CardioZenith

Privacy Policy

Last updated: April 13, 2026 · Effective immediately

1. Introduction

Elentor LLC ("Company", "we", "us", "our"), a Delaware limited liability company, United States, operates the CardioZenith Hospital Management System ("Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard your information and Protected Health Information ("PHI") when you use our Service.

We are committed to protecting the privacy and security of all personal data and health information entrusted to us. This policy complies with applicable data protection laws including HIPAA (United States), GDPR (European Union), and the data protection frameworks of the African jurisdictions we serve.

2. Information We Collect

2.1 Information You Provide

  • Account information: name, email address, phone number, role, department, professional credentials
  • Hospital information: facility name, address, licensing details, tax identification
  • Patient health information (PHI): medical records, diagnoses, lab results, prescriptions, vitals, imaging reports, insurance details, demographic data
  • Financial data: invoices, payments, insurance claims, billing records, expense reports
  • Communications: support requests, feedback, email correspondence

2.2 Information Collected Automatically

  • Device and browser information: browser type, operating system, screen resolution
  • Usage data: pages visited, features used, session duration, click patterns
  • Log data: IP addresses, access times, error logs, API call records
  • Performance data: page load times, system health metrics

2.3 Information We Do NOT Collect

  • We do not use cookies for advertising or tracking
  • We do not sell, rent, or trade any personal data or PHI to third parties
  • We do not use PHI for marketing purposes
  • We do not use patient data to train AI models outside of the Service

3. How We Use Your Information

We process information solely for the following purposes:

  • Providing the Service: hosting, processing, and delivering the hospital management platform
  • Authentication and access control: verifying identity, managing roles and permissions
  • Clinical operations: supporting patient care workflows, lab results, prescriptions, scheduling
  • Financial operations: processing invoices, payments, insurance claims, financial reporting
  • Communication: sending system notifications, appointment reminders, lab result alerts
  • Security: detecting unauthorized access, preventing fraud, maintaining audit trails
  • Service improvement: analyzing aggregated, de-identified usage patterns to improve features
  • Legal compliance: meeting regulatory requirements for healthcare data handling

4. Protected Health Information (PHI)

CardioZenith processes PHI on behalf of healthcare organizations. We handle PHI as set out below.

4.1 Our Obligations

  • We act as a Business Associate under HIPAA when processing PHI for covered entities
  • We implement administrative, physical, and technical safeguards to protect PHI
  • We limit access to PHI to authorized personnel on a need-to-know basis
  • We maintain audit logs of all access to and modifications of PHI
  • We will execute a Business Associate Agreement (BAA) upon request
  • We will notify affected customers of any breach involving PHI within 72 hours

4.2 Your Obligations

  • Obtain appropriate patient consent before entering PHI into the Service
  • Ensure staff accessing the Service are trained on PHI handling requirements
  • Configure role-based access controls appropriate to your organization
  • Report suspected security incidents to us promptly
  • Comply with applicable healthcare regulations in your jurisdiction

5. Data Storage & Security

5.1 Infrastructure

  • Data is stored in enterprise-grade PostgreSQL databases managed by our database hosting partner
  • Database connections are encrypted in transit with TLS
  • Data at rest is encrypted with AES-256
  • Application is hosted on a global edge network with automatic HTTPS
  • All API endpoints require authentication with signed JSON Web Tokens (JWTs)

5.2 Access Controls

  • Role-Based Access Control (RBAC) with 9 distinct roles limiting data visibility
  • Row-Level Security (RLS) enforced at the database layer — each hospital can only access its own data
  • Multi-tenant isolation: every tenant-scoped row carries a hospital_id, and the RLS policies filter on it, so one hospital's queries cannot read or modify another hospital's rows
  • Rate limiting on login attempts (5 per 15 minutes) and API calls to prevent brute force
  • Session management with automatic expiry and secure token refresh
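The following PostgreSQL snippet is an illustration added to this page, not CardioZenith's own schema or code. It shows the kind of row-level security described above: a tenant key column (hospital_id) and a policy that filters on a per-transaction setting. The table, role and setting names (patients, cz_app, app.hospital_id) are assumptions, and the final queries are the check a reviewer would run to confirm the policy cannot be bypassed by the connecting role.

```sql
-- Added illustration (not CardioZenith's code): tenant isolation with PostgreSQL RLS.
-- Assumed names: table patients, application role cz_app, session setting app.hospital_id.

CREATE TABLE patients (
    id           bigserial PRIMARY KEY,
    hospital_id  integer NOT NULL,            -- tenant key carried by every scoped row
    mrn          text    NOT NULL,            -- medical record number, unique per hospital
    full_name    text    NOT NULL,
    UNIQUE (hospital_id, mrn)
);

-- The application must connect as a role that is NOT the table owner, NOT a superuser
-- and does NOT have BYPASSRLS: any of those silently skips every policy below.
CREATE ROLE cz_app LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON patients TO cz_app;
GRANT USAGE, SELECT ON SEQUENCE patients_id_seq TO cz_app;

ALTER TABLE patients ENABLE ROW LEVEL SECURITY;
ALTER TABLE patients FORCE  ROW LEVEL SECURITY;   -- also applies to the table owner

-- USING hides other tenants' rows from SELECT/UPDATE/DELETE; WITH CHECK rejects
-- INSERT/UPDATE rows that would land in another tenant.
-- current_setting(..., true) yields NULL when the setting was never set, so the
-- comparison is never true and an untagged connection sees and writes nothing
-- (fail closed) instead of everything.
CREATE POLICY tenant_isolation ON patients
    FOR ALL TO cz_app
    USING      (hospital_id = current_setting('app.hospital_id', true)::integer)
    WITH CHECK (hospital_id = current_setting('app.hospital_id', true)::integer);

-- Per request, after authenticating the user and resolving their hospital.
-- SET LOCAL is transaction-scoped, so a pooled connection cannot carry the
-- previous request's tenant into the next one.
BEGIN;
SET LOCAL app.hospital_id = '42';
INSERT INTO patients (hospital_id, mrn, full_name)
    VALUES (42, 'A-1001', 'Test Patient');        -- accepted: same tenant
SELECT count(*) FROM patients;                    -- counts hospital 42's rows only
COMMIT;

BEGIN;
SET LOCAL app.hospital_id = '42';
INSERT INTO patients (hospital_id, mrn, full_name)
    VALUES (7, 'B-2002', 'Other Tenant');         -- rejected: violates row-level security policy
ROLLBACK;

-- Review checks: both flags must be true, and the app role must not bypass RLS.
SELECT relrowsecurity, relforcerowsecurity FROM pg_class WHERE relname = 'patients';
SELECT rolname, rolsuper, rolbypassrls FROM pg_roles WHERE rolname = 'cz_app';
```

The two closing queries are the part worth automating: RLS that is enabled but not forced, or an application role created with BYPASSRLS or superuser, leaves the schema looking tenant-isolated while every query returns all hospitals' rows.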

5.3 Monitoring & Auditing

  • General audit log tracking 20+ action types: who did what, when, to which record
  • Financial audit trail with double-entry ledger integrity
  • Real-time notifications for critical events (deteriorating patients, critical lab results)
  • Server-side validation via database CHECK constraints and triggers

6. Data Sharing & Disclosure

We do not sell personal data or PHI. We may share information only in these circumstances:

  • Service providers: our technical partners for database hosting, application hosting, and transactional email — each bound by data processing agreements
  • Payment processors: Paystack, Flutterwave, M-Pesa, MTN MoMo, Airtel Money, DPO Group — for payment processing only, receiving only the minimum data required
  • Legal requirements: if required by law, court order, or government regulation
  • Business transfers: in connection with a merger, acquisition, or sale of assets, with prior notice
  • With your consent: for any purpose you explicitly authorize

All third-party service providers are contractually obligated to protect your data and process it only as instructed by us.

7. International Data Transfers

CardioZenith serves healthcare facilities globally. Your data may be transferred to and processed in countries other than your own. When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) for transfers from the EU/EEA
  • Adequacy decisions where applicable
  • Binding corporate rules for internal transfers
  • Contractual data protection obligations with all processors

8. Data Retention

We retain your data for the following periods:

  • Patient records: for the duration of your subscription plus 30 days for export, then permanently deleted. You are responsible for maintaining records per your local retention requirements (typically 7+ years for medical records)
  • Financial records: retained for the subscription period plus 30 days
  • Audit logs: retained for 5 years for compliance purposes
  • Account information: retained until account deletion plus 30 days
  • Automated backups: 7-day rolling retention

Upon termination of your subscription, you have 30 days to export all data using the built-in CSV export tools. After those 30 days, data is permanently deleted from our active systems, and it ages out of the 7-day rolling backups within a further 7 days, so all copies are gone within 37 days of termination.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

9.1 All Users

  • Access: request a copy of the data we hold about you
  • Correction: request correction of inaccurate data
  • Export: download your data in CSV format at any time via the application
  • Deletion: request deletion of your account and associated data
  • Objection: object to processing of your data for specific purposes

9.2 GDPR (EU/EEA Residents)

  • Right to data portability in machine-readable format
  • Right to restriction of processing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with a supervisory authority

9.3 African Data Protection Laws

We respect the data subject rights established by:

  • Kenya Data Protection Act 2019 — right to access, correction, deletion; processing overseen by the Office of the Data Protection Commissioner
  • Uganda Data Protection and Privacy Act 2019 — consent-based processing, right to access and correction
  • Nigeria Data Protection Regulation (NDPR) 2019 — right to access, rectification, deletion; data protection impact assessments
  • Ghana Data Protection Act 2012 — registration with Data Protection Commission, right to access and correction
  • Tanzania Electronic and Postal Communications Act (EPOCA) regulations — communications data protection provisions
  • South Africa POPIA — conditions for lawful processing, right to access, correction, and deletion

To exercise any of these rights, contact us at privacy@cardiozenith.com.

10. Children's Privacy

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. The Service processes pediatric patient data only as part of legitimate healthcare operations, under the direction and responsibility of the healthcare organization.

11. Cookies & Tracking

CardioZenith uses minimal browser storage:

  • localStorage: language preference (cz_lang) — no personal data
  • Secure session tokens: authentication only, no tracking
  • No advertising cookies, no third-party trackers, no analytics cookies
  • No cross-site tracking or fingerprinting

12. Breach Notification

In the event of a data breach involving personal data or PHI:

  • We will investigate and contain the breach within 24 hours of discovery
  • We will notify affected customers within 72 hours via email and in-app notification
  • We will notify relevant regulatory authorities as required by applicable law
  • We will provide a detailed incident report including scope, impact, and remediation steps
  • We will cooperate fully with any regulatory investigation

13. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email and in-app notification at least 30 days before taking effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Data Protection Officer

For privacy-related inquiries, data subject requests, or to report a concern:

Elentor LLC — Data Protection
Email: privacy@cardiozenith.com
General: legal@cardiozenith.com
Website: www.cardiozenith.com

We will respond to all privacy requests within 30 days.

© 2026 Elentor LLC. All rights reserved.