Privacy Policy

Last updated: September 26, 2025

This Privacy Policy describes how Sorge (“we”, “us”, or “our”) collects, uses, and shares information when clinics and their authorized staff use our multi-clinic management platform.

1. Scope

This policy applies to clinics, clinic staff (for example: doctors, administrators, and clinic personnel), and any patient data uploaded or managed through the Sorge platform. Sorge is a B2B product: patients do not log in directly to our platform.

2. Information We Collect

When clinics use Sorge, we may collect the following categories of information:

Clinic & Staff Information

  • Names, email addresses, phone numbers, role/permission data, and account credentials.

Patient Information (provided by clinics)

  • Identifiers: first name, last name, date of birth, gender.
  • Contact details: email address and phone number.
  • Medical data: appointment records, prescriptions, medical notes, treatment history, and related clinical data entered by clinics.

Technical & Usage Data

  • Log data: IP addresses, browser type, device and OS information, and request timestamps.
  • Analytics & performance: collected via Vercel and PostHog to monitor app performance and usage patterns, and to improve the service.

We do not currently collect or store payment or financial data.

3. How We Use Information

We use collected information to:

  • Provide and operate the Sorge platform and its features (patient records, appointments, prescriptions).
  • Send transactional communications (e.g., appointment reminders, prescription notifications) via the WhatsApp API.
  • Integrate with third-party tools (for example, Google Calendar) as requested by clinics.
  • Maintain and improve platform security, performance, and reliability using Vercel and PostHog.
  • Comply with legal obligations and respond to lawful requests.

We do not use patient data for marketing.

4. Data Sharing

We may share data only in the following limited circumstances:

  • Service providers: Trusted third parties who process data on our behalf (for hosting, analytics, messaging integrations such as WhatsApp API, and calendar integrations).
  • Legal obligations: When required by law or to respond to lawful requests from public authorities.
  • Business transfers: In connection with a merger, acquisition, or sale of assets — where any buyer must honor this Privacy Policy.

We do not sell clinic or patient data.

5. Data Retention

We retain patient and clinic data for as long as the clinic account remains active. If a clinic requests deletion of its account and data, we will permanently delete the data within 90 days, except where a longer retention period is required by law.

Backups, logs, and temporary copies are also scheduled for purge within the 90-day window following a deletion request.

6. Data Security

We implement reasonable technical and organizational measures to protect the confidentiality, integrity, and availability of data, including:

  • Encrypted transmission (HTTPS/TLS) for data in transit.
  • Access controls, authentication, and role-based permissions for clinic staff.
  • Audit logging and monitoring for security and compliance purposes.
  • Secure hosting and deployment with Convex (database) and Vercel (platform), and analytics via PostHog.

While we follow industry best practices, no system is completely secure. Clinics are responsible for choosing and enforcing appropriate internal security practices (strong passwords, protecting account credentials, and limiting user access where appropriate).

7. International Transfers

Sorge uses third-party providers who may process data outside the European Economic Area (EEA). When data is transferred internationally, we put in place appropriate safeguards consistent with GDPR (for example, standard contractual clauses or other lawful transfer mechanisms) as required.

Note: Convex’s server locations are managed by Convex; clinics should consult Convex’s documentation for details about infrastructure regions.

8. Rights under GDPR

Under the GDPR, clinics (as controllers of patient data) and individuals have certain rights, including the rights to access, rectify, export, or delete personal data. Because clinics control patient records in Sorge, patients should contact their clinic to exercise these rights. Clinics may contact Sorge to request assistance in exporting or deleting patient data.

9. User Accounts & Data Portability

Clinic administrators can export patient data in common formats (CSV/JSON) and may request full deletion of clinic and patient data. Export or deletion requests can be initiated from the account settings or by contacting Sorge support.

10. Integrations & Third-Party Services

Sorge integrates with third-party services at a clinic’s request. Examples include:

  • WhatsApp API — Sending transactional messages (reminders, prescriptions).
  • Google Calendar — Syncing appointments (if enabled by the clinic).
  • Vercel and Convex — Hosting and database services.
  • PostHog — Product analytics and performance monitoring.

Each third party has its own privacy practices. Clinics should review third-party privacy policies before enabling integrations.

11. Children’s Privacy

Sorge is intended for use by clinics and healthcare professionals. We do not knowingly collect information directly from individuals under 16 years of age.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the revised policy on our website with an updated “Last updated” date.

13. Contact Us

If you have questions about this Privacy Policy or want to make a data request (export, correction, deletion), please contact us:

  • Email: hey@sorge.care
  • Address: 2/30, Murugan Koil Street, Poyyapakkam, Villupuram, Tamil Nadu, India.