Privacy Policy

1. Personal Data We Collect

• Practitioner Account Information: When a healthcare practitioner registers to use MediSolo, we collect basic personal information such as name, contact details (email, phone number), and login credentials. This is used to create and manage the user’s account. We will not collect any information from you that you do not knowingly and explicitly provide.
• Patient Health Records: Practitioners may input their patients’ health information (e.g. medical history, diagnoses, prescriptions) into MediSolo. MediSolo does not actively collect this data; it is provided and controlled by the practitioner. Each practitioner’s data is stored in an encrypted, isolated database unique to them, ensuring that one practitioner cannot access another’s records. We treat all patient health information as “sensitive personal data” requiring enhanced protection under Sri Lankan law. MediSolo personnel do not access patient records except as strictly necessary to maintain the service or if required by law.
• Usage Data: We may automatically collect technical data when you use the Platform, such as IP address, device type, browser, and usage logs (e.g. login times, features used). This data helps us monitor system performance and security. Any analytics we perform use aggregated or anonymized data that does not identify individuals. For example, we might track overall usage statistics to improve features, but we do not profile individual patients or share their health data for analytics or marketing.
• Support Communications: If you contact us for support or feedback, we will collect the information you choose to give us (such as your email and details of the inquiry). This information will be used only to assist you and improve our services.
• We do not use cookies or third-party tracking for advertising. If our website uses any cookies, it is only for essential functions like maintaining your session (login state). We do not collect any financial information or payment details through the Platform at this time (if in the future we do, such data will be handled with strict security and not stored on our servers after processing).

2. Use of Personal Data

We use the collected data solely to provide and enhance the MediSolo service in accordance with this Policy and applicable law. Specifically:

• Providing the Service: Practitioner account data is used to authenticate users and allow access to the Platform. Patient health data entered by practitioners is stored and organized to enable the practitioner to manage records and prescriptions for patient care. We process that data only on the practitioner’s instructions as needed to deliver the service (acting as a data processor on their behalf).
• Maintenance and Security: Technical and usage data are used to monitor system health, perform troubleshooting, and protect against fraudulent or unauthorized activity. For instance, we may use log information to detect suspicious login attempts and keep the Platform secure. We have taken reasonable steps to ensure the information on the Platform remains authentic and secure.
• Communication: We use contact information to send important notices about the service (for example, updates to terms or privacy policy, security alerts, or service downtime notices). We may also respond to support requests using your contact details. We do not send promotional emails unrelated to the service without your consent.
• Legal Compliance: If necessary, we will use and disclose information to comply with legal obligations. For example, if we receive a valid legal order or if it’s necessary to enforce our Terms of Service, investigate fraud, or protect the rights and safety of MediSolo, our users, or others.

We will never sell or rent personal data to third parties. We do not use personal health data for marketing or any purpose other than providing the MediSolo service.

3. Disclosure of Data to Third Parties

No routine third-party sharing: MediSolo does not integrate with or share data with any third-party service providers (e.g., we do not use third-party analytics that access personal data, and we have no partnerships with pharmacies or labs that involve data exchange). By default, all data stays within MediSolo’s controlled infrastructure and is accessible only to the practitioner and those they authorize. We do not disclose your or your patients’ information to any third party except in the following rare circumstances:

• With the Practitioner or Patient’s Consent: If you explicitly request or consent that we share data (for example, you ask our support team to help import/export data to another system), we will do so only with proper authorization.
• Legal Requirements: We may disclose information if required by a lawful order, subpoena, or other legal requirement under Sri Lankan law. In such cases, we will only provide the minimum necessary information and, where lawfully permitted, notify the affected practitioner beforehand. We also may disclose information to regulatory or enforcement authorities if we are legally compelled (for instance, under investigations).
• Security or Technical Support: On rare occasions, authorized MediSolo engineers may access data to the extent needed to resolve a technical issue or investigate a security incident. Even in these cases, access to personal health data is highly restricted and logged. Our team is bound by strict confidentiality obligations.
• Business Transfer: If MediSolo’s ownership or structure changes (e.g., through a merger, acquisition, or asset sale), personal data may be transferred to the successor entity. If so, we will ensure the new owner has to abide by the same privacy commitments, and we will notify users of any change in data handling. (Note: currently MediSolo is not a registered company; if we incorporate in the future, this clause would apply.)

Importantly, healthcare providers using MediSolo are bound by their own professional confidentiality duties for any patient data they store. MediSolo’s role is to safeguard the platform, but the decisions about with whom patient information is shared (e.g., referring to another doctor, giving a prescription to a pharmacy, etc.) are controlled by the practitioner and the patient. We expect all practitioners to handle patient data in accordance with medical ethics and privacy laws.

