Privacy Policy
Effective Date: May 2, 2026
Last Updated: April 27, 2026
1. Introduction
Axon Systems (Pvt) Ltd (“we,” “us,” “our,” or “HealthSync”) is committed to protecting your privacy and ensuring the security of your personal and health information. This Privacy Policy explains how we collect, use, disclose, store, and protect your information when you use the HealthSync platform (“Platform,” “Service,” or “Services”).
HealthSync is designed with privacy and security at its core, following the principles of the Personal Data Protection Act No. 9 of 2022 of Sri Lanka (“PDPA”), the Health Insurance Portability and Accountability Act of the United States (“HIPAA”), and the General Data Protection Regulation of the European Union (“GDPR”). While we have not obtained third-party certification, our systems, processes, and policies are designed to comply with these regulatory frameworks.
By using HealthSync, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Services.
2. Definitions
For the purposes of this Privacy Policy:
- “Personal Data” means any information relating to an identified or identifiable natural person, including but not limited to name, identification number, contact details, location data, and online identifiers.
- “Health Information” or “Protected Health Information (PHI)” means any information relating to your physical or mental health, medical history, treatment, diagnosis, healthcare services received, or payment for healthcare services.
- “Processing” means any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, transmission, or deletion.
- “Data Controller” means Axon Systems (Pvt) Ltd, which determines the purposes and means of processing personal data.
3. Information We Collect
HealthSync allows you to control how much information you provide. While we require certain basic information to create and maintain your account, most health-related data is optional and provided at your discretion. The more information you provide, the more useful our features, insights, and analytics become.
3.1 Information You Provide Directly
3.1.1 Account Information (Required)
- Email address (for account management, authentication, and communications)
- Password (hashed with industry-standard hashing algorithms and stored securely)
3.1.2 Profile Information (Optional)
- Full name, date of birth, gender, and contact information
- Demographic information (age, location, language preferences)
- Profile photograph or avatar
3.1.3 Health Information (Optional)
- Medical records, test results, lab reports, imaging studies, and clinical notes
- Medications, prescriptions, allergies, and immunization records
- Diagnoses, treatment plans, surgical history, and family medical history
- Health metrics and vital signs (blood pressure, heart rate, blood glucose, weight, etc.)
- Health journal entries, symptoms logs, mood tracking, and wellness notes
- Fitness and activity data, nutrition information, and sleep patterns
- Healthcare provider information, appointment schedules, and care team details
3.1.4 Insurance and Payment Information (Optional)
- Health insurance information (policy numbers, coverage details, insurance provider information)
- Payment information for premium services (credit/debit card details, billing addresses)
- Claims information, explanation of benefits (EOB), and healthcare costs
3.2 Information from Third-Party Integrations
With your explicit authorization, HealthSync can integrate with patient portals, healthcare providers, pharmacies, laboratories, health apps, and wearable devices to import your health data. When you authorize such integrations:
- We retrieve and store all data you authorize during the integration process
- Some third-party services allow you to select specific data types to sync; we respect your preferences
- Patient portal documents may contain extensive personal and medical information; we recommend reviewing document contents before syncing
- You can revoke integration access at any time from your HealthSync settings
3.3 Automatically Collected Information
When you use HealthSync, we automatically collect certain technical information necessary for security, performance, debugging, and service improvement:
3.3.1 Device and Access Information
- IP address and approximate geographic location
- Device type, operating system, browser type and version
- Screen resolution, language settings, and time zone
- Unique device identifiers and mobile network information (for mobile access)
3.3.2 Usage and Activity Logs
- Pages visited, features used, and time spent on the Platform
- Login timestamps, session duration, and authentication events
- Actions performed (data uploads, record views, report generation, sharing events)
- Error logs, crash reports, and performance metrics
4. How We Use Your Information
We process your personal data and health information only for legitimate purposes and in accordance with applicable data protection laws. The primary purpose of collecting your information is to provide you with comprehensive health management services.
