Partner Portal — Privacy Policy

Privacy Policy

This policy applies to the Saalas Shifa Partner Portal — used by doctors, lab technicians, and administrators to manage healthcare services on the Saalas platform.

Last updated: April 17, 2026

1. About This Portal

The Saalas Shifa Partner Portal (“the Portal”) at https://shifa.saalas.app is a professional management platform operated by Saalas Technologies. It is designed exclusively for:

  • Doctors & Specialists — to manage patient consultations, view shared medical records, issue digital prescriptions, and conduct video calls.
  • Laboratory Partners — to receive home test requests, upload diagnostic results, and manage sample collections.
  • Administrators — to onboard, review, and approve partner accounts; oversee platform operations.

This Portal is not a patient-facing application. Patients use the separate Saalas Shifa mobile app. This policy covers how we handle the data of partner users (doctors, labs, admins) and explains how patient data may be accessed through the Portal under strict consent conditions.

2. Information We Collect from Partner Users

2.1 Doctor Onboarding Data

When a doctor registers on the Portal, we collect:

  • Full name, profile photograph, specialization, and years of experience.
  • Medical license number, issuing authority, and validity dates.
  • Scanned copies of professional qualification certificates (MBBS, MD, FCPS, etc.).
  • Clinic or hospital affiliation, address, and contact details.
  • Email address and mobile number for account authentication.
  • Bank account / payment details for processing consultation fees (handled via a secure third-party payment processor).

2.2 Lab Partner Onboarding Data

  • Laboratory name, physical address, operating license, and accreditation certificates.
  • Contact person name, email, and phone number.
  • Catalog of available diagnostic tests and pricing.

2.3 Administrator Accounts

  • Name, email, and role permissions assigned by the organization.

2.4 Automatically Collected Data

  • Login timestamps, IP address, browser/device type used to access the Portal.
  • Activity logs (which records were viewed, actions taken) for security audit purposes.

3. Access to Patient Data — Consent-Gated Only

Partner users (doctors and labs) may access certain patient health information through this Portal. This access is strictly governed by the following principles:

  • Explicit Patient Consent: A doctor can only view a patient's medical records, lab reports, or consultation history if the patient has explicitly chosen to share those records when booking an appointment through the Saalas Shifa mobile app.
  • Purpose Limitation: Access is limited to the records relevant to the specific booked appointment or lab test. Doctors cannot browse patient records beyond what the patient has authorized.
  • Read-Only Context: Lab results from other providers are accessible only in read-only mode to inform clinical decisions during a consultation.
  • Session-Scoped: Patient data is displayed contextually within an active appointment. It is not exported, downloaded, or stored independently by the Portal.
  • No Marketing Use: Patient data accessed through the Portal will never be used for marketing, profiling, or any purpose other than direct patient care.

The originating privacy notice for patient data is contained within the Saalas Shifa patient app, where patients provide their initial consent.

4. How We Use Partner Data

  • To verify professional credentials and approve partner accounts before granting access.
  • To authenticate login sessions and protect accounts from unauthorized access.
  • To enable doctors to manage their appointment schedules and conduct video consultations.
  • To enable lab partners to receive, process, and report on diagnostic test requests.
  • To process and distribute payments to healthcare providers for completed services.
  • To maintain security audit logs and investigate any suspicious activity.
  • To send account notifications (approval status updates, appointment alerts, payment confirmations).
  • To comply with applicable healthcare and data protection regulations.

5. Data Sharing

Partner data is shared only in the following circumstances:

  • Within the Platform: Approved doctor profiles (name, specialization, photo) are published to the patient-facing app to enable appointment booking.
  • Payment Processors: Banking details are securely transmitted to our payment gateway for fee disbursement. We do not store raw bank account credentials on our servers.
  • Cloud Infrastructure: Data is hosted on Amazon Web Services (AWS) under strict data processing agreements.
  • Legal Obligations: We may disclose data to regulatory authorities (e.g., medical licensing boards, courts) when required by applicable law.

We do not sell, rent, or trade partner data to any third party for commercial purposes.

6. Data Security

  • Encryption in Transit: All data between the Portal and our servers is encrypted with TLS 1.3.
  • Encryption at Rest: Sensitive credential documents and personal information are stored with AES-256 encryption.
  • Authentication: AWS Cognito provides secure multi-factor authentication and session token management.
  • Role-Based Access Control: Admin users have tiered permissions — no single role can access all platform data.
  • Audit Logs: All access to sensitive records (especially patient data views) is logged with timestamps, user identity, and action type.

7. Data Retention

  • Partner account data is retained for the duration of the active partnership plus 3 years after deactivation, for audit and compliance purposes.
  • Professional credential documents may be retained for up to 7 years to comply with healthcare licensing regulations.
  • Access logs are retained for 12 months.
  • You may request account deactivation and deletion at any time by contacting us.

8. Your Rights as a Partner User

  • Access: Request a copy of all personal data we hold about you.
  • Rectification: Update or correct your professional profile information.
  • Erasure: Request deletion of your account and associated data, subject to legal retention obligations.
  • Restriction: Request that we limit how we use your data while a dispute is being investigated.
  • Objection: Object to certain types of processing.

To exercise any right, email us at contact@saalas.app. We will respond within 30 days.

9. Credential Documents

Medical licenses, degree certificates, and other uploaded verification documents are used solely for the purpose of identity verification and professional credential validation. They are:

  • Stored in encrypted cloud storage accessible only to authorized Saalas administrators.
  • Never shared with third parties outside of the Saalas platform.
  • Eligible for deletion upon written request once your account is deactivated, subject to any mandatory regulatory retention periods.

10. Camera & Video Access

The Portal uses your device camera only for conducting live video consultations with patients who have booked an appointment. Camera access is:

  • Initiated only when you actively start or join a video call session.
  • Never accessed in the background or without your direct action.

Video calls are transmitted via encrypted WebRTC. They are not recorded or stored by Saalas Technologies unless explicitly disclosed and consented to by both parties.

11. Changes to this Policy

We may update this Privacy Policy to reflect changes in our services or legal requirements. Material changes will be communicated via email to your registered address and via a notice on the Portal. Continued use of the Portal after the effective date constitutes acceptance.

12. Contact Us

For privacy-related questions, data requests, or to report a concern:

Saalas Technologies

Email: contact@saalas.app

Website: https://shifa.saalas.app