Elevate Health World (“we”, “us”, “Company”) is a Kolkata-based integrated healthcare services platform planning to expand across West Bengal and India. We act as a coordination/aggregation platform for on-call and contracted ambulance services, doctor and clinic appointments, pharmacy distribution/wholesale, and our own healthcare clinics. In providing these services we collect and process personal and sensitive health data of patients, doctors, staff, and partners. This Privacy Policy describes in detail how we collect, use, share, protect, and retain such data. It is designed to be fully compliant with Indian law, including the Digital Personal Data Protection Act 2023 (“DPDP Act”), the Information Technology Act 2000 (including Section 43A and the SPDI Rules), the Telemedicine Practice Guidelines, the Drugs & Cosmetics Act and Rules, Pharmacy regulations, and other applicable healthcare regulations. By using our services, users consent to this Policy and the processing of data as described herein. Throughout this Policy, we emphasize data minimization, lawful purpose, and robust security safeguards. We outline the categories of data we handle (patients, providers, employees, etc.), how it is collected (web/app forms, calls, GPS, prescriptions, etc.), the legal bases for processing (consent or permitted “legitimate uses” under DPDP), and detailed purposes (appointment scheduling, emergency response, order fulfillment, etc.). We provide tables of retention schedules by data type (for example, patient health records and prescription copies may be retained for statutory periods such as 3–6 years) and outline procedures for data deletion once no longer needed. We also cover user rights (access, correction, deletion, grievance redress), our grievance officer contact, breach notification timelines, vendor agreements, cross-border safeguards, and indemnity/limitation clauses. In comparison to existing healthcare platforms This Policy is drafted in accordance with Indian data protection laws and healthcare norms and is structured to provide clear, paragraph-wise explanations of each clause.
This Privacy Policy applies to all personal and sensitive data processed by Elevate Health World in connection with our operations and services. It covers all channels and systems under our control: our website, mobile applications, call center and WhatsApp support, ambulance dispatch system, clinic and pharmacy systems, and any other platform or technology we use. It applies to data collected from all categories of individuals (“Data Principals”), including:
(a) Patients and Caregivers: persons seeking medical care, ambulance service, teleconsultation, diagnostic or pharmacy services through our platform.
(b) Healthcare Providers and Partners: registered doctors, clinics, hospitals, diagnostic centers, ambulance operators, pharmacies, and allied health professionals who have a contract or relationship with Elevate.
(c) Employees and Contractors: staff and contractors of Elevate (drivers, call-center agents, delivery personnel, administrative personnel).
(d) Vendors and Third Parties: service providers (e.g. cloud hosts, payment gateways, analytics firms) that process data on our behalf.
This Policy also covers data of visitors who browse our website or app without signing up; to the extent they provide any personal information (e.g. through search or contact forms), that data is covered here. Casual browsing without submission of data is not tracked with personal identifiers beyond cookies and log files (see “Cookies” below). Elevate maintains all necessary licenses and complies with relevant healthcare regulations. This Policy supplements any contractual or statutory obligations (for example, the Telemedicine Guidelines require patient confidentiality). In case of any conflict between this Policy and a legal requirement, we will meet the legal standard.
(a) “Personal Data” means any information relating to a natural person that identifies them (directly or indirectly). This includes name, phone number, email, addresses, identification numbers, etc. .
(b) “Sensitive Personal Data/Information” (SPDI) in India includes health records, medical history, biometric data, financial details, passwords, and other data that law classifies as sensitive. Patient health records, prescriptions, and diagnostic reports are SPDI.
(c) “Data Principal” is the individual whose personal data we process (patients, doctors, staff).
(d) “Data Fiduciary” (our role) means an entity deciding “why” and “how” personal data is processed, i.e. Elevate Health World as operator of the platform.
(e) “Data Processor” means entities processing personal data on our behalf (e.g. cloud hosts, IT vendors).
(f) “Processing” is any operation on data (collecting, storing, transferring, using, disclosing, etc.).
(g) “Appointment” refers to scheduling a consultation or service with a doctor or clinic via our system.
