Privacy Policy

Mediwatch is built for healthcare teams handling sensitive patient data. This policy explains exactly what we collect, why we collect it, and how it is protected — in plain language.

Effective Date: 1 January 2026
Last Updated: 1 June 2026
Applies To: mediwatch.in and all sub-paths

Section 01

Who We Are

Mediwatch is a clinical-grade remote patient monitoring platform operated by Gopinath Sahu, and deployed at mediwatch.in. The platform enables hospitals and clinics across India to track post-surgery patient recovery through structured daily symptom submissions, automated alerts, and WhatsApp-based communication.

For the purposes of this Privacy Policy, "Mediwatch", "we", "us", or "our" refers to the platform and its operator. "You" refers to any individual accessing the platform — whether as a healthcare provider (doctor, nurse, monitor, super admin) or as a patient.

Mediwatch handles clinical health data. We treat it with the same care and confidentiality expected in a hospital environment.

Section 02

Data We Collect

We collect only the data required to operate the monitoring platform. This includes:

  • Patient identifiers: Name, phone number (WhatsApp-linked), disease type, risk category, surgery date, and assigned doctor.
  • Daily health submissions: Symptom responses, numeric scores, uploaded wound or symptom images, and submission timestamps.
  • Computed health data: Disease scores (e.g. BASDAI), alert status (GREEN / YELLOW / RED), and recovery trend data derived from submissions.
  • Staff account data: Name, email address, hashed password, role (doctor / nurse / monitor / super admin), and facility assignment.
  • Communication logs: WhatsApp message delivery statuses and timestamps for reminders, OTPs, and alert notifications.
  • Clinical notes and prescriptions: Text entries created by doctors attached to a patient's monitoring record.
  • System logs: IP addresses, browser type, and request timestamps for security and debugging purposes.

We do not collect payment information, government ID numbers, or any data unrelated to post-surgery monitoring.

Section 03

How We Use Your Data

All data collected by Mediwatch is used exclusively to operate the platform. Specifically:

  • To compute daily health scores and classify patient alert status.
  • To send WhatsApp reminders, OTPs, and escalation alerts to patients, relatives, and healthcare staff.
  • To enable doctors, nurses, and monitors to review patient history, add clinical notes, and acknowledge alerts.
  • To generate trend reports and CSV exports for authorised clinical staff.
  • To authenticate staff logins via JWT-based role access control.
  • To debug platform issues and maintain uptime via system logs.

We do not sell your data. We do not use patient data for advertising, analytics resale, or any commercial purpose beyond operating the platform for its intended clinical use.

Section 04

WhatsApp & Third-Party Services

Mediwatch uses the Meta WhatsApp Business API to deliver messages to patients and staff. Phone numbers are shared with Meta solely for the purpose of message delivery. Meta's own data policies apply to messages passing through their platform.

We also use:

  • Twilio — as an SMS fallback channel when WhatsApp delivery fails. Phone numbers may be shared with Twilio for this purpose.
  • Supabase (PostgreSQL) — as our primary database, hosted in a managed cloud environment. Patient and staff data is stored here.
  • Firebase Cloud Messaging — for in-app push notifications to clinical staff on the dashboard.

Patient WhatsApp messages are delivered via Meta's infrastructure. Mediwatch does not store the content of WhatsApp messages beyond delivery status logs.

We do not integrate with any advertising networks, analytics trackers (such as Google Analytics), or social media platforms.

Section 05

Storage & Security

All data is stored in a PostgreSQL database managed through Supabase, with servers located in the Asia South (India) region. Access to the database is restricted by row-level security policies, environment variables, and role-based access controls.

  • Staff passwords are hashed using industry-standard algorithms and are never stored in plain text.
  • All API communication is secured over HTTPS/TLS.
  • JWT tokens are short-lived and role-scoped — a nurse's token cannot access doctor-only endpoints.
  • Patient images are stored in a private bucket with access controlled per facility.
  • System activity is logged via Winston with configurable retention.

While we take all reasonable technical precautions, no system can guarantee absolute security. We will notify affected facilities promptly in the event of a data breach.

Section 06

Data Retention

Patient monitoring records are retained for a minimum of 3 years from the date the monitoring window closes, to support clinical audit requirements. Facilities may request earlier deletion subject to applicable Indian health data regulations.

Staff account data is retained for as long as the account is active. Inactive accounts are flagged after 12 months and may be deactivated by a super admin.

System logs are retained for up to 90 days and then purged automatically.

Section 07

Your Rights

Whether you are a patient or a staff member, you have the following rights regarding your data held on Mediwatch:

  • Access: Request a copy of the data we hold about you.
  • Correction: Ask us to correct inaccurate personal data.
  • Deletion: Request deletion of your data, subject to clinical retention obligations.
  • Portability: Request an export of your data in a machine-readable format (CSV).
  • Objection: Object to how your data is being used if you believe it is outside the scope of your care.

To exercise any of these rights, contact us at gopinathsahu2003@gmail.com. We will respond within 14 business days.

Section 08

Minors

Mediwatch may be used to monitor post-surgery recovery in patients under the age of 18. In such cases, consent is obtained from a parent or legal guardian during patient registration by the treating doctor or nurse. The guardian's contact details are used for WhatsApp notifications in place of the patient's own number where applicable.

We do not knowingly collect data from minors through self-registration.

Section 09

Policy Changes

We may update this Privacy Policy as the platform evolves. When changes are material, we will update the "Last Updated" date at the top of this page and, where feasible, notify super admins of registered facilities by email.

Continued use of Mediwatch after a policy update constitutes acceptance of the revised terms.

Section 10

Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or your data on Mediwatch, please reach out:

For urgent clinical data concerns — such as a suspected breach affecting active patient records — please email us with the subject line "URGENT: Data Concern" for prioritised handling.