Privacy Policy

Last updated: May 12, 2026

Summary: Crestward helps doctors manage their online reviews. We process patient feedback and Google review data on behalf of clinics. We do not sell your data. Patient feedback is private and only visible to the clinic. This policy explains what we collect, how we use it, and your rights.

1. Who We Are

CrestWard ("we", "us", or "our") operates the CrestWard platform, a Software-as-a-Service (SaaS) product that helps medical clinics and doctors in India manage their online reputation, including Google reviews and patient feedback.

Contact: support@crestward.in · Kochi, Kerala, India

2. What Data We Collect

From Doctors / Clinic Owners (our customers):

  • Name, email address, and clinic name (at signup)
  • Google Business Profile connection (OAuth access token and refresh token, used solely to sync and reply to reviews)
  • WhatsApp business number (for sending review request messages)
  • Subscription and billing information (plan, payment status — not card details)
  • Auto-reply settings and message templates

From Patients (via feedback forms):

  • Optional name (may be submitted anonymously)
  • Star rating (1–5)
  • Written feedback / review text
  • WhatsApp phone number (only if provided by the clinic for outreach)

From Google (via API, with doctor's consent):

  • Public Google reviews for the connected clinic
  • Reviewer name and rating (as displayed publicly on Google Maps)

Usage data (automatically collected):

  • Login events, feature usage (for product improvement)
  • Error logs (no personal data)

3. How We Use Your Data

  • To provide the service: Syncing Google reviews, generating AI-powered reply drafts, sending WhatsApp feedback requests, displaying analytics
  • To improve the product: Aggregated, anonymised usage analytics — never individual patient data
  • To send service communications: Subscription reminders, product updates (you can unsubscribe from these)
  • To comply with legal obligations: Retaining billing records as required by Indian law

We do not use patient feedback data for advertising, profiling, or any purpose other than delivering the service to the clinic that collected it.

4. Patient Feedback and Review Gating

When a patient submits feedback through a clinic's Crestward feedback link:

  • 1–3 star ratings are stored privately and shown only to the clinic. They are never posted to Google or shared publicly.
  • 4–5 star ratings are stored in the clinic's Crestward account. If the patient consents ("Share on Google Maps"), they are redirected to Google Maps to post their own review — Crestward does not post on their behalf.

Patient feedback is owned by and visible only to the clinic that collected it. Crestward staff do not access individual patient feedback except to resolve support issues with the clinic's explicit permission.

5. Google Data and OAuth

When a doctor connects their Google Business Profile account to Crestward:

  • We request the business.manage OAuth scope
  • This allows us to read Google reviews and post replies on behalf of the clinic
  • The access token and refresh token are stored encrypted in our database
  • Tokens are used only to perform actions the doctor explicitly initiates in Crestward
  • Doctors can disconnect their Google account at any time from Settings, which immediately revokes our access

Our use of Google APIs is subject to the Google Privacy Policy. We comply with the Google API Services User Data Policy, including the Limited Use requirements.

6. HIPAA Considerations

Crestward is designed with HIPAA-awareness for healthcare contexts:

  • AI-generated review replies are designed to never confirm or deny a patient's identity, medical condition, or treatment details
  • Patient feedback is stored with encryption at rest
  • Access is restricted to authenticated clinic accounts via Supabase Row-Level Security

Crestward is not a covered entity under HIPAA. Clinics are responsible for ensuring their use of Crestward complies with applicable healthcare privacy regulations in their jurisdiction.

7. Data Sharing

We do not sell your data to third parties. We share data only with:

  • Supabase (database and authentication infrastructure) — servers in EU/US regions
  • Google (AI reply generation via Gemini API; Google Business Profile API for review sync) — data sent is limited to review text and doctor name
  • WhatsApp Business API (for sending patient outreach messages) — only phone numbers provided by the clinic
  • Razorpay (payment processing, once integrated) — billing data only, no health data

All sub-processors are contractually obligated to protect your data and use it only for the purpose of providing Crestward's services.

8. Data Retention

  • Active accounts: Data retained while subscription is active
  • Cancelled accounts: Data retained for 90 days after cancellation, then permanently deleted
  • Patient feedback: Retained as long as the clinic account is active; deleted with the account
  • Billing records: Retained for 7 years as required by Indian GST regulations
  • Google OAuth tokens: Deleted immediately upon disconnect

9. Your Rights

Depending on your location, you may have the right to:

  • Access — Request a copy of all data we hold about you
  • Correction — Update incorrect personal information
  • Deletion — Request deletion of your account and associated data
  • Portability — Export your review data as CSV from the Analytics page
  • Objection — Object to specific processing activities

To exercise any of these rights, email support@crestward.in. We will respond within 30 days.

10. Security

  • All data in transit is encrypted via TLS 1.3
  • Database access is controlled via Row-Level Security (RLS) — clinics can only access their own data
  • API keys and OAuth tokens are stored as environment secrets, never in client-side code
  • We conduct periodic security reviews of our infrastructure

11. Cookies

Crestward uses only essential cookies required for authentication (Supabase session management). We do not use tracking cookies, advertising cookies, or analytics cookies that identify individual users.

12. Children's Privacy

Crestward is a B2B SaaS platform for medical professionals. We do not knowingly collect data from anyone under 18 years of age.

13. Changes to This Policy

We will notify active users by email at least 14 days before any material changes to this policy. Continued use of Crestward after the effective date constitutes acceptance of the updated policy.

14. Contact

For privacy-related questions or requests:

  • Email: support@crestward.in
  • Location: Kochi, Kerala, India

© 2026 CrestWard