Privacy Notice

Last updated: 2026-05-11

AyurVista Pte. Ltd. (“AyurVista”) provides clinic management software to Ayurvedic clinics, hospitals, and wellness centres. This Notice explains what personal data we process, why, and your rights.

Clinics using AyurVista are Data Controllers of their patients' data. AyurVista acts as a Data Processor on the clinic's instruction.

Compliance frameworks

AyurVista is built to comply with:

  • Singapore — PDPA (Personal Data Protection Act 2012)
  • India — DPDP (Digital Personal Data Protection Act 2023)
  • Malaysia — PDPA (Personal Data Protection Act 2010)
  • EU — GDPR when a clinic processes EU-resident data

1. What we collect

From clinics (Customers)

  • Account details — name, email, phone, role
  • Clinic details — legal name, address, registration numbers, tax IDs
  • Billing details — invoicing address (we never store card numbers)

From patients (entered by the clinic)

  • Identification — name, date of birth, gender, nationality, ID number (NRIC / Aadhaar / passport — collected with consent)
  • Contact — phone, email, address
  • Health information — symptoms, diagnoses, prescriptions, treatment plans, Ayurvedic prakriti/vikriti, allergies, history
  • Consent records — Casetrust acknowledgements, PDPA/DPDP consent, treatment authorisations, photo consents

Automatically (via the platform)

  • Usage logs — pages visited, actions performed (for audit and support)
  • Device info — browser, OS, IP address (last-octet truncated after 30 days)
  • WhatsApp / email message logs — for delivery confirmation
  • AI call audit — transcript, structured output, tokens used, cost

2. Lawful bases

  • Contract — to provide the Service to the clinic
  • Consent — for any direct marketing or new categories of processing
  • Legal obligation — tax records, medical record retention
  • Vital interests — emergency clinical context

3. Where data is stored

  • Primary region: Singapore (ap-southeast-1) via Supabase / AWS
  • Backups: encrypted, retained for 30 days
  • WhatsApp delivery logs: passed through Meta's Cloud API infrastructure
  • Email delivery: via Brevo (EU) or Resend (EU/US) for transactional mail
  • AI processing: Anthropic Claude (US) — no model training on customer data

4. Sharing

We do not sell personal data. We share only with:

  • Sub-processors who provide infrastructure (database, email, WhatsApp, AI). All sign DPAs with security obligations equivalent to ours.
  • Payment providers when a clinic uses online payments (HitPay, Stripe).
  • Regulators / law enforcement when legally required.

5. Retention

  • Active clinical records: as long as the clinic uses the Service.
  • Closed accounts: 30-day export window, then full deletion (subject to legal retention for invoices/tax records).
  • Audit logs: 12 months.
  • Backups: 30 days rolling.

6. Your rights

Under PDPA / DPDP / GDPR you (or the clinic on behalf of patients) can:

  • Access your personal data
  • Correct inaccurate data
  • Withdraw consent
  • Request deletion (subject to legal retention)
  • Receive a portable copy
  • Object to certain processing
  • Complain to your data protection authority

Patients can submit a data-subject request directly at /privacy/request. Clinics can request platform-level data actions from Settings → Audit & consents.

7. Security

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access control (28 modules × 7 roles, per-user overrides)
  • Audit log of all sensitive actions, immutable
  • 2FA required for platform admin accounts
  • Vulnerability disclosure: security@ayurvista.in

8. AI processing

When AI-assisted features are enabled, prompts and outputs pass through Anthropic's Claude API. Anthropic does not train models on AyurVista customer data per their commercial terms. Each AI call writes an audit row with transcript, structured output, model used, tokens, and cost so the clinic can review.

9. Cookies

We use only essential cookies (authentication session and CSRF). No tracking or third-party advertising cookies.

10. Children

Patient records for minors are accepted only with parental/guardian consent recorded by the clinic.

11. Changes

We will notify clinics by email of material changes at least 30 days in advance.

12. Contact

Data Protection Officer: dpo@ayurvista.in
General: hello@ayurvista.in