Legal

Privacy Policy

Plain-English summary first, then the detail. No dark patterns, no "we may share with partners" weasel wording.

Last updated: 14 April 2026

Who we are

MedPilot AI is a product operated by CyberFreezeDev ("we", "us"). This policy covers the MedPilot AI web application, WhatsApp integration, and marketing website at medpilot.ai.

The short version

  • We collect only what we need to run your clinic's bookings, communications, and dashboards.
  • We do not sell your data. We do not use patient data to train third-party AI models.
  • Clinic and patient data is stored in Indian data centres and is DPDP-aligned.
  • You (the clinic) are the Data Fiduciary for your patients' data. We are your Data Processor.
  • You can export or delete your clinic's data at any time.

1. What we collect

From clinics (our customers)

Business name, GSTIN (optional), billing address, contact name, email, phone, and login credentials. Usage analytics from the dashboard.

From patients (on behalf of clinics)

Name, phone number, email (optional), appointment history, clinical notes the clinic chooses to store, and WhatsApp conversation logs relevant to their appointments.

Automatically

IP address, browser/device metadata, and cookies for session management and aggregate analytics.

2. Why we collect it

  • To deliver the service you signed up for (bookings, reminders, dashboards).
  • To communicate with you about your account, invoices, and product updates.
  • To improve the product using aggregated, de-identified metrics.
  • To comply with legal obligations (tax, accounting, lawful requests).

3. Who we share it with

We share data only with sub-processors necessary to run the service: our cloud provider (AWS Mumbai region), WhatsApp Business API provider, payment gateway (for billing), and transactional email/SMS providers. We have data-processing agreements with each. A full sub-processor list is available on request.

We never sell personal data.

4. Where it's stored

All clinic and patient data is stored in India (ap-south-1 region). Backups are encrypted at rest (AES-256) and in transit (TLS 1.2+).

5. How long we keep it

Active clinic data is retained for as long as your account is active. On cancellation, you have 30 days to export; after 90 days we permanently delete your tenant data from production and backups.

6. Your rights

Under India's Digital Personal Data Protection Act, 2023, data principals have the right to access, correct, erase, and withdraw consent. Clinics can exercise these on their own data through the dashboard. Patients should contact their clinic first (the Data Fiduciary); we assist the clinic in fulfilling the request.

To raise a concern with us directly, write to privacy@cyberfreezedev.com.

7. Security

Role-based access, encrypted storage, 2FA for admin accounts, audit logs, and regular vulnerability scans. We notify affected clinics within 72 hours of confirming a material breach.

8. Changes to this policy

We'll email clinic admins at least 14 days before any material change. Minor clarifications are reflected by updating the "last updated" date above.

9. Contact

Privacy queries: privacy@cyberfreezedev.com
Grievance Officer: Saranraj (grievance@cyberfreezedev.com)