Last updated May 24, 2025
Data Policy
1. Purpose of This Policy
This Data Policy describes how Ozmi manages data across its platform in technical and operational detail. It supplements our Privacy Policy. Where the two conflict, the Privacy Policy takes precedence.
Ozmi is committed to compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and all applicable rules issued under these acts.
2. Data Architecture
2.1 Multi-Tenant Isolation
Each clinic that registers on Ozmi receives an isolated workspace. All clinic data — patient records, appointments, billing, treatment plans, staff profiles — is associated with that clinic's unique identifier and is inaccessible to any other clinic.
Isolation is enforced at the database level using Row-Level Security (RLS) policies in our Postgres database. No user from one clinic can access data from another clinic through any interface, API, or query.
2.2 Role-Based Access Control
Within a clinic workspace, access is further restricted by role:
- Super Admin / Admin: Full access to all clinic data including patient records, billing, staff management, and settings.
- Dentist: Access to patient records, appointments, and treatment plans. No access to billing configuration or staff management.
- Receptionist: Access to appointment scheduling, patient registration, and invoice generation. No access to clinical notes or treatment plans.
Role-based restrictions are enforced both at the UI level and at the database level. The database-level controls are authoritative.
2.3 Data Residency
Ozmi's database is hosted on Supabase. Static application assets are served via Vercel's CDN. No personal or patient data is cached at the CDN level.
3. Categories of Data Processed
3.1 Clinic and Account Data
- Clinic name, address, contact information, GST number
- User profiles: name, email, phone, role, login timestamps, invitation status
- Subscription plan, billing cycle, payment history
- App settings and preference configurations
3.2 Patient Data (Sensitive Personal Data)
Patient data is classified as sensitive personal data under the DPDP Act. It includes:
- Full name, age, gender, date of birth
- Phone number, email address, home address
- Medical history: general health conditions, allergies, medications
- Dental history: previous procedures, existing dental work, chief complaints
- Treatment plans: proposed procedures, clinical notes, progress notes
- Appointment history: dates, times, assigned dentist, attendance status
- Financial records: invoices, payments, outstanding balances, GST details
- Uploaded clinical documents if applicable
3.3 Technical and Operational Data
- Server logs: API request logs, authentication events, error logs
- Usage analytics: feature usage, page views, session duration
- Device metadata: IP address, browser version, OS, device type
4. Security Measures
4.1 Encryption
- In transit: All data is encrypted using TLS 1.2 or higher. HTTPS is enforced across all Ozmi domains.
- At rest: All database content is encrypted using AES-256 managed by Supabase.
4.2 Authentication
- Authentication uses Supabase Auth with secure JWT-based sessions.
- Passwords are hashed using bcrypt and never stored in plain text.
- Session tokens expire after a defined inactivity period.
- All authentication events are logged and retained for 90 days.
4.3 Database Security
- RLS is enforced on all tables containing personal data.
- RLS policies are tested to prevent cross-tenant data leakage.
- Database access is not exposed directly to the public. All interactions go through authenticated API calls.
4.4 Vulnerability Management
- All dependencies are monitored for known vulnerabilities and updated regularly.
- Security patches are applied promptly once a vulnerability is discovered.
- Responsible disclosure reports can be submitted to support@ozmi.in.
5. Data Retention and Deletion
5.1 Retention Schedule
| Data Type | Retention Period | Reason |
|---|---|---|
| Clinic and patient data (active account) | Duration of active subscription | Service delivery |
| Clinic and patient data (post-cancellation) | 90 days after cancellation | Data export window |
| Billing records and invoices | 7 years | GST and tax compliance |
| Authentication and access logs | 90 days | Security auditing |
| Server error logs | 90 days | Debugging |
| Support communications | 2 years from last contact | Dispute resolution |
| Usage analytics | 24 months | Product improvement |
5.2 Deletion Process
When the post-cancellation retention period expires, all patient records, appointments, treatment plans, and staff profiles are permanently deleted from the live database. Database backups containing this data are purged within 30 days of the deletion date as part of the scheduled backup rotation cycle. Billing records are retained separately per GST obligations.
5.3 Data Export
Clinics may request a data export before deletion by emailing support@ozmi.in. Exports are fulfilled within 7 business days. Failure to request an export before the 90-day window expires results in permanent and irrecoverable data loss. Ozmi is not liable for data lost due to failure to export within this window.
6. Data Processing Relationships
6.1 Clinic as Data Controller
For all patient data, the clinic is the data controller under the DPDP Act 2023. The clinic is solely responsible for obtaining valid patient consent, informing patients about data use, responding to patient data requests, and maintaining a lawful basis for processing patient health data.
6.2 Ozmi as Data Processor
Ozmi processes patient data only on behalf of and under the instructions of the clinic. We do not use patient data for our own purposes. Any liability arising from the clinic's failure to obtain proper consent or comply with applicable law rests entirely with the clinic.
6.3 Sub-Processors
| Sub-Processor | Purpose | Data Accessed |
|---|---|---|
| Supabase | Database, authentication, file storage | All clinic and patient data |
| Vercel | Application hosting and CDN | Static assets only — no personal data |
| Razorpay (payment gateway) | Subscription payment processing | Billing information only |
| Meta (WhatsApp Business API) | Appointment reminder delivery via Ozmi's shared sender number | Patient phone number, appointment details |
The table above covers sub-processors engaged directly by Ozmi. Clinics that configure a custom WhatsApp sender number integrate directly with their own chosen provider (such as Interakt, Wati, or similar). Ozmi has no data-sharing relationship with those providers. The clinic is solely responsible for that integration, including its compliance with applicable law and any data processing agreements required with their provider.
7. Data Subject Rights
7.1 Clinic Owners and Staff
You may request access, correction, deletion, or portability of your personal data by emailing support@ozmi.in. We will respond within 30 days. Deletion requests are subject to our legal retention obligations.
7.2 Patients
Patients must contact their clinic directly to exercise data rights. The clinic is the data controller for patient records and is responsible for fulfilling those requests.
8. Incident Response
In the event of a data breach likely to result in risk to individuals:
- We will investigate and take immediate containment measures.
- We will notify affected clinic owners via email to their registered clinic address as soon as reasonably practicable, and no later than 72 hours after becoming aware of the breach.
- We will report to the Data Protection Board of India as required under the DPDP Act 2023.
- Clinics are responsible for notifying their affected patients in accordance with applicable law.
To report a suspected incident, email support@ozmi.in immediately.
9. Compliance
Ozmi operates in compliance with:
- Digital Personal Data Protection Act, 2023
- Information Technology Act, 2000 and Amendment Act, 2008
- IT (Reasonable Security Practices and Sensitive Personal Data) Rules, 2011
- GST Act requirements for financial record retention
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email at least 14 days before they take effect.
11. Contact
Ozmi
Email: support@ozmi.in
Website: ozmi.in