Orbit Care ("Orbit Care," "we," "us," or "our") provides a Health Information Management System (HIMS) platform for hospitals, clinics and healthcare professionals. The platform enables healthcare providers to digitize, securely store and access patient health information, with the option to make patient records available across multiple healthcare facilities within the Orbit Care ecosystem.
This Privacy Policy explains how we collect, use, disclose and protect information processed through Orbit Care, in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, EHR Standards of India (2016) and other relevant rules and guidelines.
This Policy applies to:
- Hospitals, clinics and healthcare providers using Orbit Care ("Users").
- Doctors, authorized staff and hospital/clinic administrators.
- Patients whose information is processed by Users through Orbit Care (DISCLAIMER: PATIENTS DO NOT DIRECTLY ACCESS ORBIT CARE AT THIS STAGE).
- Visitors to our website.
1. Definitions
1.1. Data Principal: The individual to whom the Personal Data relates. For purposes of this Policy, the term “Patient” shall be construed as Data Principal.
1.2. Data Fiduciary: Any person who determines the purpose and means of processing Personal Data. Under this Policy, Orbit Care and the respective healthcare provider act as Joint Data Fiduciaries.
1.3. Joint Significant Data Fiduciaries: Orbit Care and each healthcare provider jointly determine purposes and means of processing Patient Data under the DPDP Act. If designated as Significant Data Fiduciaries by the Government/Board, additional obligations will apply (such as DPO appointment, DPIAs, audits).
1.4. Patients: Individuals whose personal and health data is processed through Orbit Care by their healthcare provider.
1.5. Patient Data: Personal data and sensitive health information entered, stored, or accessed through Orbit Care.
1.6. Platform: Orbit Care’s HIMS software, applications and services.
1.7. Users: Hospitals, clinics, healthcare providers and their authorized staff.
2. Compliance with the DPDP Act, 2023
Orbit Care adheres to the principles of the Digital Personal Data Protection Act, 2023:
2.1. Notice & Consent:
2.1.1. Consent from Patients must be obtained by healthcare providers before uploading or sharing their data on Orbit Care.
2.1.2. Consent must specify whether data may be used only within one clinic/hospital or across the Orbit Care ecosystem of multiple clinics.
2.1.3. Orbit Care processes Patient Data solely based on such valid consent and User instructions.
2.1.4. Inter-Provider Access: Where a Patient books an appointment with a new healthcare provider within the Orbit Care ecosystem, that provider’s authorized doctor may access consultation notes and records from the Patient’s past visits to other Orbit Care-affiliated providers, starting from the time of booking and continuing for the legally mandated retention period. This access is subject to the Patient’s consent to interoperability.
2.1.5. Patient Data may also be processed without explicit consent where permitted under the DPDP Act or other applicable law, including but not limited to:
a) medical emergencies threatening life or health;
b) epidemic outbreak management and public health interventions;
c) compliance with court orders, regulatory obligations, or lawful government directions.
2.2. Purpose Limitation: Patient Data will be used strictly for healthcare delivery, medical record-keeping and continuity of care.
2.3. Data Minimization: Only essential data is collected (basic details and relevant medical records).
2.4. Data Subject Rights: Patients may exercise their rights under DPDP (access, correction, erasure, withdrawal of consent, grievance redressal) through their healthcare provider. Orbit Care will assist providers in fulfilling such requests.
2.5. Significant Data Fiduciary Obligations:
2.5.1. Appointment of a Data Protection Officer.
2.5.2. Independent audits and compliance reviews.
2.5.3. Data Protection Impact Assessments (DPIAs) for high-risk processing.
2.6. Lawful Sharing: No Patient Data is disclosed or transferred except with patient consent, for healthcare delivery, or as required by law.
2.7. Consent Reliance and Secondary Use:
2.7.1. Orbit Care relies on consent obtained by hospitals/clinics for all processing, including interoperability and AI-driven analytics.
2.7.2. If prior consent for secondary use, research, or AI analytics is absent, the hospital or clinic will assist Orbit Care in obtaining explicit patient consent before such processing takes place.
