DocuMed ("we", "us", or "our") operates the DocuMed electronic health records platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information about you and your patients when you use our Service.
By using DocuMed, you agree to the collection and use of information as described in this policy.
We collect information you provide directly when you:
This may include names, contact information, clinical notes, diagnoses, and uploaded documents.
We use the information we collect to:
We do not sell, trade, or otherwise transfer patient data to third parties.
DocuMed uses clinic-level data isolation, role-based access control, and authenticated file delivery to protect patient records. All data is stored with access restricted to authorised users of the specific clinic.
No system is 100% secure. We encourage clinic administrators to enforce strong passwords and promptly deactivate departing staff accounts.
Active accounts. All patient data — including records, visit notes, uploaded files, and audit logs — is retained for as long as your clinic's account remains active. There is no automatic deletion of data during an active subscription.
Upon termination or non-renewal. When a subscription ends or is not renewed, your clinic's data is held securely for a 30-day grace period. During this window your data remains intact and you may request an export (see below). After 30 days, all data associated with your clinic is permanently and irreversibly deleted from our systems and backups.
Data export. You may request a structured export of your clinic's patient data at any time during an active subscription, or within the 30-day grace period following termination, by emailing privacy@dcumed.health. We will respond within 10 business days. Exports are provided at no additional charge.
Your obligations as data controller. DocuMed acts as a data processor on your behalf; your clinic is the data controller. Medical records legislation varies by country and may require you to retain certain records for a defined period (commonly 7–10 years) regardless of which system you use. You are responsible for ensuring that terminating your DocuMed subscription does not cause you to breach your local medical records retention obligations. We recommend exporting and archiving your data before your account closes if required by your jurisdiction.
Backups. We maintain system backups for disaster recovery purposes. Backup copies of data may persist for up to 30 days after deletion from live systems, after which they are purged as part of our regular backup rotation.
Depending on the data protection laws applicable in your jurisdiction, you and/or your patients may have the following rights with respect to personal data held by DocuMed. Requests should be submitted to privacy@dcumed.health and we will respond within 30 days.
Right of access. You may request a copy of the personal data we hold about your clinic, its users, and its patients. We will provide this in a structured, machine-readable format (such as CSV).
Right to rectification. If any data we hold is inaccurate or incomplete, you may request that we correct it. In most cases, clinic administrators can correct patient and user data directly within the application without needing to contact us.
Right to erasure ("right to be forgotten"). You may request deletion of personal data. We will delete the requested data unless we are legally required to retain it (for example, where local law mandates a minimum medical records retention period). Please note that as your clinic is the data controller for patient records, requests for erasure of patient data should be handled by your clinic in the first instance.
Right to restriction of processing. You may request that we restrict our processing of your data in certain circumstances — for example, while a dispute about accuracy is being resolved.
Right to data portability. You may request a copy of your clinic's data in a structured, portable format so it can be transferred to another provider. See the data export section above for details.
Right to object. You may object to our processing of your data where we rely on legitimate interest as a legal basis. We will assess the objection and cease processing unless we have compelling legitimate grounds that override your interests.
Rights related to automated decision-making. DocuMed does not make automated decisions with legal or significant effects based on patient data.
Note for patient rights requests. Patients wishing to exercise their data rights (such as requesting access to or deletion of their records) should contact their clinic directly. The clinic, as data controller, is the appropriate party to handle such requests. DocuMed will co-operate fully with a clinic's legally compliant request to assist in fulfilling patient rights.
If you have questions about this Privacy Policy or how we handle your data, please contact us at: