Privacy Policy
Effective date: 1 January 2026 · Last updated: 27 February 2026
1. Who We Are
MedFollow AI ("we", "us", "our") is a healthcare technology platform operated by Chatslytics Technologies. Our registered contact email is admin@chatslytics.com. We provide AI-powered patient follow-up services to licensed medical practitioners in India via WhatsApp Business API.
2. Information We Collect
We collect the following categories of information:
- Doctor (User) Data: Name, clinic name, specialization, email address, phone number, and WhatsApp Business credentials (phone number ID, access token — stored encrypted).
- Patient Data: Name, phone number, diagnosis/condition, prescription details, and care plan information — provided by the registered doctor.
- WhatsApp Message Data: Inbound and outbound WhatsApp messages exchanged between patients and the AI system, including message content, timestamps, and delivery status.
- Usage Data: Log files, API request metadata, IP addresses, and browser/device information for security and performance monitoring.
- Payment Data: Subscription billing information processed by Razorpay. We do not store raw card numbers.
3. How We Use Your Information
- Deliver AI-generated care plans and medication reminders to patients via WhatsApp on behalf of their doctor.
- Enable doctors to monitor patient adherence, receive escalation alerts, and manage clinical workflows.
- Authenticate users and maintain secure access to the platform dashboard.
- Process subscription payments and send billing notifications.
- Improve platform reliability, debug issues, and detect fraud or abuse.
- Comply with applicable laws and respond to lawful requests by public authorities.
4. WhatsApp Business API Data
MedFollow AI integrates with the WhatsApp Business Platform (Cloud API) operated by Meta Platforms, Inc. Through this integration:
- We act as a Tech Provider — we access WhatsApp Business Accounts (WABAs) on behalf of doctors who grant explicit OAuth consent during onboarding.
- Message content sent via WhatsApp is processed on Meta's Cloud API infrastructure and is subject to WhatsApp's Privacy Policy.
- We request only the permissions whatsapp_business_messaging and whatsapp_business_management for operational purposes.
- Access tokens are encrypted using AES-256 (Fernet) and stored in our database. They are never shared with third parties except Infobip (our BSP) as required for message delivery.
5. Data Sharing and Third Parties
We share data only in the following limited circumstances:
- Infobip d.o.o. — Our WhatsApp Business Solution Provider (BSP) for message routing. Data shared: phone number IDs and message payloads necessary for delivery.
- Meta Platforms, Inc. — WhatsApp Cloud API infrastructure. Subject to Meta's Data Processing Terms.
- Razorpay Software Pvt. Ltd. — Payment processing. Subject to Razorpay's privacy policy.
- Microsoft Azure — Cloud hosting (AKS, ACR) in the Southeast Asia region. Data is stored on Azure infrastructure.
- Legal requirements — We may disclose data to comply with a court order, legal process, or lawful request by Indian or international public authorities, including national security or law enforcement requirements.
We do not sell, rent, or trade personal data to any third party for advertising or marketing purposes.
6. Data Retention
- Doctor account data: retained while the account is active, deleted within 30 days of account closure.
- Patient data and messages: retained for up to 3 years to support clinical continuity, or until the doctor requests deletion.
- Billing records: retained for 7 years as required by Indian tax regulations.
- Log files: retained for 90 days.
7. Data Security
We implement industry-standard security measures including:
- TLS 1.2+ encryption in transit for all API communications.
- AES-256 (Fernet) encryption at rest for WhatsApp access tokens and sensitive credentials.
- Kubernetes RBAC, network policies, and secret management on Microsoft Azure AKS.
- HMAC-SHA256 signature verification for all inbound WhatsApp webhooks.
- Periodic security audits and penetration testing.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your data (see Section 9).
- Portability: Request your data in a machine-readable format.
- Objection: Object to certain processing activities.
To exercise these rights, email us at privacy@chatslytics.com.
9. Data Deletion
To request deletion of your personal data:
- Email privacy@chatslytics.com with the subject line "Data Deletion Request" and your registered email address.
- We will verify your identity and process the request within 30 days.
- You will receive a confirmation once your data has been deleted from our active systems. Note: data retained for legal compliance (Section 6) will be purged after the mandatory retention period.
Doctors can also delete patient records directly from the dashboard. This triggers immediate removal from our active database.
10. Cookies
We use only essential session cookies required for authentication. We do not use advertising, tracking, or analytics cookies. No third-party tracking scripts are loaded on our platform.
11. Children's Privacy
MedFollow AI is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. Patient data for minor patients is managed under the doctor's professional responsibility.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered doctors by email at least 14 days before material changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
13. Contact Us
Chatslytics Technologies
Email: privacy@chatslytics.com
Platform: https://medfollow.agents.chatslytics.com
For WhatsApp data-related queries, please reference "WhatsApp Business Data" in your subject line.