(h) “Ambulance Service” means emergency or on-call transportation coordinated by Elevate between patients and ambulance providers.
(i) “Pharmacy Distribution” means wholesale or retail distribution of medicines and medical supplies coordinated or operated by Elevate.
(j) “Clinic Operations” refers to any clinics owned or managed by Elevate, including patient care and record-keeping.
These definitions are aligned with Indian law (e.g., the DPDP Act 2023 and the SPDI Rules 2011). Terms in capital letters not defined here have meanings given under applicable laws.
We collect different categories of personal and sensitive data from various data principals, as follows:
(a) Patient/End-User Data: Contact details (name, phone number, email, address), demographic data (age, gender, date of birth, etc.), government ID numbers (e.g. Aadhar/PAN) where required. Medical and health information: symptoms, medical history, diagnoses, prescriptions, diagnostic reports, lab results, health insurance data, and tele-consultation records. Appointment history and feedback. GPS/location data during ambulance dispatch or delivery. Payment/transaction details (UPI/credit card/bank details, billing address).
(b) Doctor/Provider Data: Professional registration and license numbers, qualifications, specialization, clinic/hospital affiliation, practice address and hours, consultation fees, bank account details for payments, and insurance affiliations. Communications records (e.g. emails or messages with Elevate). Any content (profiles, images, descriptions) they submit to the platform.
(c) Ambulance Operator Data: Company or individual registration details, driver’s license and training certificates, vehicle registration, ambulance permit. Location (GPS) and status logs for each ambulance. Safety compliance documents. Call recordings or notes from emergency dispatch (with caller consent notice).
(d) Pharmacy/Distributor Data: Company registration and GST, storage facility details, list of medicines stocked, inventory and distribution records, copies of prescriptions for Schedule H/H1 drugs, point-of-sale records. Bank/payment information for wholesale orders. Delivery partner details.
(e) Elevate Employee Data: Employment contracts, identity documents, address, bank account/PF/ESIC details, biometric attendance (if used), performance records. Health information if we manage employee medical benefits.
(f) Technical/Usage Data: IP addresses, device information, operating system, browser type, login timestamps, cookies and similar tracking identifiers, usage logs on the website/app (pages visited, features used, errors encountered) for analytics and security.
(g) Miscellaneous: CCTV camera images in our offices/ambulances, call center recordings (with notice), chat logs if you use our WhatsApp or chat support (subject to notice at call start).
Some of these data are “sensitive” (health data, medical history, prescriptions, biometric ID, financial details). We handle all sensitive data with extra care as required by SPDI rules and DPDP. For example, payment card data is processed only by PCI-compliant payment gateways and not stored by us beyond authorization.
We collect data through the following means:
(a) Account Registration/Forms: When users register on our website/app or fill forms, we ask for contact and profile information. Doctors and partners submit their credentials and licenses via secure onboarding forms. Patients may upload medical reports or prescriptions through the app.
(b) Service Transactions: Booking appointments, ordering medicines, requesting an ambulance or home visit all generate data. We record these requests and confirmations in our system. When a user calls our call-center or support (phone/WhatsApp), the agent records information (e.g. symptoms, address) to schedule services.
(c) Health and Diagnostic Interactions: When consulting with a doctor through our platform, the doctor or patient may enter notes, diagnoses, and treatment plans. We collect these consultation records (either via telemedicine or in our clinics) as part of patient charts. Diagnostic centers sharing test results will provide structured reports or reports are uploaded.
(d) Ambulance Dispatch Systems: When an ambulance is requested, the system logs patient location, time of request, and dispatch details. GPS devices in ambulances automatically transmit vehicle location data to our servers. Call recordings of the emergency call may be made (with automated voice notice at the start of the call).
(e) Pharmacy Orders: Pharmacies upload order forms, prescriptions (for dispensation of Schedule H/H1 drugs), and invoice details. We collect these for order processing and record-keeping. Wholesale transactions generate GST invoices and delivery records which we archive.
