Privacy Policy

We collect information necessary to provide our healthcare platform services. This includes: **Personal Information:** Name, email, phone number, date of birth, gender, and address when you create an account. **Health Information:** Medical records, prescriptions, lab results, consultation notes, and other clinical data generated through the platform. This constitutes Sensitive Personal Data under DPDPA 2023. **ABHA Information:** When you link your ABHA ID, we verify your identity through ABDM APIs and store your ABHA address for record exchange. **Usage Data:** Device information, IP address, browser type, pages visited, and interaction patterns to improve our services. **Communication Data:** Messages between patients and doctors, support tickets, and feedback. We collect health information only with explicit consent and for the specific purpose of providing healthcare services. **Payment Information:** When you subscribe to a paid plan, your payment is processed by Razorpay. We store transaction IDs, subscription status, billing interval, and coupon usage. We do NOT store card numbers, bank account details, UPI PINs, or CVV codes.

We use your information for the following purposes: **Healthcare Services:** To enable consultations, maintain medical records, process prescriptions, send appointment reminders, and facilitate communication between patients and doctors. **AI Features:** Voice-to-SOAP note generation, smart patient briefs, drug interaction checking, and task extraction. All AI-processed data requires doctor review before saving. **ABDM Compliance:** To share health records with other ABDM-certified providers when you provide explicit consent through the Consent Manager. **Platform Improvement:** Anonymized, aggregated data analysis to improve our services, features, and user experience. **Legal Compliance:** To comply with applicable laws including DPDPA 2023, IT Act 2000, and ABDM regulations. We never sell your personal or health data. We do not use your health data for advertising or marketing purposes.

We share your data only in the following circumstances: **With Your Doctor:** Your health records are accessible to the healthcare provider you consult with. **ABDM Network:** When you grant consent, your records may be shared with other ABDM-certified HIP/HIU participants. **Service Providers:** We use trusted third-party services who are contractually bound to protect your data: - **AWS** — Cloud hosting and data storage - **Razorpay** — Payment processing and subscription management. We share your name, email, and phone number with Razorpay to process payments. See Razorpay's privacy policy at razorpay.com/privacy - **SendGrid** — Transactional email delivery **Legal Requirements:** We may disclose information if required by law, court order, or government request. **De-identified Data:** We may share anonymized, aggregated data for research purposes. This data cannot be traced back to you. We never share your data with advertisers, data brokers, or any party for purposes unrelated to your healthcare.

We implement comprehensive security measures to protect your data: **Encryption:** AES-256-GCM encryption for data at rest. TLS 1.3 for data in transit. Field-level encryption for sensitive PII and PHI. **Access Control:** Role-based access control (RBAC) with principle of least privilege. Multi-factor authentication for all accounts. **Infrastructure:** Hosted on AWS Mumbai (ap-south-1) ensuring data residency in India. VPC isolation, WAF protection, and DDoS mitigation. **Audit Trails:** 7-year immutable audit logs recording all data access and modifications. **Tenant Isolation:** Each clinic's data is logically isolated with separate encryption keys. **Incident Response:** Documented incident response plan with breach notification within 72 hours as required by DPDPA.

We retain your data as follows: **Health Records:** Retained for the duration of your account plus 7 years after account closure, as required for medical records in India. **Account Data:** Retained while your account is active and for 30 days after deletion request to allow for recovery. **Audit Logs:** Retained for 7 years for compliance and forensic purposes. **Communication Data:** Retained for 3 years from the date of communication. **Usage Data:** Retained for 2 years in identifiable form; indefinitely in anonymized form. You may request data deletion at any time through your account settings or by contacting our Data Protection Officer. We will process deletion requests within 30 days, subject to legal retention requirements.

As a Data Principal under DPDPA 2023, you have the following rights: **Right to Access:** Request a copy of all personal data we hold about you. **Right to Correction:** Request correction of inaccurate or incomplete personal data. **Right to Erasure:** Request deletion of your personal data, subject to legal retention requirements. **Right to Withdraw Consent:** Withdraw consent for data processing at any time. This does not affect the lawfulness of processing before withdrawal. **Right to Grievance Redressal:** File a complaint with our Data Protection Officer or the Data Protection Board of India. **Right to Nominate:** Nominate another person to exercise your rights in case of your incapacity or death. To exercise any of these rights, contact our Data Protection Officer at privacy@clinvo.health or through your account settings.

Our platform integrates with the Ayushman Bharat Digital Mission (ABDM) ecosystem: **ABHA Integration:** When you link your ABHA ID, we verify your identity and enable interoperable health record sharing. **Consent-Based Sharing:** All health record sharing through ABDM requires your explicit consent through the Consent Manager. You can view, grant, or revoke consent at any time. **HIP Role:** As a certified Health Information Provider, we share your records (created on our platform) with other ABDM participants only when you consent. **HIU Role:** As a Health Information User, we can pull your records from other ABDM providers for your doctor's review, only with your consent. **Data Standards:** All health records exchanged through ABDM use FHIR R4 standard, ensuring interoperability and data integrity. **ABHA Data Deletion:** You can unlink your ABHA ID at any time. This revokes future ABDM sharing but does not affect records already shared.

We send the following transactional communications related to your subscription: - **Payment receipts** after each successful charge - **Failed payment alerts** when a billing attempt fails - **Trial expiry reminders** 5 days before your trial ends - **Grace period warnings** during the 7-day read-only period - **Subscription status changes** (activation, cancellation, plan changes) These are transactional communications necessary for the operation of your account and cannot be unsubscribed from while you have an active account. They are not marketing communications.

For privacy-related inquiries, concerns, or to exercise your rights: **Data Protection Officer** Email: privacy@clinvo.health **General Inquiries** Email: support@clinvo.health Phone: +91-XXXXXXXXXX **Registered Address** Clinvo Health Pvt. Ltd. Mumbai, Maharashtra, India **Grievance Officer** As required under IT Act 2000 and DPDPA 2023, our Grievance Officer can be reached at grievance@clinvo.health. We acknowledge complaints within 24 hours and resolve within 30 days. This Privacy Policy is governed by the laws of India. Any disputes shall be subject to the exclusive jurisdiction of courts in Mumbai, Maharashtra.