Privacy Policy

Shylzora Technologies Private Limited (ShylCare) · Last updated: 27 May 2026

This Privacy Policy explains how Shylzora Technologies Private Limited ("we", "us", "ShylCare") collects, uses, discloses, and safeguards information in connection with the ShylCare platform. It applies to visitors of this website, healthcare facilities using ShylCare, and their staff and patients. Please read it carefully.

1. Who We Are

ShylCare is a cloud-based Electronic Medical Records (EMR) and Hospital Management platform developed and operated by Shylzora Technologies, based in Navi Mumbai, India.

For the purposes of the Digital Personal Data Protection Act, 2023 (DPDPA), Shylzora Technologies is a Data Processor when processing patient health data on behalf of a healthcare facility (the Data Fiduciary). We are a Data Fiduciary in our own right when processing the personal data of website visitors, trial users, and staff who register directly with us.

2. Data We Collect

a) Data you or your facility provides

  • Account registration: Name, designation, email address, phone number, hospital or clinic name, address, GST number, and subscription plan details.
  • Patient records (entered by healthcare facility staff): Patient name, date of birth, gender, UHID, contact details, medical history, diagnoses (ICD codes), prescriptions, lab and radiology orders and results, vital signs, allergies, surgical and hospitalisation history, discharge summaries, and billing information including insurance and government scheme details.
  • Payment information: For subscription billing — GST invoice details, payment reference numbers. We do not store full card numbers; payment transactions are processed through trusted payment gateways.
  • Support communications: Messages sent via WhatsApp support, in-app chat, or email for support requests.
  • Demo and enquiry forms: Name, hospital name, phone, email, and city provided when booking a demo or contacting us.

b) Data collected automatically

  • Usage logs: Pages visited, features used, timestamps, session duration, and actions performed within the platform (for security auditing and product improvement).
  • Device and browser information: IP address, browser type and version, operating system, screen resolution, and referring URL.
  • Error and crash reports: Anonymised diagnostic data to help us identify and fix bugs.

c) Data from third parties

If you sign in using Google (for the ShylCare patient app), we receive your name and email address from Google, subject to Google's privacy policy. We do not receive or store your Google password.

3. How We Use Your Data

We use the data collected for the following purposes:

Purpose | Lawful Basis
Provide and operate the ShylCare platform | Contract performance
Process and display patient health records | Contract (on behalf of healthcare facility)
Send subscription invoices and payment reminders | Contract / Legal obligation
Send OTP and appointment notifications (SMS/email) | Consent / Contract
Respond to support queries | Legitimate interest
Improve and debug the platform | Legitimate interest (anonymised data)
Generate AI-assisted clinical summaries (if enabled) | Consent (feature opt-in by facility)
Comply with legal and regulatory requirements | Legal obligation
Prevent fraud and ensure platform security | Legitimate interest

We do not use patient health data for advertising, profiling, or any commercial purpose beyond operating the platform on behalf of the healthcare facility.

4. Sharing & Sub-processors

We do not sell your personal data. We share data only with trusted service providers ("sub-processors") necessary to deliver the platform:

Provider | Purpose | Location
DigitalOcean | API server hosting | India (Bangalore)
MongoDB Atlas | Database hosting and backups | India (Mumbai)
Amazon Web Services (S3) | File storage — PDFs, reports, uploads | India (Mumbai)
Google Firebase | Tenant web application hosting | Global CDN
Anthropic PBC | AI clinical summary generation (opt-in only) | USA
Fast2SMS | SMS notifications and OTP delivery | India

Cross-border transfer (Anthropic): When an authorised user invokes an AI-assisted feature (such as AI discharge summary or AI prescription assistance), limited clinical text is sent to Anthropic's API solely to generate the requested output. Anthropic does not store this data beyond the processing of the individual request. This transfer occurs only when a healthcare facility has enabled AI features. We maintain data processing terms with Anthropic.

Infrastructure note: The ShylCare API server runs on a DigitalOcean Droplet in Bangalore. Patient records are stored in MongoDB Atlas (Mumbai). Uploaded files and generated PDFs are stored on Amazon S3 (Mumbai). The tenant web application is served via Google Firebase Hosting. All data storage locations are within India except for Anthropic (AI features only, opt-in).

We may disclose personal data if required by law, court order, or a regulatory authority in India. We will notify you of such requests where legally permitted to do so.

