Privacy Commitment: We are committed to protecting your privacy and ensuring you have a positive experience on our Platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information.
IT Act 2000 Compliant
SPI Rules 2011 Compliant
IG Rules 2021 Compliant
1. INTRODUCTION
This Privacy Policy ("Policy") applies to the access and use of the N.C. Bose Health Care System platform, including all associated web and mobile applications (collectively, the "Platform") and all services provided through the Platform ("Services").
The Platform is owned and operated by NcBose Private Limited ("we", "us", "our", "Company"). This Policy applies to all users including Doctors, Patients, Pharmacy professionals, Pathlab staff, Suppliers, Coordinators, and Administrative personnel (collectively, "Users" or "you").
1.1 Legal Compliance
This Privacy Policy complies with:
- The Information Technology Act, 2000
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011
- The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
- Digital Personal Data Protection Act, 2023 (DPDPA) where applicable
2. INFORMATION WE COLLECT
2.1 Personal Information
Personal Information is data that can be used to uniquely identify or contact you. We collect the following categories of Personal Information:
| Category |
Information Collected |
Applicable To |
| Identity Information |
Name, date of birth, age, gender, identification documents |
All Users |
| Contact Information |
Email address, phone number, residential address, clinic address |
All Users |
| Medical Information |
Medical history, health conditions, prescriptions, diagnostic reports, medical records |
Patients, Doctors |
| Professional Information |
Medical license, qualifications, specialties, clinic details, registration numbers |
Doctors, Pathlab, Pharmacy |
| Token Information |
Tokens, transaction history |
All Users |
| Biometric Data |
Fingerprints, facial recognition data (if applicable) |
Users who opt-in |
2.2 Sensitive Personal Information
We collect the following Sensitive Personal Information with explicit consent:
- Medical records and health history
- Mental health information and psychological data
- Financial account information
- Password and authentication credentials
- Biometric information (with consent)
- Sexual orientation and reproductive health information (if medically relevant)
2.3 Non-Personal Information
We also collect information that does not directly identify you:
- Browser type and operating system
- IP address and device identifiers
- Pages visited and time spent on the Platform
- Features used and services accessed
- Referral source and interaction data
- Cookie and tracking data
2.4 Device and Permission Information
To provide full functionality, we request the following permissions on mobile devices:
- Camera & Photo Gallery: For profile photos and medical document uploads
- Location: For finding nearby doctors and pharmacies
- Storage: For saving medical records and documents
- Contacts: For appointment reminders and communication
- Microphone & Audio: For video consultations
3. HOW WE COLLECT INFORMATION
3.1 Direct Collection
We collect information directly from you when you:
- Register or create an account
- Complete your profile information
- Use the Services on the Platform
- Upload documents or medical records
- Initiate appointments or consultations
- Make payments or add funds to your wallet
- Submit support requests or feedback
3.2 Automatic Collection
We automatically collect certain information when you access the Platform:
- Log data (IP address, browser type, pages visited, timestamp)
- Cookie data (session tokens, preferences, user identifiers)
- Device information (device type, model, operating system)
- Usage analytics (features accessed, time spent, interactions)
3.3 Third-Party Collection
We may receive information from:
- Third-party service providers (payment processors, storage providers)
- Medical councils and professional registers (verification)
- Other users (when they share your contact information)
- Analytics providers and advertising partners
4. PURPOSE OF DATA COLLECTION AND USE
4.1 Primary Purposes
We collect and use your information for the following primary purposes:
| Purpose |
Data Used |
| Account creation and management |
Identity, contact, authentication information |
| Service delivery (appointments, consultations) |
Medical records, personal information, contact details |
| Payment processing and billing |
Financial information, transaction data |
| Doctor verification and credentialing |
Medical license, qualifications, professional information |
| Medical record management |
Health data, prescriptions, diagnostic reports |
| Communication and notifications |
Contact information, appointment details |
| Customer support |
All user-provided information relevant to inquiry |
4.2 Additional Uses
With your consent, we may use your information for:
- Research and statistical analysis (de-identified data)
- Service improvement and optimization
- Marketing and promotional communications
- Personalized recommendations and features
- Analytics and user behavior studies
- Fraud detection and prevention
- Compliance with legal obligations
5. DATA SHARING AND DISCLOSURE
5.1 Third-Party Service Providers
We may share your information with third-party service providers who assist us in operating the Platform:
- Payment Processors: For transaction processing (financial information only)
- Cloud Storage Providers: For data storage and backup
- Email Service Providers: For sending notifications
- SMS Providers: For sending OTP and appointment reminders
- Analytics Providers: For usage analysis (non-personal data)
- Communication Platforms: For video consultations and messaging
5.2 Legal Requirements
We may disclose your information when required by law or legal process:
- Court orders or judicial summons
- Government agency requests
- Investigation of suspected illegal activity
- Compliance with regulatory authorities
- Prevention of fraud or security threats
5.3 Business Transfers
If the Company is involved in a merger, acquisition, bankruptcy, or asset sale, your information may be transferred as part of that transaction. You will be notified of any such change.