4. Data Security Measures

We understand the sensitive nature of health information and employ robust security measures to protect personal data. Some of the key security practices we follow include:

• Encryption: All databases storing patient health records are encrypted at rest. In addition, data transmitted between the MediSolo app/website and our servers is encrypted via industry-standard HTTPS/TLS encryption. This means that any information you send to our servers or retrieve is protected in transit from eavesdropping.
• Isolated Data Stores: Each practitioner’s data is logically isolated from others. Your records are stored in a dedicated database schema or instance accessible only by your account (and authorized collaborators in your practice, if any). This design ensures that even within MediSolo, there is separation between different users’ data.
• Access Controls: Access to our production systems is limited to a small number of authorized personnel who require it to maintain the service. We use authentication, firewalls, and other access controls to prevent unauthorized access. No MediSolo staff can casually browse patient data; any support access is granted case-by-case for specific issues and is audited.
• Data Integrity: We implement backups and redundancy to protect against data loss. Regular backups of databases are taken and stored securely. In the event of a system failure, we have disaster recovery procedures to restore data and resume operations with minimal disruption.
• Security Testing: We periodically test our Platform for vulnerabilities and keep our software and infrastructure updated with security patches. Our security framework is aligned with best practices in handling healthcare data. While we strive to provide a highly secure service, no system is entirely risk-free, and therefore we cannot guarantee absolute security. However, we take security very seriously and continuously improve our safeguards.
• Important: As a practitioner using MediSolo, you also play a role in security. Always keep your login credentials confidential and use a strong password. If you suspect any unauthorized access to your account, notify us immediately so we can help secure it. We are not liable for breaches or access that result from weak credentials or negligence on the user’s part.

In the unlikely event of a data breach that affects personal data, MediSolo will follow applicable breach notification laws. Under Sri Lanka’s Personal Data Protection Act (PDPA), controllers must notify the Data Protection Authority of certain personal data breaches and also inform affected individuals in high-risk cases. In line with these requirements, if MediSolo discovers a significant data breach, we will promptly inform the impacted practitioners (who in turn should inform patients, if applicable) and report to authorities as required. We will also take all needed steps to mitigate the breach and prevent future occurrences.

5. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of providing the service and satisfying any legal or accounting requirements. The “storage limitation” principle under PDPA mandates that data should be kept only for as long as needed for the stated purpose. In practice:

• Patient Records: These are kept until the practitioner decides to delete them or close their account. MediSolo does not delete or purge any patient data as long as the practitioner’s account is active, so that the practitioner has complete historical records. Practitioners can delete individual records through the app; once deleted, those records will no longer be accessible. (Deleted data may remain temporarily in our backups, which are purged periodically, but will not be available to any user or used for any purpose.)
• Practitioner Account Data: We keep your account registration information while your account is active. If you choose to delete your account or stop using MediSolo, we will remove or anonymize your personal account data upon request, after verifying your identity. Some minimal information may be retained in backups or logs for a short period, but we will securely erase or anonymize that in the normal course of operations.
• Logs and Usage Data: System logs are retained for a limited time (typically a few months) for security monitoring and analytics. After that period, they are automatically deleted or anonymized, unless we need to retain them longer to investigate a known incident.
• Legal Requirements: If a specific law requires retaining certain data for a defined period (for example, medical professionals may be required by regulations or guidelines to keep patient records for a number of years), it is the practitioner’s responsibility to comply with those requirements. MediSolo provides the tools to store data, but the practitioner must ensure they archive or export records if needed to meet legal retention duties. From our side, if we are aware of a legal order or regulation that mandates preserving data (e.g., a court order to retain records for investigation), we will comply and notify the user if possible.

When data is no longer needed, we take care to securely delete it. Electronic deletion is done in such a way that data cannot be reasonably recovered. For any backups reaching end-of-life, we destroy or wipe them securely.

6. International Data Transfers

MediSolo is designed for users in Sri Lanka, and our primary operations are based in Sri Lanka. Currently, we aim to store and process data on servers located in Sri Lanka or in a jurisdiction with adequate data protection standards. If we utilize cloud infrastructure, we will choose reputable providers with strong security and privacy commitments. It is possible that in future or as needed, some data may be processed or backed up on servers outside Sri Lanka. Any transfer of personal data outside Sri Lanka will be done in compliance with the Sri Lankan Personal Data Protection Act’s cross-border data transfer requirements. The PDPA allows transfer of personal data to third countries if certain safeguards or conditions are met. In such cases, we will ensure at least one of the following is in place:

• The destination country has been officially designated as providing adequate data protection (note: as of now, no such list exists yet).
• We have appropriate safeguards and binding agreements with any external hosting provider or partner, to ensure your data receives the same level of protection as it would under Sri Lankan law.
• We obtain your explicit consent for the transfer, after informing you of any risks (for example, if for some reason your data needed to be stored in a country without an adequacy decision, we’d let you know and ask for consent, though this scenario is unlikely). In urgent situations such as a necessary transfer to protect a person’s life or for a contractual service you requested, the law also provides exceptions.

