Privacy Policy

Last updated: April 2026

1. Introduction

OHC Command ("we", "us", "the Service") is committed to protecting the privacy of our users and the employees whose health data is managed through our platform. This policy describes how we collect, use, store, and protect personal and health information.

This policy applies to all users of OHC Command, including OHC administrators, doctors, nurses, pharmacy staff, and the employees whose records are managed in the system.

2. Data Controller

The data controller is Dr. Karthikayan, operating OHC Command. Your organisation (the "Tenant") acts as the data controller for employee health records, and we act as the data processor on behalf of the Tenant.

Contact: drkarthikayan@gmail.com

3. Data We Collect

3.1 Account Data

Data Type	Purpose	Retention
Name, email, staff ID	Authentication and access control	Duration of account
Role (doctor, nurse, admin, etc.)	Role-based permissions	Duration of account
Login timestamps	Security monitoring	90 days

3.2 Employee Health Data (processed on behalf of your organisation)

Data Type	Purpose	Legal Basis
Employee demographics (name, ID, dept)	Identity and record linking	Employment contract / Factories Act
Clinical records (OPD visits, vitals, complaints)	Healthcare delivery	Factories Act Sec 73 / Employment
Examination results (pre-employment, periodic)	Fitness certification	Factories Act Sec 73
Injury and incident records	Regulatory reporting (OSHA, ILO)	Factories Act Sec 88 / Legal obligation
Prescription and dispensary records	Medication tracking	Healthcare delivery
Vaccination records	Immunisation compliance	Occupational health requirements

3.3 Technical Data

We automatically collect browser type, IP address (anonymised), and usage patterns for service improvement and security monitoring. We do not use this data for advertising.

4. How We Use Data

Service delivery: To provide OHC management features as described in our Terms of Service
Security: To authenticate users, enforce tenant isolation, and detect unauthorised access
Compliance: To generate statutory reports required under the Factories Act, OSHA, and ILO conventions
Support: To respond to support requests and troubleshoot issues
Improvement: To improve the Service based on anonymised, aggregated usage patterns

We do not: Sell personal data, use health data for advertising, share individual-level data with third parties, or use data for purposes beyond those described here.

5. Data Storage & Security

Infrastructure: Google Cloud Platform (Firebase), asia-south1 region (Mumbai, India)
Encryption: TLS 1.3 in transit, AES-256 at rest (Google-managed keys)
Authentication: Firebase Auth with bcrypt-hashed passwords and custom JWT tokens
Tenant isolation: Firestore security rules enforce isTenantMember() — one tenant cannot access another's data
Role-based access: 5 roles (super_admin, ohc_admin, doctor, nurse, pharmacy) with field-level visibility
Backups: Automated daily backups to Google Cloud Storage
Monitoring: Error tracking via Sentry (if enabled), crash reporting to Firestore

6. Data Sharing

We share data only with:

Google Cloud Platform: Infrastructure provider (data processing agreement in place)
Sentry: Error tracking (only error metadata, no health data) — if enabled by tenant
SMS/WhatsApp providers: MSG91 or Twilio for alert notifications — if configured by tenant (only alert text, no clinical data)

We do not share employee health records with any third party. Your organisation controls all data sharing decisions.

7. Data Retention

Active accounts: Data retained for the duration of the subscription
After cancellation: Data available for export for 30 days, then permanently deleted
Health records: Retained as required by the Factories Act (minimum 5 years for injury records per OSHA 29 CFR 1904.33)
Audit logs: Retained for 2 years for compliance purposes

8. Your Rights

Under the Digital Personal Data Protection Act (DPDP Act, 2023), data principals have the right to:

Access: Request a copy of personal data we hold
Correction: Request correction of inaccurate data
Erasure: Request deletion of personal data (subject to legal retention requirements)
Portability: Export data in CSV/Excel format via the portal's export features
Grievance redressal: Contact us to resolve any privacy concerns

To exercise these rights, contact: drkarthikayan@gmail.com

9. Cookies

OHC Command uses only essential cookies and localStorage for session management and offline functionality. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

10. Children's Privacy

The Service is designed for workplace occupational health management. We do not knowingly collect data from individuals under 18 years of age.

11. International Transfers

All data is stored in Google Cloud's asia-south1 region (Mumbai, India). No data is transferred outside India unless required by the tenant's specific configuration.

12. Changes to This Policy

We will notify you of material changes via email or in-app notification at least 14 days before they take effect. Continued use of the Service after changes constitutes acceptance.

13. Contact & Grievance Officer

For privacy concerns or to exercise your rights under the DPDP Act:

Dr. Karthikayan (Data Protection Officer)
Email: drkarthikayan@gmail.com
We will respond to all requests within 30 days.