Privacy Policy

Last updated: 16 May 2026

This Privacy Policy explains how [LLC LEGAL NAME], a limited liability company organized in the State of Wyoming, United States ("Aegis EMR", "we", "us"), handles personal data in connection with the Aegis EMR software platform (the "Service"). It is written for two audiences: the organizations and professionals who subscribe to the Service ("Customers"), and individuals whose data may be processed.

1. Our Roles: Controller vs. Processor

Aegis EMR plays two distinct roles depending on the data:

As a data controller — for account, billing, and website data of our Customers and their staff (e.g. the person who registers a clinic account). We decide how this data is used to operate our business.
As a data processor — for clinical and patient data that a Customer enters into the Service ("Customer Data"). The Customer (the clinic or practitioner) is the controller of that data. We process it only on the Customer's instructions to provide the Service. We do not access, use, sell, or disclose patient clinical data for our own purposes.

2. Information We Collect

Category	Examples	Our role
Account & identity	Name, email, phone, clinic name, role, credentials, password (hashed)	Controller
Billing	Subscription tier, billing country, transaction records. Card/payment details are collected and held by Paddle, not by us.	Controller (jointly with Paddle for the transaction)
Usage & technical	IP address, log data, device/browser type, feature usage, audit trails	Controller
Customer Data (clinical)	Patient records, visits, prescriptions, lab/imaging orders, clinical notes entered by the Customer	Processor (Customer is controller)

3. How We Use Information

To provide, secure, maintain, and improve the Service.
To create and administer accounts, tenants, and subscriptions.
To process payments through our payment provider (see Section 5).
To communicate service, security, and billing notices.
To comply with legal obligations and enforce our Terms.

We do not sell personal data, and we do not use patient clinical Customer Data for advertising, model training, or any purpose other than operating the Service for the Customer.

4. Legal Bases

Where applicable law requires a legal basis, we rely on: performance of a contract (providing the Service), legitimate interests (security, service improvement), consent (where specifically requested), and compliance with legal obligations. For Customer Data processed as a processor, the lawful basis is the responsibility of the Customer as controller.

5. Payment Processing — Paddle

All payments are processed by Paddle.com Market Limited and affiliates, acting as Merchant of Record. Paddle independently collects and controls the payment data needed to process your transaction (such as card details and billing address) under its own privacy policy, available at paddle.com/legal/privacy. We receive only limited transaction metadata (e.g. plan, status, country, last four digits) needed to manage your subscription. We never receive or store full card numbers.

6. Sub-processors and Service Providers

We use a limited set of infrastructure and service providers to operate the Service, which may include hosting/server infrastructure, email delivery, and bot protection. These providers process data only as needed to provide their function and under confidentiality obligations. A current list of sub-processors is available on request at support@electronicmedicalrecord.cloud.

7. International Transfers and Hosting

The Service is hosted on infrastructure that may be located in the United States or other countries outside your country of residence. Where data is transferred internationally, we take reasonable steps to ensure an appropriate level of protection consistent with applicable law. Customers requiring a specific data-residency arrangement should contact us before subscribing.

8. Data Retention

Account and billing records are retained for the life of the account and as required for legal, tax, and accounting obligations thereafter.
Customer Data is retained while the subscription is active. After termination, Customer Data is retained for a limited recovery window and then deleted or anonymized, unless longer retention is required by law applicable to the Customer.

9. Security

We apply technical and organizational measures appropriate to the risk, including encrypted transport, access controls, tenant isolation, hashed credentials, and audit logging. No system is perfectly secure; we cannot guarantee absolute security but commit to industry-standard safeguards and timely notification of material breaches as required by applicable law.

10. Your Rights

Subject to applicable data-protection law, individuals may request access, correction, deletion, or restriction of their personal data, and may object to certain processing. For account/billing data, contact us directly. For patient clinical data held in a clinic's tenant, requests should be directed to the relevant Customer (clinic), which is the controller of that data; we will assist the Customer in responding.

Section requiring legal review. Data-subject rights handling and the controller/processor split for patient health data should be validated against the data-protection and health-data regulations applicable to you and to your Customers' jurisdictions by a qualified lawyer before commercial reliance.

