Privacy Policy

1. Introduction

Svasamm Research Pvt. Ltd. ("we", "us", "our") operates the Lucoze healthcare management platform ("Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By accessing or using Lucoze, you agree to the terms of this Privacy Policy.

This policy applies to all users of the Lucoze platform, including facility administrators, healthcare practitioners, staff members, and any other individuals who interact with the Service.

2. Information We Collect

We collect the following categories of information:

• Account Information: When you register for Lucoze, we collect your name, email address, phone number, facility name, and billing information. For facility administrators, we may also collect business registration details and tax identification numbers.
• Usage Data: We automatically collect information about how you interact with the Service, including pages visited, features used, session duration, browser type, device information, and IP address. This data helps us improve the platform and troubleshoot issues.
• Health Data: Lucoze processes health data (patient records, clinical notes, lab results, prescriptions) on behalf of our customers. We act strictly as a data processor for this information — our customers (healthcare facilities) are the data controllers who determine how and why patient data is processed.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide and maintain the Service: To operate your account, process transactions, deliver the features you request, and provide customer support.
• Improve the platform: To analyse usage patterns, identify bugs, optimise performance, and develop new features. All analytics are performed on aggregated, anonymised data.
• Communicate with you: To send service-related notifications, respond to your enquiries, and provide important updates about your account or changes to our terms.
• Comply with legal obligations: To meet regulatory requirements, respond to lawful requests from authorities, and enforce our terms of service.

4. Data Storage & Security

We take the security of your data extremely seriously. Our security measures include:

• Encryption at rest: All data stored on our servers is encrypted using AES-256 encryption.
• Encryption in transit: All data transmitted between your browser and our servers is protected with TLS 1.3.
• Regional data centres: Your data is stored in the geographic region closest to your facility. We offer data residency in India, Europe, and North America to help you comply with local data protection regulations.
• SOC 2 practices: We follow SOC 2 Type II security practices, including regular security audits, vulnerability assessments, access logging, and incident response procedures.
• Access controls: Role-based access controls ensure that only authorised personnel can access specific data. All access to production systems is logged and monitored.

5. Data Sharing

We do not sell your data. We will never sell, rent, or trade your personal information or your patients' health data to third parties for marketing or any other purpose.

We may share information only in the following limited circumstances:

• Service providers: We work with carefully vetted third-party providers for hosting, payment processing, email delivery, and customer support. These providers are contractually bound to protect your data and may only use it to perform services on our behalf.
• Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you before your data becomes subject to a different privacy policy.

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: You can request a copy of the personal data we hold about you.
• Correction: You can ask us to correct any inaccurate or incomplete personal data.
• Deletion: You can request that we delete your personal data, subject to legal retention requirements.
• Export: You can request a machine-readable export of your data at any time from your account settings.
• Restriction: You can ask us to restrict the processing of your personal data in certain circumstances.
• Objection: You can object to the processing of your personal data for specific purposes.

These rights apply under GDPR (for EU/EEA residents), CCPA (for California residents), and similar data protection laws worldwide. To exercise any of these rights, contact us at privacy@lucoze.com.

7. Health Data

Lucoze processes health and medical data exclusively on behalf of our customers. In this relationship:

• The healthcare facility (our customer) is the data controller — they determine the purposes and means of processing patient data.
• Lucoze acts as the data processor — we process patient data only as instructed by the data controller and in accordance with our data processing agreement.
• We do not independently access, analyse, or use patient health data for any purpose beyond providing the Service as contracted.
• All health data processing complies with applicable healthcare data protection regulations, including but not limited to India's Digital Personal Data Protection Act and GDPR.

8. Cookies

Lucoze uses only essential cookies that are strictly necessary for the operation of the platform. These include:

• Session cookies: To keep you logged in and maintain your session state.
• Security cookies: To prevent cross-site request forgery and other security threats.
• Preference cookies: To remember your settings such as language and theme preference.

We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. We do not participate in ad networks or cross-site tracking.

9. Data Retention

• Active accounts: Your data is retained for as long as your account remains active and you continue to use the Service.
• Cancelled accounts: Upon cancellation, your data is retained for 90 days to allow for reactivation or data export. After 90 days, all data is permanently and irreversibly deleted from our servers, including backups.
• Legal holds: We may retain certain data for longer periods if required by law or to resolve disputes.

10. Children's Privacy

Lucoze is a professional healthcare management platform and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@lucoze.com and we will promptly delete it.

Note: Patient records for minors are managed by authorised healthcare professionals through the platform and are governed by the data processing agreement with the healthcare facility.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

• We will notify you by email at the address associated with your account.
• We will update the "Last updated" date at the top of this page.
• For significant changes, we will provide a prominent notice within the platform at least 30 days before the changes take effect.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.

12. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: privacy@lucoze.com
• Company: Svasamm Research Pvt. Ltd.

We aim to respond to all privacy-related enquiries within 5 business days.