Privacy Policy

Last updated: 16 June 2026

This document is a template and does not constitute legal advice. Please consult a qualified lawyer before launch.

ClinicPylot ("ClinicPylot", "we", "us") provides a follow-through and patient-communication service for dental clinics in India. This policy explains what personal data we handle, why, and the rights available to individuals under the Digital Personal Data Protection Act, 2023 (the "DPDP Act").

1. Roles under the DPDP Act

The dental clinic that uses ClinicPylot is the Data Fiduciary for its patients' personal data and decides the purposes for which that data is processed. ClinicPylot acts as a Data Processor on the clinic's behalf. Patients and clinic staff whose data is processed are Data Principals.

2. Data we process

• Patient data: name, mobile phone number, and appointment / treatment-plan logistics (scheduling, recalls, follow-ups). We do not store clinical notes, diagnoses, or images, and we do not send any clinical information over WhatsApp.
• Clinic account data: staff name, work email, login credentials managed by our authentication provider.
• Usage & billing data: log data and payment records (processed by Razorpay; we do not store full card details).

3. Consent & lawful purpose

Clinics are responsible for obtaining lawful consent from their patients before adding them to ClinicPylot and for ensuring messages are for the legitimate purpose of appointment and treatment follow-through. We process personal data only on documented instructions from the clinic and only for those purposes.

4. Where your data is stored (data residency)

Personal data is hosted in India in the AWS Asia Pacific (Mumbai) ap-south-1 region via Supabase (PostgreSQL with row-level security). WhatsApp messaging is delivered through the official Meta WhatsApp Cloud API; message content is limited to appointment logistics.

5. Sub-processors

• Supabase — database, authentication, storage (ap-south-1).
• Meta Platforms — WhatsApp Cloud API message delivery.
• Razorpay — payments and subscription billing.
• Hosting / infrastructure providers (Vercel, Railway).

6. Retention

We retain personal data for as long as the clinic's account is active and for a reasonable period thereafter to meet legal, tax, and accounting obligations, after which it is deleted or anonymised.

7. Your rights as a Data Principal

Subject to the DPDP Act, you may request access to, correction of, or erasure of your personal data, withdraw consent, and nominate another individual to exercise your rights. Patient requests are usually handled by the clinic that holds your data; we will assist the clinic in fulfilling valid requests.

8. Security

We use tenant isolation (every record is scoped to a clinic), row-level security, encryption in transit, and access controls to protect personal data. No system is perfectly secure, but we take reasonable safeguards appropriate to the sensitivity of the data.

9. Grievance Officer

For any privacy questions, requests, or complaints, contact our Grievance Officer:
sawhneyarnav87@gmail.com

10. Changes

We may update this policy from time to time. Material changes will be communicated to clinic account holders.

Template only — not legal advice. Consult a lawyer before launch.