(f) Clinic Records: For any clinic visits in our network, we record patient intake forms, doctor’s notes, prescriptions, and billing information electronically. Physical documents (e.g. written prescriptions) may be scanned into our system.
(g) Technology and Cookies: We use cookies and similar technologies on our website/app for session management, user preferences, and analytics. We may use analytics tools (e.g. Google Analytics) to collect IP addresses, clickstream data, and device information for service improvement and security.
(h) Third-Party Integrations: We may obtain data through integrated services: for example, if a user pays via a payment gateway, we receive confirmation of payment and necessary billing details; or if a user logs in via a social network, we may receive name/email from that network with user consent.
(i) Public and Third-Party Sources: We may verify or supplement data from public records or third-party databases (e.g. address validation, pharmacy license data from government registries, medical practitioner registries) where permitted.
At all points of collection, where feasible, we notify users about the purpose of data collection (see “Consent and Notice” below). Except as described here, we do not obtain personal data by non-standard or surreptitious means.
We process personal data only on lawful grounds under the DPDP Act and related laws. Our primary legal bases include:
(a) Consent: We obtain explicit consent of the Data Principal for collecting and processing their personal data, especially sensitive health information. For example, when a patient provides medical history or uploads health records, we require their consent through an “I agree” checkbox or signature on our platform. The DPDP Act requires consent to be free, specific, informed and unambiguous. Our consent forms and notices clearly state the data categories and purposes. We do not bundle consent with unrelated terms. Users can withdraw consent at any time (see “Rights of Individuals”).
(b) Contractual Necessity: Processing that is necessary to provide or improve our contracted services. For instance, to schedule a doctor’s appointment or dispatch an ambulance, we need to use patient contact info, health concern details, and coordinate with providers. Without this data, we could not fulfill the service. Likewise, fulfilling pharmacy orders requires processing prescription data. We consider these actions necessary for the “performance of a contract” or at the very least in our legitimate interest to perform our service obligations.
(c) Legitimate Interests: In some cases, we rely on our legitimate interests (Balancing Test): e.g. analyzing aggregated user data to improve service quality, preventing fraud on the platform, securing our network, or enforcing our Terms of Use. Such processing is done in a way that minimally impacts privacy – for example, we use pseudonymization and only keep logs for a limited time. DPDP allows processing without consent for certain legitimate purposes as long as they are balanced against the data principal’s rights.
(d) Legal Compliance: We process personal data when required by law or to comply with regulatory obligations. For example, under the Drugs and Cosmetics Rules, we must keep prescription records of Schedule H1 drugs for 3 years. Under tax laws, we must keep billing records for 8 years. We may also disclose data to law enforcement if compelled by court orders or government directives.
(e) Vital Interests: In emergencies (e.g. a life-threatening medical situation), the DPDP Act treats data processing to save a person’s life as a legitimate purpose that does not require prior consent. Thus, in dire ambulance or medical emergencies, we may process and share necessary information (like patient identity and condition) immediately with emergency responders without delay for explicit consent.
(f) Public Health/Public Interest: Occasionally, we may share anonymized data (e.g. aggregated COVID-19 stats) with public health authorities for epidemic tracking, as permitted under law. If any mandated “public interest” exception exists (in forthcoming rules, for example, some exceptions apply for health data to combat epidemics or fraud), we will act accordingly.
Throughout, we aim to obtain consent wherever possible. Even when relying on other grounds (e.g. emergency), we provide notice and obtain consent retrospectively when feasible.
We use collected data only for the specific, legitimate purposes communicated to you. These purposes include:
(a) Healthcare Coordination: Scheduling and managing appointments with doctors, clinics, laboratories, and home healthcare providers. This includes sharing patient health concerns and medical records with the booked doctor for consultation.
(b) Ambulance Dispatch and Emergency Response: Coordinating on-call and contract ambulances. We use location data, medical emergency information, and patient details to dispatch the nearest appropriate ambulance and guide responders. We may also integrate with hospital emergency departments to transfer patient data.
