1. Introduction
CARA Healthcare Pvt. Ltd. (“we,” “us,” or “our”) operates CARA Hair Transplant & Aesthetic Clinic at 305 Business Suits 9, 3rd Floor, SV Road, Santacruz West, Mumbai – 400054 (“Clinic”). We are committed to protecting the privacy of all individuals whose personal data we collect and process in connection with our healthcare services, including hair transplant, aesthetic treatments, and telemedicine consultations. This Privacy Policy explains how we collect, use, disclose, retain, and secure personal data, and the rights you have under India’s Information Technology Act 2000, the SPDI Rules 2011, and the Digital Personal Data Protection Act 2023.
2. Scope & Applicability
This Policy applies to:
- All patients and prospective patients (including minors) who visit our Clinic in person.
- Users of our website and mobile applications.
- Participants in our telemedicine (video) consultations.
3. Definitions
- Personal Data: Any information relating to an identified or identifiable individual (e.g., name, contact details).
- Sensitive Personal Data or Information (SPDI): Personal data that is inherently sensitive—medical history, photographs (facial images), biometric identifiers—whose disclosure could harm the individual.
- Minor: Any individual under the age of 18.
4. Categories of Personal Data Collected
| Category | Examples |
| --- | --- |
| Identity & Contact Data | Name, postal address, email, phone number |
| Medical & Health Data (SPDI) | Medical history, treatment records, diagnostic images |
| Photographs (SPDI) | Before/after treatment images |
| Telemedicine Metadata | Video call logs, timestamps, chat transcripts via Google Meet, Instagram, WhatsApp, Botim |
| Web & App Analytics | Device/IP address, browser type, pages visited, cookies via Google Analytics, Google Tag Manager, Facebook Pixel |
5. Purposes of Processing
We process your personal data for the following purposes:
- Treatment & Care: Diagnosis, procedure planning, follow‑up care.
- Appointment Management: Scheduling, reminders, cancellations.
- Telemedicine: Secure video consultations, post‑consultation summaries.
- Marketing & Outreach: Newsletters, promotional offers (only with explicit consent).
- Analytics & Website Improvement: To understand site usage and enhance user experience.
6. Legal Basis & Consent
- We collect SPDI only after obtaining prior written consent (paper form or e‑signature) or via an online consent checkbox at the point of data collection.
- For minors’ data, we require verifiable consent from a parent or legal guardian before processing any personal or SPDI.
- You may withdraw consent at any time by contacting us (see Section 13). Withdrawal will not affect processing that occurred prior to withdrawal.
7. Disclosure & Third‑Party Sharing
We do not sell or rent your personal data. We may disclose SPDI or other personal data to:
- Healthcare Labs & Diagnostic Centers: For tests and analyses, only with your consent.
- Payment Gateways: To process fees (e.g., credit‑card processors).
- Cloud & IT Service Providers: To host medical records and appointment systems under strict confidentiality agreements.
- Regulatory & Legal Authorities: When required by law (e.g., public health orders, court directives).
Unless required by law, we will share SPDI only with your explicit approval.
8. Cross‑Border Transfers
We do not transfer any personal data outside India. Should this change, we will ensure transfer only to recipients offering equivalent data‑protection levels and subject to contractual safeguards.
9. Data Retention
- We retain personal data and SPDI indefinitely, in accordance with our medical‑record retention policy and legal obligations.
- Periodic reviews will ensure data remains accurate and securely stored.
10. Security Measures
We implement “reasonable security practices and procedures” as required under Rule 8 of the SPDI Rules, including:
- Organizational Controls: Defined information‑security roles and responsibilities.
- Technical Controls: AES‑256 encryption for data at rest; TLS 1.2+ for data in transit; multi‑factor authentication.
- Physical Controls: Secure server rooms, access logs, CCTV monitoring.
- Audit & Certification: Annual audits against ISO/IEC 27001 standards by an independent auditor.
11. Cookies & Tracking
Our website employs:
- Google Analytics & Google Tag Manager for site‑usage analytics.
- Facebook Pixel for advertising‑performance tracking.
You may disable cookies via your browser settings; however, certain website features may not function without cookies.
12. Your Rights
Under the DPDP Act 2023 and SPDI Rules, you have the right to:
- Access your personal data.
- Rectify inaccurate or incomplete data.
- Erase data (where no longer necessary for the original purpose).
- Restrict or object to certain processing (e.g., marketing).
- Data Portability: Receive a copy of your data in a structured format.
To exercise these rights, contact our Grievance Officer (see Section 13).
13. Grievance Redressal & Contact
Grievance Officer:
Jatin Shah
Phone: +91 77779 57464
Email: hr.caraclinic@gmail.com
We will acknowledge and resolve any complaint within 30 days of receipt.
14. Changes to This Policy
We may update this Policy periodically (e.g., to reflect legal changes). We will post the updated Policy with a new “Effective Date” on our website and, where appropriate, notify you by email.
Thank you for entrusting CARA Healthcare Pvt. Ltd. with your care. If you have any questions or concerns about this Privacy Policy, please reach out to our Grievance Officer.