Privacy Policy

Privacy Policy for Electronic Record Management System (ERMS)


Effective Date: 17 June 2025

Tavira ("we," "our," or "us") is committed to protecting the privacy, confidentiality, and security of the personal information collected through our Electronic Record Management System (ERMS). This Privacy Policy outlines how we collect, use, disclose, and protect personal data in accordance with applicable laws in Sri Lanka and international standards.

1. Legal Compliance

Our PAS is developed in strict compliance with:

  • Sri Lanka Personal Data Protection Act, No. 9 of 2022
  • Computer Crimes Act, No. 24 of 2007
  • Electronic Transactions Act, No. 19 of 2006

  • International standards, including:
      • HIPAA (USA)
      • ISO/IEC 27001
      • HL7 FHIR interoperability frameworks

2. Data We Collect

We collect personal and medical information necessary for the operation of our PAS, which may include:

  • Patient names, NIC numbers, contact details
  • Appointment, treatment, and diagnosis records
  • Staff login credentials and activity logs
  • Administrative and billing information

3. Use of Information

We use the collected data for the following purposes:

  • To manage patient appointments, admissions, and records
  • To provide access-controlled information to authorized staff
  • To facilitate billing, discharge, and reporting workflows
  • To ensure system functionality, security, and support

4. Consent

Patients and system users are required to provide informed, explicit consent prior to data collection, in accordance with the PDPA. Hospitals using our system are responsible for implementing these consent procedures.

5. Data Security

Tavira employs technical and organizational measures including:

  • End-to-end encryption of data in transit and at rest
  • Role-based user access control
  • System logging, audit trails, and breach monitoring
  • Secure hosting with daily backups and disaster recovery protocols

6. Data Sharing and Disclosure

We do not sell or disclose personal data to third parties except:

  • To authorized hospital staff for treatment and administrative purposes
  • If required by law or regulatory authority
  • With patient or user consent

7. Data Retention

Personal data will be retained only for as long as necessary for its intended purpose and in accordance with applicable laws. Hospitals may set their own data retention policies.

8. User Rights

In accordance with the PDPA, patients and users have the right to:

  • Access their personal data
  • Request corrections or updates
  • Withdraw consent at any time
  • Request data deletion, subject to legal limitations

Requests must be made through the hospital or healthcare provider using Tavira ERMS.

9. Data Transfers

If data is transferred outside Sri Lanka (e.g., for cloud hosting), Tavira ensures compliance with cross-border data protection safeguards as required under the PDPA.

10. Contact Us

For any inquiries regarding this Privacy Policy or data protection practices, please contact:

Tavira (Pvt) Ltd
Email: [email protected]
Phone: +94 74 001 2284
Address: 67, Sri Sangaraja Mawatha, Ambalangoda

This policy will be reviewed and updated periodically to reflect changes in laws, technologies, and operations. We recommend that you check this page regularly for updates.