4.1 Service Delivery and Core Functions
- Creating, maintaining, and managing your HealthSync account
- Storing, organizing, and displaying your health records and data
- Generating health insights, trends, charts, and visualizations
- Providing AI-powered features, analytics, and personalized health recommendations (if you choose to use these features)
- Enabling you to share health information with healthcare providers, family members, or other authorized individuals
- Facilitating communication between you and your healthcare team through the Platform
4.2 Communication and Notifications
- Sending service-related communications (account creation, password resets, security alerts)
- Notifying you of new health records, test results, or appointments
- Providing health insights, summaries, and activity updates
- Sending medication reminders or appointment notifications (if enabled)
- Delivering marketing or promotional communications only if you opt in to receive them
4.3 Security and Fraud Prevention
- Authenticating your identity and preventing unauthorized access
- Detecting, investigating, and preventing fraudulent activity, security breaches, or policy violations
- Monitoring for unusual account activity or suspicious behavior
- Maintaining audit logs for security investigations and compliance purposes
4.4 Platform Improvement and Development
- Analyzing usage patterns to improve Platform functionality and user experience
- Debugging technical issues, fixing errors, and maintaining system stability
- Developing new features, tools, and services
- Conducting research and development to enhance health technology (using de-identified or aggregated data only)
4.5 Legal and Regulatory Compliance
- Complying with applicable laws, regulations, and legal processes
- Responding to lawful requests from government authorities or law enforcement
- Protecting our legal rights and defending against legal claims
- Enforcing our Terms of Service and other policies
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data or health information. Your data belongs to you, and we only share it in the limited circumstances described below.
5.1 Sharing You Authorize
We share your information with third parties only when you explicitly authorize us to do so:
- Healthcare Providers: When you use HealthSync’s sharing features to provide access to healthcare professionals, clinics, hospitals, or specialists
- Family Members or Caregivers: When you designate authorized family members, caregivers, or trusted individuals to access your health information
- Third-Party Applications: When you connect HealthSync with other health apps, patient portals, or services through authorized integrations
- Emergency Contacts: When you configure emergency access settings that allow designated individuals to access your information in urgent situations
5.2 Service Providers and Business Partners
We engage trusted third-party service providers to help us deliver HealthSync services. These providers process your data on our behalf and are contractually obligated to protect your information and use it only for the purposes we specify. Our service providers include:
- Cloud Infrastructure Providers: Amazon Web Services (AWS) and Cloudflare for secure data storage, hosting, and content delivery
- AI and Analytics Services: OpenAI and similar providers for AI-powered features (data is processed with minimal retention and encrypted in transit)
- Payment Processors: Third-party payment gateways for processing subscription payments and billing (payment information is not stored on HealthSync servers)
- Email and Communication Services: Email delivery platforms for sending notifications and account-related communications
- Analytics and Monitoring Tools: Limited analytics services for understanding Platform usage on non-PHI pages (we do not use third-party analytics within the main health portal containing personal health information)
All service providers are selected based on their security capabilities and compliance with data protection standards. Data shared with service providers is encrypted at rest and in transit, and processed with minimal visibility through techniques such as brief in-memory processing that does not permanently store your data.
5.3 Legal Requirements and Protection
We may disclose your information without your consent if required by law or to protect legitimate interests:
- To comply with court orders, subpoenas, warrants, or other legal processes
- To respond to lawful requests from government authorities, regulators, or law enforcement agencies
- To protect against fraud, security threats, or illegal activities
- To protect the safety, rights, or property of HealthSync, our users, or the public
- To enforce our Terms of Service or investigate violations of our policies
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred to a successor entity. Before any such transfer, we will notify you via email and provide you with an opportunity to download or delete your data before the transfer occurs. Any successor entity will be required to honor the commitments made in this Privacy Policy.
5.5 De-identified and Aggregated Data
HealthSync does not create, use, or share de-identified or aggregated data derived from your personal data or health information for research, analytics, product development, or any other external or internal purposes.
