Privacy Policy
Last updated: 1 January 2026
BISTEC Care Private Limited (“BISTEC Care”, “we”, “us”) is committed to protecting the privacy of every person whose data is processed through our websites and practice management software (the “Service”). This Privacy Policy explains what information we collect, how we use it, and the rights available to you under Sri Lanka’s Personal Data Protection Act No. 9 of 2022, the EU General Data Protection Regulation (GDPR), and other applicable laws.
1. Our Role: Controller vs Processor
We act as a data controller for information collected directly through our websites, marketing channels, and our own business operations (for example, enquiries, demo requests, and newsletter sign-ups).
We act as a data processor for patient records, clinical notes, and other personal data that our clinic customers upload to the Service. In that role, the clinic is the controller and we process data strictly on their documented instructions to provide the Service.
2. Information We Collect
From website visitors: name, clinic name, email, phone number, role, and any information you submit through forms; plus standard technical data such as IP address, device/browser type, pages viewed, and cookie identifiers.
From clinic staff users: account identifiers, login credentials, role permissions, audit logs of actions taken in the Service, and support-related correspondence.
Patient data processed on behalf of clinics: identifiers (name, NIC/passport, contact details), appointment history, clinical notes, prescriptions, investigation results, treatment plans, billing and insurance information, and any documents the clinic chooses to upload. Some of this qualifies as “special category” health data and is handled with heightened safeguards.
3. How We Use the Information
- To provide, operate, secure, and improve the Service.
- To respond to enquiries, arrange demos, and send requested resources such as case studies.
- To issue invoices, collect payment, and maintain financial records.
- To provide customer support, training, and incident response.
- To send service notices, security alerts, and, where you have opted in, marketing communications.
- To comply with legal, tax, and regulatory obligations.
4. Legal Bases
Where GDPR or similar laws apply, we rely on one or more of: performance of a contract (delivering the Service), legitimate interests (running and protecting our business), consent (marketing communications, certain cookies), and compliance with legal obligations. Clinic customers are responsible for establishing the lawful basis for the patient data they upload.
5. How We Protect Data
- Data is encrypted in transit (TLS) and at rest.
- Role-based access control and least-privilege policies for staff.
- Regular automated backups and tested restore procedures.
- Segregated environments for development, staging, and production.
- Continuous monitoring, logging, and vulnerability management.
- Staff training on confidentiality and handling of health data.
6. Sharing With Third Parties
We do not sell personal data. We share information only with:
- Vetted sub-processors (cloud hosting, email, SMS, analytics, payments) under written data-processing terms.
- Professional advisers (auditors, lawyers) bound by confidentiality.
- Public authorities where disclosure is required by law or to protect rights, safety, and property.
A current list of sub-processors is available on request.
7. International Transfers
Patient data for Sri Lankan clinics is primarily hosted in regionally appropriate data centres. Where data is transferred across borders, we put in place appropriate safeguards such as standard contractual clauses.
8. Data Retention
We retain website enquiry data for up to 24 months after last contact unless you ask us to delete it sooner. Customer Data (including patient records) is retained for the duration of the subscription and made available for export for thirty (30) days after termination, after which it is deleted from active systems in line with our retention schedule, subject to any legal hold.
9. Your Rights
Subject to applicable law, you have the right to access, correct, delete, restrict, or object to the processing of your personal data, to withdraw consent, and to data portability. Patients whose data has been uploaded to the Service should contact their clinic first, as the clinic is the controller of that data. We will support clinics in responding to such requests.
To exercise rights over data we control, email us via the Contact page. You also have the right to lodge a complaint with the Data Protection Authority of Sri Lanka or your local supervisory authority.
10. Cookies & Analytics
Our websites use essential cookies to operate securely and analytics cookies (such as Google Analytics) to understand how visitors use the site. You can control non-essential cookies through your browser settings.
11. Children
The Service is not directed at children, but clinics may process paediatric patient records on behalf of their patients’ parents or guardians. Consent for such processing is the responsibility of the clinic.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be highlighted on this page and, where appropriate, notified to account administrators.
13. Contact Us
BISTEC Care Private Limited
No: 14, Sir Baron Jayathilake Mawatha, Colombo 01, Sri Lanka
Get in touch via our Contact page or WhatsApp for privacy-related questions.