Privacy Policy

Version 1.0 · Effective 10 June 2026

Treatlly Healthtech Private Limited (“Treatlly”, “we”, “us”, “our”, or the “Platform”) operates a multi-tenant, cloud-based doctor appointment booking and practice management software-as-a-service (“SaaS”) designed for Indian doctors, clinics, and hospitals (“Tenants”). We provide the technology infrastructure that enables Tenants to manage their appointment scheduling, patient interactions, and practice operations. This Privacy Policy explains how we collect, use, store, disclose, and protect your personal data in compliance with the Information Technology Act, 2000 (“IT Act”), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), and the Digital Personal Data Protection Act, 2023 (“DPDP Act”) of India.

Important Disclaimer: Treatlly is solely a technology infrastructure and service provider. We do not provide any medical treatment, medical advice, diagnosis, or healthcare services. We do not guarantee doctor availability, appointment time slots, or the quality of medical treatment provided by Tenants. All medical services are rendered independently by the respective Tenant (doctor, clinic, or hospital), and we bear no responsibility or liability whatsoever in relation to such services.

1. Information We Collect

We collect different categories of information depending on whether you are a Tenant (doctor/clinic/hospital), a patient, or a visitor to our website:

  • Tenant & Practitioner KYC Information: Clinic or hospital name, registered address, GSTIN (if applicable), contact details of authorised personnel, bank account or UPI details for settlement, professional registration numbers (e.g., MCI/NMC/State Medical Council registration), and subscription and billing records. Where our payment-gateway partners require it to activate fund settlement, we also collect Know-Your-Customer (KYC) identifiers and documents of the Tenant and its practitioners, which may include PAN and government-issued identity documents (such as Aadhaar). Such identity documents are collected and shared solely for payment-onboarding and statutory compliance, and are not used for any other purpose.
  • Doctor & Staff Information: Name, qualifications, specialisation, contact details, role-based access credentials, and profile information displayed on the Tenant’s booking page.
  • Patient Information: Name, mobile number (used for SMS OTP authentication), date of birth, gender, appointment history, consultation notes (as entered by the Tenant), and payment transaction records. We process patient data strictly on behalf of Tenants as a data processor.
  • Automatically Collected Data: IP address, device type, browser information, operating system, access timestamps, referring URLs, and usage analytics for platform improvement and security of OTP-based authentication flows.
  • Payment Information: Payment amounts, transaction IDs, payment status, and settlement records processed through our RBI-authorised payment-gateway partners (Razorpay and/or Cashfree). We do not store full credit/debit card numbers, CVV, or net-banking credentials — these are handled entirely by the payment gateway under its PCI-DSS-compliant infrastructure.
2. How We Use Your Information

  • To provision and maintain Tenant accounts, including white-label booking pages and doctor dashboards.
  • To facilitate appointment booking, SMS/OTP notifications, appointment reminders, and patient communication on behalf of Tenants.
  • To facilitate appointment payments and the automatic settlement of those funds to Tenants through our RBI-authorised payment-gateway partners, as per the gateway’s settlement timelines.
  • To generate invoices, manage subscription billing, and provide accountant-level reporting dashboards to Tenants.
  • To improve platform performance, troubleshoot issues, prevent fraud, and ensure security of authentication systems.
  • To comply with applicable Indian laws, respond to lawful requests from government authorities, and enforce our Terms of Use.

We do not sell, rent, or trade personal information or patient health data to any third party for marketing or advertising purposes.

3. Role as Infrastructure Provider

Treatlly operates as a technology infrastructure provider, offering a SaaS platform to Tenants (doctors, clinics, and hospitals). In relation to patient data, we act as a data processor — meaning we process such data strictly on behalf of and under the instructions of the respective Tenant (who is the data fiduciary/controller). Each Tenant is independently responsible for obtaining the necessary consent from their patients for collecting and processing personal and health information.

However, for a limited set of data that we process for our own purposes — namely Tenant account administration, subscription billing, platform analytics and performance monitoring, fraud prevention, and platform security — Treatlly is itself the data fiduciary and is directly responsible for that processing under the DPDP Act, 2023.