2.7.3. Patient Data may only be made interoperable across clinics in the Orbit Care ecosystem if (i) explicit consent is obtained by the originating clinic and (ii) interoperability is technically enabled by Orbit Care.
2.7.4. Patients’ use of the Orbit Care patient-facing app implies consent to receive notifications and appointment reminders, to access digital prescriptions, and to have view-only access to their records, unless such consent is explicitly withdrawn.
2.7.5. All Patient Data used for secondary research or AI analytics will be de-identified or aggregated to prevent re-identification of individuals.
3. Our Role in Data Processing
3.1. Orbit Care Admin Access: Orbit Care technical administrators have limited access solely for system maintenance, security, and AI-powered features. They do not make clinical decisions or modify Patient Data without explicit authorization.
3.2. Hospital/Clinic Admin Access: Each healthcare provider designates administrative personnel to manage staff accounts, oversee usage, and ensure compliance with data protection obligations.
3.3. Doctors’ Access: Authorized doctors can view and update Patient Data within their hospital/clinic. With explicit patient consent, records may also be accessed across the Orbit Care ecosystem for continuity of care.
3.4. Patients’ Access: Patients have access to a patient-facing version of the Orbit Care app, enabling them to:
- View their own health records, prescriptions, and consultation history;
- Manage their consent preferences for interoperability and secondary use;
- Request correction, deletion, or access under applicable law.
3.5. Role-Based Access and Permissions:
- Access to Patient Data is strictly role-based. Hospitals/clinics determine which personnel (doctors, nurses, admins) can view, edit, or delete records.
- Orbit Care implements system-level access controls, audit logging and technical safeguards to enforce these permissions.
- All access is logged, monitored, and subject to compliance reviews. Orbit Care does not determine clinical access policies.
4. Information We Collect
4.1. From Where We Collect Data:
- 4.1.1. Orbit Care Super Admin Portal – Access is strictly limited to Orbit Care administrative personnel for technical, security, and system maintenance purposes. These administrators do not make clinical decisions or alter Patient Data without authorization.
- 4.1.2. Hospitals and Clinics – Authorized hospital or clinic administrators enter and manage Patient Data. Hospitals/clinics remain responsible for ensuring the accuracy, completeness, and legality of data entered, as well as for obtaining valid patient consent.
- 4.1.3. User App – Patients may create their own profiles on the Orbit Care application where permitted. Explicit consent is required from the patient for all processing, including secondary uses, interoperability, and AI-driven analytics.
4.2. Patient Information:
- Basic Information: Name, phone number, email address.
- Health Records: Medical history, consultation notes, prescriptions, diagnostic reports and related health data.
4.3. User & Admin Information:
- Organization name and contact details.
- User accounts, emails, phone numbers.
- Authentication credentials and logs.
4.4. Automatically Collected Data:
- Device identifiers, IP address and browser type.
- Platform usage logs, error reports and performance metrics.
5. How We Use Information
- 5.1. Delivering healthcare services.
- 5.2. Continuity of care across the Orbit Care ecosystem (if the patient has consented).
- 5.3. Secure storage and retrieval of health records.
- 5.4. Generating clinical analytics and reports (in aggregated, de-identified form).
- 5.5. Platform security, audits and regulatory compliance.
- 5.6. AI-Based Analytics and Alerts: Orbit Care uses Artificial Intelligence (AI) tools to analyze aggregated and de-identified consultation data, prescriptions and patient records to identify patterns, detect trends and support healthcare decision-making.
6. Data Sharing and Disclosure
6.1. With Healthcare Providers: Patient Data is shared only with doctors and staff authorized by the patient’s healthcare provider.
6.2. Across Clinics: If a Patient books an appointment with a new clinic/hospital within the Orbit Care ecosystem, the treating doctor may access prior consultation records as permitted by law and consent.
6.3. Service Providers: We may engage third-party providers (e.g., hosting, analytics, compliance auditors) under strict confidentiality agreements.
