • Consent records (DPDPA 2023 and ABDM PHR consent artefacts)

This data is processed solely as instructed by the Client and only to the extent necessary to provide the contracted services. The collection of SPDI from patients requires prior written consent as mandated by Rule 5 of the SPDI Rules, which is the responsibility of the Client as Data Fiduciary.

4. How We Use Data

We use the data we collect for the following purposes:

  Purpose                                                                | Lawful basis (DPDPA 2023)
  -----------------------------------------------------------------------|-------------------------------------
  Respond to demo requests and sales enquiries                           | Consent / Legitimate use
  Create and manage platform user accounts                               | Contract performance
  Provide and operate the HealixPlus Portal for Client facilities        | Contract performance
  Maintain audit logs for regulatory compliance and security             | Legal obligation / Legitimate use
  Send product updates, security notices, and invoices                   | Contract performance / Legitimate use
  Improve platform performance and fix issues                            | Legitimate use
  Comply with legal and regulatory obligations                           | Legal obligation
  Exchange health data via the ABDM Health Information Exchange (HIE)    | Consent (PHR consent artefact)
  at Client or patient direction                                         |

4.1 Certain Legitimate Uses (DPDPA 2023, Section 7)

Section 7 of DPDPA 2023 (titled "Certain legitimate uses"; the "deemed consent" wording belonged to the earlier draft Bill and is not in the enacted Act) permits processing of personal data without separate consent in limited circumstances. Under this section, patient or staff data may be processed without fresh consent where processing is necessary:

  • For the performance of a function of the State under law, or for compliance with a law, judgment, decree or order of a court or other authority;
  • To respond to a medical emergency threatening the life or immediate safety of a patient or another individual;
  • To provide medical treatment or health services during an epidemic, disease outbreak, or similar threat to public health;
  • For purposes of employment, including safeguarding the employer from loss or liability, to the extent such processing is reasonably expected by the employee.

In all such cases, processing is limited to the minimum data necessary for the specific purpose, and it does not extend to any purpose outside the one that justified it.

We do not use patient health data for any marketing, advertising, analytics, or product-improvement purposes without explicit written authorisation from the Client.

5. Data Sharing

We do not sell personal data. We share data only in the following limited circumstances:

  • Sub-processors: Third-party vendors (cloud hosting, email delivery) who process data on our behalf under written contracts and confidentiality agreements imposing obligations no less protective than those in this policy. Sub-processors process data only within India unless a different location is separately agreed in writing with the Client.
  • ABDM / HIE: Where the Client or patient has given a valid ABDM PHR consent artefact, health data may be shared with other ABDM-compliant Health Repository Providers or Health Information Users through the ABDM Health Information Exchange, to the extent permitted by that artefact.
  • Client healthcare facilities: Patient data is accessible to and controlled by the Client that created it. HealixPlus does not share one Client’s data with another.
  • Legal obligations: We may disclose data where required by Indian law, court order, or lawful request from a competent authority.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to a successor entity bound by protection obligations equivalent to those in this policy.

6. Data Security

As a body corporate handling SPDI, HealixPlus implements technical and organisational security measures aligned with IS/ISO/IEC 27001 (the standard named in Rule 8 of the SPDI Rules as a reasonable security practice), proportionate to the sensitivity of healthcare data:

  • Encryption: Data is encrypted in transit (TLS 1.2 or later) and at rest.
  • Authentication: Short-lived JWT session tokens; passwords are stored only as bcrypt hashes with a cost factor of 12 (2^12 key-expansion rounds).
  • Role-based access control: Six distinct roles (Admin, Doctor, Nurse, Lab, Pharmacist, Receptionist), each limited to the data and actions relevant to its function.
  • Audit logging: Every data access and modification event is logged with timestamp, user identity, and action, providing the audit trail required by MoHFW EHR Standards 2016.
  • Infrastructure isolation: Each Client organisation’s data is stored in a separate database schema, preventing cross-tenant data leakage.
  • Data localisation: All personal data and patient health records are stored on servers located within India. Cross-border transfer of personal data is not undertaken without a lawful basis under DPDPA 2023 §16 and prior written agreement with the Client.
  • ABDM compliance: The platform is designed to comply with the Ayushman Bharat Digital Mission (ABDM) Health Data Management Policy (HDMP) and applicable Health Repository Provider (HRP) obligations, including ABHA number handling and PHR consent artefact management.
  • Vulnerability management: Regular security reviews and dependency updates.
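To make the authentication, role and audit controls above concrete, the following is an added illustration written for this page; it is not HealixPlus code and does not describe how the HealixPlus Portal is actually built. It issues a short-lived HS256 JWT carrying the user, role and tenant, verifies it (rejecting any algorithm other than HS256, a bad signature, or an expired token), checks the requested permission against an assumed permission map for the six roles named above, refuses access across tenants, and records every decision in an in-memory stand-in for the audit log. The signing secret, the permission map and the sample identifiers are all assumptions; password hashing with bcrypt is outside this block because it needs a third-party library.

```python
"""Added example (not HealixPlus code): short-lived HS256 JWT session tokens,
role-based and tenant-scoped authorisation, and an audit record per decision.
Standard library only; secret, role map and sample identifiers are assumed."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical signing secret; a real deployment loads this from a secrets store.
SECRET = b"example-signing-key-do-not-use-in-production"

# Assumed permission map for the six roles listed in the policy.
ROLE_PERMISSIONS = {
    "Admin":        {"users:manage", "audit:read"},
    "Doctor":       {"emr:read", "emr:write", "prescription:write", "lab:read"},
    "Nurse":        {"emr:read", "vitals:write"},
    "Lab":          {"lab:read", "lab:write"},
    "Pharmacist":   {"prescription:read", "dispense:write"},
    "Receptionist": {"patient:register", "billing:write"},
}

AUDIT_LOG = []  # in-memory stand-in for an append-only audit store


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, role: str, tenant: str, ttl_seconds: int = 900, now=None) -> str:
    """Issue a JWT that expires after ttl_seconds (default 15 minutes)."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "role": role, "tenant": tenant,
               "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Return the claims if the token is well-formed, HS256-signed by us and unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # blocks alg=none and algorithm-confusion tokens
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise PermissionError("token expired or missing exp")
    return claims


def authorize(token: str, permission: str, record_tenant: str, now=None) -> bool:
    """RBAC plus tenant check; every decision, allowed or not, is audited."""
    ts = int(time.time()) if now is None else now
    try:
        claims = verify_token(token, now=now)
    except PermissionError as exc:
        AUDIT_LOG.append({"ts": ts, "user": None, "action": permission,
                          "tenant": record_tenant, "allowed": False, "reason": str(exc)})
        return False
    role_perms = ROLE_PERMISSIONS.get(claims.get("role"), set())
    allowed = permission in role_perms and claims.get("tenant") == record_tenant
    AUDIT_LOG.append({"ts": ts, "user": claims.get("sub"), "role": claims.get("role"),
                      "action": permission, "tenant": record_tenant, "allowed": allowed})
    return allowed


if __name__ == "__main__":
    t0 = int(time.time())
    tok = issue_token("doc42", "Doctor", "clinic-a", now=t0)  # constructed sample identifiers
    print("doctor writes EMR in own tenant:", authorize(tok, "emr:write", "clinic-a", now=t0 + 60))
    print("doctor reads audit log:", authorize(tok, "audit:read", "clinic-a", now=t0 + 60))
    print("doctor reaches other tenant:", authorize(tok, "emr:write", "clinic-b", now=t0 + 60))
    print("same token after expiry:", authorize(tok, "emr:write", "clinic-a", now=t0 + 901))
    for entry in AUDIT_LOG:
        print(entry)
```

The `now` parameter exists so the expiry behaviour can be exercised deterministically; production code would simply use the clock. Note that the check is fail-closed: any failure to verify the token is logged with the reason and denied, and the role lookup defaults to an empty permission set so an unknown role grants nothing.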

Despite these measures, no system is completely secure. If you believe a security incident has occurred, please notify us immediately at healixplussolutions@gmail.com.

7. Breach Notification

In the event of a personal data breach, HealixPlus will act in accordance with DPDPA 2023 §8(6) and the IT Act 2000:

  • Notification to the Data Protection Board: We will notify the Data Protection Board of India of any personal data breach without undue delay and in the manner prescribed by the Board once operational. Until the Board is constituted and prescribes a form, we will document all breaches internally and take all reasonable steps to contain and remediate them.
  • Notification to affected Data Principals: Where a breach is likely to result in harm to affected individuals, we will notify those individuals in the form and manner specified by the Board, or — pending such specification — by direct email to the affected parties as soon as practicable.
  • Notification to Clients: Where a breach involves patient data processed on behalf of a Client, we will notify that Client without undue delay so that the Client, as Data Fiduciary, can fulfil its own notification obligations.
  • Breach record: We maintain an internal register of all personal data breaches regardless of severity, including the facts, effects, and remedial actions taken.

If you discover or suspect a security vulnerability or data breach, please report it immediately to healixplussolutions@gmail.com.

8. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law:

  • Website enquiry data: Retained for up to 24 months from the date of enquiry, or until you request deletion.
  • Platform user account data: Retained for the duration of the subscription and for up to 12 months after account termination (for audit and dispute-resolution purposes).
  • Patient health records: Retained for the period specified in the Client’s agreement and in accordance with MoHFW guidelines (minimum 5 years for medical records, consistent with MoHFW EHR Standards 2016). On contract termination, data is exported to the Client and securely deleted within 90 days.
  • Audit logs: Retained for a minimum of 5 years, a period we have adopted to match the medical-record retention above and to support audits and investigations under the IT Act and DPDPA 2023.

9. Your Rights Under DPDPA 2023

Under the Digital Personal Data Protection Act, 2023, Data Principals (individuals whose personal data we process) have the following rights:

  • Right to information (§11): Know what personal data we hold about you, how it is processed, and with whom it has been shared.
  • Right to correction and erasure (§12): Request correction of inaccurate or incomplete data, or erasure of data that is no longer necessary for the purpose or for which consent has been withdrawn.
  • Right to grievance redressal (§13): File a complaint with our Grievance Officer (see Section 13).
  • Right to nominate (§14): Nominate another individual to exercise your rights on your behalf in the event of death or incapacity.

9.1 Withdrawing Consent

Under DPDPA 2023 §6(4), you have the right to withdraw consent at any time. Withdrawing consent must be as easy as giving it. To withdraw consent:

  • Website visitors / enquiry contacts: Send an email to healixplussolutions@gmail.com with the subject line “Withdraw Consent” and your name and contact details. We will process your request within 7 business days.
  • Platform users: Contact your organisation's administrator or email us at the address above. Where withdrawal of consent conflicts with a legal obligation or contractual necessity (e.g., audit log retention), we will inform you of this limitation.
  • Patients: Contact your healthcare provider directly. As Data Processor for patient data, HealixPlus will act on verified withdrawal requests received from the responsible Client.

Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal, and may mean we are unable to continue providing certain services.

9.2 How to Exercise Your Rights

For platform users and website enquiry contacts: Submit your request to healixplussolutions@gmail.com. We will respond within 30 days.

For patients whose data is managed by a hospital: Please contact your healthcare provider directly. HealixPlus processes patient data solely under Client instructions and will act on verified requests from the responsible Client.

Escalation: If you are not satisfied with our response, you may escalate to the Data Protection Board of India once it is established under DPDPA 2023.

10. Cookies

Our marketing website uses minimal, strictly necessary cookies to ensure basic site functionality (e.g., form session handling). We do not use third-party tracking or advertising cookies.

We may use anonymised analytics to understand how visitors use our website (e.g., page views, referral sources). This data is aggregated and cannot be used to identify individuals.

You can manage cookie preferences through your browser settings. Disabling cookies may affect the functionality of certain features on our site.

11. Children's Privacy

Our platform is designed for use by healthcare professionals and administrative staff. We do not knowingly collect personal data directly from individuals under 18 years of age through our website or sales channels.

In the context of patient records, minors’ health data may be entered into the platform by healthcare providers (our Clients) as part of delivering clinical care. Under DPDPA 2023 §9, processing of personal data of a child requires verifiable consent from a parent or lawful guardian. It is the Client’s responsibility as Data Fiduciary to:

  • Obtain verifiable consent from a parent or lawful guardian before entering or processing any personal data of a patient who is a minor (under 18 years of age);
  • Maintain records of such consent and make them available to HealixPlus upon request;
  • Ensure that no tracking, profiling, or targeted advertising is directed at minors through the platform.

HealixPlus does not use minor patients’ health data for behavioural monitoring, profiling, or any purpose beyond delivering the contracted clinical management services. This data is handled with the same security controls and access restrictions as all other SPDI.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify active Clients of material changes by email at least 14 days before the changes take effect.

The “Last updated” date at the top of this page reflects the most recent revision. Continued use of our website or platform after the effective date constitutes acceptance of the updated policy.

13. Grievance Officer

In accordance with the Information Technology Act, 2000, the IT (SPDI) Rules 2011, and DPDPA 2023, HealixPlus has appointed a Grievance Officer to address concerns related to the processing of personal data. Complaints will be acknowledged within 7 days and resolved within 30 days of receipt, within the one-month limit set by Rule 5(9) of the SPDI Rules.

Grievance Officer — HealixPlus

HealixPlus Solutions, Noida, Uttar Pradesh, India

If you are not satisfied with the resolution, you may escalate to the Data Protection Board of India once it is established under DPDPA 2023.

Questions about data privacy?

Our team is happy to walk you through how HealixPlus handles data for your organisation.