ICU Desk

Privacy Policy

Effective date: 8 June 2026

ICU Desk (“ICU Desk”, “we”, “us”) provides clinical decision-support tools for healthcare professionals at app.icudesk.com. This policy explains what information we collect, how we use it, and the choices and rights you have. It is written to be consistent with India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”).

1. Who this policy covers

ICU Desk is intended for use by registered clinicians and other authorised healthcare professionals. It is not directed at, or intended for use by, members of the general public or patients directly. We do not knowingly collect data from children.

2. Information we collect

a. Account information

When you sign in, we collect the information needed to create and secure your account:

• Email sign-in: your email address and password (stored only as a secure, salted hash — we never see your plaintext password).
• Google sign-in: your name, email address, and Google account identifier, provided by Google with your consent. We do not receive your Google password.

b. Clinical data you enter

To provide the tools, we store the data you enter about the patients you manage: a hospital identifier (UHID), an optional patient name, sex and age, and — where you use the renal calculator — weight, height and serum creatinine. We also store the outputs and records you generate (creatinine-clearance calculations, ICU Companion status and notes, and extubation assessments).

c. ICU Family Companion data

Where a clinician enables the ICU Family Companion for a patient, relatives and the patient access a limited, family-facing view using a per-patient access code (no separate accounts). Through it we process: the patient’s consented first name shown to the family, the respondent’s own name, diary messages and any photos or voice notes they choose to share, and — if they take part in the optional well-being check-in — their responses to a validated anxiety questionnaire (GAD-7). This supports family communication and an associated research study on reducing post-ICU distress; participation in the check-in is voluntary and can be skipped. If a family member chooses to translate the care-team note into another language, only that note text is sent to Google Cloud Translation to generate the translation; we do not send your name, the diary, or any other content for translation.

d. Technical data

Our hosting and infrastructure providers process limited technical information (such as IP address and browser type) to deliver and secure the service. We do not use advertising or third-party tracking cookies.

3. How we use information

• To authenticate you and keep your account secure.
• To provide, operate, and maintain the calculators, diary, and assessment tools.
• To store and display the records you create, only to you.
• To diagnose problems, prevent abuse, and improve reliability.
• To comply with applicable legal obligations.

We do not sell your personal data or the clinical data you enter, and we do not use it for advertising.

4. Use of Google user data

If you sign in with Google, we use the name and email address received from Google solely to create and authenticate your ICU Desk account. ICU Desk’s use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not share Google user data with third parties except as needed to provide the service, for security, or to comply with law, and we do not use it for advertising or for training generalised AI/ML models.

5. Roles under the DPDP Act

• For your account information, ICU Desk acts as the Data Fiduciary, processing it on the basis of your consent and to provide the service you request.
• For the clinical data you enter, you (and/or your healthcare institution) determine the purpose of processing. ICU Desk acts as a Data Processor on your behalf and processes that data only to provide the service.

6. How we store and protect data

Data is transmitted over encrypted connections (HTTPS/TLS). The application is served as static files via Cloudflare, and accounts and records are stored using Supabase (managed PostgreSQL and authentication). Access to records is enforced at the database level so that each clinician can access only the records they created (row-level security). No security measure is perfect, and we cannot guarantee absolute security.

7. Service providers (sub-processors)

We rely on the following providers to operate ICU Desk:

• Supabase — authentication and database hosting.
• Google — sign-in (only if you choose Google sign-in).
• Cloudflare — static hosting and content delivery.

These providers process data on our behalf under their respective terms.

8. Data retention and deletion

We retain your account and records for as long as your account is active. You can delete a patient and its associated records from within the app at any time, which permanently removes the associated calculations, diary entries, and assessments. To delete your entire account, contact us at [email protected].

9. Your rights

Subject to applicable law, you may:

• access and obtain a summary of the personal data we hold about you;
• request correction or updating of inaccurate data;
• request erasure of your data;
• withdraw consent (which may prevent further use of the service); and
• raise a grievance regarding our handling of your data.

To exercise any of these rights, contact us at [email protected]. We will respond within the timeframes required by applicable law.

10. Changes to this policy

We may update this policy from time to time. We will revise the “Effective date” above and, where appropriate, notify you within the app. Continued use after an update constitutes acceptance of the revised policy.

11. Contact & grievance redressal

For any questions, requests, or grievances about this policy or your data, contact:

← Back to ICU Desk