Privacy Policy
Last updated: 5 July 2026
DocyLis (docylis.com), operated by Synapticon AI, is an AI front-desk for clinics. This policy explains what we collect, why, and the choices you have. It is written to satisfy the IT Act 2000 / SPDI Rules 2011 in force today and to align with the Digital Personal Data Protection Act, 2023 ahead of its enforcement.
1. What we collect
- From clinics (our customers): clinic and doctor name, phone, email, city, specialty, plan and payment metadata (payments themselves are processed by Razorpay — we never see card or UPI credentials), and the settings you save in your portal (hours, languages, escalation number).
- From patients (on your clinic’s behalf, once your AI receptionist is live): caller name, phone number, appointment details, and call recordings/transcripts needed to book and confirm appointments.
- Technical: standard server logs (IP, timestamps) kept for security and required incident reporting.
2. Why we collect it — and nothing else
One purpose: running your clinic’s front desk — answering calls, booking appointments, sending confirmations and reminders, and showing you your own usage. Riya never provides medical advice, and we never sell or rent personal data to anyone. Patient data processed for a clinic is shared with that clinic only.
3. Where it lives and who processes it
- Database & auth: Supabase, hosted in the AWS Mumbai region (ap-south-1, India).
- Payments: Razorpay (India), which has its own privacy policy.
- Hosting: Vercel serves the website; application data stays in the database above.
- Email delivery: transactional email (receipts, sign-in links) via our email providers.
4. How it is protected
- Encryption in transit (TLS) and at rest.
- Row-level security: database access is default-deny; each clinic can only ever see its own data.
- Access to production systems is limited to authorised personnel.
5. Retention
We keep account and order data for as long as your account is active and as required for tax and accounting law. Call recordings and transcripts are kept only as long as needed for the service and your clinic’s records, and are deleted on verified request. Security logs are retained 180 days as required by CERT-In directions.
6. Your rights
You (and your patients, through you) can ask us to access, correct or delete personal data we hold. Write to support@docylis.com — we respond within 7 working days. This address is also our grievance contact under Indian law.
7. Changes
If this policy changes materially we will notify active customers by email or portal notice before the change takes effect.