YourTurn Medical (“we”, “us”, or “our”) operates the med.yourturn.lk platform, a cloud-based queue management system for medical clinics and healthcare providers in Sri Lanka. This Privacy Policy explains how we collect, use, store, and protect personal information — including patient queue data — handled through our platform.
1. Information We Collect
Clinic and Staff Data (collected during registration and use):
- Clinic name, address, phone number, and type of practice
- Administrator and staff names, email addresses, and phone numbers
- Doctor names, specialisations, consultation fee ranges, and session schedules
- Billing information (handled via PayHere — card details are never stored by us)
Patient Queue Data (collected during clinic sessions):
- Patient name and mobile phone number (entered by clinic staff when adding to queue)
- Queue number, arrival time, waiting status, and consultation outcome (served, no-show, etc.)
- Booking information (for online pre-bookings)
Automatically collected data:
- IP addresses, browser type, and access logs for security and diagnostics
- Session cookies for authentication
2. How We Use Information
Clinic and staff data is used to:
- Create and manage your clinic account
- Process subscription payments via PayHere
- Send billing receipts and account notifications
- Provide customer support
Patient queue data is used to:
- Manage the real-time queue for your clinic sessions
- Send SMS notifications to patients about their queue position (via text.lk)
- Allow patients to track their turn via a unique link
- Generate anonymous aggregate statistics for clinic reporting
- Request post-visit patient reviews (via secure token link)
We do not use patient data for marketing purposes, and we do not sell or share it with any third party except those listed below.
3. SMS Notifications
When a clinic uses our SMS feature, we transmit the patient's phone number and a message template to text.lk (our SMS gateway provider) solely for the purpose of delivering queue notifications. SMS messages include a unique tracking link. Patients can opt out of further SMS by contacting their clinic.
4. Third-Party Service Providers
- PayHere — Payment processing for clinic subscriptions and SMS add-ons. Card data is handled entirely by PayHere under their PCI-DSS compliance programme.
- Supabase — Secure cloud database and file storage. Data is hosted on Supabase infrastructure with row-level security enabled.
- text.lk — SMS delivery. Phone numbers are transmitted over HTTPS and used only to send the requested queue notification.
All providers are contractually required to handle data confidentially and only for the specified purpose.
5. Data Access Controls
Clinic data is strictly isolated — clinic staff can only access data belonging to their own clinic. Row-Level Security (RLS) is enforced at the database level. Patient data is accessible only to the clinic's own staff during active sessions.
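As an added illustration (not code from YourTurn Medical or Supabase), the kind of Postgres Row-Level Security policy that enforces the per-clinic isolation described above looks like the following. The table and column names (queue_entries, clinic_staff, clinic_id, user_id) are assumptions for the example; auth.uid() and the authenticated role are standard in Supabase.

```sql
-- Assumed (hypothetical) schema for the example:
--   clinic_staff(user_id uuid, clinic_id uuid)   -- which staff user belongs to which clinic
--   queue_entries(id bigint, clinic_id uuid, patient_name text, patient_phone text, ...)

-- Turn RLS on and make it apply even to the table owner,
-- so no ordinary connection can read rows without a matching policy.
alter table queue_entries enable row level security;
alter table queue_entries force row level security;

-- Read access: a logged-in staff member sees only rows whose clinic_id
-- matches a clinic they are registered with.
create policy "staff read own clinic queue"
  on queue_entries
  for select
  to authenticated
  using (
    clinic_id in (
      select clinic_id from clinic_staff where user_id = auth.uid()
    )
  );

-- Write access: the same membership test is applied to new and updated rows,
-- so staff cannot insert a patient into another clinic's queue.
create policy "staff write own clinic queue"
  on queue_entries
  for all
  to authenticated
  using (
    clinic_id in (
      select clinic_id from clinic_staff where user_id = auth.uid()
    )
  )
  with check (
    clinic_id in (
      select clinic_id from clinic_staff where user_id = auth.uid()
    )
  );
```

Note that in Supabase the service-role key bypasses RLS entirely; policies like these protect data reached through end-user sessions, which is why the service-role credential itself must stay server-side and out of any client or browser code.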
6. Data Security
We implement the following technical and organisational security measures:
- All data is transmitted over HTTPS (TLS 1.2+)
- Database access is restricted via service-role credentials stored in secure environment variables
- Authentication uses short-lived HS256 JWT tokens (7-day expiry)
- No patient payment card data is ever processed or stored by YourTurn
While we take all reasonable precautions, no system is entirely risk-free. We will notify affected clinics promptly in the event of a confirmed data breach.
7. Data Retention
- Active accounts: Clinic and patient data is retained while your subscription is active.
- After account closure: Data is retained for 90 days before permanent deletion, unless required longer by law.
- Queue entry data: Historical queue entries are retained for reporting purposes and can be exported from the dashboard at any time.
- SMS logs: SMS send logs are retained for 12 months for audit purposes.
8. Patient Rights
Patients whose data is entered into the system by a clinic have the right to request access to, correction of, or deletion of their data. Such requests should be directed to the clinic that registered their information. Clinics are responsible for honouring patient data rights within the platform.
9. Clinic Responsibilities
Clinics using YourTurn Medical act as data controllers for the patient data they enter. Clinics are responsible for:
- Obtaining appropriate consent from patients before collecting their phone numbers
- Complying with applicable data protection laws, including the Personal Data Protection Act (PDPA) of Sri Lanka when enacted
- Maintaining confidentiality of their staff login credentials
10. Cookies
We use a session cookie (gp-session) to authenticate logged-in clinic staff. This cookie is strictly necessary for the application to function. We do not use advertising or analytics tracking cookies.
11. Changes to This Policy
We may update this policy periodically. Registered clinics will be notified of material changes by email. The effective date at the top of this page will be updated accordingly. Continued use of the platform after changes constitutes acceptance.
12. Contact Us
For privacy-related questions or data requests, please contact:
YourTurn Medical · info@yourturn.lk