5. Patient Data

Patient health data entered into ShylCare by a healthcare facility is among the most sensitive personal data we process. We handle it with the following commitments:

  • Ownership: The healthcare facility owns all patient data it enters. We act solely as a processor on its instructions.
  • Purpose limitation: We process patient data only to provide the platform to the facility — never for advertising, research (beyond anonymised, aggregated product analytics), or any other commercial use.
  • Isolation: Each facility's data is held in a separate Tenant with strict access controls; no facility can access another's patient records.
  • Staff access: ShylCare engineers and support staff access patient data only when strictly required to investigate a support issue, and only with the minimum necessary access. Such access is logged.
  • Consent responsibility: The healthcare facility is responsible for obtaining valid consent from patients for the collection and processing of their health data and for operating in compliance with applicable healthcare regulations.

Patients who wish to access, correct, or delete their health records should contact the healthcare facility that collected the data. We will assist the facility in fulfilling such requests upon its instruction.

6. Cookies

This website and the ShylCare platform use cookies and similar technologies for the following purposes:

  • Essential cookies: Required for the platform to function — e.g., authentication session tokens and CSRF protection. These cannot be disabled.
  • Preference cookies: Remember your language or UI preferences (if applicable).
  • Analytics cookies: Help us understand how pages are used (e.g., page load times, errors). We use anonymised, aggregated analytics only. We do not use third-party advertising cookies.

You can control cookies through your browser settings. Disabling essential cookies will prevent you from logging in to the platform. This website does not serve third-party advertising or social media tracking cookies.

7. Data Localisation

All patient and facility data is stored on servers physically located in India: the API server on DigitalOcean (Bangalore), the database on MongoDB Atlas (Mumbai), and uploaded files on Amazon S3 (Mumbai). The tenant web app is served via Google Firebase CDN. We do not transfer patient health data outside India except as described in Section 4 (Anthropic — AI features only, opt-in).

This is consistent with our commitment to comply with Indian data localisation requirements for sensitive personal data, including health data.

8. Data Retention

  • Active subscription: Patient records and facility data are retained for the duration of the subscription.
  • Post-termination: After a subscription ends, data is retained for 30 days during which the facility may request a data export. Production data is then deleted within 60 days; backup copies within 90 days.
  • Legal retention: We may retain certain data (e.g., billing records) for periods required by Indian tax law (typically 8 years) or other regulatory obligations.
  • Website enquiry data: Retained for up to 2 years or until you request deletion.
  • Audit logs: Retained for 2 years for security and compliance purposes.

9. Security

We implement industry-standard technical and organisational measures to protect personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access control with least-privilege principles
  • Passwords hashed using bcrypt; no plaintext storage
  • JWT-based authentication with short-lived tokens and rotation
  • Comprehensive audit logging of all data access and modifications
  • Automated daily backups with 30-day retention and point-in-time recovery
  • Multi-factor authentication for administrative access
  • Regular vulnerability assessments and security patching

No system is completely secure. In the event of a data breach, we will notify affected healthcare facilities within 72 hours and cooperate with them in meeting regulatory notification obligations under the DPDPA.

10. Your Rights Under the DPDPA

Under the Digital Personal Data Protection Act, 2023, you (as a Data Principal) have the following rights in respect of your personal data:

  • Right of access: Request a summary of the personal data we hold about you and the purposes for which it is processed.
  • Right of correction and erasure: Request correction of inaccurate or outdated personal data, or erasure of personal data where the purpose for which it was collected no longer exists and there is no legal obligation to retain it.
  • Right to grievance redressal: Have your grievances addressed in a timely manner.
  • Right to nominate: Nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.
  • Right to withdraw consent: Where processing is based on your consent, withdraw that consent at any time (this does not affect the lawfulness of prior processing).

For patients: To exercise your rights over your health records held in ShylCare, please contact the hospital or clinic that registered you — they are the Data Fiduciary responsible for your health data.

For website visitors, staff accounts, and demo enquiries: Contact us directly at the email below. We will respond within 30 days.

11. Children's Data

ShylCare processes health records of patients of all ages as part of its healthcare management function. Children are registered in the platform by a healthcare facility on behalf of their parent or legal guardian, who is responsible for providing consent.

This website is not directed at children. We do not knowingly collect personal data directly from children under 18 through this website. If you believe a child has submitted personal data to us directly via this website without parental consent, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the Platform. Material changes will be communicated to healthcare facilities via email at least 30 days before taking effect.

The "Last updated" date at the top of this page indicates when the current version was published. Continued use of the Platform after the effective date of changes constitutes acceptance of the updated policy.

13. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact our Data Protection contact:

Shylzora Technologies

Data Protection Contact

Navi Mumbai, India

Email: krishna@shylzora.com

WhatsApp: +91 8928990989

If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India once it is constituted and operational under the DPDPA.