Skip to main content

Legal

Privacy Policy

Last updated: July 12, 2026

SpatiaMed (“we”, “our”, “us”) operates spatiamed.com and provides hospital OPD queue management and patient marketing software. This policy explains how we collect and handle personal data under the Digital Personal Data Protection Act 2023 (DPDP Act) and applicable Indian law.

1. Who we are

SpatiaMed is a technology company registered in India. We are the Data Fiduciary for hospital administrators and staff who sign up on spatiamed.com. For patient data processed through our software on behalf of hospitals, we act as a Data Processor — the hospital (our customer) is the Data Fiduciary for their patients.

2. Data we collect

From hospital administrators (our customers): Name, work email, mobile number, hospital name, city, state, bed count, and billing information (payment processed by Razorpay — we do not store card numbers).

From patients (via our software, on behalf of hospitals): Name, mobile number, department preference, and queue token history. Patients interact with the hospital's SpatiaMed-powered kiosk and WhatsApp channel — the hospital is responsible for obtaining patient consent under the DPDP Act.

Usage data: Browser type, IP address, pages visited, and interactions on this website — collected via Google Analytics 4 and PostHog. We do not collect any patient or health data on this website.

Session replay: PostHog records replays of how visitors interact with this website — pages viewed, scrolling, and clicks — so we can find and fix usability problems. All form inputs are masked, so what you type is never captured. And on any page where you enter personal details — including onboarding, contact, and demo booking — replay is switched off entirely, so no recording of that page is made at all.

Your choice: Analytics are on by default, and a banner on your first visit lets you accept or reject them. If you reject them, we stop collecting the usage data and session replays described above: PostHog stops capturing, and Google Analytics is not loaded at all on any page you open from then on — your browser makes no request to Google, so not even your IP address reaches it. You can change your decision at any time by selecting Cookie preferences in the footer of any page.

3. Purpose of processing

We process personal data to:

  • Provision and operate your SpatiaMed portal
  • Send transactional emails (setup, billing, support)
  • Process subscription payments via Razorpay
  • Improve our product and monitor platform health
  • Comply with legal obligations

We do not sell your data. We do not use patient data for advertising or profiling outside the hospital's use case.

4. Data retention

Administrator account data is retained for the duration of your subscription plus 90 days after cancellation, then purged.

Patient queue history is retained for 12 months from the date of the encounter, then automatically deleted from our systems. Hospitals may export their patient data at any time from the portal.

5. Your rights under DPDP 2023

As a Data Principal you have the right to:

  • Access — request a summary of personal data we hold about you
  • Correction — request correction of inaccurate data
  • Erasure — request deletion of your personal data, subject to legal retention obligations
  • Grievance redressal — contact our Data Protection Officer if you believe your rights have been violated

To exercise any right, write to privacy@spatiamed.com. We will respond within 30 days.

6. Security

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). We perform periodic access reviews and restrict data access to personnel who need it to perform their role. We hold SOC 2 Type I certification (Type II in progress).

7. Third-party processors

We share data only with processors necessary to deliver the service: Razorpay (payments), Resend (transactional email), Vercel (hosting), Google Analytics 4 and PostHog (website analytics and session replay — PostHog processes this data in the European Union). All processors are bound by data-processing agreements consistent with DPDP requirements.

8. Changes to this policy

We will notify active customers by email at least 14 days before making material changes to this policy. Continued use after the effective date constitutes acceptance.

9. Contact

Data Protection Officer: privacy@spatiamed.com