Privacy Policy
A TODO marker indicates a section requiring legal review.
1. Who we are
Cure4Pain is operated by TODO — legal entity name and registered address (the “Data Fiduciary” for the purposes of the Digital Personal Data Protection Act, 2023). We operate a rheumatology + integrative medicine clinic in Mumbai, India, and an online supplement store at this domain.
Contact for privacy queries: TODO — designated privacy contact email and phone.
2. What personal data we collect
We collect the following categories of personal data when you interact with our clinic, store, or appointment booking surfaces:
- Identity: name, age, gender, date of birth.
- Contact: phone number, email address (optional), postal address.
- Clinical: medical history, complaints, diagnoses, vitals, prescriptions, lab reports, treatment notes — collected and used solely for your medical care.
- Financial: invoice and payment records, and a token identifying your chosen payment mode (we do not store card numbers; payment data is processed by our gateway).
- Operational: appointment dates and times, order history, delivery address.
3. How we use your data
We process your personal data for the following purposes:
- To provide medical consultation, treatment, and follow-up care.
- To fulfil supplement orders placed through the store.
- To schedule and confirm appointments.
- To issue invoices and process payments.
- To comply with applicable legal obligations including record-retention requirements under the Income Tax Act, 1961 and Companies Act, 2013.
4. Data sharing
We do not sell or rent your personal data. We share data only with the following categories of Data Processors and only to the extent necessary for the service:
- Hosting: our application server is hosted by TODO — hosting provider name and region (e.g. Hostinger, Mumbai). Data resides on servers located in India.
- Backups: encrypted backup copies are stored in cloud storage. The encryption key remains with us; the storage provider cannot read the contents.
- Payment processing: payment transactions are processed by TODO — payment gateway name (e.g. Razorpay). They receive only the data necessary to complete the transaction.
- Communication: OTP delivery and order notifications are sent via TODO — SMS/WhatsApp provider name (e.g. Msg91).
- Courier: when you place a delivery order, your name, address, and phone number are shared with our courier partner for shipment.
TODO — lawyer to confirm Data Processing Agreements (DPAs) are executed with each Processor before this policy goes live.
5. Cross-border data transfer
TODO — lawyer to draft disclosure for the encrypted-backup tier, which uses cloud storage that may be located outside India. Disclose that only encrypted blobs (not readable data) cross the border, and that this is permitted because the underlying data is rendered unreadable to the foreign Processor.
6. How long we keep your data
Retention periods are governed by clinical record requirements and applicable Indian law:
- Medical records: retained for the duration of the doctor-patient relationship and thereafter as required under medical record-keeping norms.
- Financial records: retained for at least 8 years (Income Tax Act §44AA, Companies Act §128).
- Audit logs: retained for the lifetime of the corresponding record.
TODO — lawyer to confirm exact retention periods.
7. Your rights as a Data Principal
Under the Digital Personal Data Protection Act, 2023, you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate or incomplete data.
- Request erasure of your data, subject to our legal record-retention obligations.
- Nominate another person to exercise your rights in case of death or incapacity.
- Withdraw consent for processing where consent is the lawful basis.
- File a complaint with the Data Protection Board of India.
To exercise any of these rights, contact us at TODO — privacy contact.
8. Grievance redressal
If you have a privacy-related grievance, you may contact our designated Grievance Officer:
- Name: TODO
- Email: TODO
- Phone: TODO
- Address: TODO
We will acknowledge your grievance within a reasonable time and respond as required under applicable law.
9. Children’s data
For patients under the age of 18, consent for processing is provided by a parent or lawful guardian. We collect the parent's or guardian's name and phone number for child patients. We do not engage in tracking, behavioural monitoring, or targeted advertising to children.
10. Security
We follow reasonable security practices appropriate to the sensitivity of the data we handle, including encryption of off-site backups, role-based access controls, audit logging of every change to clinical and financial records, and regular integrity verification. TODO — lawyer to draft the specific paragraph required by the DPDP Act security-safeguards provision.
11. Changes to this policy
We may update this policy from time to time. Material changes will be notified through the portal and via the contact methods on record. The “Last updated” date at the top of the page reflects the most recent revision.
12. Contact
Questions about this policy: TODO — contact details.