Kolkata Heart Foundation
Privacy Policy
Effective Date: April 15, 2025 | Last Updated: April 15, 2025
Registered Address: 42/1A, Harish Mukherjee Road, Opposite Azad Hind Dhaba, Bhowanipore, Kolkata, West Bengal – 700025
Contact: +91 98310 30908
1. INTRODUCTION
Kolkata Heart Foundation (“KHF,” “We,” “Us,” or “Our”) is a specialised cardiac care facility operating in accordance with the laws of the Republic of India. We are committed to protecting the privacy and security of your personal data and to being transparent about how we collect, use, store, and share information about you.
This Privacy Policy (“Policy”) explains our practices with respect to the personal data we collect from users (“You,” “Your,” or “User”) who visit our website, use our digital services, book appointments through our platforms, or interact with us through any online or offline channel.
This Policy is published in compliance with:
- The Digital Personal Data Protection Act, 2023 (“DPDP Act”)
- The Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”)
- The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
- The Consumer Protection Act, 2019
- The Indian Contract Act, 1872
- All other applicable laws and regulations in force in India
By accessing our website or using any of our digital services, You acknowledge that You have read, understood, and consent to the practices described in this Policy. If You do not agree with this Policy, You must immediately cease using our Site and services.
2. SCOPE AND APPLICABILITY
This Policy applies to:
- All personal data collected through our official website and any related digital platforms or mobile interfaces operated by KHF.
- Personal data collected through appointment booking channels, including in-person registration, telephone, WhatsApp, or any other messaging or communication platform.
- Personal data of patients, prospective patients, website visitors, and any other individuals who interact with KHF through digital or physical channels.
This Policy does not apply to the data practices of third-party websites that may be linked from our Site. We encourage You to review the privacy policies of any third-party sites You visit.
NOTE: Patient health information collected and maintained for the purposes of clinical treatment is also governed by the applicable medical ethics guidelines of the Medical Council of India, the Clinical Establishments (Registration and Regulation) Act, 2010, and any applicable state-level regulations. In the event of conflict, the more protective standard shall apply.
3. PERSONAL DATA WE COLLECT
We collect various categories of personal data as described below. Under the DPDP Act, 2023, “personal data” means any data about an individual who is identifiable by or in relation to such data.
3.1 Information You Provide Directly
When You interact with our Site, book an appointment, or contact us, You may provide:
- Identity Data: Full name, date of birth, age, gender, and photograph (where applicable).
- Contact Data: Postal address, email address, mobile and telephone numbers.
- Medical and Health Data (Sensitive Personal Data): Medical history, symptoms, existing diagnoses, prescribed medications, test results, allergies, and other health-related information provided for the purpose of obtaining cardiac care or consultation. This constitutes “Sensitive Personal Data or Information” (SPDI) under the SPDI Rules, 2011 and will be treated with the highest level of protection.
- Financial Data: Payment details including UPI IDs, credit/debit card information, and bank account details provided for processing consultation fees or purchasing services. Payment data is handled exclusively through RBI-compliant payment gateways and is not stored on KHF’s servers.
- Insurance Data: Health insurance policy details, claim information, and related documentation where relevant.
- Government Identification: Aadhaar number, PAN, or other government-issued identifiers where required by law or for verification purposes. Such data is collected and stored in strict compliance with applicable laws, including the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.
- Communication Records: Records of correspondence, emails, and messages You send to us.
- Feedback and Survey Responses: Responses to patient satisfaction surveys, feedback forms, and reviews.
3.2 Information Collected Automatically
When You use our website, we may automatically collect:
- Usage Data: Details of Your visits including pages viewed, time spent, referring/exit URLs, clickstream data, and resources accessed.
- Device and Technical Data: IP address, browser type and version, operating system, device identifiers, and screen resolution.
- Location Data: Approximate location data derived from Your IP address. We do not collect precise GPS location without Your explicit consent.
- Cookie Data: Information collected through cookies and similar tracking technologies as described in Section 7 of this Policy.
3.3 Information from Third Parties
We may receive personal data about You from:
- Referring physicians, hospitals, or other healthcare providers who refer You to KHF for specialist cardiac care.
- Insurance companies or third-party administrators (TPAs) for the purpose of processing cashless or reimbursement claims.
- Diagnostic laboratories or imaging centres that share reports with KHF at Your direction or with Your consent.
