Privacy Policy

Updated: 17-Feb-2026

CareHQ (“CareHQ”, “we”, “our”, or “us”) is a healthcare technology platform operated by BitSynapse. This Privacy Policy describes how we collect, use, process, disclose, and safeguard personal data and Protected Health Information (“PHI”) when you access or use the CareHQ application and related services (“Services”).

CareHQ is designed for healthcare use cases and processes sensitive health data in accordance with:

  • The Digital Personal Data Protection Act, 2023 (India)

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA), United States, where applicable

1. Data Controller

The Services are operated by BitSynapse.

Contact Information:
Email: carehq@bitsynapse.io
Address: [Insert Registered Office Address]

A Grievance Officer is appointed in accordance with the DPDPA.
Grievances will be acknowledged within 48 hours and resolved within 30 days.

2. Scope of This Policy

This Policy applies to:

  • Healthcare professionals

  • Patients

  • Client organizations

  • Website and mobile app users

  • U.S. Covered Entities for whom CareHQ acts as a Business Associate

3. Categories of Data Collected

We may collect and process:

A. Identity & Contact Data

Name, email address, phone number, professional credentials.

B. Health & Medical Information (PHI)

Medical records, diagnoses, treatment plans, consultation notes, occupational health data, and related health identifiers.

C. Technical & Usage Data

IP address, device identifiers, browser type, access logs, crash diagnostics.

D. Authentication Data

Encrypted passwords, login credentials, access tokens.

We collect only the minimum data necessary to provide our Services.

4. Legal Basis for Processing (India – DPDPA)

We process personal data:

  • Based on user consent

  • To provide healthcare-related services requested

  • To comply with legal and regulatory obligations

Users may withdraw consent at any time. Withdrawal will not affect prior lawful processing.

5. HIPAA Compliance & Business Associate Status (United States)

Where CareHQ provides services to U.S. Covered Entities:

  • CareHQ acts as a Business Associate under HIPAA.

  • We enter into Business Associate Agreements (BAAs) where required.

  • We implement administrative, physical, and technical safeguards consistent with HIPAA Security Rule requirements.

  • Access to PHI is limited under the “minimum necessary” standard.

  • Workforce members are subject to confidentiality obligations and access controls.

  • Audit logging and monitoring mechanisms are maintained.

CareHQ does not use PHI for marketing or advertising purposes.

6. Data Security Measures

CareHQ implements enterprise-grade security controls, including:

  • TLS 1.2 or higher encryption for data in transit

  • AES-256 (or equivalent) encryption for data at rest

  • Role-based access control (RBAC)

  • Multi-factor authentication where applicable

  • Audit logs and system monitoring

  • Secure cloud infrastructure hosted in Amazon Web Services (AWS) regions located in India

  • Network isolation and restricted administrative access

All production and backup environments are encrypted and access-controlled.

7. Data Residency & International Transfers

Primary data hosting is located in AWS data centers within India.

We do not transfer personal data to any country or territory restricted by notification of the Central Government under the DPDPA.

Where international transfers are required for U.S. healthcare operations, appropriate contractual and security safeguards are implemented.

8. Data Retention & Backups

Personal data and PHI are retained only as long as necessary to:

  • Provide healthcare services

  • Meet regulatory requirements

  • Support audit and compliance obligations

Encrypted system backups are retained for a minimum of five (5) years.

If a user requests deletion:

  • Data will be deleted from active systems within 30 days

  • Residual encrypted copies may remain in backup systems until automatically overwritten according to the backup retention schedule

Backup data is encrypted, logically isolated, and access-restricted.

9. User Rights (India – DPDPA)

Users have the right to:

  • Access their personal data

  • Correct inaccurate data

  • Request erasure of data

  • Withdraw consent

  • Nominate a representative in case of incapacity

  • Lodge a grievance with the Data Protection Board of India

Requests can be submitted via carehq@bitsynapse.io. Identity verification may be required.

10. Data Sharing & Subprocessors

We may share data with:

  • Healthcare providers involved in patient care

  • Authorized client organizations

  • Cloud hosting providers (AWS)

  • Service providers performing infrastructure, analytics, or support services under contractual confidentiality obligations

We do not sell personal data.

A current list of subprocessors is available upon request.

11. Cookies & Tracking Technologies

CareHQ may use cookies or similar technologies for:

  • Session management

  • Security authentication

  • Performance monitoring

  • Application analytics

CareHQ does not use health data for targeted advertising.

12. Children’s Data

The Services are not intended for individuals under 18 unless accessed through a healthcare provider or guardian.

13. Breach Notification

In the event of a data breach:

  • Affected users and the relevant regulatory authorities will be notified in accordance with the breach notification requirements of the DPDPA and, where applicable, HIPAA.

14. Account Deletion

Users may request account deletion via in-app settings or by contacting support.

Upon deletion:

  • Access credentials are revoked immediately

  • Active records are removed within 30 days

  • Backup retention applies as described above

15. Changes to This Policy

We may update this Privacy Policy periodically. Updates will be posted within the application and on our website.