Privacy Policy.

1. Introduction

We are committed to protecting the privacy and confidentiality of our patients and website visitors in accordance with:

• The Digital Personal Data Protection Act, 2023 ("DPDP Act")
• The Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules")
• The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations and National Medical Commission (NMC) guidelines
• Applicable rules of medical confidentiality

By accessing this website or providing your personal data to us, you confirm that you have read, understood, and agreed to this Privacy Policy.

2. Data Fiduciary Identity

For the purposes of the DPDP Act, the Data Fiduciary is:

iRUS Healthcare Private Limited
A registered company under the Companies Act, 2013
CIN: [TO BE INSERTED FROM CERTIFICATE OF INCORPORATION]
Trading as: iRUS - Institute of Robotic Uro-Oncology and Surgery
Registered/Practice address: Gagan Kapitol, 302, Chatrapati Shahu Maharaj Rd, Sangamvadi, Pune, Maharashtra - 411001
Email: irusinstitute@gmail.com
Phone: +91 92255 29848

Treating physician: Dr. Himesh Gandhi, MCh Urology
MMC Registration No.: 2017073071

3. Personal Data We Collect

We may collect the following categories of personal data:

A. Identity and Contact Information

• Full name
• Date of birth and age
• Gender
• Email address
• Phone number / mobile number / WhatsApp number
• Postal address and city
• Country (for international patients)

B. Health Information (Sensitive Personal Data)

• Medical history and existing conditions
• Symptoms, complaints, and clinical concerns shared during consultation booking
• Previous diagnoses, investigations, scans, and reports you share with us
• Family medical history (where relevant)
• Medications and allergies
• Lifestyle information relevant to urological care

C. Booking and Communication Data

• Appointment preferences (date, time, consultation type)
• Communications with our reception or clinical team (phone, email, WhatsApp, chat)
• Records of consultations, treatment recommendations, and follow-up notes

D. Technical and Usage Data

• IP address
• Browser type and version
• Device type, operating system
• Pages visited, time spent, referring URLs
• Cookies and similar tracking technologies (see Section 9)

E. Payment Data (where applicable)

We do not directly store credit/debit card or banking details on our website. Payments, when applicable, are processed by third-party payment gateways subject to their own privacy policies.

4. How We Collect Your Data

We collect personal data through:

• The booking form on our website
• Telephone, email, and WhatsApp inquiries
• In-person consultations at our Sangamwadi clinic
• Cookies and analytics tools when you browse our website
• Information you voluntarily share via email or messaging
• Referrals from other healthcare providers (with your knowledge)

We do not knowingly collect personal data from children under 18 years of age without verifiable consent from a parent or legal guardian, as required under the DPDP Act.

5. Purposes for Which We Use Your Data

We process your personal data for the following specific, lawful purposes:

1. Medical consultation and care - to assess your condition, plan treatment, perform procedures, and provide follow-up
2. Appointment booking and management - to schedule, confirm, reschedule, or cancel consultations
3. Surgical coordination - to coordinate procedures with Ruby Hall Clinic, Sahyadri Hospital, D.Y. Patil Medical College, Kalyani Institute of Robotic HIFU Therapy, or other partner hospitals where surgery is performed
4. Communication - to respond to your inquiries, send appointment reminders, share reports, and provide aftercare instructions
5. Multidisciplinary review - to share your case (with your consent) with our tumour board including oncologists, radiologists, and other specialists
6. Medical records maintenance - as required by law and clinical best practice
7. Billing and payment - for fees associated with consultations and procedures
8. Quality improvement and research - in fully anonymised form only, for clinical audit, quality improvement, and (where you have given explicit consent) academic research
9. Legal and regulatory compliance - including responding to lawful requests from medical councils, courts, or law enforcement
10. Website analytics - to understand how our website is used and improve its performance

6. Legal Basis for Processing (Under the DPDP Act)

We process your personal data on the following legal grounds:

• Your consent - for non-essential processing, marketing communications, and case sharing for research
• Legitimate medical use - for direct provision of healthcare, where consent is established by your engagement with our practice
• Legal obligation - for record-keeping, regulatory reporting, and statutory disclosures
• Public interest - limited to public health and emergency situations as permitted by law

7. Consent and Your Rights

Your Consent

Where consent is the legal basis, you have the right to:

• Give consent freely, specifically, and after being informed
• Withdraw your consent at any time (without affecting prior lawful processing)
• Provide consent for specific purposes only

To withdraw consent, contact our Grievance Officer (Section 13).