4. LEGAL BASIS FOR PROCESSING PERSONAL DATA
Under the DPDP Act, 2023, KHF processes Your personal data on the following legal bases:
- Consent: Where You have given Your free, specific, informed, unconditional, and unambiguous consent for processing Your personal data for a specific purpose. You have the right to withdraw consent at any time.
- Legitimate Uses: Where processing is necessary for the performance of a contract to which You are party (e.g., providing healthcare services), compliance with a legal obligation, or protection of vital interests.
- Medical Treatment: Processing of health data is necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care or treatment, and management of healthcare systems, in accordance with applicable Indian laws and medical ethics guidelines.
- Legal Compliance: Where processing is necessary to comply with any judgment or decree or order issued under any law for the time being in force, or any direction of a government or statutory authority.
We will only process Sensitive Personal Data (including health data) with Your explicit consent, except where processing is required or permitted by law.
5. HOW WE USE YOUR PERSONAL DATA
We use the personal data we collect for the following purposes:
5.1 Healthcare and Clinical Purposes
- Providing cardiac consultations, diagnostic assessments, treatment, and follow-up care.
- Maintaining accurate and up-to-date medical records as required by the Clinical Establishments Act, 2010 and Medical Council of India guidelines.
- Coordinating care with other healthcare providers, specialists, laboratories, or hospitals at Your request or with Your consent.
- Sending appointment reminders, follow-up communications, and care management notifications via SMS, WhatsApp, or email (with Your consent).
5.2 Administrative and Operational Purposes
- Processing appointment bookings, cancellations, and rescheduling.
- Processing payments, issuing receipts, and managing billing and insurance claims.
- Maintaining accounts, correspondence records, and patient management systems.
- Verifying Your identity and eligibility for services.
5.3 Communication and Marketing (With Consent)
- Sending You health awareness newsletters, cardiac wellness tips, and promotional information about KHF’s services — only where You have provided explicit consent.
- Responding to Your enquiries, feedback, and complaints.
- Conducting patient satisfaction surveys to improve our services.
5.4 Legal, Regulatory, and Safety Purposes
- Complying with applicable Indian laws, court orders, and regulatory requirements.
- Protecting the rights, safety, and interests of KHF, its staff, patients, and the public.
- Preventing fraud, misuse, and unauthorised access to our systems.
- Establishing, exercising, or defending legal claims.
5.5 Improvement of Services
- Analysing de-identified and aggregated data to understand patient demographics, health trends, and service utilisation patterns for the purpose of improving our healthcare offerings.
- Optimising the performance and user experience of our website.
We will not use Your personal data for any purpose incompatible with the purposes listed above without Your prior consent.
6. DISCLOSURE AND SHARING OF PERSONAL DATA
KHF does not sell, rent, or trade Your personal data to third parties for commercial purposes. We may share Your personal data with the following categories of recipients only where necessary and lawful:
- Healthcare Providers: Referring doctors, specialists, diagnostic laboratories, imaging centres, and hospitals involved in Your care, shared with Your knowledge and, where required, Your explicit consent.
- Insurance Companies and TPAs: For the purpose of processing insurance claims (cashless or reimbursement) on Your behalf, limited to data necessary for the claim.
- IT and Technology Service Providers: Cloud hosting providers, website maintenance vendors, patient management software providers, and cybersecurity service providers who process data on our behalf under strict data processing agreements requiring them to maintain confidentiality and security.
- Payment Processors: RBI-regulated and PCI-DSS compliant payment gateway providers for the sole purpose of processing transactions.
- Legal and Regulatory Authorities: Government bodies, law enforcement agencies, courts, or statutory authorities where disclosure is required by law, court order, or regulatory direction under applicable Indian law.
- Professional Advisors: Lawyers, auditors, and accountants where necessary for compliance and legal purposes, bound by professional obligations of confidentiality.
- Successors in Business: In the event of a merger, acquisition, restructuring, or sale of KHF’s assets, Your personal data may be transferred to the successor entity, subject to equivalent data protection commitments.
Any third party receiving Your personal data is required to handle it in accordance with applicable Indian data protection laws and is contractually obligated to implement adequate security measures.
We may share anonymised, aggregated, non-identifiable statistical data (such as general patient demographics or disease prevalence trends) with research institutions, public health bodies, or academic organisations for public health purposes. Such data will not identify You individually.
