Privacy Policy

How MediFlow HMS collects, uses, and protects your data.

Effective date: March 14, 2026 ·  Last updated: March 14, 2026

Plain-English Summary: You own your patient and organisational data. We process it only to run the Service on your behalf and never sell it. Data is encrypted at rest and in transit. You can export and delete all data at any time. After cancellation, data is deleted after 90 days. We are HIPAA-ready — request a BAA at hello@medifl.com.

1. Overview

MediFlow Technologies Ltd. ("MediFlow", "we", "us", or "our") operates the MediFlow HMS platform accessible at https://www.medifl.com ("Service"). This Privacy Policy explains how we collect, use, store, share, and protect information about you and your organisation when you use our Service.

This policy applies to:
• Hospital Administrators and staff who use the MediFlow dashboard
• Visitors to our marketing website at https://www.medifl.com
• Any individual whose personal data is processed through the Service (including patients whose records are managed by our customers)

We are committed to protecting your privacy and handling all personal data in accordance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Health Insurance Portability and Accountability Act (HIPAA) where applicable.

2. Data Controller & Data Processor

2.1 For Website Visitors. When you visit our marketing website, MediFlow Technologies Ltd. acts as the data controller for any personal data collected.

2.2 For Customer Data. When your organisation uses the MediFlow HMS platform to manage patient records, staff accounts, and clinical workflows, your organisation is the data controller, and MediFlow Technologies Ltd. acts as a data processor, processing data strictly on your instructions.

2.3 Responsibilities. As a data controller, your organisation is responsible for ensuring you have a lawful basis to process personal health data within the Service and that your patients and staff are informed of such processing. We provide tools (audit logs, export, deletion) to support your compliance obligations.

2.4 Data Processing Agreement (DPA). A Data Processing Agreement governing our obligations as your processor is available upon request at hello@medifl.com. Organisations subject to HIPAA may also request a Business Associate Agreement (BAA).

3. Information We Collect

3.1 Account & Organisation Information
• Organisation name, URL slug, short code, registration number
• Hospital Administrator name, email address, username, and hashed password
• Billing email address and Skrill transaction references (we do not store card details)
• Organisation contact details: phone number, email, physical address

3.2 Staff Account Information
• Name, email address, username, role, and branch assignments
• Login timestamps, IP addresses, and session tokens (for security and audit purposes)
• Account activity and audit log entries

3.3 Patient Data (processed on behalf of customers)
• Patient demographics: name, date of birth, gender, national ID / NIC, contact details
• Medical history, diagnoses, consultation notes, and prescriptions
• Laboratory orders and results
• Pharmacy dispense records and prescriptions
• OPD appointment records and ward/bed admissions
• SMS notification preferences and opt-out status

3.4 Usage & Technical Data
• Browser type, operating system, IP address, and device identifiers
• Pages visited, features used, and interaction timestamps
• Error logs and performance diagnostics (anonymised where possible)
• Cookies and similar tracking technologies (see Section 8)

3.5 Payment Information
• Subscription plan and billing cycle
• Skrill transaction IDs and recurring payment references
• We do not store, process, or have access to full card numbers or bank account details — all payment processing is handled by Skrill.

4. How We Use Your Information

We use personal data for the following purposes and on the following legal bases:

4.1 Service Delivery (Contractual Necessity)
• Provision, maintenance, and support of the HMS platform
• Account creation, authentication, and access control
• Recurring subscription billing via Skrill
• Sending transactional emails (account setup, password reset, payment confirmation)

4.2 Patient Care Workflow (Legitimate Interest / Contractual)
• Storing and displaying patient records to authorised clinical staff
• Sending SMS appointment reminders and lab result notifications to patients (where opted in)
• Generating clinical reports and analytics for hospital management

4.3 Security & Compliance (Legal Obligation / Legitimate Interest)
• Maintaining comprehensive audit logs of all data access and modifications
• Detecting and preventing unauthorised access, fraud, or abuse
• Account lockout after repeated failed login attempts
• Retaining records as required by applicable healthcare regulations

4.4 Service Improvement (Legitimate Interest)
• Analysing aggregated, anonymised usage patterns to improve features
• Identifying and resolving bugs and performance issues
• Internal research and product development (no individual patient data is used)

4.5 Legal Compliance (Legal Obligation)
• Responding to lawful requests from regulators, courts, or law enforcement
• Enforcing our Terms and Conditions

5. How We Share Your Information

We do not sell, rent, or trade your personal data. We share data only in the following circumstances:

5.1 Subprocessors. We engage third-party service providers to help deliver the Service. Each subprocessor is bound by confidentiality and data processing obligations at least as protective as those in this policy. Our key subprocessors include:
• Cloud infrastructure provider (hosting and database)
• Skrill (payment processing)
• Twilio (SMS notifications)
• Amazon Web Services SES (transactional email)
• Redis / BullMQ provider (background job queues)

An up-to-date list of subprocessors is available upon request.

