Orion EMR — Privacy Policy
Effective Date: 25 May 2026
Last Updated: 25 May 2026
Operated by: Orionhms — [REGISTERED LEGAL ENTITY NAME AND NUMBER]
Registered Office: [REGISTERED OFFICE ADDRESS, UAE]
Contact for Privacy Queries: customercare@orionhms.com
General Contact: customercare@orionhms.com
1. Introduction
This Privacy Policy ("Policy") explains how Orionhms ("we", "us", "our", or "Orion") collects, uses, discloses, retains, and protects personal data in connection with the Orion EMR platform ("Orion", "the Platform", or "the Service").
This Policy applies to:
- Visitors to our public marketing website
- Representatives of healthcare facilities that subscribe to, evaluate, or trial Orion EMR ("Customers" or "Clinics")
- Authorised users of the Platform — clinicians, nurses, administrative staff, billers, and other personnel granted access by a Customer ("Authorised Users")
- Patients whose personal data and health information are processed through the Platform by a Customer ("Patients" or "Data Subjects")
- Prospective customers who submit inquiries through our website
This Policy should be read together with our Terms of Service and, where applicable, our Data Processing Addendum.
We are committed to compliance with:
- The United Arab Emirates Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL")
- Applicable UAE health data laws, including but not limited to Dubai Health Authority Law No. (8) of 2018 concerning Health Data, the Health Data Law of Abu Dhabi (as enforced by the Department of Health), and the federal regulations administered by the Ministry of Health and Prevention ("MoHAP")
- Where applicable, the EU General Data Protection Regulation ("GDPR") and, for Customers serving United States populations, the Health Insurance Portability and Accountability Act ("HIPAA") to the extent of any applicable Business Associate Agreement
2. Our Roles Under Data Protection Law
Orion EMR operates under two distinct data protection roles depending on the data in question.
2.1 Orion as Data Controller
We act as a Data Controller in respect of the personal data we collect and use directly for our own purposes, including:
- Information collected from visitors to our marketing website and from prospective customers via our sign-up inquiry form
- Information collected during account creation, contract negotiation, billing, and account administration with our Customers
- Information about Authorised Users that we collect to enable, support, and secure their access to the Platform
- Usage analytics, system logs, security telemetry, and audit information generated by use of the Platform
2.2 Orion as Data Processor
We act as a Data Processor on behalf of our Customers (who are Data Controllers) in respect of the personal data, including patient health information, that Customers upload to or generate within the Platform in the course of providing healthcare services ("Customer Data"). Our processing of Customer Data is governed by the agreement between Orion and the Customer, including any Data Processing Addendum.
Patients should direct enquiries about their health records, including requests to access, correct, or delete records, to the relevant Clinic that holds those records. We will support Customers in responding to such requests but cannot, in our capacity as a Data Processor, action them directly without instruction from the Customer.
3. Personal Data We Collect
3.1 Information you provide
- Inquiry data: when you submit our sign-up inquiry form, we collect your name, email address, phone number, clinic name, specialty, emirate, and any message you include.
- Account data: when a Customer subscribes, we collect contact details for designated administrators, billing contacts, and Authorised Users (name, work email, role, professional licence number where applicable).
- Authentication data: passwords (stored as cryptographic hashes only), multi-factor authentication tokens, and recovery information.
- Support data: information you provide when contacting our support, sales, or customer care teams.
3.2 Information generated by your use of the Platform
- Profile and configuration data: facility settings, user roles, permissions, schedules.
- Clinical and operational data entered by Authorised Users: appointments, encounter notes, prescriptions, lab orders and results, imaging references, billing line items, insurance claims, and other data forming part of the medical record. This category is processed by us as a Data Processor on behalf of the Customer.
- Audit and security logs: records of user logins, role assignments, record access, configuration changes, and data exports.
- Technical data: IP address, browser type and version, operating system, device identifiers, time-zone settings, language preferences, pages visited, and similar telemetry necessary to operate, secure, and improve the Platform.
3.3 Information from third parties
- Regulatory health information exchanges: where a Customer is connected to NABIDH (Dubai), Malaffi (Abu Dhabi), Riyati (Northern Emirates) or other regulatory exchanges, the Platform may receive patient information from those systems pursuant to UAE regulatory requirements.
- Identity and licensing data: where applicable, professional licensing information may be verified against published registries such as the Dubai Health Authority Sheryan service.
- Payment processors: limited transaction confirmation data from any payment service we may use in future.
3.4 Sensitive personal data
Health and medical information is "Sensitive Personal Data" under the UAE PDPL and the GDPR. Most data within Customer Data falls into this category. We process such data only as necessary to provide the Service and only on the documented instructions of the Customer, except where required by UAE law.
4. Purposes for Which We Process Personal Data
We process personal data for the following purposes:
- Service delivery: to provide, maintain, configure, and improve the Platform and the features Customers subscribe to.
- Customer onboarding and administration: to create accounts, manage subscriptions, and provide support.
- Authorised user enablement: to authenticate users, enforce role-based access controls, and provide multi-factor authentication.