7. COOKIES AND TRACKING TECHNOLOGIES
Our website may use cookies and similar tracking technologies to enhance Your browsing experience and to collect usage information.
7.1 What Are Cookies
Cookies are small text files placed on Your device when You visit our website. They help us recognise Your browser, remember Your preferences, and understand how You interact with our Site.
7.2 Types of Cookies We Use
- Essential Cookies: Necessary for the website to function properly. These cannot be disabled.
- Functional Cookies: Enable personalised features such as remembering Your language preferences or login status.
- Analytics Cookies: Help us understand how visitors interact with our Site through aggregated, anonymised data. We use this solely to improve our website’s performance and content.
- Marketing Cookies: Used to deliver relevant health awareness content. These are only placed with Your explicit prior consent.
7.3 Your Cookie Choices
You may manage Your cookie preferences at any time through Your browser settings. Please note that disabling certain cookies may affect the functionality of some parts of our website. By continuing to use our website after being informed of our cookie practices, You consent to our use of cookies as described above.
7.4 Do Not Track
At this time, our website does not respond to browser “Do Not Track” signals. However, we do not track Your activity across third-party websites for advertising purposes.
8. SMS, WHATSAPP, AND ELECTRONIC COMMUNICATIONS
By providing Your mobile number and communicating with us via WhatsApp, SMS, or email for appointment booking or patient services, You consent to receive communications from KHF including:
- Appointment confirmations, reminders, and rescheduling notifications.
- Post-consultation follow-up messages and care instructions.
- Billing notifications and payment receipts.
- Health awareness content and service information (where separately consented to).
All such communications are governed by the applicable provisions of the Telecom Commercial Communications Customer Preference Regulations (TCCCPR) issued by the Telecom Regulatory Authority of India (TRAI). We will register all commercial communications in accordance with TRAI regulations.
You may opt out of non-essential marketing communications at any time by:
- Sending “STOP” in response to any promotional SMS from KHF.
- Notifying us in writing at our contact address below.
Opting out of marketing communications will not affect essential service communications related to Your appointments or treatment.
Please note that communications via WhatsApp and standard SMS are not end-to-end encrypted on our infrastructure. You should refrain from sending sensitive medical information through these channels unless explicitly directed to do so by KHF clinical staff.
9. DATA RETENTION
KHF retains personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law, whichever is longer. Our specific retention practices are:
- Patient Medical Records: Retained for a minimum period as prescribed by the Medical Council of India guidelines (currently a minimum of 3 years from the date of last treatment for adult patients) and applicable state regulations. Records relating to minors are retained until the patient attains the age of majority plus the applicable limitation period.
- Financial and Billing Records: Retained for a minimum of 8 years in compliance with Indian accounting and tax laws, including the Income Tax Act, 1961, and the Companies Act, 2013 (where applicable).
- Appointment and Communication Records: Retained for a period of 3 years from the date of last interaction, or as required for legal or regulatory purposes.
- Website Usage Data and Cookies: Retained for a period not exceeding 12 months from collection, unless a longer period is required for security or legal purposes.
Upon expiry of the applicable retention period, personal data will be securely deleted or anonymised in accordance with our internal data disposal procedures and applicable Indian law.
Requests for early deletion of personal data will be considered in accordance with Your rights under the DPDP Act, 2023, subject to overriding legal, regulatory, or clinical retention obligations.
10. SECURITY OF PERSONAL DATA
Kolkata Heart Foundation implements reasonable and appropriate technical, administrative, and physical security measures to protect Your personal data from unauthorised access, disclosure, alteration, misuse, or destruction, in accordance with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Our security measures include, but are not limited to:
- Secure Sockets Layer (SSL) / Transport Layer Security (TLS) encryption for all data transmitted through our website.
- Role-based access controls limiting access to personal data to authorised personnel only.
- Regular security assessments and vulnerability testing of our digital infrastructure.
- Physical security measures at our clinic premises to protect paper-based and digital health records.
- Confidentiality obligations imposed on all staff, contractors, and third-party processors handling personal data.
IMPORTANT: Despite our best efforts, no method of electronic transmission or storage is completely secure. KHF cannot guarantee absolute security of data transmitted over the internet. You transmit personal data to us at Your own risk. In the event of a data breach that is likely to result in a risk to Your rights and freedoms, KHF will comply with its notification obligations under the DPDP Act, 2023, and report the breach to the Data Protection Board of India as required by law.
