Privacy Policy

Effective: 6 May 2026 · Version: 1.0

1. Who we are

Shivam Medicare is the family medical practice of Dr. Gaurav Chhaya in Ahmedabad, Gujarat. This policy explains what personal information we collect when you use our clinic and our online services, why we collect it, and what your rights are under the Digital Personal Data Protection Act, 2023 (the “DPDP Act”).

2. The information we collect

We collect only what we need to give you good care:

• Identity and contact details: your name, date of birth, gender, mobile number, and (if you provide them) email address and home address.
• Clinical information: visit notes, prescriptions, lab reports, vital signs, allergies, medications, and any other medical information you share with us or that we record during your care.
• Communication records: WhatsApp and SMS messages we send you about your appointments and care, and any messages you send back.
• Payment records: payment amount, date, and transaction reference. We do not store your card number, UPI PIN, or bank credentials — those stay with our payment provider, Razorpay.
• Voice recordings (only with your consent): if you send us voice notes, we store the audio and the text transcript.

3. Why we collect this information (lawful basis)

Under the DPDP Act, we process your information for these specific reasons:

• To provide medical care — we need your clinical history to treat you safely.
• To meet legal duties — medical records, prescriptions, and certificates have statutory retention rules we must follow.
• With your specific consent — for things like WhatsApp communication, sharing your record with a caregiver, or processing your voice notes through AI services. Each of these is a separate, optional consent that you can withdraw at any time from your privacy settings.

4. Who we share your information with

We share your information only when it is needed to give you care or to meet a legal obligation. Operationally, this means:

• The clinic team (doctor, nurse, pharmacy staff, reception) treating you.
• The pharmacy and laboratory you use, only for the active order or prescription, and only for the data they need.
• Specialists you are referred to, with consent that is specific to that referral.
• Razorpay, for payment processing.

We do not sell your information. We do not use it for advertising. We do not share it with insurance companies, employers, or anyone else, except where you have asked us to or where the law requires it.

5. Where your data lives

Your medical records are stored in India, on infrastructure located in Mumbai. The DPDP Act treats this as the safest default and so do we.

Some specific services we use are hosted outside India, and we transmit only what is needed:

• Anthropic (United States) — for our AI assistant, when you have opted in.
• OpenAI (United States) — for transcribing voice notes, when you have opted in.
• Meta WhatsApp (United States) — for delivering WhatsApp messages you have opted to receive.
• Resend (United States) — for sending email, when applicable.

Each cross-border processor is documented in our internal register, with what is sent and why.

6. How long we keep your information

Medical records are retained for at least three years after your last visit, as the law requires. Some records (like prescriptions and certificates) have specific statutory retention periods that run longer.

Communication records, voice notes, and AI conversation logs are retained for shorter periods unless they form part of your clinical record. Specific retention periods are listed in our internal data register and available on request.

7. Your rights

The DPDP Act gives you the following rights, and we honour them:

• Access — download a complete copy of your record, usually within seven days of asking.
• Correction — flag any data point you believe is wrong; we will look into it within fourteen days.
• Erasure — request deletion of your personal data. Clinical records may need to be retained for legal periods, but we will tell you clearly what is kept and why.
• Portability — receive your data in a machine-readable format you can take elsewhere.
• Grievance — raise a privacy concern with us; we will acknowledge within 48 hours and respond within 30 days.
• Nominate — appoint someone to act on your behalf if you become unable to.

8. Children

Patients under 18 must be registered by a parent or legal guardian. We record the guardian’s identity and the consent they give on behalf of the child. When the child turns 18, we ask them to confirm consent in their own name.

9. Security and breach notification

We protect your information with industry-standard measures: encrypted storage, access controls based on role, and a complete audit log of who accessed what.

If a security incident affects your information, we will notify the Data Protection Board of India within 72 hours and notify you directly within 7 days, in your preferred language.

10. How to contact us

For any privacy question, request, or grievance:

• Data Protection Contact: Dr. Gaurav Chhaya
• Email: shivammedicare.ahmedabad@gmail.com
• Address: Shivam Medicare, Ahmedabad, Gujarat (full address to be published shortly)

If we cannot resolve your concern, you have the right to escalate to the Data Protection Board of India.

11. Changes to this policy

We may update this policy from time to time. When we make a meaningful change, we will tell you and ask you to review the new version. The version number and effective date at the top of this page reflect the current policy.