Privacy Policy
Effective Date: February 2026 | Last Updated: February 2026
This Privacy Policy explains how Fossible Works Inc. collects, uses, discloses, and protects information when you interact with our website, use Biograph EHR, or engage with us. It applies to healthcare providers, enterprise customers, website visitors, and developers.
Two Types of Data
Customer Account & Contact Data (about you as a Fossible Works customer or visitor) is covered by this Policy. Patient Health Data (PHI/ePHI) stored in Biograph EHR is governed by the Business Associate Agreement and applicable healthcare law (HIPAA, GDPR, DPDP Act) — not solely by this Policy.
1. Information We Collect
- Account & contact data: name, email, job title, organisation, country
- Billing and payment data (processed by our secure payment processor; card details not stored by us)
- Usage and technical data: IP address, device/browser info, pages visited, feature usage, error logs
- Communications: support enquiries, feedback, survey responses
- Patient Health Data: processed strictly as Business Associate or Data Processor under your BAA, solely to deliver the Services
2. How We Use Information
- To provision, operate, and improve Biograph EHR and the Services
- To communicate regarding your account, security alerts, and support
- To process billing and verify healthcare provider credentials
- To comply with legal obligations (HIPAA, GDPR, DPDP Act, and applicable local law)
- To detect and prevent security incidents and fraud
- To send product updates and marketing (with opt-out available at any time)
We do not use Patient Health Data for our own marketing, analytics, or any purpose beyond delivering your Services.
3. Legal Basis for Processing (GDPR / DPDP)
- Contract performance: delivering Services you have contracted for
- Legal obligation: HIPAA, GDPR, DPDP Act, tax and regulatory requirements
- Legitimate interests: security monitoring, fraud prevention, and analytics (not overriding your rights)
- Consent: marketing communications and non-essential cookies where required by law
4. Service Delivery & Group Companies
Services are provided by Fossible Works Inc. and may be delivered through its operational subsidiary, Tacten Services LLP (India). Both entities operate under the same privacy and security standards described in this Policy. Fossible Works Inc. remains the data controller for all personal data collected through this website and the Services.
5. Sharing Your Information
We do not sell your personal data. We may share with:
- Cloud infrastructure and hosting providers
- Payment processors
- Analytics and monitoring tools
All such sharing is under data processing agreements. We disclose information to legal/regulatory authorities only when required by law. In a merger or acquisition, this Policy continues to apply and you will be notified. PHI shared with subcontractors is subject to HIPAA-compliant BAAs.
6. International Data Transfers
- EEA/UK: Standard Contractual Clauses (SCCs) or equivalent mechanisms
- US: HIPAA-compliant data handling across all processing locations
- India: Compliance with DPDP Act 2023 cross-border transfer conditions
- Other jurisdictions: applicable national data transfer mechanisms
7. Data Retention
- Customer account data: retained for the duration of your relationship and as required by law
- Patient Health Data: retained per your Service Order or BAA, and no less than the minimum required by applicable healthcare record retention law
- When retention is no longer required, data is securely deleted or anonymised
8. Cookies
We use strictly necessary cookies (no consent required) and, with your consent where required by law, performance, functional, and marketing cookies. You may manage preferences via our cookie consent tool or your browser settings.
9. Your Privacy Rights
Depending on your jurisdiction, you may have rights to:
- Access, rectify, erase, or restrict processing of your data
- Receive a portable copy of your data
- Object to processing
- Opt out of marketing
California residents have CCPA rights — we do not sell data.
Indian residents have DPDP Act rights including access, correction, erasure, and grievance redress.
To exercise your rights, contact privacy@fossibleworks.com. We respond within the timeframe required by applicable law (generally 30 days).
10. Security
We apply encryption, role-based access control, audit logging, and independent penetration testing to protect personal data. No internet transmission is 100% secure. Report suspected breaches to security@fossibleworks.com immediately.
11. Children's Privacy
Biograph EHR is not directed at individuals under 18 as platform users. Healthcare providers storing records of minor patients are responsible for obtaining appropriate parental or guardian consent under applicable law.
12. Updates to This Policy
We may update this Policy to reflect changes in our practices or applicable law. Material changes will be notified by email or in-platform notice. Continued use after the effective date constitutes acceptance.
13. Contact Us
- Privacy enquiries: privacy@fossibleworks.com
- Security incidents: security@fossibleworks.com
- Legal & BAA requests: legal@fossibleworks.com
- Data Protection Officer: dpo@fossibleworks.com