11. YOUR RIGHTS AS A DATA PRINCIPAL
Under the Digital Personal Data Protection Act, 2023, You have the following rights with respect to Your personal data processed by KHF:
11.1 Right to Access Information
You have the right to obtain a summary of the personal data KHF holds about You and the processing activities being carried out with respect to Your data.
11.2 Right to Correction and Erasure
You have the right to request correction of inaccurate, incomplete, or outdated personal data. You also have the right to request erasure of personal data that is no longer necessary for the purpose for which it was collected, subject to KHF’s legal, regulatory, and clinical retention obligations.
11.3 Right to Grievance Redressal
You have the right to have Your grievances regarding the processing of Your personal data addressed by KHF’s Grievance Officer within the timelines prescribed by applicable law.
11.4 Right to Nominate
You may nominate another individual to exercise Your data rights on Your behalf in the event of Your death or incapacity.
11.5 Right to Withdraw Consent
Where KHF processes Your personal data on the basis of Your consent, You have the right to withdraw that consent at any time. Withdrawal of consent shall not affect the lawfulness of processing carried out before such withdrawal. Please note that withdrawal of consent for processing of health data may limit KHF’s ability to provide You with certain healthcare services.
11.6 Right to Data Portability
You have the right to receive Your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another data fiduciary, to the extent technically feasible and as prescribed under applicable law.
How to Exercise Your Rights
To exercise any of the above rights, please submit a written request to our Grievance Officer using the contact details in Section 15. We will acknowledge Your request within 72 hours and endeavour to fulfil it within the timelines prescribed by the DPDP Act, 2023. We may require You to verify Your identity before processing Your request.
12. CHILDREN’S PRIVACY
Our website is not directed to children under the age of 18 years. We do not knowingly collect personal data from children under 18 without verifiable parental or guardian consent.
Where medical services are provided to patients below 18 years of age, personal and health data is collected and processed with the explicit consent of the parent or legal guardian, who shall be treated as the Data Principal for the purposes of this Policy.
If We become aware that We have inadvertently collected personal data from a child under 18 without appropriate parental consent, We will take immediate steps to delete such data. Parents or guardians who believe We may hold such data should contact our Grievance Officer immediately.
13. LINKS TO THIRD-PARTY WEBSITES
Our website may contain links to third-party websites, including social media platforms and health information portals. These links are provided for Your convenience only. KHF does not control such websites and is not responsible for their content, privacy practices, or data handling. We encourage You to review the privacy policies of any third-party websites before providing them with any personal data.
14. UPDATES TO THIS PRIVACY POLICY
KHF reserves the right to update or amend this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or for any other reason. The revised Policy will be posted on our website with an updated “Last Updated” date at the top of the page.
Where changes are material, we will make reasonable efforts to notify You through prominent notice on our website or via direct communication (e.g., email or SMS) where we hold Your contact details. Your continued use of our website or services following the posting of a revised Policy constitutes Your acceptance of the revised terms. If You do not agree with the revised Policy, You must discontinue use of our Site and services.
15. GRIEVANCE OFFICER AND CONTACT INFORMATION
In accordance with the Information Technology Act, 2000, the IT Rules, 2021, and the Digital Personal Data Protection Act, 2023, KHF has designated a Grievance Officer to address complaints and queries regarding this Privacy Policy and the handling of Your personal data.
Designation: Grievance Officer — Data Privacy
Organisation: Kolkata Heart Foundation
Address: 42/1A, Harish Mukherjee Road, Opposite Azad Hind Dhaba, Bhowanipore, Kolkata, West Bengal – 700025
Phone: +91 98310 30908
Response Time: Acknowledgement within 72 hours; Resolution within 15 business days (as prescribed under applicable law)
If You are not satisfied with the resolution provided by our Grievance Officer, You have the right to escalate Your complaint to the Data Protection Board of India, once constituted and operational under the DPDP Act, 2023.
You may also approach the National Consumer Disputes Redressal Commission or State Consumer Disputes Redressal Commission under the Consumer Protection Act, 2019, for consumer-related grievances.
BY USING OUR WEBSITE OR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND CONSENT TO THE COLLECTION, USE, AND PROCESSING OF YOUR PERSONAL DATA AS DESCRIBED HEREIN.
© 2025 Kolkata Heart Foundation. All Rights Reserved.