5.2 Legal Requirements. We may disclose personal data if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.

5.3 Business Transfers. In the event of a merger, acquisition, or sale of all or substantially all of our assets, customer data may be transferred to the successor entity, subject to the same privacy protections described in this policy. We will notify you by email and prominent notice on the Service before any such transfer.

5.4 With Your Consent. We may share data for any other purpose with your explicit consent.

6. Data Retention

6.1 Active Accounts. Customer Data is retained for as long as your organisation maintains an active subscription.

6.2 After Cancellation or Termination. Upon cancellation or termination of your subscription, your Customer Data (including all patient records and staff accounts) is retained for 90 days. During this period you may request a full export of your data. After 90 days, all data is permanently and irreversibly deleted from our systems and backups.

6.3 Audit Logs. Audit log entries are retained for a minimum of 12 months and up to 7 years where required by healthcare regulations.

6.4 Billing Records. Transaction references and subscription records are retained for 7 years for accounting and legal compliance purposes. These records do not contain full card details.

6.5 Website Analytics. Aggregated, anonymised website usage data is retained indefinitely. Identifiable data collected via cookies is deleted after 13 months.

7. Data Security

We implement industry-standard technical and organisational measures to protect your data:
• Encryption at rest: AES-256 encryption for all stored data
• Encryption in transit: TLS 1.2 or higher for all data transmissions
• Access control: Role-based access control (RBAC) enforced at both application and database level — staff can only access data relevant to their role and branch
• Authentication security: Bcrypt-hashed passwords, JWT-based sessions, account lockout after 3 failed login attempts with a 10-minute lock and email-based unlock
• Audit logging: Every data access, modification, and deletion is logged with user identity, timestamp, and IP address
• Infrastructure: Hosted on a SOC 2-compliant cloud provider with automated backups and disaster recovery
• Vulnerability management: Regular security reviews and dependency updates

Despite our best efforts, no method of transmission or storage is 100% secure. If you suspect a security breach involving your account, contact us immediately at hello@medifl.com.

In the event of a data breach affecting your personal data, we will notify you and relevant supervisory authorities as required by applicable law, within 72 hours of becoming aware.

8. Cookies & Tracking

Our marketing website (https://www.medifl.com) uses cookies and similar technologies for the following purposes:

8.1 Strictly Necessary Cookies. Required for the website and application to function. These cannot be disabled. Examples: authentication session tokens, CSRF protection tokens.

8.2 Functional Cookies. Remember your preferences (e.g., language, last visited page). These persist for up to 12 months.

8.3 Analytics Cookies. Help us understand how visitors use our site (e.g., which pages are most visited). Data is anonymised and aggregated. We use privacy-respecting analytics tools.

8.4 No Third-Party Advertising Cookies. We do not use advertising cookies or tracking pixels, and we do not share your browsing behaviour with advertising networks.

You can manage or disable cookies through your browser settings. Disabling strictly necessary cookies may affect the functionality of the Service.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:
• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention obligations.
• Right to Restriction: Request that we restrict processing of your data in certain circumstances.
• Right to Data Portability: Receive your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests.
• Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Rights Related to Automated Decision-Making: We do not make automated decisions with significant legal effects using your personal data.

To exercise any of these rights, contact us at hello@medifl.com. We will respond within 30 days. We may ask you to verify your identity before fulfilling your request.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with your local supervisory authority (e.g., the UK Information Commissioner's Office at ico.org.uk).

10. International Data Transfers

MediFlow Technologies Ltd. is based in the United Kingdom. Your data may be processed by our subprocessors in other countries, including within the European Economic Area (EEA) and the United States. Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including:
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers to countries with an adequacy decision from the UK ICO or European Commission
• For US-based processors: adherence to the UK-US Data Bridge or equivalent frameworks

By using the Service, you acknowledge that your data may be transferred and processed in these locations.

11. Children's Privacy

The MediFlow HMS Service is designed for use by healthcare organisations and their professional staff. We do not knowingly collect personal data directly from children under the age of 16 through our website or account registration process. In the context of patient records, our customers (healthcare organisations) may process health data relating to minors as part of their clinical operations. In such cases, the healthcare organisation, as data controller, is responsible for ensuring they have appropriate legal authority (e.g., parental consent) to process such data.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
• Post the updated policy on this page with a new "Last Updated" date
• Send a notification email to the primary contact of each active organisation account
• Display an in-app notice for at least 14 days before the changes take effect

Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree, please stop using the Service and contact us to arrange export and deletion of your data.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: hello@medifl.com
Company: MediFlow Technologies Ltd.
Website: https://www.medifl.com

For data protection enquiries specifically, including requests to exercise your rights or to obtain a copy of our Data Processing Agreement or BAA, please email hello@medifl.com with the subject line "Data Privacy Request". We aim to respond to all privacy-related enquiries within 5 business days.
