Haylo Healthcare Private Limited is the author and publisher of the internet resource www.haylohealthcare.co ("Website") on the world wide web as well as the software, services and applications provided by it, including but not limited to the software, services and applications of the brand names 'Haylo Onkos' (together with the Website, referred to as the "Services").
This Privacy Policy ("Privacy Policy") describes how Haylo Healthcare Private Limited, a company incorporated under the Companies Act, 2013, having its registered office at No. 292/1A, 293/1A, Chennai Road, Bramhapuram, Vellore – 632014, Tamil Nadu, India ("Company", "Haylo", "we", "us", or "our"), collects, uses, processes, stores, and discloses personal data of users ("User", "you", "your") in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and applicable rules.
BY USING THE SERVICES OR BY OTHERWISE PROVIDING US WITH YOUR INFORMATION, YOU WILL BE DEEMED TO HAVE READ, UNDERSTOOD, AND AGREED TO THE PRACTICES AND POLICIES SET OUT IN THIS PRIVACY POLICY, AND TO BE BOUND BY IT. YOU HEREBY CONSENT TO OUR COLLECTION, USE, SHARING, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED IN THIS PRIVACY POLICY. WE RESERVE THE RIGHT, AT OUR SOLE DISCRETION AND AT ANY TIME, TO CHANGE, MODIFY, ADD TO, OR DELETE PORTIONS OF THIS PRIVACY POLICY. IF YOU DO NOT AGREE WITH THIS PRIVACY POLICY AT ANY TIME, YOU SHOULD NOT USE ANY OF THE SERVICES OR PROVIDE US WITH ANY INFORMATION. IF YOU USE THE SERVICES ON BEHALF OF ANOTHER PERSON, SUCH AS YOUR CHILD, OR AN ENTITY, SUCH AS YOUR EMPLOYER, YOU REPRESENT THAT YOU ARE AUTHORISED BY THAT PERSON OR ENTITY TO: (I) ACCEPT THIS PRIVACY POLICY ON THEIR BEHALF; AND (II) CONSENT ON THEIR BEHALF TO OUR COLLECTION, USE, AND DISCLOSURE OF THEIR INFORMATION AS DESCRIBED IN THIS PRIVACY POLICY.
The Company acts as a Data Fiduciary in respect of personal data processed through the Haylo Onkos platform ("Platform").
1. Definitions
- "Personal Data" shall have the meaning assigned under the DPDP Act, 2023, and includes any data about an individual who is identifiable by or in relation to such data.
- "Sensitive Personal Data" includes health-related data such as cancer diagnosis, treatment stage, and mental health information.
- "Data Principal" means the individual to whom the Personal Data relates.
- "Data Fiduciary" means the Company, which determines the purpose and means of processing Personal Data.
- "Data Processor" means any person who processes Personal Data on behalf of the Company.
- "Consent" means any freely given, specific, informed, unconditional, and unambiguous indication of the Data Principal's agreement to process Personal Data.
- "Consultation Information" means all data shared during teleconsultation sessions, including audio, video, text, and related communications.
2. Applicability and Legal Basis of Processing
- This Privacy Policy applies to all Personal Data processed by the Company through the Platform.
- The Company processes Personal Data based on: (a) consent obtained from the Data Principal, and (b) legitimate uses permitted under the DPDP Act, where applicable.
- Consent shall be obtained through clear affirmative action at the time of registration, booking, or data submission.
- The Company shall provide a clear notice specifying the purpose of data processing at or before the time of collection.
3. Categories of Personal Data Collected
The Company collects and processes the following categories of Personal Data:
- Identity and Contact Data, including name, email address, phone number, and login credentials.
- Health and Consultation Data, including cancer type, treatment stage, psychological condition, and consultation records.
- Consultation Information, including session recordings (if any), transcripts, feedback, and clinician notes.
- Transaction Data, including payment confirmations and transaction identifiers processed via third-party payment aggregators.
- Technical Data, including IP address, browser type, device information, and usage analytics.
- Communication Data, including messages, emails, and WhatsApp interactions.
- Clinician Data, including qualifications, licensing details, and payout information.
4. Purpose of Processing
The Company processes Personal Data for the following purposes:
- To facilitate teleconsultation services and connect Users with Clinicians.