5.4 De-identified and Aggregated Data
We may share de-identified and aggregated data for:
- Research and statistical analysis
- Improving healthcare services
- Public health initiatives
- Marketing and business intelligence
6. DATA SECURITY
6.1 Security Measures
We implement comprehensive security measures to protect your information:
- Encryption: AES-256 encryption for data at rest; TLS 1.2+ for data in transit
- Access Control: Role-based access; multi-factor authentication for sensitive accounts
- Password Protection: BCrypt password hashing; salted and secured storage
- Secure Sessions: HTTP-only and secure cookies; session token management
- Network Security: Firewalls, intrusion detection, DDoS protection
- Physical Security: Secured data centers with access controls
- Monitoring: Continuous security monitoring and threat detection
6.2 Staff Training
All employees and contractors with access to personal data receive regular training on:
- Data protection and privacy principles
- Secure handling of sensitive information
- Incident response procedures
- Confidentiality obligations
6.3 Limitation of Liability
Security Disclaimer: While we implement industry-standard security measures, no system is completely secure. We assume no liability for unauthorized access due to factors beyond our reasonable control, including security breaches by third parties or errors in transmission.
7. DATA RETENTION
7.1 Retention Periods
We retain your information for the following periods:
- Account Data: Retained while your account is active; deleted upon account closure (subject to legal requirements)
- Medical Records: Retained for 10 years post-consultation as per medical regulations
- Transaction Data: Retained for 7 years for tax and compliance purposes
- Support Communications: Retained for 2 years for reference and dispute resolution
- Marketing Data: Retained until you opt out or for 2 years, whichever is earlier
- Log Data: Retained for 90 days for security and troubleshooting
7.2 Mandatory Retention
Notwithstanding deletion requests, we may retain certain information to:
- Comply with legal and regulatory requirements
- Resolve disputes and enforce agreements
- Maintain medical records for patient safety
- Detect and prevent fraud
8. YOUR RIGHTS AND CHOICES
8.1 Access and Portability
You have the right to:
- Request a copy of all personal information we hold about you
- Receive your data in a portable, machine-readable format
- Request information about how your data is used
8.2 Correction and Updates
You may request correction of inaccurate or incomplete information. To update your information:
- Log into your account and update your profile
- Email privacy@ncbosehcs.com with requested changes
- Contact our Grievance Officer
8.3 Deletion and Data Erasure
You may request deletion of your personal information, subject to:
- Legal retention requirements
- Medical record retention regulations
- Ongoing disputes or investigations
- Tax and compliance obligations
8.4 Withdrawal of Consent
You may withdraw consent for data processing at any time by:
- Adjusting privacy settings in your account
- Emailing privacy@ncbosehcs.com
- Contacting our Grievance Officer
Note: Withdrawal of consent will not affect the lawfulness of processing before withdrawal.
