Privacy Policy

Last updated: February 2026. EMR is a Philippine electronic medical record and practice management platform for clinics. This Privacy Policy describes how we collect, use, store, and protect information when you use our services—including patient records, consultations, appointments, prescriptions, and related features. We treat your data and your patients’ data with the highest regard for privacy and security.


1. Definitions and scope

Personal information means any information from which a person can be identified, directly or indirectly. Sensitive personal information includes health information as defined under the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its implementing rules—for example medical history, consultations, prescriptions, and diagnoses.

This policy applies to all personal and sensitive personal information we process in connection with the EMR platform: the web application and related services used for patient registration, consultations, appointments, prescriptions, queue management, multi-clinic operations, and support. You and only you own your data and have the right to control how it is used; we process it on your behalf as your service provider and, where applicable, as a data processor under your instructions.

2. Information we collect

2.1 Account and clinic information

When you register and use the Service we collect: email address and password (stored using secure, one-way hashing); your name, license number, and contact details; and for each clinic you add—clinic name, address, phone, email, and weekly schedule. If you use multi-clinic, we store which clinics you belong to and your role per clinic. If you invite staff (e.g. secretaries), we process their email and role for the purpose of sending invites and managing access.

2.2 Patient and clinical data

Data you enter into the EMR in the course of your practice: patient demographics (name, date of birth, gender, contact details, address, emergency contact, blood type); consultation records (chief complaint, SOAP notes, vital signs, diagnoses, allergies, prescriptions, lab requests, medical certificates, diagrams, and file attachments); appointment and queue data; and e-signature images you upload or draw for use on prescriptions and certificates. This data is sensitive personal information. You are the data controller; we process and store it solely to provide the EMR platform to you and in accordance with your instructions and applicable law.

2.3 SMS and communications

If your plan includes SMS appointment reminders, we use the patient phone numbers you have stored in the registry to send reminders on your behalf. Message content and delivery are handled via our contracted SMS provider; we do not use patient numbers for marketing or share them with third parties for their own purposes.

2.4 Automatically collected information

When you access the platform we collect: device and browser type; IP address and general location; and logs of access and actions (e.g. login, page views, API requests) for security, troubleshooting, and compliance. We use cookies and similar technologies for authentication, session management, and security—see Section 7.

2.5 Third-party sign-in

If you sign in through a third-party provider (e.g. Google), we receive the identifiers and profile data that the provider shares with us in line with your consent there. We do not sell your personal information or your patients’ data to anyone.

3. How we use your information

We use the information we collect to:

  • Provide, operate, and improve the EMR platform—including patient registry, consultations, appointments, queue management, multi-clinic switching, staff roles, e-prescriptions, and e-signature.
  • Authenticate users and enforce role-based access (e.g. doctors vs. secretaries) and clinic-scoped data so that each clinic’s data is accessible only to authorized users.
  • Send SMS appointment reminders when you have enabled that feature and provided patient phone numbers.
  • Perform backups, security monitoring, and incident response; comply with legal obligations; and protect the rights and safety of EMR, our users, and the public.

We do not use patient or clinical data for advertising or marketing. We do not sell personal information or sensitive personal information.

4. Disclosure and sharing

We may disclose information to: (a) service providers and subprocessors that help us run the platform (e.g. hosting, SMS gateway, email)—under contracts that require them to protect data and use it only for the services they provide to us; (b) regulators or law enforcement when required by law or to protect rights and safety; (c) affiliates or in connection with a merger, sale, or restructuring, with notice where required by law.

We do not share patient or clinical data with advertisers or data brokers. For more on our technical and organizational safeguards, see our DPA & HIPAA Compliance page.

5. Data retention and security

We retain your data for as long as your account is active and as needed to provide the service, comply with legal obligations, and resolve disputes. If your subscription ends or you terminate your account, we will allow you to export your data during a grace period (as described in our Terms of Use). After that, we may retain data for a limited time for backup or legal purposes, then delete or anonymize it in accordance with our retention schedule. In no case do we use your or your patients’ data for our own commercial purposes beyond providing the Service.

We implement technical and organizational measures to protect personal and sensitive personal information, including: encryption of data in transit (TLS) and at rest; secure storage of passwords (one-way hashing); role-based and clinic-scoped access control; audit logging of access and significant actions; and, where available, support for multi-factor authentication and automatic session logout after inactivity. For a detailed description, see our DPA & HIPAA Compliance page.

6. Your rights (Philippine Data Privacy Act)

Under the Philippine Data Privacy Act of 2012 (RA 10173) and its implementing rules, you have the right to be informed, to object, to access and correct your data, to request erasure or blocking, to data portability, and to withdraw consent where processing is based on consent. To exercise these rights in relation to data we hold about you, contact us at privacy@emrdocs.ph or through our Contact page. For data about your patients, you are the data controller and are responsible for responding to their requests; we will assist you with access, correction, or export as needed to fulfill your obligations. You may also lodge a complaint with the National Privacy Commission (NPC).

7. Cookies and similar technologies

We use cookies and similar technologies for: authentication and session management; security (e.g. CSRF protection); and remembering your preferences (e.g. active clinic). You can control cookies through your browser settings; disabling certain cookies may affect the functionality of the platform. We do not use third-party advertising cookies.

8. Changes and contact

We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the “Last updated” date. For material changes we may notify you by email or through the service. Your continued use after the effective date constitutes acceptance. For questions or to exercise your rights: privacy@emrdocs.ph or our Contact page.