All data you provide to HealthSync is used strictly in accordance with this Privacy Policy and solely for the purpose of delivering and improving the services you directly use within the Platform.
We do not use your data, whether identifiable or de-identified, for third-party sharing, commercial purposes, or independent research activities.
6. Data Security
We implement comprehensive technical, administrative, and physical safeguards designed to protect your personal and health information from unauthorized access, disclosure, alteration, or destruction. Our security measures are designed to comply with HIPAA, GDPR, and PDPA requirements.
6.1 Technical Security Measures
- Encryption: All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher
- Password Security: Passwords are hashed using an industry-standard one-way hashing algorithm (bcrypt) and cannot be recovered or read by HealthSync employees
- Secure Authentication: Multi-factor authentication (MFA) options are available for enhanced account security
- Network Security: Firewalls, intrusion detection systems, and network segmentation protect our infrastructure
- Regular Security Audits: Ongoing vulnerability assessments, penetration testing, and security reviews
- Secure Development Practices: Code reviews, security testing, and secure coding standards throughout the development lifecycle
6.2 Administrative Security Measures
- Access Controls: Role-based access controls ensure that only authorized personnel can access your data
- Need-to-Know Basis: Employee access to databases and systems is granted only when necessary to perform their job functions
- Employee Training: All employees receive regular training on data protection, privacy, and security best practices
- Confidentiality Agreements: All employees and contractors sign confidentiality agreements and are bound by strict data protection obligations
- Audit Logging: Comprehensive audit trails track all access to sensitive data for accountability and investigation purposes
6.3 Physical Security Measures
- Secure Data Centers: Our cloud infrastructure providers maintain secure, access-controlled data centers with 24/7 monitoring
- Redundancy and Backup: Regular data backups and redundant systems ensure data availability and disaster recovery
- Environmental Controls: Climate control, fire suppression, and power backup systems protect physical infrastructure
6.4 Breach Response
In the unlikely event of a data breach that compromises your personal information, we will immediately take action to contain the breach, assess the damage, and implement additional safeguards to prevent recurrence. We will notify affected users promptly as required by applicable law, provide details about what information was compromised, and recommend steps you should take to protect yourself. We will also report breaches to relevant regulatory authorities within the timeframes required by law.
7. Data Retention
We retain your personal data and health information for as long as necessary to provide you with HealthSync services, comply with legal obligations, resolve disputes, and enforce our agreements.
7.1 Active Account Data
While your account is active, we retain all data you upload, create, or authorize us to collect through integrations. This includes your health records, journal entries, uploaded documents, and all associated metadata. You maintain full control over this data and can delete specific records or your entire account at any time from your HealthSync settings.
7.2 Account Deletion
When you delete your account, we will permanently delete all your personal data and health information from our active databases within 30 days, except where we are required to retain certain information for legal, regulatory, or legitimate business purposes. Backup copies may persist in our disaster recovery systems for up to 90 days but will not be accessible and will be permanently deleted when backups are rotated.
7.3 Legal Retention Requirements
We may retain certain information beyond account deletion if required by law, such as transaction records for tax purposes, billing information for accounting requirements, or data subject to legal holds, court orders, or ongoing investigations. De-identified data that cannot be linked back to you may be retained indefinitely for research and analytics purposes.
7.4 Inactive Accounts
If your account remains inactive (no login activity) for a continuous period of 5 years, we may contact you to confirm whether you wish to keep your account active. If we do not receive a response within 90 days, we may delete your account and data following the process described in Section 7.2.
8. Your Rights and Choices
You have significant rights regarding your personal data and health information. HealthSync is committed to honoring these rights in accordance with the PDPA, HIPAA, and GDPR principles.
