This Privacy Policy explains how the Pomeco service (“Pomeco,” “we,” “us,” or “our”) collects, uses, and shares information when you use our websites, applications, and related services (collectively, the “Service”). It also describes your choices and how to request deletion of your personal data, as required for app platforms such as Meta’s developer terms. If you do not agree with this policy, do not use the Service.
1. Who this applies to
Pomeco is used by healthcare organisations and their authorised staff, and may include related features (for example, a patient portal). Your organisation is responsible for how it uses the Service, including information about patients. Where your organisation controls patient or medical records, that organisation is typically the primary contact for those records; we process such information as part of providing the Service to the organisation, as described in your organisation’s terms and in agreements with your organisation, where applicable.
2. Information we collect
Depending on how you use the Service, we may collect or receive:
- Account and authentication data — for example, when you sign in with Google we process information provided through that sign-in (such as a subject identifier and basic profile information as permitted by the sign-in flow you approve). We also maintain account data such as your user profile, linked organisations (tenants), and session tokens needed to keep you signed in securely.
- Organisation and operations data you enter or upload — for example, hospital or team settings, staff directory details, patient demographics and clinical workflow data, visits, attendance and operations data, billing and finance-related records, payroll-related fields where that module is used, and reminders, as you or your organisation configure and use the product.
- Invitations and communications — for example, when an administrator sends a team invitation, we process the invitee’s email address and send transactional messages. Depending on configuration, these messages may be sent through our email provider (for example, Zoho ZeptoMail or a development-mode logger).
- WhatsApp and business messaging (where offered) — if you or your organisation use features that send or receive messages through WhatsApp, we (and, as described below, Meta) may process the phone number used with WhatsApp, message content and media you send or we deliver (for example, appointment or operational updates), delivery and read receipts where available, and records needed to show consent and channel preferences (for example, opt-in to receive messages, or template message categories you approve). The exact features depend on what we enable in the product and what your organisation turns on.
- Payment-related information — if you use paid plans or in-app payment flows, our payment partners (for example, Razorpay, where enabled) may process payment details; we do not store full card numbers on our own servers, and are subject to the payment provider’s own privacy and security practices for that processing.
- Device, technical, and security data — for example, IP address, browser type, approximate region derived from network data, dates and times of access, and diagnostic information used to protect the Service, fix errors, and improve performance.
-
Local storage on your device — the web app may use browser storage (such as
localStorage) to hold session tokens, preferences, and similar data needed to keep you signed in. You can clear site data in your browser settings, which will sign you out and remove locally stored tokens.
3. How we use information
We use the information we collect to:
- Provide, operate, secure, and improve the Service;
- Authenticate you and manage multi-organisation (tenant) access;
- Process transactions, subscriptions, and related notices where applicable;
- Send transactional and administrative messages (for example, invitations, security notices);
- Deliver messages through channels your organisation enables (for example, WhatsApp) for uses such as reminders, operational updates, or support, subject to user consent, product settings, and channel rules;
- Comply with law, respond to legal requests, and protect rights, safety, and integrity.
We do not sell your personal information as that term is commonly understood. We do not use sign-in data for unrelated advertising solely based on this policy’s scope; if we introduce new uses, we will update this page.
4. How we share information
We may share information with:
- Sign-in and identity providers (for example, Google) as needed to process authentication you initiate;
- Service providers and subprocessors who help us host, secure, or operate the Service (such as cloud infrastructure, email delivery, payment processing, and—where you use it—the WhatsApp Business Platform operated by Meta to route messages. Meta processes data according to its own terms and policies for WhatsApp; we do not control Meta’s infrastructure.
- Your organisation and its administrators, in accordance with how the product works (for example, staff within the same organisation may see operational data they are allowed to access);
- Authorities or third parties when required by law or in good faith to protect the Service or its users.
5. WhatsApp and business messaging
Where Pomeco offers or connects to WhatsApp for your organisation, messaging is provided through Meta’s WhatsApp Business products. In addition to the rest of this policy:
- Your choices — organisations must obtain and document consent and use cases in line with WhatsApp’s business and commerce policies. You can typically stop our messages to your number by replying with channel-supported opt-out where available, or by asking your care provider or organisation, or by contacting us at hi@pomeco.in for account-level help.
- Content — do not share unnecessary sensitive information in free-form chat; follow your clinician or organisation’s guidance. Messages may be retained as part of providing the Service and as required by law or your organisation’s settings.
- Further reading — for how Meta processes data in connection with WhatsApp for business, see Meta’s and WhatsApp’s public documentation and terms (for example, business and developer help centres). This policy does not override Meta’s terms for use of the WhatsApp service.
6. Retention
We keep information for as long as needed to provide the Service, comply with law, resolve disputes, and enforce agreements. Your organisation’s retention and medical-record obligations may also apply to data managed through the Service. WhatsApp-related logs and message metadata are retained according to our operational needs, your organisation’s configuration, and applicable rules. If you are unsure how long data is kept, contact your organisation (for patient/operational data) or us (for your account) using the contact details below.
7. Security
We use administrative, technical, and organisational measures designed to protect information. No method of transmission or storage is completely secure; use the Service only on devices and networks you trust.
8. International transfers
We or our service providers may process or store data in countries other than where you live. In those cases, we use appropriate safeguards as required by applicable law (for example, contractual measures where applicable).
9. Your rights and choices
Depending on your location, you may have the right to access, correct, delete, object to, or restrict certain processing of your personal data, or to data portability. To exercise these rights, contact us using the email address below. If you are a patient or a member of the public, your healthcare provider may be the appropriate contact for access or correction of clinical records; we can assist where we are permitted and able.
10. How to request deletion of your data
You may request that we delete personal data we hold that is not required to be retained for legal, security, or legitimate business purposes, or to resolve disputes. To do so, email us at hi@pomeco.in and include: (1) the email address you use to sign in, (2) a short description of your request, and (3) if relevant, the organisation (hospital) name. If your request concerns WhatsApp or messaging, include the phone number in international format, if possible. We will respond within a reasonable time and may need to verify your identity.
In addition, you can revoke the Service’s access to your Google account from your Google account security settings, and you can clear local storage from your browser; doing so will limit or end your use of the Service until you sign in again.
11. Children’s privacy
The Service is not directed at children for independent sign-up. Organisations and guardians are responsible for any patient information relating to minors entered in the system in line with their professional and legal duties.
12. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top will change, and where changes are material we will provide additional notice as appropriate (for example, by email or an in-app notice). Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy, except where the law requires a different form of consent.
13. Contact
Questions about this Privacy Policy or the Pomeco Service: hi@pomeco.in