Privacy Policy

This Privacy Policy explains how NcBose Healthcare System ("NcBose", "we", "us") collects, uses, stores, and protects your personal information when you use our platform at www.ncbose.com. By registering or using our services, you agree to this policy.

1. Who We Are (Data Fiduciary)

NcBose Healthcare System is the Data Fiduciary responsible for your personal data as defined under the Digital Personal Data Protection Act, 2023 (DPDPA) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Registered Address: Basunagar 1, Madhyamgram, Kolkata – 700129, West Bengal, India
Grievance Contact: ncboseinfo@ncbose.com  |  +91 9920284451

2. What Personal Data We Collect

We collect the following categories of data depending on your role on the platform:

All Users (Doctors, Patients, Pharmacies, Path Labs, Suppliers)

  • Full name, email address, mobile number
  • Password (stored in encrypted/hashed form — never in plain text)
  • Address details (city, state, country)
  • Profile photograph (optional)

Patients (additionally)

  • Appointment history and visit records
  • Chief complaints and symptoms described during consultations
  • Prescriptions issued by doctors
  • Diagnostic reports uploaded or generated
  • Medical history and metadata entered during visits
  • Wallet transaction records

Doctors (additionally)

  • Medical registration number and specialisation
  • Clinic details and visiting hours
  • Prescription records created on the platform

Pharmacies / Path Labs / Suppliers (additionally)

  • Business registration and drug licence details
  • Inventory and transaction records

Health-related information (symptoms, prescriptions, diagnostic reports) is classified as Sensitive Personal Data or Information (SPDI) under Indian law and is handled with the highest level of care.

3. How We Use Your Data (Purpose)

We use your data only for the following purposes:

  • Creating and managing your account on the platform
  • Enabling appointment booking between patients and doctors
  • Generating, storing, and sharing digital prescriptions
  • Sending OTP-based verification via SMS for account security
  • Sending appointment confirmations and notifications via email
  • Processing payments through our payment gateway (Razorpay)
  • Storing documents and reports securely in cloud storage
  • Providing AI-assisted clinical suggestions to doctors (see Section 5)
  • Improving platform features and resolving technical issues
  • Complying with applicable Indian laws and regulations

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

4. Legal Basis for Processing Your Data

Under the DPDPA 2023, we process your personal data on the following lawful bases:

  • Consent: You provide explicit consent at registration for collection and use of your personal and health data.
  • Contractual necessity: Processing is required to deliver the services you have signed up for.
  • Legal obligation: Certain data is retained to comply with Indian healthcare, tax, and regulatory laws.
  • Legitimate interest: Platform security, fraud prevention, and service improvement.

You may withdraw your consent at any time by contacting us at ncboseinfo@ncbose.com. Withdrawal of consent may affect your ability to use certain features of the platform.

5. Use of AI for Clinical Suggestions

NcBose uses an AI service (OpenAI) to assist doctors with medical test and medicine suggestions during consultations. This is a doctor-facing tool only — patients do not interact with the AI directly.

What is sent to the AI service:

  • The patient's chief complaint (e.g., "fever with cough for 3 days")
  • Answers to clinical questions entered by the doctor during the consultation

What is NOT sent to the AI service:

  • Patient name, phone number, email address, or Aadhaar
  • Any directly identifying personal information

Only de-identified clinical text is transmitted. The AI service is used solely to assist the doctor's clinical decision-making. The final diagnosis and prescription remain entirely the responsibility of the treating doctor. AI output is not medical advice.

The AI service provider (OpenAI) processes this data under their own data processing terms. By using the platform, you consent to this limited, de-identified data processing for the purpose of improving the quality of your consultation.

6. Third-Party Services We Use

We share limited data with the following trusted third-party service providers solely to operate the platform:

  • Razorpay — Payment processing. Your payment data is handled directly by Razorpay under PCI-DSS standards. We do not store card details.
  • Google Cloud Storage (GCS) — Secure storage of documents, prescriptions, and diagnostic reports.
  • Fast2SMS / SMSIndiaHub — OTP delivery via SMS for account verification and security.
  • Gmail SMTP (Google) — Sending appointment confirmations and notifications via email.
  • OpenAI — De-identified clinical text for AI-assisted suggestions to doctors (see Section 5).

All third-party providers are contractually bound to process data only for the specified purpose and to maintain appropriate security standards.

7. Data Storage and Retention

Your data is stored on servers located in India (Google Cloud Platform — Mumbai region) and is protected using industry-standard encryption in transit (TLS) and at rest.

We retain your data for the following periods:

  • Account data: For the duration of your active account, plus 3 years after account closure
  • Prescription and medical records: Minimum 7 years as required under Indian medical regulations
  • Payment transaction records: 8 years as required under Indian tax laws
  • OTP records: Deleted within 24 hours of generation
  • Application logs: Retained for 90 days for security and debugging purposes

After the applicable retention period, data is securely deleted or anonymised.

8. Your Rights as a Data Principal

Under the DPDPA 2023 and SPDI Rules 2011, you have the following rights:

  • Right to Access: Request a copy of the personal data we hold about you
  • Right to Correction: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data (subject to legal retention obligations)
  • Right to Grievance Redressal: Raise a complaint about how your data is handled
  • Right to Withdraw Consent: Withdraw consent for data processing at any time
  • Right to Nominate: Nominate another person to exercise your rights in case of death or incapacity

To exercise any of these rights, contact our Grievance Officer at ncboseinfo@ncbose.com. We will respond within 30 days of receiving your request.

9. Cookies and Session Data

NcBose uses session cookies to keep you securely logged in. These cookies are:

  • HTTP-only (not accessible by JavaScript)
  • SameSite=Lax (protection against cross-site request forgery)
  • Automatically deleted when you log out or your session expires

We do not use advertising cookies or third-party tracking cookies. A "Remember Me" option is available which stores a persistent login token in your browser for up to 7 days. You can clear this at any time by logging out.

10. Data Security

We implement the following security measures to protect your data:

  • All passwords are stored using BCrypt hashing — never in plain text
  • All data in transit is encrypted using TLS (HTTPS)
  • Role-based access control ensures users can only access data relevant to their role
  • OTP-based two-step verification for account registration and password reset
  • Input sanitisation and encoding to prevent injection attacks
  • Session management with HTTP-only, SameSite cookies

In the event of a data breach that is likely to affect your rights, we will notify you and the relevant authorities as required under applicable Indian law.

11. Children's Privacy

NcBose does not knowingly collect personal data from children under the age of 18 without verifiable parental or guardian consent. If you believe a minor's data has been submitted without consent, please contact us immediately at ncboseinfo@ncbose.com and we will take prompt action to delete it.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you via email or a prominent notice on the platform before the changes take effect.

Continued use of the platform after the effective date of any update constitutes your acceptance of the revised policy.

13. Governing Law and Grievance Redressal

This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act 2023, the Information Technology Act 2000, and the SPDI Rules 2011.

If you have any concerns or complaints regarding the handling of your personal data, please contact our Grievance Officer:

  • Name: Grievance Officer, NcBose Healthcare System
  • Email: ncboseinfo@ncbose.com
  • Phone: +91 9920284451
  • Address: Basunagar 1, Madhyamgram, Kolkata – 700129, West Bengal, India
  • Response time: Within 30 days of receipt

If you are not satisfied with our response, you may approach the Data Protection Board of India once constituted under the DPDPA 2023.

Last reviewed: May 2026  |  Effective date: May 2026