Privacy Policy

1. Who we are

Cure4Pain is operated by TODO — legal entity name and registered address (the “Data Fiduciary” for the purposes of the Digital Personal Data Protection Act, 2023). We operate a rheumatology and integrative medicine clinic in Mumbai, India, and an online supplement store at this domain.

Contact for privacy queries: TODO — designated privacy contact email and phone.

2. What personal data we collect

We collect the following categories of personal data when you interact with our clinic, store, or appointment booking surfaces:

3. How we use your data

We process your personal data for the following purposes:

4. Data sharing

We do not sell or rent your personal data. We share data only with the following categories of Data Processors and only to the extent necessary for the service:

TODO — lawyer to confirm Data Processing Agreements (DPAs) are executed with each Processor before this policy goes live.

5. Cross-border data transfer

TODO — lawyer to draft disclosure for the encrypted-backup tier, which uses cloud storage that may be located outside India. Disclose that only encrypted blobs (not readable data) cross the border, and that this is permitted because the underlying data is rendered unreadable to the foreign Processor.

6. How long we keep your data

Retention periods are governed by clinical record requirements and applicable Indian law:

TODO — lawyer to confirm exact retention periods.

7. Your rights as a Data Principal

Under the Digital Personal Data Protection Act, 2023, you have the right to:

To exercise any of these rights, contact us at TODO — privacy contact.

8. Grievance redressal

If you have a privacy-related grievance, you may contact our designated Grievance Officer:

We will acknowledge your grievance within a reasonable time and respond as required under applicable law.

9. Children’s data

For patients under the age of 18, consent for processing is provided by a parent or lawful guardian. We collect the parent's or guardian's name and phone number for child patients. We do not engage in tracking, behavioural monitoring, or targeted advertising to children.

10. Security

We follow reasonable security practices appropriate to the sensitivity of the data we handle, including encryption of off-site backups, role-based access controls, audit logging of every change to clinical and financial records, and regular integrity verification. TODO — lawyer to draft the specific paragraph required by the DPDP Act security-safeguards provision.

11. Changes to this policy

We may update this policy from time to time. Material changes will be notified through the portal and via the contact methods on record. The “Last updated” date at the top of the page reflects the most recent revision.

12. Contact

Questions about this policy: TODO — contact details.