- Regulatory compliance and submissions: to enable Customers to submit data to NABIDH, Malaffi, Riyati and other mandated health information exchanges in accordance with the law of the emirate in which they operate.
- Security and integrity: to detect, investigate, and prevent fraudulent, unauthorised, or illegal activity, and to protect the rights and safety of Customers, Authorised Users, Patients, the public, and Orion.
- Audit and accountability: to maintain access and change logs as required by health data laws and as expected of clinical information systems.
- Billing and accounting: to invoice Customers and maintain financial records as required by UAE commercial and tax law.
- Customer communications: to send service announcements, security notices, maintenance windows, regulatory updates, and other transactional communications. Marketing communications are sent only with consent and may be withdrawn at any time.
- Sales and lead handling: to respond to inquiries submitted via our website, to follow up with prospects, and to maintain a sales pipeline.
- Aggregated analytics: to produce statistical and analytical insights about Platform usage. Where used outside the originating Customer's environment, this data is aggregated and de-identified such that it cannot reasonably be re-associated with an individual or a single Customer.
- Legal obligations and defence of legal claims: to comply with court orders, lawful requests from competent authorities, and to establish, exercise, or defend legal claims.
5. Legal Bases for Processing
Under the UAE PDPL and other applicable laws, we rely on one or more of the following legal bases:
- Performance of a contract: processing necessary to provide the Service to Customers and to administer the contractual relationship.
- Compliance with a legal obligation: processing required by UAE health data laws, regulatory exchange requirements, tax law, anti-money-laundering law, and similar mandates.
- Legitimate interests: processing necessary for our legitimate business interests, such as platform security, fraud prevention, service improvement, and direct business-to-business communication, where these interests are not overridden by the rights and freedoms of data subjects.
- Consent: processing carried out with the data subject's freely given, specific, informed, and unambiguous consent, such as for non-essential cookies or marketing communications.
- Protection of vital interests: in narrow circumstances where processing is necessary to protect the life or physical safety of a data subject.
- Public interest tasks in the healthcare field: where processing is required for reasons of substantial public interest in healthcare, in accordance with applicable law.
6. Sharing of Personal Data
We do not sell personal data. We share personal data only as set out below.
6.1 Within the Customer's authorised circle
Customer Data is accessible to Authorised Users designated by the Customer, subject to role-based permissions configured by the Customer.
6.2 Regulatory exchanges
Where required by UAE law and at the Customer's direction, we transmit relevant data to:
- NABIDH (Dubai)
- Malaffi (Abu Dhabi)
- Riyati (Northern Emirates)
- Other federal or emirate-level health information systems as mandated
6.3 Sub-processors
We engage trusted third-party service providers ("Sub-processors") to support delivery of the Service. Sub-processors are contractually bound to confidentiality, security, and data protection obligations no less protective than those we owe to Customers. Our current Sub-processors include:
| Sub-processor | Purpose | Processing Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud application hosting | United Arab Emirates (AWS me-central-1) |
| Cloudflare, Inc. | Object storage (Cloudflare R2) and content delivery | European Union region |
| Resend | Transactional email delivery | United States |
| [Other Sub-processors as engaged] | [Purpose] | [Location] |
The above list is current as of the Last Updated date. An up-to-date list is available on request.
6.4 Professional advisors and corporate transactions
We may disclose personal data to our auditors, accountants, lawyers, insurers, and other professional advisors where reasonably necessary. In the event of a merger, acquisition, restructuring, or sale of business or assets, personal data may be disclosed to the prospective party or successor, subject to confidentiality undertakings.
6.5 Legal and regulatory disclosure
We may disclose personal data to law enforcement agencies, courts, regulators, government officials, or other authorised third parties where required by law, court order, or to protect the rights, property, or safety of Orion, Customers, Authorised Users, Patients, or the public.
7. International Transfers
The Platform operates from UAE-based infrastructure (AWS Middle East — me-central-1, UAE region). Certain Sub-processors may process limited data outside the UAE (see Section 6.3). Where personal data is transferred outside the UAE, we ensure such transfers are made in accordance with the UAE PDPL and Cabinet Decision regulations on cross-border transfers, including by:
- Transferring only to jurisdictions recognised under UAE law as offering an adequate level of protection
- Using contractual safeguards equivalent to internationally recognised standard contractual clauses
- Obtaining explicit consent where required
- Relying on derogations permitted under the UAE PDPL for specific necessary transfers
Customers who require all data to remain within the UAE should contact us to discuss UAE-resident deployment options.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including any requirements to comply with legal, regulatory, accounting, or reporting obligations.
- Inquiry data (sign-up form submissions): retained for up to 24 months from collection unless the prospect becomes a Customer, in which case the data is migrated into the Customer account record.
- Authorised User account data: retained for the duration of the Customer's subscription plus 12 months following termination, subject to any longer period required by Customer instruction or applicable law.
- Customer Data (medical records): retained in accordance with the Customer's documented instructions and applicable UAE health record retention rules. Medical records in the UAE are typically subject to minimum retention periods set by health authorities (often a minimum of 7-10 years from the last entry, with longer or indefinite retention for certain record categories). The Customer remains the Data Controller and is responsible for setting and instructing retention.
