TEMPLATE – Privacy Policy

Privacy Policy

Effective date: {{EFFECTIVE_DATE}}
This Privacy Policy explains how {{CLINIC_NAME}} (“we”, “us”, “our”) collects, uses, discloses, and protects your personal data when you visit {{WEBSITE_URL}}, contact us (including via WhatsApp), book appointments, receive teleconsultations, or use our services offline or online.
We are committed to patient confidentiality and to complying with applicable Indian laws.

1) Who we are & how to contact us
Clinic: {{CLINIC_NAME}}
Address: {{CLINIC_ADDRESS}}
Phone: {{CLINIC_PHONE}}
Email: {{CLINIC_EMAIL}}
WhatsApp: {{CLINIC_WHATSAPP_LINK}} (clicking opens WhatsApp)
Grievance Officer (India): {{GRIEVANCE_OFFICER_NAME}}, {{GRIEVANCE_OFFICER_EMAIL}}, {{GRIEVANCE_OFFICER_PHONE}}
(For privacy complaints or requests.)
If you have a privacy concern, please contact the Grievance Officer first. If unresolved, you may have the right to escalate to the Data Protection Board of India as per law.

2) Scope
This Policy applies to:
Our website {{WEBSITE_URL}}, forms, cookies, and analytics;
Calls, SMS, email, and WhatsApp communications;
In-clinic registration and medical records;
Telemedicine/teleconsultation platforms we use;
Third-party services integrated for payments, diagnostics, imaging, e-prescriptions, reminders, or hosting.

3) The data we collect
A. Identity & contact
Name, age/date of birth, gender, address, phone, email, WhatsApp number, guardian/attendant details (for minors or dependent patients).
B. Medical & appointment data (health information)
Medical history, prescriptions, allergies, vitals, investigations, images/reports, visit notes, diagnosis, treatment plan, referrals, e-prescriptions, and follow-up details.
C. Transaction & payment
Appointment fees, invoices, payment status, and limited payment instrument details processed via our payment partners. We do not store full card/UPI credentials on our servers.
D. Technical & usage
IP address, device/browser details, pages viewed, referrers, session logs, and cookies/pixels used for security, performance, and analytics.
E. Communications
Messages/calls/emails/WhatsApp chats with us (including recordings or transcripts where legally allowed and operationally necessary).

4) How we collect data
Directly from you (website forms, in-clinic forms, calls, chats, WhatsApp, teleconsults).
From your authorized representatives (parent/guardian/caregiver).
From healthcare partners (labs, imaging centers, pharmacies) when you request or consent to coordination.
Automatically via cookies, SDKs, and similar technologies on our site/app.
From third parties you choose to connect (e.g., appointment/telemedicine apps, payment gateways).

5) Why we process your data (purposes)
Provide clinical care, maintain medical records, and manage appointments.
Telemedicine consultations and follow-ups, including e-prescriptions.
Coordinate diagnostics, pharmacy, and referrals that you request.
Communicate reminders, schedule changes, results availability, and necessary service messages.
Billing, accounting, payments, and fraud prevention.
Maintain information security, troubleshoot, and improve our services.
Comply with legal and regulatory obligations and respond to lawful requests.
Marketing: We do not sell your personal data. We may send clinic updates or health education with your consent. You can opt out anytime (see Section 10).

6) Legal basis & consent (India)
We rely on:
Your consent (e.g., when you submit forms, book, or use teleconsults).
Certain legitimate uses under Indian law (e.g., responding to medical emergencies or providing health services during outbreaks).
Compliance with law (e.g., record retention, responding to lawful requests).
Where the law requires consent, we obtain and record it. You can withdraw consent at any time; this will not affect processing already done, but may impact services that rely on that data.

7) Children & minors
We do not knowingly collect personal data from children without verifiable consent of a parent or legal guardian. If you believe a child’s data was provided without such consent, please contact our Grievance Officer for prompt action.

8) Telemedicine
When we deliver care via telemedicine, we will:
Confirm identities of patient and registered medical practitioner (RMP);
Record explicit patient consent for teleconsultation (text/voice/click consent);
Document clinical notes, advice, and prescriptions to the same standard of care as an in-person visit.

9) Cookies & analytics
We use necessary cookies for site functionality and may use optional analytics and performance cookies (e.g., {{ANALYTICS_TOOL}}).
You can manage non-essential cookies via {{COOKIE_PREFERENCES_LINK}} or your browser settings.
Some cookies/pixels may be placed by our service providers (see Section 12).

10) Your rights (India)
Subject to applicable law, you may:
Access the personal data we hold about you;
Request correction of inaccurate or incomplete data;
Request erasure when data is no longer needed or consent is withdrawn (unless we must retain it by law);
Withdraw consent where consent is the basis of processing;
Raise a grievance if you are dissatisfied with our response.
How to exercise: Email {{GRIEVANCE_OFFICER_EMAIL}} with your request. We may verify your identity and/or authority (for nominees/guardians).

11) Data retention
Medical records: retained for the period required under applicable medical record-keeping norms or laws (and for legitimate business needs), then securely deleted or anonymized.
Non-clinical data: retained only as long as necessary for the purposes stated or as required by law.
You can request details of specific retention periods relevant to your case from {{GRIEVANCE_OFFICER_EMAIL}}.

12) Sharing & disclosures
We share data only on a need-to-know basis with:
Healthcare partners (labs, imaging, pharmacy) when you request or consent;
Payment processors (e.g., {{PAYMENT_GATEWAY}}) to complete transactions;
Technology providers (hosting, EHR/EMR, telemedicine, email/SMS/WhatsApp delivery, analytics) who act under contracts and security obligations;
Government/regulatory authorities where legally required;
Professional advisors (auditors, legal counsel) under confidentiality.
We require vendors to follow appropriate security and privacy standards.

13) Cross-border transfers
Our service providers (cloud, email, analytics, telemedicine) may process data in other countries. We allow such transfers only in line with Indian law, including any government notifications that may restrict transfers to specific countries. By using our services, you understand that your data may be processed outside India subject to these safeguards.

14) Information security
We use reasonable technical and organizational measures to protect your data—such as access controls, encryption in transit where feasible, least-privilege access, logging, and staff confidentiality. No system is 100% secure; if we become aware of a personal data breach that affects you, we will notify you and, where required, inform the appropriate authorities.

15) Third-party links & platforms
Our site may link to third-party websites, apps, or widgets (e.g., maps, payment pages, WhatsApp). Their privacy practices are governed by their own policies. Please review them before use.

16) WhatsApp & messaging
If you message us on WhatsApp or similar platforms:
Your phone number and message content will be processed to respond to you;
Platform providers may receive metadata in accordance with their policies;
Do not share emergency, highly sensitive, or password/OTP information on open chats.
For emergencies, please call {{EMERGENCY_PHONE}} or visit the nearest hospital.

17) Changes to this Policy
We may update this Policy to reflect operational, legal, or regulatory changes. The “Effective date” at the top shows when the latest version took effect. Material changes will be highlighted on this page.

18) How to complain
Write to our Grievance Officer at {{GRIEVANCE_OFFICER_EMAIL}}.
If you are not satisfied with our response, you may have the right to escalate the matter to the Data Protection Board of India under applicable law.

Quick consent settings
Manage non-essential cookies: {{COOKIE_PREFERENCES_LINK}}
Marketing opt-out: Reply STOP to SMS/WhatsApp or email unsubscribe to {{CLINIC_EMAIL}}
Access/correct/erase data: Email {{GRIEVANCE_OFFICER_EMAIL}}

Glossary (plain language)
Personal data: Any data that can identify you (directly or indirectly).
Health data/medical records: Clinical information we maintain to provide care.
Processor/vendor: A company we engage to process data for us (e.g., cloud host).
Consent: Your clear, specific permission for us to process your data for a stated purpose.

Footer (not shown to patients; optional internal note)
Internal owner: {{PRIVACY_OWNER_NAME}} • Review cycle: {{REVIEW_FREQUENCY}} • Next review due: {{NEXT_REVIEW_DATE}}

Implementation notes & legal references (for you; not part of the public page)
India – DPDP Act, 2023: establishes data principal rights (access, correction, erasure, grievance; nomination), defines a child as under 18, provides for grievance redressal, “certain legitimate uses” including medical emergencies/public health, breach notifications to affected individuals and the Board, and allows cross-border transfers except to blacklisted countries (negative-list approach). Sources: MeitY, dpdpa.com, Carnegie Endowment, Baker McKenzie Resource Hub, https://www.taxmann.com
SPDI Rules (2011): until fully superseded in practice, clinics should still publish a privacy policy and name a Grievance Officer; redress within one month. Source: DataGuidance
Telemedicine (NMC Guidelines): record patient consent, confirm identities, maintain records—apply to your teleconsultation flows. Sources: nmcn.in, PMC
Cross-border transfers: permitted by default unless the Government notifies restricted countries; keep an eye on notifications/rules. Sources: Baker McKenzie Resource Hub, Securiti
Children’s data: parental consent required; avoid behavioral tracking/targeted ads for minors. Sources: Law.asia, Tech Policy Press
Tip: In your multisite “template variables” table, map each placeholder (e.g., {{CLINIC_NAME}}, {{GRIEVANCE_OFFICER_EMAIL}}) and auto-inject them during site cloning. For cookies, wire {{COOKIE_PREFERENCES_LINK}} to your CMP (CookieYes/Complianz) per-site URL.
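A small checker for the auto-injection step, added here as an example (it is not part of the template or of any CMS/CMP product): it renders a policy fragment from a per-site variable table, refuses to publish when any {{PLACEHOLDER}} is unmapped or blank (so a cloned site never goes live with an empty Grievance Officer contact), requires https for link placeholders, and HTML-escapes every value. The template fragment and the variable values below are constructed for the example.

```python
import html
import re
from typing import Dict, Set

# Constructed fragment of the policy above; a real site would pass the whole page.
TEMPLATE = (
    "Grievance Officer (India): {{GRIEVANCE_OFFICER_NAME}}, "
    "{{GRIEVANCE_OFFICER_EMAIL}}, {{GRIEVANCE_OFFICER_PHONE}}\n"
    "Manage non-essential cookies: {{COOKIE_PREFERENCES_LINK}}"
)

# Constructed per-site values, as they might come from a multisite variables table.
SAMPLE_VARS = {
    "GRIEVANCE_OFFICER_NAME": "Dr. A & B (example)",
    "GRIEVANCE_OFFICER_EMAIL": "privacy@clinic.example",
    "GRIEVANCE_OFFICER_PHONE": "+91-00000-00000",
    "COOKIE_PREFERENCES_LINK": "https://clinic.example/cookie-preferences",
}

PLACEHOLDER = re.compile(r"\{\{([A-Z0-9_]+)\}\}")


def find_placeholders(template: str) -> Set[str]:
    """Return every {{NAME}} token present in the template."""
    return set(PLACEHOLDER.findall(template))


def render_policy(template: str, variables: Dict[str, str]) -> str:
    """Render one site's policy, failing closed on bad or missing values."""
    needed = find_placeholders(template)
    missing = {name for name in needed if not variables.get(name, "").strip()}
    if missing:
        raise ValueError(f"unresolved or blank placeholders: {sorted(missing)}")
    for name in needed:
        # Link placeholders must be https URLs, not arbitrary strings from the table.
        if name.endswith(("_LINK", "_URL")) and not variables[name].startswith("https://"):
            raise ValueError(f"{name} must be an https URL")
    # Escape on output: values are untrusted text, not markup.
    return PLACEHOLDER.sub(lambda m: html.escape(variables[m.group(1)], quote=True), template)


if __name__ == "__main__":
    print(render_policy(TEMPLATE, SAMPLE_VARS))
```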