By using MediSolo, you consent to the possibility of your data being transferred and stored outside Sri Lanka under these safeguards. Rest assured, such transfers (if any) will not affect the security and privacy protections on your data – we remain responsible for safeguarding your information regardless of where it is hosted.

7. Data Subject Rights

Under Sri Lanka’s PDPA and other applicable laws, individuals have certain rights regarding their personal data. Because of the unique role of MediSolo, there are two categories of individuals to consider: practitioners (our direct users) and patients whose data is entered by those users.

• Rights of Practitioners (Users): If you have an account with MediSolo, you have the right to access the personal information we hold about you (such as your registration details and any logs associated with your use). You also have the right to request correction of any inaccurate information (for example, if your email on file is wrong, we will update it). You may request deletion of your personal data or account, as described in the Data Retention section, and we will honor it provided that it does not conflict with any legal obligations. We acknowledge users’ rights to data portability as well – if you need a copy of your data in a common format, we will assist with that (for instance, exporting your patient records if you wish to move to another platform). We will respond to any such requests within a reasonable timeframe and in accordance with the PDPA’s provisions. Under the PDPA, users can also object to or restrict certain processing, but note that MediSolo processes very little data for its own purposes – mainly just what is necessary for the service. If you have given consent for something (e.g., receiving an optional newsletter in the future) you can withdraw that consent at any time.
• Rights of Patients: As a patient whose data might be stored by your healthcare provider on MediSolo, you have rights under privacy laws as well. Typically, your healthcare provider is the “data controller” responsible for your personal data in the system. This means you should generally direct any requests to access or correct your medical records to your provider, who can use MediSolo’s features to fulfill those requests. MediSolo cannot directly disclose patient records to any patient without the authorization of the practitioner, because we must ensure that proper medical context and authorization are in place. However, if you (as a patient) were to contact us directly about your data, we will facilitate the request by coordinating with the relevant practitioner. We support practitioners in meeting obligations to provide patients access to their data or to delete it if a valid request arises. Do note, certain medical records might need to be retained by the practitioner for legal reasons and may not be erasable immediately on request (for example, doctors might be required to keep treatment records for a minimum period). We encourage transparency: practitioners using MediSolo should have their own privacy notices informing patients that they use MediSolo as a records system and how patients can exercise their rights.

To submit a personal data request or inquiry, you can contact us at our support email (see Section 10). We may need to verify your identity before fulfilling requests (for example, by confirming you have control of the email associated with your account). We will not charge you for reasonable requests. If we ever deny a request, we will explain why (e.g., if it’s exempt under PDPA, or if we cannot fulfill it without compromising others’ rights). You also have the right to lodge a complaint with Sri Lanka’s Data Protection Authority if you believe your data rights have been violated. We would appreciate the chance to address your concerns first, and we are committed to resolving any issues in good faith.

8. Children’s Privacy

MediSolo is not directed to children as primary users. Only licensed healthcare professionals and their authorized staff are eligible to create accounts on the Platform, and they must be adults (18+). We do not knowingly collect any personal information directly from individuals under 18. However, practitioners might enter health data about minors (e.g. pediatric patient records). Such data is treated with the highest confidentiality and security, as described above. If you are a parent or guardian and believe your child’s personal health data is being stored in MediSolo without proper safeguards or consent, please contact the relevant healthcare provider and/or MediSolo so that we can address the concern. We rely on practitioners to obtain any necessary parental consent for treating minors and recording their data digitally.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make significant changes, we will notify our users (practitioners) via email or via an in-app notification. The “Last Updated” date at the top will always indicate when the latest changes were made. We will provide at least 14 days’ notice of major changes, when required. Continued use of MediSolo after a policy update will signify your acceptance of the revised terms. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting the personal information you entrust to us.

10. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us. You can reach out via email at support@medisolo.example (placeholder email) or through the support section on our website. We will do our best to respond promptly and help resolve any issues.

By using MediSolo, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. We are dedicated to safeguarding your privacy and ensuring compliance with Sri Lankan data protection laws (such as the PDPA).