8.1 Access and Portability
- Right to Access: You can access all your personal data and health information at any time through your HealthSync account
- Right to Data Portability: You can request a complete download of your data in a structured, commonly used, machine-readable format (JSON, CSV, or PDF) by contacting info@healthsync.lk
- Download Timeline: Data download requests will be fulfilled within 30 days, or sooner if required by applicable law; most requests are completed much faster (usually within 7 business days)
8.2 Correction and Updating
- Right to Rectification: You can update, correct, or modify your personal information at any time from your HealthSync account settings
- Health Records: You can edit, annotate, or delete individual health records, journal entries, and uploaded documents directly from the Platform
8.3 Deletion
- Right to Erasure: You can delete your entire account and all associated data at any time from your HealthSync settings
- Selective Deletion: You can delete specific health records, documents, or data entries without closing your account
- Deletion Process: Account and data deletion is permanent and cannot be reversed once completed
8.4 Objection and Restriction
- Right to Object: You can object to certain processing activities, such as marketing communications or optional AI-powered features
- Right to Restriction: You can request that we restrict the processing of your data in certain circumstances, such as while we verify the accuracy of disputed information
8.5 Notification Preferences
You can customize your notification preferences at any time from your HealthSync settings. This includes opting out of marketing emails, adjusting the frequency of health insights and summaries, disabling push notifications, or changing notification channels (email, SMS, mobile push). Service-critical notifications (security alerts, account changes, billing notices) cannot be disabled but will be kept to a minimum.
8.6 Withdraw Consent
Where our processing is based on your consent, you have the right to withdraw that consent at any time. This includes revoking third-party integration authorizations, disabling AI features, or withdrawing consent for specific data processing activities. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.
8.7 Lodge a Complaint
If you believe we have not handled your personal data in accordance with this Privacy Policy or applicable law, you have the right to lodge a complaint with the relevant supervisory authority. In Sri Lanka, you may contact the Personal Data Protection Authority established under the PDPA. You may also contact the relevant data protection authority in your jurisdiction if you reside outside Sri Lanka.
8.8 Exercising Your Rights
To exercise any of these rights, you can use the controls available in your HealthSync account settings or contact us at info@healthsync.lk. We will respond to your requests within the timeframes required by applicable law (typically 30 days for PDPA and GDPR requests). We may need to verify your identity before processing certain requests to protect your privacy and security.
9. Cookies and Tracking Technologies
HealthSync uses cookies and similar technologies to provide and improve our services. We are transparent about our use of these technologies and give you control over non-essential cookies.
9.1 First-Party Cookies (Essential)
We use first-party cookies that are essential for Platform functionality:
- Authentication Cookies: To keep you logged in and maintain your session
- Security Cookies: To protect against fraud and secure your account
- Preference Cookies: To remember your settings (language, timezone, display preferences)
- “Trust This Device” Option: If you select this option on login, we store your email address in a cookie to streamline future logins
9.2 Third-Party Cookies and Analytics
We do not use third-party tracking or advertising cookies within the main HealthSync portal (the logged-in area containing personal health information). We may use analytics software from time to time on our public marketing pages (website homepage, blog, help center) to understand content quality and effectiveness. This analytics data is not sold or shared with advertisers. You can opt out of analytics cookies through your browser settings or cookie preferences.
9.3 Managing Cookies
You can delete cookies at any time through your web browser settings. However, deleting cookies may require you to re-enter your email address and credentials when logging into HealthSync, and you may lose certain preferences. Most web browsers automatically accept cookies, but you can modify your browser settings to decline cookies or alert you when cookies are being sent.
10. Children’s Privacy
HealthSync is not intended for use by individuals under the age of 18 without parental consent. We do not knowingly collect personal information from children under 18 unless a parent or legal guardian has created an account on their behalf and provided appropriate authorization. If we become aware that we have collected personal information from a child under 18 without proper parental consent, we will take immediate steps to delete that information. Parents or guardians who believe we may have collected information from their child should contact us immediately at info@healthsync.lk.
11. International Data Transfers
HealthSync is based in Sri Lanka and primarily serves users in Sri Lanka. However, our cloud infrastructure providers (such as AWS and Cloudflare) operate globally, which means your data may be stored and processed in data centers located in various countries, including countries outside Sri Lanka.