6.4. Legal Compliance: Data may be disclosed to comply with court orders, regulatory obligations, or lawful government requests.
6.5. No Sale of Data: Orbit Care does not sell or monetize Patient Data.
7. Data Security
- 7.1. Encryption of data as per industry standards.
- 7.2. Role-based access controls and multi-factor authentication.
- 7.3. Regular penetration testing and vulnerability scans.
- 7.4. Monitoring and incident response protocols.
- 7.5. Breach Notification: Orbit Care will promptly notify affected healthcare providers, who are responsible for informing impacted Patients unless required otherwise by law.
8. Data Retention
- 8.1. Patient Data is retained as long as necessary for healthcare delivery, continuity of care, or as required under law.
- 8.2. Logs and audit records are retained for compliance.
- 8.3. Upon service termination, data may be securely deleted or archived.
- 8.4. When retention is no longer necessary, data will be irreversibly deleted, anonymized, or securely archived.
- 8.5. Dual Retention and Deletion Responsibilities:
  - 8.5.1. Orbit Care retains data only as long as necessary for interoperability, analytics, and legal obligations.
  - 8.5.2. Hospitals/clinics retain their own copies for medico-legal purposes.
  - 8.5.3. Deletion requests are processed jointly with healthcare providers.
  - 8.5.4. Clinics/hospitals must ensure data accuracy and hygiene; Orbit Care enforces safeguards to prevent unauthorized changes.
9. Patient Rights under DPDP
9.1. Patients may exercise the following rights through their healthcare provider:
- 9.1.1. Right to Access: Obtain a copy of their data.
- 9.1.2. Right to Correction: Rectify inaccurate or incomplete data.
- 9.1.3. Right to Erasure: Request deletion subject to legal requirements.
- 9.1.4. Right to Consent Management: Withdraw consent for sharing.
- 9.1.5. Right to Grievance Redressal: File complaints regarding misuse.
9.2. All such requests must be made through the Patient’s healthcare provider, who coordinates with Orbit Care to fulfill them.
9.3. Orbit Care does not directly authenticate or process Patient requests except via providers.
10. Children’s Privacy
Patient Data of minors (below 18) may only be processed with parental/guardian consent collected by the healthcare provider.
11. Changes to This Policy
Orbit Care may update this Privacy Policy periodically. Significant changes will be notified via email or platform updates. Continued use of Orbit Care constitutes acceptance of such revisions.
12. Contact Information
For privacy-related queries or to escalate a grievance under the DPDP Act, please contact our Grievance Redressal Officer (GRO):
Orbit Care
Grievance Redressal Officer
Name/Designation: Orbit Care helpdesk
Email: help@orbitcoretech.com
Phone: 8296751736
13. Disclaimer on AI Usage
THE AI FEATURES WITHIN ORBIT CARE ARE INTENDED AS CLINICAL SUPPORT TOOLS ONLY. They do not replace professional medical judgment. AI analytics are performed only on aggregated and de-identified consultation data. No identifiable Patient Data is used to train AI models. Healthcare providers remain fully responsible for diagnosis, treatment decisions and patient care.
14. Acknowledgement
By using Orbit Care, healthcare providers acknowledge that:
- 14.1. They act as Joint Data Fiduciaries with Orbit Care under the DPDP Act.
- 14.2. Orbit Care is responsible for:
  - 14.2.1. Implementing platform security, technical safeguards, and breach response;
  - 14.2.2. Ensuring lawful processing of Patient Data as per DPDP and healthcare regulations;
  - 14.2.3. Providing tools to enable providers to honor Patient rights.
- 14.3. Healthcare Providers are responsible for:
  - 14.3.1. Obtaining valid and informed consent from Patients prior to data upload;
  - 14.3.2. Ensuring data accuracy, completeness, and lawfulness;
  - 14.3.3. Communicating Patient rights requests and breach notifications.
- 14.4. Both parties agree to cooperate to fulfill obligations as Joint Fiduciaries while retaining accountability for their respective roles.
- 14.5. Patients’ rights under DPDP will be honored through the provider–Orbit Care framework.