- To manage bookings, scheduling, payments, and communication.
- To ensure compliance with legal and regulatory obligations.
- To improve platform functionality and user experience.
- To detect fraud, misuse, and security incidents.
- To conduct research and analytics using anonymised data.
5. Consent Architecture
- The Company shall obtain explicit consent prior to processing Personal Data, particularly health-related data.
- Consent shall be: (a) granular and purpose-specific, (b) recorded and auditable, and (c) capable of being withdrawn at any time.
- Upon withdrawal of consent, the Company shall cease processing Personal Data unless required by law.
- The Company shall provide an easy mechanism for withdrawal of consent through the Platform or by contacting the Grievance Officer.
6. Processing of Consultation Information
- Consultation Information constitutes highly sensitive Personal Data and shall be processed with strict confidentiality safeguards.
- Such data shall only be accessed by: (a) the relevant Clinician, (b) authorised personnel on a need-to-know basis, and (c) Data Processors bound by contractual confidentiality obligations.
- Consultation Information shall not be used for advertising or marketing purposes.
- Disclosure of Consultation Information shall only occur: (a) with explicit consent, (b) where required by law, or (c) where necessary to prevent imminent harm or risk to life.
- The Company does not control clinical decisions made by Clinicians and acts solely as a technology intermediary.
7. Sharing and Disclosure
- The Company may share Personal Data with: (a) Clinicians for provision of Services; (b) Data Processors, including cloud hosting providers, analytics providers, and communication service providers; (c) Payment aggregators for processing transactions; (d) Affiliates and group entities for operational purposes; and (e) Government authorities or regulators where required by law.
- All Data Processors shall be contractually bound to implement appropriate safeguards and process data only on instructions of the Company.
- Wherever feasible, Personal Data shall be anonymised before sharing.
8. Cross-Border Data Transfers
- Personal Data may be transferred outside India in accordance with the DPDP Act and applicable government notifications.
- The Company shall ensure that such transfers are made only to jurisdictions permitted under applicable law and subject to appropriate safeguards.
9. Data Retention and Storage Limitation
- Personal Data shall be retained only for as long as necessary to fulfil the purposes specified in this Privacy Policy.
- Data may be retained for longer durations where required for: (a) legal compliance, (b) dispute resolution, or (c) enforcement of legal rights.
- Upon expiry of retention periods, Personal Data shall be deleted or anonymised.
10. Data Security Safeguards
- The Company implements reasonable security safeguards, including encryption, access controls, and secure storage systems.
- Access to Personal Data is restricted to authorised personnel.
- The Company undertakes periodic security reviews and risk assessments.
11. Personal Data Breach Notification
In the event of a Personal Data breach, the Company shall: (a) take reasonable steps to mitigate harm, (b) notify the Data Protection Board of India as required under law, and (c) inform affected Data Principals where required.
12. Rights of Data Principals
Subject to applicable law, Data Principals have the right to: (a) Obtain information regarding processing of their Personal Data; (b) Seek correction, completion, or updating of Personal Data; (c) Request erasure of Personal Data; (d) Withdraw consent at any time; (e) Nominate another person to exercise rights in case of death or incapacity; (f) Seek grievance redressal from the Company.
13. Duties of Data Principals
Data Principals shall: (a) provide accurate and authentic information, (b) not impersonate another person, and (c) comply with applicable laws while using the Platform.
14. Children's Data
- The Platform does not knowingly process Personal Data of individuals below eighteen (18) years without verifiable parental consent.
- The Company shall implement age-verification and parental consent mechanisms as required under the DPDP Act.
15. Cookies and Tracking Technologies
- The Platform uses cookies and similar technologies to enhance user experience and analyse usage.
- Users may manage cookie preferences through browser settings.
16. Grievance Redressal Mechanism
The Company has appointed a Grievance Officer for addressing concerns related to Personal Data processing:
The Company shall address grievances within timelines prescribed under applicable law.
17. Amendments
- The Company reserves the right to modify this Privacy Policy.
- Updated versions shall be made available on the Platform, and continued use constitutes acceptance.
18. Governing Law
- This Privacy Policy shall be governed by the laws of India.
- Any disputes shall be subject to the jurisdiction of the courts in Tamil Nadu.