8.5 Opt-Out Options
You may opt out of:
- Promotional emails (using unsubscribe links)
- Marketing communications
- Analytics and tracking (some features may be affected)
- Third-party data sharing
9. COOKIES AND TRACKING TECHNOLOGIES
9.1 Cookie Usage
We use cookies for the following purposes:
- Session Management: Maintaining your login and session state
- Security: CSRF protection, fraud detection
- User Preferences: Remembering language and display settings
- Analytics: Understanding usage patterns and improving services
9.2 Cookie Types
- Essential Cookies: Required for Platform functionality
- Preference Cookies: Remember your choices and preferences
- Analytics Cookies: Track usage and performance
- Marketing Cookies: Used with consent for advertising purposes
9.3 Disabling Cookies
You can disable cookies through your browser settings. However, disabling cookies may affect Platform functionality.
10. THIRD-PARTY LINKS AND INTEGRATIONS
10.1 External Links
The Platform may contain links to third-party websites. We are not responsible for:
- Privacy practices of third-party sites
- Security of external platforms
- Content or accuracy of third-party information
10.2 Third-Party Integrations
If you connect your account to third-party services, we collect only the information you authorize. You can revoke access at any time through your third-party account settings.
11. CHILDREN'S PRIVACY
The Platform is not intended for individuals under 18 years of age. We do not knowingly collect information from children. If we become aware that we have collected information from a child, we will immediately delete such information and notify the user.
12. VIDEO CONSULTATION RECORDING AND CONSENT
12.1 Recording Notice
Video consultations may be recorded for medico-legal purposes. The following applies:
- Doctors will inform you before recording a consultation
- You may decline to be recorded (consultation may be terminated)
- Recordings are stored securely and treated as medical records
- Recordings are retained per medical record retention policies
12.2 Recording Usage
Recordings are used only for:
- Medical record keeping
- Quality assurance and training
- Legal or regulatory compliance
- Dispute resolution
13. SECURITY BREACH NOTIFICATION
13.1 Breach Response
In the event of a suspected or confirmed security breach involving your personal information, we will:
- Investigate the breach immediately
- Notify affected users within 72 hours (or as required by law)
- Provide details about the breach and steps taken
- Offer support and remediation services
- Notify relevant regulatory authorities if required
13.2 Notification Method
Breach notifications will be sent via:
- Email to your registered email address
- SMS to your registered phone number
- In-app notification
- Public announcement if breach affects large numbers of users
14. INTERNATIONAL DATA TRANSFERS
Your information is primarily stored in India. If we transfer your data internationally, we will:
- Implement appropriate safeguards
- Include contractual protections
- Comply with local laws of both countries
- Notify you of transfers when required
15. CONTACT AND GRIEVANCE REDRESSAL
15.1 Filing a Privacy Complaint
To file a privacy-related complaint:
- Send details to privacy@ncbosehcs.com
- Include your name, contact information, and complaint description
- Describe the specific privacy concern
- Provide any supporting documentation
- Specify the resolution you are seeking
16. POLICY AMENDMENTS
16.1 Updates
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will:
- Notify you of material changes via email or prominent notice on the Platform
- Update the "Last Updated" date at the top of this Policy
- Obtain your consent for material changes where required by law
16.2 Continued Use
Your continued use of the Platform after policy amendments constitutes your acceptance of the updated Policy.
17. LEGAL BASIS FOR PROCESSING
We process your personal information based on:
- Your explicit consent (medical information, sensitive data)
- Performance of a contract (service delivery)
- Legal obligation (compliance, regulatory requirements)
- Legitimate interests (fraud prevention, security, improvement)
- Public health interests (where applicable)
18. COMPLIANCE AND CERTIFICATIONS
Information Technology Act, 2000
IT (SPDI) Rules, 2011
IT Intermediary Guidelines, 2021
GDPR Compliant
This Policy is published in compliance with Rule 3 (1) of the Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021.
19. DISCLAIMER
This Privacy Policy does not create any legal obligation beyond what is required by applicable law. The Company reserves the right to disclose information when required by law, court order, or government request.