- 1. Introduction & scope
- 2. The information we handle
- 3. SEAES as a Data Processor
- 4. How we collect information
- 5. How we use information
- 6. Sharing & disclosure
- 7. Storage & security
- 8. Data retention
- 9. Your rights under the DPDP Act
- 10. Children's data
- 11. Links to third-party sites
- 12. Changes to this policy
- 13. Grievance Officer & contact
1. Introduction & scope
This Privacy Policy explains how SEAES (“SEAES”, “we”, “us”) handles personal information in connection with the SEAES HMS hospital management software and this website. It is written to align with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Information Technology Act, 2000 and rules made under it.
SEAES HMS is deployed either on a hospital's own server (on-premises) or on SEAES-managed cloud infrastructure. The roles described below apply in both cases; what differs is where the data physically sits.
2. The information we handle
We distinguish three categories:
- Account & staff information — names, work email, phone, role and login credentials of the hospital staff who use the system, and of people who contact us through this website.
- Patient data — the clinical and demographic records a hospital creates inside SEAES HMS (registration details, encounters, prescriptions, lab and billing records). This data belongs to the hospital and its patients.
- Usage & technical data — logs, audit trails, device and browser information generated automatically when the software or website is used, kept for security and reliability.
3. SEAES as a Data Processor
For patient data, the hospital is the Data Fiduciary — it decides what is collected and why, and is the primary point of contact for patients exercising their rights. SEAES acts as a Data Processor, processing that data only to provide and support the software, and only on the hospital's documented instructions.
We do not use patient data for our own purposes, we do not sell it, and we do not use it for advertising or profiling.
4. How we collect information
- Directly from you — when staff use the system, or when you email us or fill in a form on this website.
- From the hospital — staff accounts and configuration provided by the hospital that licenses SEAES HMS.
- Automatically — security logs, audit entries and basic technical data generated as the software runs.
5. How we use information
We use account, staff and usage information to:
- provide, operate, secure and support the SEAES HMS software and this website;
- authenticate users and maintain the audit trail;
- respond to enquiries, demos and support requests;
- meet legal, tax and regulatory obligations.
Patient data is processed only as needed to run the software for the hospital, as described in section 3.
6. Sharing & disclosure
We share personal information only where necessary, and never sell it. Recipients may include:
- vetted sub-processors who help us run the service (for example, hosting for cloud deployments), under contracts that bind them to equivalent protection;
- authorities or courts where disclosure is required by law;
- a successor entity in the event of a merger or acquisition, under continued confidentiality.
On an on-premises deployment, the hospital controls all access; SEAES sees data only when the hospital asks us to for support.
7. Storage & security
We apply reasonable technical and organisational safeguards — access controls, role-based permissions, encryption in transit, and a tamper-evident audit log of who changed what. No system can be guaranteed perfectly secure, but we work to reduce risk and to respond quickly to incidents.
Where SEAES HMS is deployed on-premises, the data resides on the hospital's infrastructure and its physical and network security is the hospital's responsibility, with our support.
8. Data retention
Account and contact information is kept for as long as the relationship is active and as long as needed to meet legal, tax and audit obligations, after which it is deleted or anonymised. Patient data is retained under the hospital's instructions and applicable medical-records retention rules.
9. Your rights under the DPDP Act
Subject to the DPDP Act, you may request to:
- access a summary of the personal data we hold about you;
- correct or complete inaccurate or incomplete data;
- have your data erased where it is no longer needed;
- withdraw consent you previously gave;
- nominate another individual to exercise your rights in case of death or incapacity;
- raise a grievance about how your data is handled.
If you are a patient, these rights are usually exercised through the hospital that holds your record (the Data Fiduciary); we will support the hospital in fulfilling them.
10. Children's data
This website is not directed at children. Patient records of minors are created and managed by the hospital with the consent of a parent or lawful guardian, as required by the DPDP Act.
11. Links to third-party sites
Our website and software may link to or integrate with third-party services. Their privacy practices are their own; we encourage you to review their policies. We are not responsible for content or practices of external sites.
12. Changes to this policy
We may update this policy from time to time. The “Last updated” date below reflects the current version; material changes will be highlighted on this page.
13. Grievance Officer & contact
For any privacy question, request or grievance, contact our Grievance Officer at [email protected]. SEAES is based in Pune, Maharashtra, India.
If you believe your rights under the DPDP Act have not been addressed, you may also raise a complaint with the Data Protection Board of India.