Privacy Policy

1. Who We Are

SurgMD is a professional surgical case logbook and revenue tracking service developed and operated by Dr. Choundappan Madhavan, acting as a Sole Proprietor under the trade name Chounda. SurgMD is available as a mobile application (iOS and Android) and as a web application at surgmd.chounda.com.

2. Scope & Applicable Law

This Privacy Policy applies to all users of SurgMD globally, except where regional restrictions apply. SurgMD is governed by and complies with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India.

SurgMD is not available in the United States or the European Economic Area. Users in those regions are not permitted to create accounts. This policy does not make any claims of compliance with HIPAA, GDPR, or other US/EU data protection frameworks.

By using SurgMD, you confirm that you are accessing the service from a jurisdiction where it is available, and that you are a registered medical professional.

3. Data We Collect

We collect only the data necessary to provide the SurgMD service. This includes:

• Account data: Full name, email address, phone number, and password (stored as a hashed credential).
• Professional data: Surgical specialty, hospital affiliations, and other practice details you choose to provide.
• Case log data: Surgical case entries including procedure name, date, hospital, diagnosis, operative notes, and financial details such as fees charged, collected, and pending amounts.
• Clinical media: Photographs and video clips uploaded to case records. You are solely responsible for obtaining patient consent before uploading identifiable media.
• Subscription & payment data: Subscription tier, transaction reference IDs, and payment status. We do not store full card or bank account numbers — these are handled directly by our payment processors.
• Device & usage data: Device type, operating system version, app version, and anonymised usage events (e.g., features accessed) for product improvement purposes.

4. Purpose of Processing

We collect and process personal data solely for the following purposes:

• To create and maintain your SurgMD account and authenticate access.
• To provide the core surgical logbook, revenue tracking, and multi-hospital management features of the app.
• To process subscription payments and manage your plan entitlements.
• To store and retrieve clinical media (photos and videos) securely on your behalf.
• To respond to support queries and grievances.
• To improve the SurgMD product through aggregated, anonymised usage analysis.
• To comply with applicable Indian law.

We do not use your personal or clinical data for advertising, profiling, or any purpose beyond those listed above.

5. Third-Party Data Processors

To deliver the SurgMD service, we engage the following third-party processors. Each is contractually bound to handle your data only as directed by us and in accordance with applicable law:

• Supabase, Inc. — Cloud database, authentication, and backend infrastructure. Your account data and case log data are stored on Supabase-managed PostgreSQL databases.
• Cloudflare, Inc. — Content delivery, DNS, and R2 object storage for clinical media (photos and videos). Media files are stored in Cloudflare R2 buckets.
• RevenueCat, Inc. — In-app subscription management for iOS and Android. RevenueCat receives your subscription status and transaction identifiers from Apple and Google on our behalf.
• Resend, Inc. — Transactional email delivery for account-related notifications.

We do not sell or share your personal data with any third party for their independent use.

6. Cross-Border Data Transfers

Some of our third-party processors (including Supabase, Cloudflare, RevenueCat, and Resend) are headquartered or operate infrastructure outside India. As a result, your data may be stored and processed in data centres located in other countries, including the United States and the European Union.

We take reasonable steps to ensure that transfers are covered by appropriate safeguards, including processor agreements that obligate data to be handled securely and only for the purposes described in this policy. As the DPDP Act's cross-border transfer rules are progressively notified by the Indian government, we will update our practices accordingly.

7. Security Safeguards

We implement reasonable technical and organisational measures to protect your data, including:

• Row Level Security (RLS): Database-level policies ensuring each user can access only their own records — no data cross-contamination between accounts.
• Encryption in transit: All data between your device and our servers is transmitted over HTTPS/TLS.
• Signed URL access for media: Clinical photos and videos are stored in private object storage buckets; access requires time-limited, cryptographically signed URLs generated per request.
• Authentication controls: Passwords are hashed using industry-standard algorithms. Account access uses secure token-based authentication (PKCE flow).

No system is completely secure. While we work to protect your data, you are responsible for keeping your account credentials confidential.

8. User Responsibility & Patient Consent

SurgMD is a professional tool for use by registered medical practitioners. As the user, you are solely responsible for ensuring that any patient data or clinical media entered into SurgMD has been collected with appropriate patient consent in accordance with the laws and professional standards of your jurisdiction.

We strongly recommend using anonymised or de-identified patient identifiers wherever possible. SurgMD does not verify whether patient consent has been obtained — this responsibility rests entirely with the treating physician.

9. Data Retention & Deletion

We retain your personal data for as long as your account remains active and for as long as necessary to fulfil the purposes described in this policy. When your account is deleted:

• All account data, case log records, and subscription records are permanently purged from our active database within 30 days of the deletion request, in accordance with the DPDP Act 2023.
• Clinical media (photos and videos) stored in Cloudflare R2 are also deleted within the same 30-day window.
• Anonymised, aggregated usage data that cannot identify you may be retained for product analytics.

You may delete your account at any time from the Settings → Delete Account section within the SurgMD app, or by submitting a request to surgmd.chounda.com/delete-account.

10. Your Rights

Under the DPDP Act 2023, you have the following rights as a Data Principal:

• Right to Access: Request a summary of the personal data we hold about you.
• Right to Correction: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your personal data (see Section 9 above).
• Right to Grievance Redressal: Raise concerns about how your data is being processed (see Section 12).
• Right to Nominate: Nominate another individual to exercise your rights in the event of death or incapacity, as provided under the Act.

To exercise any of these rights, contact us at [email protected].

11. Children's Data

SurgMD is intended exclusively for use by registered medical professionals aged 18 and above. We do not knowingly collect personal data from individuals under 18 years of age. If we become aware that data has been submitted by a minor, we will take steps to delete it promptly. If you believe a minor has created an account, please contact us at [email protected].

12. Grievance Redressal

In accordance with the Digital Personal Data Protection Act, 2023, any grievances or concerns regarding the processing of your personal data may be directed to our Grievance Officer:

Dr. Choundappan Madhavan
Vanitha Hospital, 3/231, Sankagiri Main Road, Kondalampatty, Salem – 636010, Tamil Nadu, India.
Email: [email protected]

We aim to acknowledge all grievances within 48 hours and resolve them within 30 days of receipt.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will update the Effective Date at the top of this page and, where appropriate, notify you by email or via an in-app notice.

Your continued use of SurgMD after any such changes constitutes your acceptance of the updated policy.