11. Cookies

The website and application use only cookies and similar technologies necessary for authentication, security, and core functionality. We do not use third-party advertising or cross-site tracking cookies.

12. Children

The Service is a professional tool and is not directed to children as users. Patient records managed by Customers may relate to individuals of any age; such data is processed under the Customer's responsibility as controller.

13. Changes

We may update this Policy. Material changes will be communicated by reasonable means, and the "Last updated" date will be revised.

14. Contact

Privacy questions: support@electronicmedicalrecord.cloud
Postal: [LLC REGISTERED ADDRESS, WYOMING, USA]
Data protection contact: [DPO / RESPONSIBLE PERSON, if appointed]

سياسة الخصوصية

آخر تحديث: 16 مايو 2026

⚠ النص العربي قيد المراجعة القانونية. الترجمة الرسمية ستُضاف بعد مراجعة المستشار القانوني المصري. للنسخة الإنجليزية الرسمية، يُرجى التبديل إلى EN في الأعلى.

1. من نحن

تُشغِّل خدمة "إيجيس إي إم آر" (Aegis EMR) منصة سجلات طبية إلكترونية كخدمة سحابية. هذه السياسة توضح كيفية معالجتنا للبيانات الشخصية وفقاً لقانون حماية البيانات الشخصية المصري رقم 151 لسنة 2020، واللائحة العامة لحماية البيانات الأوروبية (GDPR) عندما تنطبق.

2. البيانات التي نجمعها

نقوم بمعالجة فئتين من البيانات:

بيانات حساب المستخدم: الاسم، البريد الإلكتروني، رقم الهاتف، الدور الوظيفي، اسم المؤسسة.
البيانات السريرية: سجلات المرضى التي يُدخلها العاملون الصحيون. هذه البيانات تخص العميل (مقدم الخدمة الصحية) كمسؤول عن المعالجة، ونحن نعالجها بصفتنا معالجاً نيابةً عنه.

3. الأساس القانوني للمعالجة (المادة 6 من قانون 151)

تنفيذ العقد المُبرَم بين العميل ومُقدم الخدمة.
الموافقة الصريحة للمستخدم على نقل البيانات عبر الحدود (للوصول إلى نماذج الذكاء الاصطناعي السحابية).
الالتزامات القانونية والتنظيمية في مجال الرعاية الصحية.

4. النقل عبر الحدود

قد تتم معالجة البيانات في مراكز بيانات خارج جمهورية مصر العربية، بما في ذلك دول لديها أحكام حماية بيانات مكافئة (مثل الاتحاد الأوروبي طبقاً لقرار التكافؤ، والمملكة المتحدة، والإمارات العربية المتحدة). يتطلب نقل البيانات السريرية الموافقة الصريحة للعميل، وتتم وفقاً للضمانات المنصوص عليها في القانون 151.

5. حقوق صاحب البيانات (المواد 12-14)

الحق في الوصول إلى بياناتك الشخصية والحصول على نسخة منها.
الحق في تصحيح البيانات غير الدقيقة أو غير المكتملة.
الحق في الحذف (الحق في النسيان) ضمن الحدود التي يُجيزها القانون.
الحق في تقييد المعالجة أو الاعتراض عليها.
الحق في نقل البيانات (data portability) في تنسيق مهيكل وآلي القراءة.
الحق في سحب الموافقة في أي وقت دون أن يؤثر ذلك على المعالجة المشروعة قبل السحب.
الحق في تقديم شكوى للمركز الوطني لحماية البيانات الشخصية.

📋 الأقسام التالية قيد الصياغة من قِبَل المستشار القانوني: مدد الاحتفاظ بالبيانات حسب نوع البيانات (سريرية، فوترة، سجل تدقيق) — التدابير التقنية والتنظيمية للأمن — إخطار الخروقات — مسؤول حماية البيانات (DPO) — استخدام ملفات تعريف الارتباط (Cookies) — الإفصاحات لأطراف ثالثة.

11. التواصل ومسؤول حماية البيانات

للاستفسارات وممارسة الحقوق المنصوص عليها أعلاه:
البريد الإلكتروني: dpo@electronicmedicalrecord.cloud
الدعم العام: support@electronicmedicalrecord.cloud