(c) Teleconsultation Support: Enabling online doctor consultations. We route patient and doctor on telemedicine platforms, share necessary medical data, and record the consultation (with notice) for quality and continuity of care. Compliance with Telemedicine Guidelines (patient identity verification, consent for teleconsult, documentation) is maintained.
(d) Pharmacy Services: Managing medicine orders, prescription fulfillment, and medicine deliveries. We use prescription data to verify and procure medications, and share prescription details with dispensing pharmacists or partner pharmacies. We handle wholesale procurement by collecting and processing pharmacy ordering data (stock levels, purchase records).
(e) Clinic Operations: In our own clinics, we maintain electronic health records of patients – reasons for visit, diagnosis, treatment, prescriptions, billing. These are used for ongoing care, reference in follow-ups, and administrative purposes.
(f) Patient Communications and Reminders: Sending appointment confirmations, medication reminders, follow-up messages (SMS, email, or automated call/WhatsApp), and health alerts. (E.g. blood test results, vaccine reminders, or urgent health bulletins). Marketing communications (e.g. newsletters) are only sent if users have opted in and can unsubscribe at any time.
(g) Billing and Payments: Processing payments for services (appointments, deliveries, clinic visits). This requires handling financial data (card/UPI/bank details) in a secure, PCI-compliant manner, and generating invoices and receipts.
(h) Quality Assurance and Research: Analyzing service usage and outcomes to improve our platform, training personnel, and for internal research (e.g. patient satisfaction trends). Any clinical research data is anonymized/de-identified to protect privacy.
(i) Security and Fraud Prevention: Monitoring for unauthorized access or unusual activities to protect user accounts and prevent fraud (e.g. fake bookings, insurance fraud). This includes analyzing IP and login patterns, and may involve sharing limited data with fraud detection services.
(j) Regulatory Compliance and Audit: We maintain and use data to comply with healthcare regulations, respond to audits (e.g. tax, pharmacy compliance), and fulfill legal obligations such as responding to law enforcement requests.
(i) Legal and Dispute Resolution: Use of data for resolving any disputes or claims (e.g. verifying transaction history if a billing dispute arises).
We will not process data for purposes beyond those listed above without obtaining fresh consent (unless required by law).
Where consent is required, we ensure it is informed and affirmative. At the point of data collection (e.g. registration form, medical history upload, ambulance request), we display clear notices or obtain signed consent forms that specify the purposes, categories of data collected, and any third parties with whom data will be shared. For example: “By providing your medical history and checking this box, you consent to Elevate Health World using this information for scheduling your appointment and sharing it with the doctor for consultation.” Consistent with the DPDP Act, all consent requests are accompanied by a privacy notice detailing (1) what data we collect, (2) the purpose(s) of processing, (3) third parties involved, (4) data storage details, and (5) how the user can exercise their rights. Consent is freely given and specific to each purpose. Users may withdraw consent at any time by contacting us (see “User Rights” below). Withdrawal of consent will apply going forward and will not affect the lawfulness of past processing under the old consent. Where feasible, we also provide opt-in/opt-out toggles in account settings (for marketing emails, newsletters, etc.). We do not use pre-ticked boxes for consent; consent must be an explicit action by the user.
We do not sell or rent personal data to unrelated third parties. We may share personal data only in the following situations:
(a) With Service Partners: We may share data with third-party service providers (Data Processors) who perform tasks on our behalf, such as cloud hosting companies, payment gateways, SMS/email delivery services, IT support vendors, call-center partners, or analytics firms. These parties are under contractual Data Processing Agreements obligating them to use the data only for the purposes we specify and to maintain confidentiality. For example, our cloud provider stores encrypted copies of health records, but is prohibited from using that data for any other purpose.
(b) With Healthcare Providers: When you request services (doctors, clinics, labs, ambulance, pharmacies), we share your relevant data (such as symptoms, address, insurance info) with the chosen provider to fulfill your request. Similarly, when doctors or labs use our platform, they receive only the patient data needed for the consultation or test. For example, if you book a lab test, the lab gets your name, contact, and sample requirements, but not unrelated account details. We ensure providers handle this data according to professional confidentiality standards (Indian Medical Council rules for doctors, Pharmacy regulations for pharmacists, etc.).
(c) For Medical Emergencies: If you are unconscious or unable to consent, we may share critical medical data with emergency doctors or family as needed to save life.
(d) Legal and Regulatory Compliance: We will disclose personal data to law enforcement or government agencies if required by a valid court order, legal process, or statutory requirement (e.g. public health reporting mandates). We may also share aggregate (non-identifiable) data with authorities for public health monitoring (e.g. disease outbreak stats).
(e) Corporate Transactions: In the event of a merger, acquisition, or sale of Elevate’s assets, personal data may be transferred as part of the transaction. Any acquiring entity will be bound by similar privacy obligations.
We maintain strict internal policies to ensure shared data is the minimum necessary for the given purpose. For example, we will not share full patient records with a pharmacy — only prescriptions needed to fill orders.
Protecting data is a core responsibility. We implement comprehensive technical and organizational measures to secure data, including:
(a) Encryption: All sensitive data in transit (e.g. via HTTPS, mobile API connections) and at rest (on our servers and backups) is encrypted using industry-standard encryption (TLS 1.2+ for transit, AES-256 for storage). For example, patient records in our database and any uploaded medical documents are encrypted on disk.
(b) Access Controls: We enforce strict role-based access. Only authorized employees (doctors, care coordinators, pharmacists, etc.) can access patient data, and only for authorized purposes. All staff undergo background checks and privacy training. Administrative and managerial accounts use multi-factor authentication. System access is logged.
(c) Authentication: Users (patients, doctors, pharmacies) must authenticate (via password, OTP, etc.) to access personal account pages. Doctors verify their identity (via medical license/ID checks) before accessing sensitive patient lists.
(d) Audit and Monitoring: We maintain audit logs of who accessed or changed data (what record, which user, timestamp) to detect unauthorized access. Regular audits are conducted. Any irregular access triggers security review.
(e) Network Security: Our infrastructure is hosted in secure data centers with firewalls, intrusion detection/prevention systems, and routine vulnerability scanning/patching. Wireless networks (e.g. in our clinics) use enterprise Wi-Fi security.
(f) Data Segregation: We segregate sensitive personal data from general account info in our systems to limit exposure. For instance, financial account details are kept in a separate encrypted vault.
(g) Physical Security: For any physical records or server logs (e.g. archived hard copies), we maintain them in locked, access-controlled storage. CCTV monitors sensitive areas (with recorded footage stored securely for a limited time).
(h) Employee Training: All employees are trained on data privacy and breach response. We enforce written confidentiality obligations in employment contracts.
Where possible, we adopt industry best practices (such as ISO/IEC 27001 standards) and comply with the IT Act’s “reasonable security practices.” Nevertheless, no system is 100% secure; if a breach occurs we will act as described below. We also limit data collection to what is necessary (data minimization). For example, we do not collect biometric data from users, and only record call center conversations after informing the caller.
Our website and app use cookies, web beacons, and similar technologies to enhance functionality and user experience. Types of cookies include:
(a) Essential Cookies: Necessary for basic functions (e.g. authentication, session management). Without these, the site/app may not function properly.
(b) Performance/Analytics Cookies: We use analytics (e.g. Google Analytics) to understand site usage patterns (pages visited, features used). These collect non-personal data (e.g. browser type, IP address) in aggregate form.
(c) Functional Cookies: These remember user preferences (language, font size) and may track login status.
(d) Advertising/Marketing Cookies: If we show ads or partner offers, third-party ad networks may use cookies (for example, targeting local health services promotions). Users can opt out of such tracking via account settings or browser controls.
Users can control cookies via their browser or device settings (disable or alert for cookies). However, blocking cookies may affect functionality. We do not use cookie data beyond improving services. Cookies do not store raw passwords or full personal data. Similar tracking is used in our mobile apps (device identifiers, push notification tokens). We treat these identifiers as personal data under DPDP and protect them accordingly.
We retain personal data only as long as necessary for the purposes stated, and in compliance with law:
(a) Patient Health Records: Maintained for at least the minimum period required by healthcare regulations. For teleconsultations and clinic visits, we retain electronic medical records for a minimum of six years from the date of service (anonymized thereafter unless medical follow-up is needed). This aligns with general medical practice norms and the timeframes for potential legal claims.
(b) Pharmacy and Prescription Records: As required by the Drugs & Cosmetics Rules, copies of prescriptions for Schedule H1 drugs (and similarly for Schedule H) are kept for three years. We also retain pharmacy order logs and sales invoices for the statutory period (usually 8 years for tax compliance).
(c) Appointment and Billing Data: Appointment booking logs and billing/invoice documents are kept for at least 8 years (tax retention requirement) or longer if necessary for dispute resolution.
(d) User Account Data: An account’s personal profile data (name, contact, ID proofs) is retained until the account is closed, plus a grace period of up to 90 days in case of account reactivation requests.
(e) Employee Records: Maintained as per labor laws (for example, PF/ESIC filings and tax records for 5–8 years after employment ends).
(f) Security Logs: Access logs and CCTV footage are stored for 180 days (typical industry practice) unless needed longer for an investigation.
(g) Marketing Data: If you opt out or unsubscribe, we delete (or de-link) your contact details from marketing databases immediately; anonymized analytics data may be kept for trend analysis.
(h) Data of Deceased or Deactivated Users: If an account is deactivated or a user is deceased, we anonymize personal data (removing direct identifiers) after statutory retention periods.
We adhere to the principle of data minimization: we collect only the data necessary for each purpose. For instance, we do not collect biometric or genetic data about patients; we only gather the specific medical details needed for the requested service. We do not combine unrelated data sets unless necessary (e.g., we do not link patient financial transactions with unrelated health records). Each piece of data we collect has a clear purpose (as outlined above). We do not use data for a new purpose without notice and consent. For example, marketing communications are only sent with consent, and collected health data will never be used for non-health-related profiling.
(Combined with Section 9 for conciseness.)
In the event of any personal data breach (unauthorized access, loss, or disclosure of personal data), we will follow the DPDP Act’s breach notification requirements. We will promptly (no later than 72 hours after becoming aware) notify the Data Protection Board of India as required, and inform affected individuals without undue delay. Notifications will include at minimum the nature of the breach, categories of data involved, likely consequences, and our remedial actions. We will also mitigate the breach by locking affected accounts, changing access keys, or other measures as needed. Additionally, we commit to:
(a) Investigate the incident and identify root causes.
(b) Take immediate steps to contain and fix vulnerabilities.
(c) Cooperate with the DPBI or law enforcement in any investigation.
(d) Provide clear information to data principals about what happened and what they should do (e.g., advice on monitoring credit in case of financial data breaches).
These procedures ensure compliance with DPDP obligations to notify both the authorities and the data subjects promptly.
When we engage third-party data processors (vendors) to handle personal data, we impose contractual obligations on them consistent with this policy and the law. Every such Data Processing Agreement (DPA) will require the processor to:
(a) Process data only on our documented instructions.
(b) Apply at least the same security measures we do (encryption, access controls).
(c) Restrict internal access to authorised personnel only, with confidentiality obligations.
(d) Assist us in handling data subject requests (e.g. providing copies of data or correcting it if needed).
(e) Promptly report any data breach to us.
(f) Delete or return all personal data to us upon contract termination.
(g) Sub-contract only with our prior written consent and under a similar DPA.
For example, our cloud host is contractually required to protect all data and not to use the data for its own marketing. Our payment gateway must securely encrypt card data and cannot retain or reuse any payment info beyond processing the transaction. We conduct regular vendor due diligence (security audits or questionnaires) to ensure their compliance. This aligns with DPDP’s principle that Data Fiduciaries must ensure processors are also compliant. (A recommended Data Processing Agreement template clause might read: “The Processor shall treat all personal data as confidential, implement AES-256 encryption at rest, and notify the Data Fiduciary within 24 hours of any breach.”)
Elevate primarily processes data within India. However, some of our cloud and vendor services may involve servers located outside India. Under the DPDP Act, cross-border transfer is allowed by default to any country unless expressly restricted by the Central Government. We will transfer data abroad only in compliance with applicable laws and guidelines. This means:
(a) We will monitor notifications by the Government of India listing any prohibited countries and avoid transfers there.
(b) If required by law or policy, we will implement contractual safeguards (even though DPDP currently does not mandate specific clauses, industry best practice is to use binding contractual clauses) when transferring data.
(c) We will keep copies of critical data on local servers to comply with any future data localization rules. Indeed, DPDP explicitly allows the government to require localization for certain sensitive categories (especially by large data fiduciaries). We will adapt our infrastructure accordingly and keep users informed if any new rules emerge.
As of now, most transfers (e.g. to cloud service providers) proceed normally; we store sensitive health data in Indian data centers when possible. All cross-border transfers are logged and reviewed as part of our compliance program.
Data principals (users) have the following rights under Indian law:
(a) Right to Access: You may request a copy of your personal data held by us, and information about how it is processed (purposes, retention, recipients).
(b) Right to Correction/Updating: If your data is inaccurate or incomplete, you can ask us to correct it. We will rectify or update the data within a reasonable time (DPDP rules currently envision a response within 90 days for such requests).
(c) Right to Erasure (“Right to be Forgotten”): You may request deletion of your data when the purpose of processing is over or if consent is withdrawn (and no legal requirement prevents deletion). We will erase or anonymize data as appropriate unless we must retain it for legal compliance.
(d) Right to Restrict/Objection: You can object to certain processing (e.g. direct marketing) or ask us to restrict processing while a dispute is resolved.
(e) Right to Data Portability: Where technically feasible, you can request an export of data you provided, in a structured format, to port to another service.
(f) Right to Nominate: You may nominate someone (e.g. a family member) to exercise your rights in case of your death or incapacity.
(g) Right to Withdraw Consent: If you withdraw your consent, we will stop processing that personal data (unless we have a lawful basis to continue, such as a legal obligation).
These rights are guaranteed by Section 11–13 of the DPDP Act, and our policy facilitates them. To exercise any right, please follow the procedure below:
1. Submit Request: Send a written request to our Grievance Officer (see below) via email or postal mail. Clearly state your name, contact, account (if any), and the right you wish to exercise (Access, Correction, etc.).
2. Verification: We may ask for proof of your identity (e.g. a government ID) to protect confidentiality.
3. Acknowledge Receipt: We will acknowledge your request within 3 business days, and keep you updated.
4. Action Timeline: We will respond substantively within the DPDP-mandated timeframe (generally 30 days, extendable to 90 days if needed). If unable to comply (e.g. data not found, or an exemption applies), we will inform you of the reasons.
5. Provision of Information: For access requests, we will furnish a summary or copies of the data. For corrections, we will make the changes and notify you when done. For deletion, we will erase/anonymous data and confirm the deletion.
6. Review Option: If you are not satisfied with our response, you may escalate it to our Grievance Officer or appeal to the Data Protection Board of India under DPDP.
The DPDP Act requires us to publish the name and contact of a Grievance Officer. Accordingly, our Grievance Officer is:
Name: Ms./Mr. Subrota Karmakar (designated Officer)
Email: admin@elevatehealthworld.com
Address: [30/9A Atta Para Lane, Sinthee, Baranagar, Kolkata- 700050, West Bengal, India]
You may contact the Grievance Officer for any privacy concerns or to file a complaint about data processing. We will aim to resolve grievances promptly (and in any case within the DPDP timeline). Every organization must appoint a grievance officer, and we have done so in accordance with the law.
Our services are primarily intended for adults seeking healthcare. We do not knowingly collect personal data from children under 18 without parental consent. In the case of minors, consent from a parent or guardian is implied (for example, if a parent uses our app to book a doctor for a child). We do not engage in profiling or marketing to children, and we do not collect sensitive data of children beyond what is necessary for their healthcare (e.g. vaccination records with parental consent). If we discover we have inadvertently collected data from an underage child without proper consent, we will delete it immediately and notify the parent/guardian if identifiable.
Our platform may contain links to third-party sites or services (e.g. partner clinic websites, external insurance portals, social media). This Privacy Policy does not cover those third parties. We encourage you to review the privacy policies of any external sites you visit. We are not responsible for their practices or content. Similarly, if you install any third-party apps (e.g. our teleconsultation partner app), that app’s data handling is governed by its own policy.
To the extent permitted by law, Elevate Health World disclaims any liability for:
(a) The quality, accuracy or outcome of medical consultations or services provided by doctors/clinics/ambulance operators you contact through our platform. We act only as an intermediary or aggregator, not as a medical practitioner. Any diagnosis, prescription or treatment is the responsibility of the licensed healthcare provider. This is similar to standard disclaimers in telemedicine and healthcare apps.
(b) Any unauthorized act or omission by third parties (including data breaches of third-party providers beyond our control).
(c) Losses incurred from using or inability to use our platform (unless we are grossly negligent).
Limitation of Liability: Our liability for direct damages arising from data handling errors or service defects is capped at the amount paid by you for our services in the 12 months before the claim. We exclude liability for indirect, special, incidental, or punitive damages.
Indemnity: You agree to defend and indemnify Elevate Health World against any claims arising from your violation of this policy, misuse of the platform, or unauthorized sharing of your login credentials.
This Privacy Policy shall be governed by the laws of India. Any dispute arising out of or relating to this Policy or the processing of personal data shall be subject to the exclusive jurisdiction of the courts in Kolkata, West Bengal, India. We may update this Policy from time to time to reflect changes in law or our practices. The latest version will be posted on our website with the “Last Updated” date. Continued use of our services after updates constitutes acceptance of the revised Policy.
Example (Patient Appointment): “By confirming this appointment and sharing your personal and medical information, you consent to Elevate Health World processing your data as described in our Privacy Policy for the purpose of scheduling and managing your healthcare services.”
Example (Ambulance Request): “I agree that Elevate Health World may use my location, contact, and medical details to arrange emergency transportation, and I consent to receiving follow-up calls/SMS. I understand this information will only be shared with necessary ambulance and medical personnel.”
Example (Pharmacy Order): “I consent to Elevate Health World using my health and prescription details to procure and deliver the requested medications. I confirm the prescription is valid and may be shared with a licensed pharmacist as required by law.”
In all cases, users are clearly informed of the purpose at the point of collection, as required by DPDP.
When Elevate Health World shares data with processors, we include clauses such as:
“Data Processor Obligations: The processor shall (i) process personal data only according to Elevate’s instructions; (ii) implement the security measures equivalent to Elevate’s (encryption at rest and in transit, access controls, audit logs); (iii) ensure confidentiality among its staff; (iv) notify Elevate within 24 hours of any data breach; (v) provide reasonable assistance for data subject requests; (vi) delete or return all data at contract termination; (vii) restrict onward transfers or sub-processing without Elevate’s consent.”
This aligns with guidance on data fiduciary obligations and processor contracts.
In the event of a personal data breach:
Immediate Response (Hours 0–2): Contain and assess the breach internally (isolate affected systems, change credentials).
Notification to Authorities (Within 72 hours): As per DPDP Section 34 rules, Elevate will notify the Data Protection Board of India within 72 hours of discovering a breach.
Notification to Data Principals (Within 3 days): Affected individuals will be informed promptly (aiming within 72 hours) in clear language about the breach, its impact, and our mitigation steps.
Follow-Up (Days 4–30): Provide updates to authorities and individuals as more information becomes available. Prepare any required compliance reports.
Registered Office: Elevate Health World Pvt. Ltd., [30/9A Atta Para Lane, Sinthee, Baranagar, Kolkata- 700050, WB, India].
Grievance Officer Name: [Mr. Subrota Karmakar], reachable at [admin@elevatehealthworld.com].
Significant Data Fiduciary: If Elevate exceeds DPDP thresholds, we will appoint a Data Protection Officer (DPO) in writing per law.