Privacy Policy

Last updated: 11 July 2026

ClinicFlow ("ClinicFlow", "we", "us") is a clinic-management tool provided by Cephas Infosystems that helps solo practitioners and small clinics ("Clinics", "you") manage appointments, clinical notes and billing. This policy explains what personal data we collect, how we use it, and the rights you and your patients have over it, including under India's Digital Personal Data Protection Act, 2023 ("DPDP Act").

1. Two kinds of personal data on ClinicFlow

It matters who each piece of data belongs to, because it changes who is responsible for it under the DPDP Act:

2. What we collect

We do not collect payment card details, government ID numbers, or health/biometric data beyond the free-text clinical notes a Clinic chooses to type.

3. How we use this data

We do not use your data or your patients' data for advertising, and we do not sell personal data to anyone.

4. Who we share data with

We share data only where it's needed to run the service:

Every clinic's patients, appointments and invoices are stored in strictly separated records — one clinic can never see another clinic's data through the product.

5. Data retention

6. Cookies

ClinicFlow sets exactly one cookie: a session cookie (cf_sid) that keeps you signed in. It is HttpOnly (not readable by page scripts) and is deleted when you log out or it expires. We do not use third-party advertising or analytics cookies.

7. Security

Passwords are hashed with bcrypt and are never stored or logged in plain text. Access to the application is via encrypted HTTPS connections. Every database query that touches patient or clinic data is scoped to the logged-in clinic, so one clinic's records are not reachable from another clinic's session. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security, but we take reasonable technical measures appropriate to the sensitivity of the data.

8. Your rights under the DPDP Act, 2023

If you are an individual whose personal data we hold (as a Clinic account holder, or as a patient whose Clinic uses ClinicFlow), you have the right to:

Patients should first raise data requests with their Clinic directly, since the Clinic controls that data. If you're a Clinic account holder, you can raise requests about your own account data with us using the contact details below.

9. Grievance Officer

In accordance with the DPDP Act, 2023, you may contact our Grievance Officer with any question or complaint about how personal data is handled on ClinicFlow:

Grievance Officer, Cephas Infosystems
Email: privacy@cephasinfosystems.com

(Cephas Infosystems: please replace the placeholder name/email above with your appointed Grievance Officer's actual details before publishing.)

10. Children's data

ClinicFlow accounts are intended for use by adult clinic staff/owners, not by children. Clinical notes about a minor patient may be entered by a Clinic as part of normal medical record-keeping, which the DPDP Act's provisions for minors' data are designed to accommodate for legitimate healthcare purposes — this remains the Clinic's responsibility as Data Fiduciary for that data.

11. Changes to this policy

We may update this policy from time to time. If we make material changes, we will update the "Last updated" date above and, where appropriate, notify Clinics by email.

12. Contact us

Questions about this policy can be sent to privacy@cephasinfosystems.com.