Privacy Policy

1. Overview

HMSPoint ("we", "our", or "us") operates a cloud-based Hospital Management System accessible via web at app.hmspoint.com and via the HMSPoint Patient mobile application ("App").

This Privacy Policy explains how we collect, use, store, and protect your personal and health information when you use our services. By using HMSPoint, you agree to the practices described in this policy.

2. Information We Collect

Patient Information

• Full name, date of birth, gender, blood group
• Contact details: phone number, email address, home address
• Medical Record Number (MRN) — auto-generated unique identifier
• Emergency contact details

Medical & Health Data

• Vital signs (blood pressure, temperature, weight, height, SpO₂, pulse)
• Clinical notes and diagnoses from doctor visits
• Prescriptions and medication history
• Laboratory test orders and results
• Radiology procedure orders and reports
• Surgical records (OT notes and anesthesia records)
• Admission and discharge records

Billing Information

• Service charges, invoice records and payment history
• Advance deposit and refund records
• No credit card or bank account data is stored on our servers

Account & Authentication Data

• Login credentials (passwords are hashed using Argon2 — never stored in plain text)
• JWT authentication tokens (short-lived, stored securely)
• Device FCM tokens for push notifications

Technical Data

• IP address, device type, operating system
• App version, session timestamps
• API request logs (for security and debugging)

3. How We Use Your Information

We use your information solely to provide and improve healthcare management services:

• Provide patient registration, appointment booking and visit management
• Enable healthcare staff to access patient records for treatment
• Generate lab results, radiology reports and prescriptions
• Process billing, payments and generate invoices
• Send appointment reminders and result notifications via push notification
• Maintain accurate medical history for continuity of care
• Comply with legal and regulatory healthcare requirements
• Detect and prevent fraudulent or unauthorized access

We do not use your health data for advertising, sell it to third parties, or use it for any purpose unrelated to your healthcare.

4. Data Sharing

Your data is shared only in the following circumstances:

Healthcare Staff at Your Facility

Doctors, nurses, lab technicians and administrative staff at the hospital you registered with have role-based access to your records — only to the extent required for your care.

Service Providers

We use the following infrastructure providers who process data on our behalf under strict data processing agreements:

• Amazon Web Services (AWS) — cloud hosting and database storage
• Google Firebase — push notification delivery only (no health data transmitted)

Legal Requirements

We may disclose your information if required by law, court order, or regulatory authority.

We Never Sell Your Data

We do not sell, rent, or trade your personal or health information to any third party for any purpose.

5. Data Storage & Security

We take the security of health data seriously and implement the following measures:

• Encryption in transit — all data transmitted over HTTPS/TLS
• Encryption at rest — database and storage encrypted at the infrastructure level
• Password hashing — Argon2id algorithm, never stored in plain text
• JWT tokens — short expiry, stored in secure storage on mobile
• Role-based access — staff can only access data within their granted permissions
• Tenant isolation — each hospital's data is strictly isolated from other tenants
• Audit logging — all API access is logged for security review

Your data is stored on servers hosted in the cloud. We retain patient records as long as required by applicable healthcare regulations or as directed by your healthcare facility.

6. Your Rights

As a patient, you have the following rights regarding your data:

• Access — view your medical records, lab results and prescriptions via the patient app
• Correction — request correction of inaccurate personal information
• Portability — request a copy of your health records from your healthcare facility
• Deletion — request deletion of your account and personal data, subject to legal retention requirements
• Notification opt-out — disable push notifications at any time in app settings

To exercise these rights, contact us at pijushsukanta@email.com or reach out to your healthcare facility directly.

7. Mobile App Permissions

The HMSPoint Patient Android and iOS app requests the following device permissions:

• Notifications — to send appointment reminders and result alerts (required for core functionality)
• Internet access — to connect to HMS servers
• Camera — only if you choose to upload a profile photo (optional)

All permissions are requested at the time of use. You can revoke any permission from your device settings at any time.

The app stores your authentication token in encrypted secure storage on your device — never in plain shared preferences or local storage.

8. Push Notifications

We use Google Firebase Cloud Messaging (FCM) to deliver push notifications to your device. Notifications are sent for:

• Appointment confirmations and reminders
• Lab and radiology result availability
• Invoice and billing updates
• Discharge summaries

Your FCM device token is transmitted to our servers to enable notification delivery. We do not share this token with any third party other than Google Firebase for the sole purpose of message delivery.

You can disable push notifications at any time in your device settings or within the app.

9. Cookies

The HMSPoint web application (app.hmspoint.com) uses minimal cookies:

• Authentication cookies — to maintain your login session
• Preference cookies — to remember your settings

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. The marketing website (hmspoint.com) uses no cookies.

10. Children's Privacy

HMSPoint may process health records for patients of all ages, including minors, as part of legitimate healthcare services. Records for patients under 18 are managed by their guardian or the healthcare facility under applicable laws.

The patient mobile app is not directed at children under 13 for self-registration purposes.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make significant changes, we will:

• Update the "Last updated" date at the top of this page
• Send a push notification to active app users
• Display a notice in the HMS dashboard

Continued use of HMSPoint after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related questions, data requests, or concerns about how your health information is handled, contact us: