Privacy Policy

We collect different categories of information depending on whether you are a Tenant (doctor/clinic/hospital), a patient, or a visitor to our website:

• Tenant Information: Clinic or hospital name, registered address, GSTIN (if applicable), contact details of authorised personnel, bank account or UPI details for Razorpay settlement, professional registration numbers (e.g., MCI/NMC registration), and subscription and billing records.
• Doctor & Staff Information: Name, qualifications, specialisation, contact details, role-based access credentials, and profile information displayed on the Tenant’s booking page.
• Patient Information: Name, mobile number (used for SMS OTP authentication), date of birth, gender, appointment history, consultation notes (as entered by the Tenant), and payment transaction records. We process patient data strictly on behalf of Tenants as a data processor.
• Automatically Collected Data: IP address, device type, browser information, operating system, access timestamps, referring URLs, and usage analytics for platform improvement and security of OTP-based authentication flows.
• Payment Information: Payment amounts, transaction IDs, payment status, and settlement records processed via Razorpay. We do not store full credit/debit card numbers, CVV, or net banking credentials — these are handled entirely by Razorpay as a PCI-DSS compliant payment gateway.

• To provision and maintain Tenant accounts, including white-label booking pages and doctor dashboards.
• To facilitate appointment booking, SMS/OTP notifications, appointment reminders, and patient communication on behalf of Tenants.
• To process appointment payments collected on behalf of Tenants and facilitate automatic settlement to Tenants as per Razorpay’s settlement timelines.
• To generate invoices, manage subscription billing, and provide accountant-level reporting dashboards to Tenants.
• To improve platform performance, troubleshoot issues, prevent fraud, and ensure security of authentication systems.
• To comply with applicable Indian laws, respond to lawful requests from government authorities, and enforce our Terms of Use.

We do not sell, rent, or trade personal information or patient health data to any third party for marketing or advertising purposes.

Treatlly operates as a technology infrastructure provider, offering a SaaS platform to Tenants (doctors, clinics, and hospitals). In this capacity, we act as a data processor for patient data — meaning we process personal data strictly on behalf of and under the instructions of the respective Tenant (who is the data fiduciary/controller). Each Tenant is independently responsible for obtaining necessary consent from their patients for collecting and processing personal health information. We merely provide the technological means to facilitate such collection and processing.

We may share personal data with the following categories of third parties, strictly for the purposes described in this Policy:

• Payment Gateway (Razorpay): To process appointment fee payments collected on behalf of Tenants and to settle funds automatically as per Razorpay’s settlement timeline.
• SMS & Communication Providers: To deliver OTP codes, appointment reminders, and transactional notifications.
• Cloud Hosting Providers: For secure data storage and platform hosting within India.
• Government & Legal Authorities: When required under applicable Indian law, court orders, or lawful government requests.

• All personal data and health information is stored on servers located within the territory of India, in compliance with applicable data localisation requirements.
• We implement reasonable security practices and procedures as required under the SPDI Rules, including encryption of data at rest and in transit, role-based access controls, and regular security audits.
• OTP codes are short-lived and automatically expire. Session tokens are secured with industry-standard measures.
• Multi-tenant architecture ensures logical data isolation — one Tenant cannot access another Tenant’s patient or operational data.

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable Indian law. Tenant account data is retained for the duration of the subscription and for a period of 60 (sixty) days after account termination, during which Tenants may request a data export. After this period, all data is permanently and irreversibly deleted, unless retention is required under any applicable law or regulation.

Subject to applicable provisions of the DPDP Act, 2023 and SPDI Rules, you have the following rights:

• Right to Access: You may request confirmation of whether we hold your personal data and obtain a copy of such data.
• Right to Correction: You may request correction of inaccurate or incomplete personal data.
• Right to Erasure: You may request deletion of your personal data, subject to applicable legal retention requirements.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal.
• Right to Grievance Redressal: You may raise a grievance with our Grievance Officer (details below).

For Patients: Since we process patient data on behalf of Tenants, patients should first contact their respective doctor, clinic, or hospital for data access, correction, or deletion requests. If the Tenant is unresponsive, patients may contact us directly.

Our Platform is not intended to be used directly by individuals under the age of 18. Where appointment bookings are made for minors, such bookings are expected to be initiated by a parent or lawful guardian. We do not knowingly collect personal data from children without parental consent. If we become aware that we have inadvertently collected personal data from a child without verifiable parental consent, we shall take steps to delete such data promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Any material changes will be communicated via email to registered Tenants or by posting a prominent notice on the Platform. Continued use of the Platform after such changes constitutes acceptance of the updated Policy.

In accordance with Section 5(2) of the SPDI Rules and the DPDP Act, 2023, the name and contact details of the Grievance Officer are as follows:

This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of India. Any disputes arising out of or in connection with this Privacy Policy between Treatlly and any Tenant (doctor, clinic, or hospital) shall be subject to the exclusive jurisdiction of the Civil Courts at Patna, Bihar, India.