1. Scope & our role
This policy covers two distinct relationships:
(a) Patient data uploaded by hospitals — we are the processor
When a hospital, clinic or diagnostic centre ("Customer") uses Iqwex, the Customer is the data fiduciary / data controller for all patient data, clinical records and personal data uploaded into its tenant. Enstrics LLP acts as a data processor, processing such data only on the Customer's instructions and as needed to provide the Service. If you are a patient with questions about your medical records, please contact your hospital directly — we cannot release patient data without the Customer's authorisation.
(b) Information about hospital staff and website visitors — we are the controller
Enstrics is the controller for the limited information we collect directly: hospital-staff account information, support communications, and information collected from visitors to our marketing website (iqwex.com). This policy describes how we handle that information.
2. Information we process
Account & staff information
- Name, work email, role, department, mobile number (where provided)
- Login credentials (passwords are stored only as one-way salted hashes)
- Multi-factor authentication tokens, session metadata
- Audit logs of actions taken inside the Service
Customer Data uploaded into the Service
- Patient demographics, ABHA IDs (where the Customer chooses to capture them), allergies, vitals, diagnoses, prescriptions, lab orders and reports, billing records, and other clinical or operational data the Customer enters
- Files and attachments uploaded by Authorised Users
- Configuration data: tariffs, formularies, departments, schedules, etc.
Technical data
- IP address, user agent, device type, time-zone, page navigation logs
- Application telemetry: error logs, performance metrics, request traces
Communications
- Support tickets, emails, chats, and any information you choose to share with us
3. How we use information
- To provide, operate, and maintain the Service for the Customer
- To authenticate users and enforce role-based access controls
- To detect, investigate and prevent fraud, abuse, and security incidents
- To provide customer support and respond to enquiries
- To bill, invoice, and collect fees
- To improve the Service through aggregated, de-identified analytics
- To comply with legal obligations and respond to lawful requests
We do not sell personal data, and we do not use Customer Data (including patient data) to train AI models for any third party. Internal product improvement is performed using only aggregated and de-identified telemetry.
5. How we protect information
Iqwex is hosted on Microsoft Azure, which maintains globally recognised certifications (including ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3 and others). Within that environment, Enstrics implements:
- Tenant-level isolation of Customer Data;
- TLS encryption of all data in transit between clients and the Service;
- Encryption at rest on Azure SQL and Azure Storage using platform-provided mechanisms (e.g., Transparent Data Encryption, Storage Service Encryption);
- Automated backups using Azure-native backup with point-in-time restore, retained for the standard retention configured in our environment;
- Role-based access controls for application users and stricter controls (with multi-factor authentication) for production access by Enstrics personnel;
- Audit logging of user activity inside the application;
- Patching & vulnerability management on operating systems, runtimes and dependencies;
- Secret management using Azure-managed secret stores;
- Hashed passwords with industry-standard one-way hashing — Enstrics personnel cannot read user passwords.
6. Limits of our responsibility & breach handling
- Enstrics is not liable for unauthorised access, loss or disclosure of information caused by cyber-attacks, hacking, ransomware, social engineering, zero-day vulnerabilities, or unauthorised acts of third parties (including Authorised Users of the Customer) — beyond what arises from Enstrics's gross negligence or wilful misconduct.
- Enstrics is not liable for loss of data or disruption arising from natural disasters, fires, floods, earthquakes, pandemics, war, terrorism, civil unrest, regional power or telecom outages, or other Force Majeure events.
- Enstrics is not liable for outages, faults, or service-level breaches by Microsoft Azure or other third-party platforms on which the Service depends.
- Enstrics is not liable for data loss caused by accidental deletion, mis-configuration, or weak security practices on the Customer's side.
If we become aware of a security incident affecting Customer Data within Enstrics's reasonable control, we will use commercially reasonable efforts to investigate, contain and remediate, and to notify the affected Customer in line with applicable law. The Customer, as the data fiduciary, is responsible for any onward notifications to patients, regulators or other authorities. The full liability framework is set out in our Terms & Conditions.
7. Data retention & deletion
We retain Customer Data for as long as the Customer's subscription is active and for a reasonable period thereafter (typically thirty (30) days) to enable export, after which we will delete or anonymise the data from production systems in line with our retention policy and applicable law. Backup copies may persist for a defined retention window before they are recycled in the normal course of business. Account information for hospital staff is retained for the duration of the engagement plus any period required by law.
8. Your rights
Subject to applicable law (including the Digital Personal Data Protection Act, 2023 in India), you may have rights to access, correct, update, or request deletion of your personal data, withdraw consent, or lodge a complaint with the regulator.
- Patients: please direct requests about your medical records to the hospital that holds them. Enstrics, as a processor, will support the hospital in fulfilling its obligations.
- Hospital staff & website visitors: contact support@iqwex.com with your request. We may need to verify your identity before acting.
10. Children's data
The Service is intended for hospital staff and adult patients. Where a hospital captures records of minors as part of patient care, this is done under the hospital's own consent and lawful-basis framework. Enstrics does not knowingly market the Service to children.
11. International transfers
Customer Data is hosted in Microsoft Azure data-centre regions selected by Enstrics, defaulting to a region within India where available. Limited operational data (such as support communications and aggregated telemetry) may be processed outside India by sub-processors, subject to appropriate safeguards.
12. Changes to this policy
We may update this Privacy Policy from time to time. The latest version will always be posted on this page with an updated effective date. Material changes will be communicated through the Service or by email to the Customer's primary contact.
13. Contact us
For privacy questions, requests, or concerns:
- Enstrics LLP
- Trivandrum, Kerala 695572, India
- Email: support@iqwex.com
- Company-level: contact@enstrics.com