Prvaha is built with healthcare-grade security and privacy standards. Every architectural decision — from database design to authentication to access control — is made with the sensitivity of clinical data in mind. This page explains exactly how Prvaha protects your clinic’s data and your patients’ personal health information.
Prvaha is a technology platform only. Healthcare providers are solely responsible for all clinical decisions made using the platform. Prvaha does not provide medical advice or clinical diagnosis.

Data Isolation

Each clinic on Prvaha operates in a completely isolated database schema. Your patient records, appointment data, staff profiles, and configuration are stored separately from every other clinic on the platform. There is no shared storage layer, no co-mingling of records, and no possibility of one clinic’s data appearing in another clinic’s view. This architecture means:
  • A data incident at one clinic cannot expose another clinic’s data
  • Prvaha staff access is scoped — support engineers can only access a specific clinic’s schema with explicit authorization
  • Your subdomain ([subdomain].prvaha.com) maps directly to your isolated schema

Encryption

All data handled by Prvaha is protected by encryption at every layer:
| Layer | Protection |
| --- | --- |
| Data in transit | TLS encryption on all API and web traffic — data is never transmitted in plaintext |
| Data at rest | Sensitive fields are encrypted in storage using industry-standard encryption algorithms |
| Passwords & credentials | Credentials are hashed and salted; plaintext passwords are never stored |

No system is 100% secure. While Prvaha implements industry-standard protections, we cannot guarantee absolute security against all threat vectors. We conduct regular security reviews to identify and address vulnerabilities.

Authentication

Prvaha uses multiple secure authentication mechanisms to protect account access:
  • Log in using a one-time password (OTP) sent to your registered phone number or email address. OTPs expire after a short window and are single-use, preventing replay attacks.
  • All authenticated sessions are secured with JSON Web Tokens (JWT). Tokens are short-lived and must be refreshed, limiting the exposure window if a token is ever compromised.
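
The expiry and single-use properties described for OTPs can be sketched as follows. This is an added example, not Prvaha's code; the `OtpStore` class, the 300-second window and the five-attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed window; the page only says "short"
MAX_ATTEMPTS = 5       # assumed cap on wrong guesses per issued code


class OtpStore:
    """In-memory store of pending OTPs, keyed by phone number or email."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # identifier -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, identifier):
        """Create a 6-digit code; it replaces any earlier pending code."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[identifier] = [salt, self._digest(salt, code),
                                     self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # handed to the SMS/email sender; only the digest is kept

    def verify(self, identifier, code):
        entry = self._pending.get(identifier)
        if entry is None:
            return False  # never issued, already used, expired or locked out
        salt, digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at:
            del self._pending[identifier]  # expired: drop the code
            return False
        if hmac.compare_digest(digest, self._digest(salt, code)):
            del self._pending[identifier]  # single use: consume on success
            return True
        entry[3] = attempts_left - 1
        if entry[3] <= 0:
            del self._pending[identifier]  # too many wrong guesses
        return False
```

Because the entry is deleted on the first successful check, a captured code that is submitted a second time is rejected even inside the validity window.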

Role-Based Access Control

Prvaha enforces strict role-based access control (RBAC) across every endpoint and UI surface. Each user is assigned exactly one role, and that role determines what data they can view, create, modify, or delete.
| Role | Access Level |
| --- | --- |
| Admin | Full access to all clinic data, settings, and staff management |
| Doctor | Access to assigned appointments, patient records, prescriptions, and clinical notes |
| Receptionist | Access to appointment scheduling, patient registration, and check-in |
| Nurse | Access to patient vitals, assigned workflows, and clinical support tasks |
| Lab Technician | Access to lab investigations, results entry, and assigned lab workflows |
| Patient | Access to their own records, appointments, and prescriptions only |
| Guest | Read-only, limited access — no write permissions |

RBAC is enforced server-side on every API request — no client-side manipulation can bypass access rules. Patients can only ever see their own records; they have no visibility into other patients’ data.
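
A deny-by-default server-side check of the kind described above, including the rule that patients reach only their own records. This is an added example, not Prvaha's code; the resource names, the read/write split, the tokens and the sample records are assumptions, and the "assigned" scoping for doctors is left out to keep it short.

```python
READ, WRITE = "read", "write"

# role -> resource -> allowed actions, derived from the role table above.
# Resource names and the read/write split are assumptions of this example.
POLICY = {
    "admin": {"*": {READ, WRITE}},
    "doctor": {"appointment": {READ}, "patient_record": {READ, WRITE},
               "prescription": {READ, WRITE}},
    "receptionist": {"appointment": {READ, WRITE}},
    "nurse": {"vitals": {READ, WRITE}},
    "lab_technician": {"lab_result": {READ, WRITE}},
    "patient": {"patient_record": {READ}, "appointment": {READ},
                "prescription": {READ}},
    "guest": {"clinic_info": {READ}},
}
OWNER_SCOPED_ROLES = {"patient"}  # these roles may only reach their own rows

# Constructed sample state: server-side sessions and stored records.
SESSIONS = {"tok-pat1": ("pat-1", "patient"), "tok-doc1": ("doc-1", "doctor"),
            "tok-guest": ("guest-1", "guest")}
RECORDS = {"rec-1": ("patient_record", "pat-1"),
           "rec-2": ("patient_record", "pat-2")}


def is_allowed(user_id, role, action, resource, owner_id):
    """Deny by default: unknown roles, resources and actions are all refused."""
    rules = POLICY.get(role, {})
    allowed = rules.get(resource, rules.get("*", set()))
    if action not in allowed:
        return False
    if role in OWNER_SCOPED_ROLES:
        return owner_id == user_id
    return True


def handle(token, request):
    """Return an HTTP status; identity, role and owner are looked up server-side."""
    session = SESSIONS.get(token)
    if session is None:
        return 401
    record = RECORDS.get(request.get("record_id"))
    if record is None:
        return 404
    user_id, role = session
    resource, owner_id = record
    # Any "role" or "owner_id" field inside the request body is ignored.
    ok = is_allowed(user_id, role, request.get("action"), resource, owner_id)
    return 200 if ok else 403
```

The role and the record owner never come from the request, so a client that adds `"role": "admin"` to its payload gets the same 403 as one that does not.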

Audit Logs

Every data access event and change made within Prvaha is logged. Audit logs capture:
  • Which user performed an action
  • What action was performed (view, create, update, delete)
  • The timestamp of the action
  • The affected record or resource
Admins can review audit logs from the dashboard to investigate anomalies, support compliance audits, or review staff activity. Audit logs are append-only and cannot be modified by any clinic user.

Compliance

Prvaha operates in compliance with applicable data protection legislation:
Prvaha complies with the Information Technology Act, 2000 and the IT (Amendment) Act, 2008, including the Sensitive Personal Data or Information (SPDI) Rules, 2011. Healthcare data is treated as sensitive personal information and handled accordingly — with explicit consent mechanisms, access controls, and security practices that meet statutory requirements.

No Data Selling

Prvaha does not sell, rent, or trade your personal data or your patients’ data to any third party — ever. Data collected on the platform is used solely to provide and improve the Prvaha service.

Third-Party Services

Prvaha uses a carefully selected set of trusted third-party providers to operate the platform:
| Category | Examples of Use |
| --- | --- |
| Cloud Hosting | Secure infrastructure for data storage and compute |
| Analytics | Aggregate, anonymized usage metrics to improve the platform |
| Communication | SMS and email delivery for appointment notifications |

All third-party providers are contractually bound to:
  • Handle data securely and confidentially
  • Use data only for the purpose for which it was shared
  • Meet data protection standards equivalent to those Prvaha applies
If your data is shared with a third-party provider, Prvaha retains responsibility for ensuring that provider handles it appropriately.

Your Rights

As a Prvaha user — whether a clinic admin, staff member, or patient — you have the following rights regarding your personal data:
  • Access — Request a copy of the personal data Prvaha holds about you
  • Correction — Request correction of inaccurate or incomplete information
  • Deletion — Request permanent deletion of your personal data
  • Portability — Request your data in a portable, machine-readable format
  • Withdraw Consent — Withdraw previously given consent for data processing at any time
To exercise any of these rights, contact Prvaha at hello@prvaha.com. For data deletion specifically, see the Data Retention and Deletion page for the full process and timelines.