Privacy Policy

1. Introduction

This Privacy Policy describes how Telerad RxDx Healthcare Pvt Ltd (“RxDx Clinics”) collects, uses, stores, and protects personal and health information in the course of providing its services.

This Privacy Policy applies to interactions with RxDx Clinics across its service network, including services accessed through a common website, patient portal, and other digital platforms, as well as through in-person visits, diagnostic services, pharmacy services, home healthcare, and teleconsultation.

While a unified digital interface may be used to facilitate access to services, such services may be delivered by different entities within the RxDx network or in association with partner organisations (including RxDx SAMANVAY LLP and RxDx-NM Medicals).

Personal and health information collected through such interactions is processed under the governance of RxDx Clinics, which acts as the primary Data Fiduciary. Where services are delivered by associated or partner entities, such entities may process data in connection with service delivery and are required to adhere to applicable data protection obligations and contractual arrangements with RxDx Clinics.

By availing our services or interacting with us through any of these channels, you acknowledge that you have read and understood this Privacy Policy.

This Privacy Policy forms an integral part of the Terms of Service and is published in compliance with applicable Indian laws, including:

• Information Technology Act, 2000
• IT (Reasonable Security Practices and SPDI) Rules, 2011
• Digital Personal Data Protection Act, 2023

2. Scope and Purpose

This Privacy Policy explains:

• The type of Personal Information collected
• The purpose and manner of usage
• Disclosure practices
• Security safeguards
• Your rights in relation to your data

For the purpose of this Policy, references to “patients” or “users” include individuals interacting with RxDx Clinics through any mode, including in-person visits, diagnostics, home healthcare, teleconsultation, and digital platforms.

3. Definitions

Personal Information: Information that relates to a natural person and is capable of identifying such person.

Sensitive Personal Data or Information: Includes health records, medical history, financial information, biometric data, and related information.

Data Fiduciary: Entity determining the purpose and means of processing personal data.

4. Information We Collect

Information may be collected directly from patients during in-person visits, through clinical and diagnostic interactions, or via digital channels including website, mobile platforms, teleconsultation, and other communication interfaces. Information may also be received, where applicable, from authorised caregivers, referring healthcare providers, or other entities involved in the patient’s care.

We may collect:

• Personal details (name, age, gender, contact details, address)
• Health information (medical records, prescriptions, diagnostic reports, clinical notes)
• Financial information (billing and payment details)
• Technical data (IP address, device information, browser type, system logs)
• Communication records (calls, emails, support interactions)

Patients may provide medical records, prescriptions, or other information required for diagnosis and treatment, which will be processed in accordance with this Policy.

5. Use of Information

Information collected across all service delivery channels is used for:

• Providing healthcare services including consultations, diagnostics, pharmacy, and home healthcare
• Patient registration, clinical management, and administration
• Billing, payment processing, and financial reconciliation
• Improving services, systems, and quality of care
• Research and analytics (in anonymised or aggregated form)
• Addressing queries, complaints, and grievances
• Compliance with legal and regulatory requirements
• Prevention and detection of fraud or misuse

6. Digital Health & ABDM Compliance

RxDx Clinics may participate in the Ayushman Bharat Digital Mission (ABDM).

• We may act as a Health Information Provider (HIP) and/or Health Information User (HIU)
• Health data is shared or accessed only after obtaining explicit patient consent
• Consent is captured through secure, auditable mechanisms and may be withdrawn at any time
• Patients may choose to create or link their ABHA (Ayushman Bharat Health Account)

These provisions shall apply upon activation of ABDM-enabled services.

7. Data Protection & DPDP Compliance

RxDx Clinics processes personal data in accordance with the Digital Personal Data Protection Act, 2023.

Role

RxDx Clinics acts as a Data Fiduciary, determining the purpose and means of processing personal data.

Consent

• Consent, where required, is obtained through appropriate physical or digital mechanisms and may be recorded for audit and compliance purposes.
• Personal data is processed only for specific and lawful purposes
• Explicit, informed, and unambiguous consent is obtained where required
• Consent may be withdrawn at any time, subject to legal and operational requirements

Purpose Limitation & Data Minimisation

Only data necessary for defined purposes is collected and processed.