- Audit logs: retained for the period required by applicable law and clinical information system standards, typically a minimum of 6 years.
- Marketing data: retained until consent is withdrawn or the data subject opts out, whichever is sooner.
- Billing and accounting records: retained for the period required by UAE commercial and tax law (typically 5-10 years).
Following the applicable retention period, personal data is deleted, anonymised, or archived in a manner that prevents further processing unless a new lawful basis for processing arises.
9. Security Measures
We implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:
- Encryption in transit: TLS 1.2 or higher for all connections between client devices, the Platform, and Sub-processors.
- Encryption at rest: AES-256 encryption for stored data, including database and object storage.
- Access controls: role-based access control (RBAC) with the principle of least privilege; mandatory multi-factor authentication for all administrative and clinical user accounts; periodic access reviews.
- Audit logging: comprehensive logging of access to and changes to clinical records, with logs retained per applicable retention requirements.
- Network and infrastructure security: segmented networks, security groups, firewalls, and intrusion detection monitoring.
- Vulnerability management: regular scanning, patching, and periodic penetration testing.
- Personnel controls: confidentiality undertakings and background checks (where lawful) for Orion personnel; role-based access for staff.
- Sub-processor due diligence: contractual obligations on Sub-processors including security commitments equivalent to those we owe to Customers.
- Incident response: documented procedures for detecting, responding to, and notifying affected parties and authorities of personal data breaches.
No system is perfectly secure. We cannot and do not warrant the absolute security of the Platform. We will, however, notify affected Customers without undue delay after becoming aware of any personal data breach that is reasonably likely to result in a high risk to the rights or freedoms of data subjects, and we will cooperate with Customers in meeting their breach notification obligations to data subjects and regulators.
10. Your Rights as a Data Subject
Subject to the UAE PDPL and other applicable laws, data subjects have the following rights in respect of their personal data:
- Right of access: to obtain confirmation of whether we hold personal data about you and to receive a copy
- Right to rectification: to request correction of inaccurate or incomplete data
- Right to erasure: to request deletion of data, subject to legal exceptions (in healthcare contexts, medical record retention obligations frequently override erasure requests)
- Right to restrict processing: to request that we limit processing in specific circumstances
- Right to portability: to request a copy of certain data in a structured, commonly used, machine-readable format
- Right to object: to object to processing carried out on the basis of legitimate interests, and to object to direct marketing at any time
- Right not to be subject to automated decision-making: where automated decisions with a significant effect are made (we do not currently make any such automated decisions about data subjects)
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Right to lodge a complaint with the UAE Data Office or the data protection authority in your jurisdiction
How to exercise your rights
- If you are a Patient whose health data is held by a Clinic using Orion EMR, please contact your Clinic directly. We will support the Clinic in responding to your request.
- If you are a website visitor, prospect, or Authorised User, please contact us at customercare@orionhms.com.
We may need to verify your identity before responding to a request and may ask for additional information for this purpose. We will respond to verified requests within the time required by applicable law, typically not exceeding 30 days, with extensions where the law permits.
11. Cookies and Similar Technologies
Our marketing website uses a limited set of cookies and similar technologies. We use:
- Strictly necessary cookies: required for the basic functioning of the website (e.g., security, session management). These do not require consent.
- Functional cookies: to remember preferences (e.g., language). Used only with consent where required.
- Analytics cookies: to understand aggregate usage patterns. Used only with consent where required.
We do not currently use third-party advertising cookies. Where applicable, you will be presented with a cookie banner allowing you to accept or reject non-essential cookies. You can also control cookies through your browser settings.
12. Children's Personal Data
The Platform is intended for use by healthcare professionals in a clinical context. Health data concerning paediatric Patients is processed by Customers in the course of clinical care, and the Customer (as the treating healthcare provider) is responsible for obtaining any consents required from parents or legal guardians under applicable law. We do not knowingly collect personal data directly from minors for our own purposes.
13. Marketing Communications
We may send Customers and Authorised Users service-related transactional emails (account notices, security alerts, maintenance windows, regulatory updates) that you cannot opt out of while you maintain an account, because they are necessary to operate the Service.
We send marketing emails only with consent and only to recipients who have explicitly opted in (for example, by submitting our sign-up inquiry form). You can opt out at any time by following the unsubscribe link in any marketing email or by contacting us.
14. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this Policy
- Provide notice through the Platform, by email to Customer administrators, or via a prominent notice on our website where appropriate
- Where required by applicable law, obtain renewed consent for any new processing activity
We encourage you to review this Policy periodically.
15. Contact and Complaints
For privacy enquiries, requests to exercise your rights, or to make a complaint:
Email: customercare@orionhms.com
General customer care: customercare@orionhms.com
Postal address: [REGISTERED OFFICE ADDRESS, UAE]
Phone: [+971 PHONE NUMBER]
If you are not satisfied with our response to a complaint, you may contact the UAE Data Office or the data protection regulator in your jurisdiction.
This Policy is provided in English. In case of any inconsistency with a translated version, the English version prevails.