GDPR Compliance Policy

Rehab-Software

Effective Date: 21/01/2026

Purpose

This GDPR Compliance Policy describes how Rehab-Software, a software-as-a-service (SaaS) platform operated by Strategic Ventures, aligns its data processing practices with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) where applicable. This policy applies to the processing of personal data of individuals located in the European Union (EU) and the European Economic Area (EEA).

Scope

This policy applies to users of Rehab-Software located in the EU and EEA, to personal data processed through the platform, and to cloud-based processing associated with SaaS delivery. Rehab-Software primarily functions as a data processor, while customers such as healthcare organisations or professionals act as data controllers, unless otherwise agreed in writing.

Definitions

For the purposes of this policy, personal data means any information relating to an identified or identifiable natural person. Processing refers to any operation performed on personal data, including collection, storage, or use. A controller is the entity that determines the purposes and means of processing, while a processor is the entity that processes data on behalf of the controller.

Categories of Personal Data Processed

Rehab-Software may process user data such as names, email addresses, and account credentials; healthcare operational data used for administrative and workflow purposes; documents uploaded by users, including PDFs and other files; and derived data extracted through OCR, automation, or machine learning–assisted processes. Rehab-Software does not independently determine the clinical purpose of data processing.

Lawful Basis for Processing

Personal data is processed only where a lawful basis exists under GDPR. This may include the performance of a contract, compliance with legal obligations applicable to the controller, legitimate interests related to SaaS operations, or explicit consent where required and obtained by the controller. Rehab-Software relies on the data controller to ensure that an appropriate lawful basis exists for all uploaded data.

Use of AI and Automated Processing

Rehab-Software uses AI-enabled technologies such as optical character recognition, workflow automation, and machine learning–assisted data extraction to support operational efficiency. These technologies do not perform automated decision-making with legal or similarly significant effects under Article 22 of GDPR and require human review and validation.

Data Subject Rights

Where applicable, Rehab-Software supports data controllers in fulfilling data subject rights under GDPR, including the right of access, rectification, erasure, restriction of processing, data portability, and objection. Requests should be submitted to the relevant data controller, and Rehab-Software will provide reasonable assistance as required by law.

Data Security Measures

Strategic Ventures implements appropriate technical and organisational measures to protect personal data, including access controls, authentication mechanisms, secure cloud-based infrastructure, and data protection practices aligned with industry standards. While absolute security cannot be guaranteed, reasonable safeguards are maintained to reduce risk.

Data Retention

Personal data is retained only for the duration necessary to provide SaaS services or to meet contractual, legal, and compliance obligations. Retention schedules are primarily defined by the data controller.

Sub-Processors and Cloud Services

Rehab-Software may engage cloud infrastructure providers and technical sub-processors strictly for service delivery. All sub-processors are bound by contractual data protection obligations, process data only on documented instructions, and are selected based on appropriate security and compliance considerations. No vendor lock-in commitments are imposed.

International Data Transfers

Where personal data is transferred outside the EU or EEA, appropriate safeguards are applied, including Standard Contractual Clauses or other lawful transfer mechanisms permitted under GDPR.

Data Breach Management

In the event of a personal data breach, reasonable steps are taken to identify and mitigate its impact. Affected data controllers are notified without undue delay, and cooperation is provided to support regulatory notifications where required.

Controller Responsibilities

Customers acting as data controllers are responsible for obtaining valid consent where required, providing appropriate privacy notices to data subjects, responding to data subject requests, and ensuring lawful use of Rehab-Software in compliance with GDPR.

Governing Law

This GDPR Compliance Policy is governed by the laws of India, without prejudice to mandatory GDPR requirements applicable to EU and EEA data subjects.

© 2026 STRATECH VENTURES PRIVATE LIMITED. All rights reserved. Rehab Software is a product of STRATECH VENTURES.