Privacy Policy

Last updated: 22 March 2026  ·  Effective: 22 March 2026

This Privacy Policy explains how Siuex Medical ("we", "us", "our") collects, uses, and protects information about you when you use our clinic management platform at app.siuex.com. Please read it carefully. By using Siuex Medical you agree to the practices described here.

01 Who We Are

Siuex Medical is a cloud-based clinic management platform operated by Siuex Medical (Pvt) Ltd, incorporated in Sri Lanka. We provide software tools for optical clinics and pharmacies to manage prescriptions, patients, inventory, orders, staff, and business analytics.

For the purposes of applicable data protection law, Siuex Medical is the data controller of information relating to account holders and clinic administrators. Clinic administrators are the data controllers of patient data entered into the platform; Siuex Medical acts as a data processor in respect of that patient data.

02 Information We Collect

Account & billing information

  • Name, email address, and password (hashed) when you create an account
  • Clinic name, type (optical or pharmacy), and address
  • Billing details (processed by our payment provider — we do not store raw card numbers)
  • Subscription tier and payment history

Clinic operational data (entered by you)

  • Patient records: names, contact details, date of birth, medical history, allergies
  • Prescriptions: optical measurements, diagnosis codes, medication details
  • Orders, inventory items, and stock levels
  • Staff profiles and role assignments
  • Tasks, audit logs, and campaign data

Usage & technical data

  • IP address, browser type, device type, and operating system
  • Pages visited, features used, and session duration
  • Error logs and performance diagnostics

03 How We Use Your Data

We use the information we collect to:

  • Provide, operate, and improve the Siuex Medical platform
  • Process payments and manage your subscription
  • Send transactional emails (account confirmation, password reset, billing receipts)
  • Respond to support requests
  • Monitor platform security and prevent fraud or abuse
  • Analyse aggregate usage to improve features and performance
  • Comply with legal obligations

We do not use your clinic's patient data for marketing, sell it to third parties, or use it to train AI models without explicit consent.

04 AI Features & Patient Data

Siuex Medical uses AI to power prescription anomaly detection, patient summaries, natural language reports, and business insights. We take specific care with how patient data is handled in these contexts:

  • Anonymisation before processing: Patient names and direct identifiers are removed before any data is passed to AI models. AI features operate on anonymised clinical records only.
  • No training on your data: Your clinic's patient data is never used to train AI models — either our own or third-party models.
  • Ephemeral processing: AI queries are processed in-memory and not stored by the AI provider beyond the duration of the request.
  • Third-party AI providers: We use Anthropic's Claude API for AI features. Anthropic processes anonymised data in accordance with their API usage policies. No personally identifiable patient information is transmitted.

HIPAA note: Our infrastructure is built to HIPAA-ready standards. If your clinic is subject to HIPAA requirements, please contact us to execute a Business Associate Agreement (BAA).

05 Data Sharing

We do not sell your data. We share information only in the following limited circumstances:

  • Service providers: We use trusted third-party providers for hosting (cloud infrastructure), payments, email delivery, and error monitoring. Each is bound by data processing agreements.
  • Legal requirements: We may disclose data if required by law, regulation, court order, or to protect the rights and safety of our users or the public.
  • Business transfer: In the event of a merger, acquisition, or sale of assets, user data may be transferred. We will notify you before any such transfer and before your data becomes subject to a different privacy policy.
  • With your consent: We may share data in any other way you explicitly agree to.

06 Data Retention

We retain your account data for as long as your subscription is active, and for up to 90 days after cancellation to allow account recovery. After that period, account and clinic data is permanently deleted from our systems.

You can request immediate deletion of your data at any time by contacting us at the address below. We will complete deletion within 30 days, except where we are required to retain certain records by law (e.g. billing records for tax purposes, which are retained for 7 years).

Audit logs are retained for 12 months from the date of the recorded action, then purged.

07 Security

  • All data is encrypted in transit using TLS 1.2 or higher
  • All data is encrypted at rest using AES-256
  • Passwords are hashed using bcrypt with a per-user salt
  • Access to production systems is restricted to authorised personnel only, protected by MFA
  • We perform regular security assessments and dependency audits
  • Clinic staff accounts use role-based access control so staff only see what their role permits

Despite these measures, no system is completely secure. If you believe your account has been compromised, please contact us immediately.

08 Your Rights

Depending on where you are located, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Portability: Request an export of your data in a machine-readable format
  • Objection: Object to processing of your data for marketing purposes
  • Restriction: Request that we limit how we use your data in certain circumstances

To exercise any of these rights, contact us at the address in Section 12. We will respond within 30 days. We do not charge a fee for reasonable requests.

Note: as a clinic administrator, you are also responsible for handling the equivalent rights requests from your own patients regarding data you have entered into the platform.

09 Cookies

Siuex Medical uses a minimal set of cookies necessary for the platform to function:

  • Authentication token: Stored in localStorage to keep you logged in. Essential — the platform cannot function without it.
  • Session preferences: Remembers UI settings such as pricing toggle state. No personal data.

We do not use advertising cookies, cross-site tracking cookies, or sell cookie data to third parties. We do not currently use analytics cookies (e.g. Google Analytics).

10 Children

Siuex Medical is a business software platform intended for use by clinic professionals aged 18 and over. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Note: patient records for minors may be stored in the platform by clinic administrators as part of their professional obligations. Such records are subject to the data processing terms in Section 4.

11 Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and by displaying a prominent notice in the platform at least 14 days before the change takes effect.

The "Last updated" date at the top of this page always reflects the most recent revision. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

12 Contact Us

If you have any questions about this Privacy Policy, wish to exercise your rights, or want to report a security concern, please contact us:

Siuex Medical (Pvt) Ltd

Phone / WhatsApp: +94 77 200 5661

We aim to respond to all privacy-related enquiries within 5 business days.