Your Rights Under the DPDP Act

As a Data Principal, you have the right to:

1. Right to information - to know what personal data we hold about you and how it is processed
2. Right to correction and erasure - to correct inaccurate data or, where lawfully permitted, request deletion
3. Right to grievance redressal - to file a complaint with our Grievance Officer
4. Right to nominate - to nominate another person to exercise your rights in the event of your death or incapacity

To exercise any of these rights, write to our Grievance Officer at the contact details in Section 13. We will respond within the timelines prescribed under the DPDP Act.

8. Sharing of Your Data

We do not sell your personal data to anyone. We share data only as follows:

A. With your treatment team and partner hospitals

• Ruby Hall Clinic, Sassoon Road, Pune (primary surgical centre)
• Sahyadri Hospital, Deccan, Pune
• D.Y. Patil Medical College & Research Centre, Pimpri, Pune
• Kalyani Institute of Robotic HIFU Therapy, Pune
• Other partner hospitals where your surgery may be performed
• Visiting or referring physicians, anaesthetists, pathology labs, imaging centres involved in your care
• Multidisciplinary tumour board members for case review

B. With service providers we engage

• IT and cloud hosting providers (with appropriate data protection agreements)
• Communication and messaging platforms (email, WhatsApp Business, SMS gateways)
• Payment processors
• Website analytics providers (e.g. Google Analytics - in anonymised form where possible)

All such service providers are contractually bound to protect your data and use it only for the specific purpose for which it is shared.

C. With regulators and authorities

• When required by law, court order, or regulatory request
• For mandatory disease notifications to public health authorities
• To medical councils investigating professional matters

D. With insurance providers and TPAs

• Only with your specific consent for cashless or reimbursement claims

9. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to:

• Remember your preferences
• Measure website traffic and performance (via Google Analytics or equivalent)
• Improve user experience

You can control cookies through your browser settings. Disabling cookies may affect website functionality. Our cookie banner allows you to accept or decline non-essential cookies.

10. Data Retention

We retain personal data only for as long as necessary for the purpose for which it was collected, and in accordance with applicable legal and medical record-keeping requirements:

• Medical records: Retained for the minimum statutory period required under applicable medical regulations (typically a minimum of 3 years for outpatient records and longer for surgical and oncology records). Some records may be retained longer where there is ongoing care or potential medico-legal relevance.
• Booking and inquiry data (non-converting): Retained for up to 24 months, then deleted or anonymised.
• Website analytics data: Retained per the policies of the analytics provider (typically 14-26 months).
• Marketing consent records: Retained for as long as you remain subscribed, plus 12 months after withdrawal for audit purposes.

11. Data Security

We implement reasonable physical, technical, and administrative safeguards to protect your personal data, including:

• Access controls limiting data access to authorised clinical and administrative staff
• Encrypted storage and transmission where applicable
• Regular review of security practices
• Confidentiality undertakings from all staff
• Secure handling of physical medical records

No system is 100% secure. While we take every reasonable measure, we cannot guarantee absolute security. In the event of a data breach affecting your rights, we will notify you and the relevant authorities as required under the DPDP Act.

12. International Data Transfers

If you are accessing this website from outside India, please be aware that your data is processed and stored in India. We do not currently transfer personal data to other countries except where required for the care of international patients (e.g. sharing reports back to your home country physician at your request, or sharing case information with Jahmale Medical Centre, Liberia, or Hitech Sai Hospital, Tanzania, where Dr. Gandhi serves as a visiting consultant - only with your specific consent).

13. Grievance Officer

In accordance with the DPDP Act, 2023 and the IT Rules, the following individual has been designated as the Grievance Officer for handling data protection concerns:

Name: Dr. Himesh Gandhi
Designation: Director, iRUS Healthcare Private Limited
Email: irusinstitute@gmail.com
Phone: +91 92255 29848
Postal address: iRUS, Gagan Kapitol, 302, Chatrapati Shahu Maharaj Rd, Sangamvadi, Pune, Maharashtra - 411001

We will acknowledge grievances within 48 hours and resolve them within 30 days of receipt, as required under the DPDP Act.

If your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India through the channels notified under the DPDP Act.

14. Children's Privacy

Our services are not intended for children under 18 years of age. We do not knowingly collect personal data from children without verifiable parental or guardian consent. If you believe we have inadvertently collected such data, please contact our Grievance Officer for immediate deletion.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, technology, or our practices. The updated policy will be posted on this page with a revised "Last updated" date. We encourage you to review this page periodically.

For material changes affecting your rights, we will make reasonable efforts to notify you directly (where we have your contact details).

16. Contact Us

For any questions about this Privacy Policy or our data practices, please contact:

iRUS Healthcare Private Limited
iRUS - Institute of Robotic Uro-Oncology and Surgery
Gagan Kapitol, 302, Chatrapati Shahu Maharaj Rd, Sangamvadi, Pune, Maharashtra - 411001
Email: irusinstitute@gmail.com
Phone: +91 92255 29848