4. Data Sharing & Third-Party Processors

We may share personal data with the following categories of third parties, strictly for the purposes described in this Policy:

  • Payment Gateways (Razorpay and/or Cashfree): RBI-authorised payment aggregators that process appointment-fee payments and settle those funds directly to the Tenant’s linked settlement account via the gateway’s split-settlement facility. Treatlly does not receive, hold, pool, or control patient funds.
  • SMS & Communication Providers: To deliver OTP codes, appointment reminders, and transactional notifications.
  • Cloud Hosting Providers: For secure data storage and platform hosting within India.
  • Government & Legal Authorities: When required under applicable Indian law, court orders, or lawful government requests.
5. Data Storage, Residency & Security

  • All personal data and health information is stored on servers located within the territory of India, in compliance with applicable data localisation requirements.
  • We implement reasonable security practices and procedures as required under the SPDI Rules and the DPDP Act, including encryption of data in transit, role-based access controls, logical tenant data isolation, and periodic security reviews. No method of transmission or storage is completely secure, and we continue to strengthen our safeguards over time.
  • OTP codes are short-lived and automatically expire. Session tokens are secured with industry-standard measures.
  • Multi-tenant architecture ensures logical data isolation — one Tenant cannot access another Tenant’s patient or operational data.
6. Data Retention

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable Indian law. Tenant account data is retained for the duration of the subscription and for a period of 60 (sixty) days after account termination, during which Tenants may request a data export. After this period, all data is permanently and irreversibly deleted, unless retention is required under any applicable law or regulation.

7. Your Rights Under Indian Law

Subject to applicable provisions of the DPDP Act, 2023 and SPDI Rules, you have the following rights:

  • Right to Access: You may request confirmation of whether we hold your personal data and obtain a copy of such data.
  • Right to Correction: You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You may request deletion of your personal data, subject to applicable legal retention requirements.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal.
  • Right to Grievance Redressal: You may raise a grievance with our Grievance Officer (details below).

For Patients: Since we process patient data on behalf of Tenants, patients should first contact their respective doctor, clinic, or hospital for data access, correction, or deletion requests. If the Tenant is unresponsive, patients may contact us directly.

8. Children’s Privacy

Our Platform is not intended to be used directly by individuals under the age of 18. Where an appointment is booked for a minor, it must be initiated by a parent or lawful guardian, who is responsible for providing consent on the child’s behalf.

Under the DPDP Act, 2023, the processing of a child’s personal data requires verifiable consent of a parent or lawful guardian. As the data fiduciary for patient data, each Tenant (doctor, clinic, or hospital) is responsible for obtaining such verifiable parental consent before a minor’s data is processed through the Platform, and Treatlly provides the technical means to support this. We do not undertake any tracking, behavioural monitoring, or targeted advertising directed at children. If we become aware that a minor’s personal data has been processed without the required verifiable parental consent, we will take steps to delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Any material changes will be communicated via email to registered Tenants or by posting a prominent notice on the Platform. Continued use of the Platform after such changes constitutes acceptance of the updated Policy.

10. Grievance Officer & Contact

In accordance with Section 5(2) of the SPDI Rules and the DPDP Act, 2023, the name and contact details of the Grievance Officer are as follows:

Treatlly Healthtech Private Limited

CIN: U86909BR2026PTC084623

Registered office: 1R-T5, Saakaar Aquacity, Patna 801105, Bihar, India

Grievance Officer: Abhishek Sinha

Email: webmaster@treatlly.com

Phone: +91 94 7249 9879

Help Center: help.treatlly.com

We shall acknowledge your grievance within 48 hours and endeavour to resolve it within 30 days from the date of receipt. Nothing in this Policy limits your right to approach the Data Protection Board of India or any other competent authority under applicable law.

11. Governing Law & Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of India. Any disputes arising out of or in connection with this Privacy Policy between Treatlly and any Tenant (doctor, clinic, or hospital) shall be subject to the exclusive jurisdiction of the Civil Courts at Patna, Bihar, India.