1. Who We Are
Rubrisense ("we", "our", "us") operates a Clinical Decision Support System (CDSS)
built exclusively for licensed homeopathic practitioners. We are a data processor acting on behalf of each
practitioner (the data controller) who uses our Platform. We are committed to protecting both practitioner
account data and the patient records practitioners entrust to our infrastructure.
Rubrisense does not interact with patients directly. Patients do not have accounts on this Platform.
All personal data relating to patients is entered, owned, and controlled by the practitioner.
2. Data We Collect
2.1 Practitioner Account Data
When you create and use an account, we collect:
- Name, email address, and phone number
- Professional credentials (qualification, registration number, jurisdiction)
- Practice/clinic name and address
- Payment details (processed and stored by Razorpay — we do not store card or bank details)
- Account preferences and settings
- Session logs, IP addresses, and activity logs for security and audit purposes
2.2 Patient Data (Entered by Practitioners)
Practitioners enter and manage the following patient data through the Platform:
- Demographics: name, date of birth, gender, blood group, contact details, address, occupation
- Medical and case history: chief complaints, chronic history, miasmatic background, family history, allergies, immunisations, surgical history
- Consultation records: symptoms, AI-generated form responses, AI analysis outputs, practitioner notes
- Prescriptions: medicines, potency, dosage, timing
- Weight and lifestyle logs
- Lab reports (uploaded as PDF or image files)
We are not the data controller for patient data. The practitioner is the data controller.
We store and process this data solely on the practitioner's behalf and on their instruction.
3. How We Use Your Data
3.1 Practitioner Account Data
- To provide, operate, and maintain the Platform and your account
- To process payments and manage your subscription
- To communicate service updates, security notices, and support responses
- To detect and prevent fraud, abuse, and security incidents
- To comply with legal and regulatory obligations
3.2 Patient Data
- To provide the clinical decision support features you have enabled
- To generate AI-assisted intake forms, repertorization, and remedy suggestions
- To store, retrieve, and display records as directed by you
We do not use patient data for advertising, product development, model training, or any purpose
other than delivering the Platform services to you.
4. Data Security
Security Measures in Force
- ✓ Column-level database encryption: Patient PII (name, phone, email, address) and medical history fields are encrypted in the database using AES-256 encryption. A breach of the database would not yield readable patient data.
- ✓ Encryption in transit: All data is transmitted over HTTPS/TLS 1.2+ only. HTTP is not supported.
- ✓ Tenant data isolation: Each practice's data is architecturally isolated. It is not possible for a practitioner on the Platform to access another practice's data.
- ✓ Role-based access control: Each team member can only access data permitted by their role. Permissions are enforced at the application layer.
- ✓ Two-factor authentication: TOTP-based 2FA available for all accounts; enforceable by practice administrators.
- ✓ Audit logging: All sensitive operations (data access, exports, deletions, role changes, logins) are logged with timestamps and IP addresses.
- ✓ Secure invitations: Team members join via signed, single-use, time-limited invitation tokens. Open registration is disabled.
5. AI Processing and Patient Data
When you use AI-assisted features, the Platform sends data to third-party AI model providers.
We implement the following protections:
- No PII is sent to AI providers. Patient name, phone number, email address, and physical address are never included in AI prompts. Only clinically relevant data (symptoms, age range, gender, consultation notes) is sent.
- Your patient data is not used to train AI models. We use commercial AI APIs (AWS Bedrock, OpenAI, Anthropic) under enterprise agreements that prohibit the use of customer data for model training without explicit consent.
- No patient data is sold or shared with any third party for marketing, research, or any other purpose.
- AI queries are processed over encrypted connections. AI provider data handling is governed by their respective enterprise privacy terms.
6. Data Ownership and Portability
You own your data. All patient records, consultation history, prescriptions, and clinical content
you enter into the Platform belong to you. We hold it on your behalf.
- You may export your data at any time from your account settings
- On account closure, you may request a full data export before deletion
- We will not hold your data hostage — portability is a right, not a premium feature
7. Data Retention
- Patient and consultation data is retained for as long as your account remains active
- After account closure, data is permanently deleted within 30 days, unless you request deletion earlier or a longer period is required by applicable law
- Encrypted database backups are retained for up to 90 days for disaster recovery purposes, after which they are purged
- Security audit logs are retained for 2 years for compliance and incident investigation purposes
- Payment transaction records are retained for 7 years as required by applicable financial regulations
8. Your Rights Under the DPDP Act 2023
In accordance with India's Digital Personal Data Protection Act 2023 (DPDP Act), you have the following rights with respect to your personal data:
- Right of Access: Request a summary of the personal data we hold about you
- Right of Correction: Request correction of any inaccurate or incomplete personal data
- Right of Erasure: Request deletion of your personal data where it is no longer necessary for the purpose for which it was collected
- Right to Grievance Redressal: File a complaint with our Data Protection Officer if you believe your rights have been violated
- Right to Nominate: Nominate another individual to exercise your rights on your behalf in the event of death or incapacity
To exercise any of these rights, contact us at:
privacy@rubrisense.com
9. Practitioner's Obligations Regarding Patient Data
As the data controller for your patients' data, you are responsible for:
- Obtaining informed consent from patients before entering their personal data into the Platform
- Informing patients that their data is stored in a digital system and that AI-assisted tools are used as part of clinical decision support
- Responding to any data access or deletion requests made directly by patients
- Complying with all applicable data protection laws in your jurisdiction, including the DPDP Act 2023
10. Third-Party Services
We use the following third-party services in delivering the Platform:
- Amazon Web Services (AWS) / AWS Bedrock: Cloud hosting and primary AI model provider. AWS enterprise agreements prohibit use of customer data for model training.
- OpenAI: Secondary AI model provider (GPT-4 series). Governed by OpenAI Enterprise API terms.
- Anthropic: AI model provider (Claude). Governed by Anthropic API terms.
- Razorpay: Payment processing. We transmit payment details to Razorpay but do not store card numbers or bank credentials. Razorpay is PCI-DSS compliant.
- ZeptoMail: Transactional email delivery (appointment confirmations, account notifications).
None of the above providers are authorised to use your data or your patients' data for any purpose other than delivering their respective services to us.
11. Cookies and Session Data
We use the following types of cookies:
- Session cookies: Required to keep you authenticated while using the Platform. These expire when you log out or close your browser.
- CSRF tokens: Security cookies that protect against cross-site request forgery attacks. Required for the Platform to function.
- Preference cookies: Remember your in-app settings and display preferences.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies that profile your browsing behaviour.
12. Data Breach Notification
In the event of a personal data breach affecting your account or patient data, we will:
- Notify you within 72 hours of becoming aware of the breach
- Provide a clear description of the nature of the breach, the data affected, and the remediation steps we are taking
- Notify the relevant Data Protection Board of India where required by the DPDP Act
13. Children's Data
Patient records on the Platform may include minors treated by practitioner users. Such data is entered by the practitioner in their professional clinical capacity. We do not knowingly collect personal data directly from individuals under the age of 18. Parental or guardian consent for minor patient records is the responsibility of the practitioner.
14. International Data Transfers
Your data is primarily stored and processed in India via AWS infrastructure. Certain AI processing calls may traverse international data centres operated by AWS, OpenAI, and Anthropic under enterprise data processing agreements that provide equivalent data protection standards.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via email and an in-app notice at least 14 days before they take effect. The date of the last update is shown at the top of this page.
16. Data Protection Officer / Contact
For all privacy-related queries, to exercise your rights, or to raise a complaint:
We will acknowledge your request within 3 business days and aim to resolve it within 30 days.