When your data is transferred to other countries, we ensure appropriate safeguards are in place:
- We select service providers that maintain data protection standards equivalent to or exceeding Sri Lankan requirements
- We enter into data processing agreements with service providers that include appropriate data protection clauses
- All data transferred internationally is encrypted both in transit and at rest
- For transfers to countries not recognized as providing adequate data protection, we implement additional safeguards such as Standard Contractual Clauses (SCCs) approved by relevant authorities
12. Third-Party Links and Services
HealthSync may contain links to third-party websites, applications, or services (such as patient portals, health information resources, or partner services). This Privacy Policy applies only to HealthSync and does not govern the privacy practices of third parties. We are not responsible for the privacy policies or practices of third-party websites or services. When you leave HealthSync to visit a third-party site or use a third-party integration, we encourage you to read that entity’s privacy policy to understand how they collect, use, and share your information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes to this Privacy Policy, we will notify you by:
- Sending an email notification to the email address associated with your account
- Displaying a prominent notice on the HealthSync Platform when you log in
- Updating the “Last Updated” date at the top of this Privacy Policy
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of HealthSync after changes to this Privacy Policy constitutes your acceptance of the updated terms. If you do not agree with the updated Privacy Policy, you may delete your account as described in Section 8.3.
14. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Axon Systems (Pvt) Ltd
Email: info@healthsync.lk
Privacy Officer/Data Protection Officer: info@healthsync.lk
We will respond to your inquiries within 30 days, or sooner as required by applicable law. For urgent privacy or security matters, please mark your communication as “URGENT” in the subject line.
15. Sri Lanka-Specific Provisions (PDPA Compliance)
This section provides additional information for users in Sri Lanka regarding our compliance with the Personal Data Protection Act No. 9 of 2022.
15.1 Lawful Basis for Processing
We process your personal data under the following lawful bases as defined by the PDPA:
- Consent: Where you have given explicit consent for specific processing activities (e.g., third-party integrations, AI features, marketing communications)
- Contractual Necessity: Where processing is necessary to provide the HealthSync services you have requested
- Legal Obligation: Where we are required by law to process your data (e.g., responding to court orders, regulatory compliance)
- Legitimate Interests: Where processing is necessary for our legitimate business interests (e.g., fraud prevention, security, service improvement) balanced against your privacy rights
15.2 Data Protection Authority
The Personal Data Protection Authority of Sri Lanka is the supervisory authority for data protection matters in Sri Lanka. If you have concerns about our data processing practices that we have not resolved to your satisfaction, you have the right to lodge a complaint with the Authority.
15.3 Cross-Border Data Transfer Notification
As disclosed in Section 11, your data may be transferred to and processed in countries outside Sri Lanka. We will seek your explicit consent where required by the PDPA for such transfers and ensure appropriate safeguards are in place as described in Section 11.
16. Additional Compliance Information
16.1 GDPR Compliance for EU Users
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR), including the right to data portability, the right to be forgotten, and the right to lodge a complaint with your local supervisory authority. Our practices described in this Privacy Policy are designed to comply with GDPR requirements. For GDPR-specific inquiries, please contact our Data Protection Officer at info@healthsync.lk.
16.2 HIPAA Compliance Design
While HealthSync is not a covered entity or business associate under HIPAA (as we are based in Sri Lanka and primarily serve Sri Lankan users), our platform is designed with HIPAA privacy and security principles in mind. This includes encryption of protected health information, access controls, audit logging, and secure transmission protocols. Users in the United States should be aware that HealthSync does not provide HIPAA compliance guarantees and should consult with legal counsel if HIPAA compliance is required for their use case.
17. Acknowledgment and Consent
By creating an account and using HealthSync, you acknowledge that you have read, understood, and agree to this Privacy Policy. You consent to the collection, use, disclosure, and processing of your personal data and health information as described in this Privacy Policy. You understand that you can withdraw your consent or delete your account at any time as described in Section 8.
***
Thank you for trusting HealthSync with your health information.
We are committed to protecting your privacy and earning your trust every day.