Data Retention

Personal data is retained only for the duration required under applicable laws and medical regulations, after which it is securely deleted or anonymised.

Data Principal Rights

Patients and users have the right to:

• Access their personal data
• Request correction of inaccurate or incomplete data
• Request erasure, where permitted by law
• Withdraw consent
• Nominate a representative

Requests are processed within reasonable timelines in accordance with applicable laws.

Security Safeguards

We implement appropriate technical and organisational safeguards, including:

• Encryption
• Role-based access controls
• Audit logs and monitoring systems

Data Breach Notification

In the event of a data breach, appropriate steps will be taken to contain the incident and notify affected individuals and relevant authorities, as required.

Third-Party Processors and Affiliates

Where services are delivered through affiliated entities, partner organisations, vendors, or service providers using RxDx Clinics’ centralised systems and infrastructure, such parties may process personal and health information only to the extent necessary for authorised service delivery.

Telerad RxDx Healthcare Pvt Ltd (“RxDx Clinics”) acts as the primary Data Fiduciary for personal data processed through its systems and requires all such parties to adhere to applicable data protection laws, confidentiality obligations, and information security standards. Such parties are contractually bound to process personal data only in accordance with documented instructions, where applicable, and are not permitted to use personal data for independent or unrelated purposes without appropriate legal basis or consent.

RxDx Clinics implements appropriate oversight and safeguards to ensure that personal data processed by such parties is protected in accordance with this Privacy Policy and applicable laws.

8. Disclosure and Transfer of Information

Personal Information may be disclosed:

• To authorised service providers for delivery of services
• To affiliates for legitimate operational purposes
• To regulatory authorities, as required by law
• To protect legal rights and prevent fraud or misuse

In the context of ABDM, health data is shared strictly based on patient consent.

RxDx Clinics does not sell personal data.

Aggregated and non-identifiable data may be used for research, analytics, and business intelligence purposes. Such disclosures are subject to appropriate contractual, confidentiality, and data protection safeguards.

9. Data Retention

Information is stored in secure electronic systems and, where necessary, in physical form.

Data is retained only as long as necessary to fulfil the purposes outlined in this Policy or as required under applicable laws and medical regulations.

10. Security Practices

RxDx Clinics adopts reasonable administrative, technical, and physical safeguards to protect personal data from unauthorised access, disclosure, alteration, or destruction.

Access to data is restricted to authorised personnel on a need-to-know basis.

11. User Rights and Choices

Patients and users may:

• Access and review their personal data
• Request corrections or updates
• Withdraw consent for processing

In the context of ABDM, users may manage consent for digital health data sharing.

12. Third-Party Links

Our digital platforms, including the website, may contain links to third-party websites. RxDx Clinics is not responsible for the privacy practices or content of such websites.

13. Limitation of Liability

While reasonable measures are taken to ensure data security, RxDx Clinics shall not be liable for unauthorised access or events beyond its reasonable control, including system failures, cyber incidents, or force majeure events.

14. User Responsibilities

Patients and users are responsible for maintaining the confidentiality of their account credentials and ensuring the accuracy of the information provided.

15. Changes to this Policy

This Privacy Policy may be updated periodically. Updates will be published on the website and become effective upon posting.

16. Grievance Redressal

For concerns relating to privacy or data protection:

Grievance Officer:

Mr Chetan Gupta
Email: dataprivacy@rxdx.in

Address:
Plot No. 7G, Council Khata 180/63
Vishweshwaraiah Industrial Area
Whitefield, Bengaluru – 560048

17. Contact

For any queries regarding this Privacy Policy:
Email: info@rxdx.in

18. Declaration

By using our services, you acknowledge that you have read and understood this Privacy Policy.

You further acknowledge that your personal and health information may be collected, used, stored, and processed as described in this Privacy Policy, in accordance with applicable laws.

Where required, specific and informed consent will be obtained separately for defined purposes.

You understand that you have the right to access, correct, and withdraw consent for your personal data, subject to applicable legal and operational requirements.