Privacy Policy

1. Introduction

Aestheva Skin Clinic ("we," "us," "our," or the "Clinic"), located in South Tukoganj, Indore, Madhya Pradesh, India, is committed to protecting your privacy and personal data.

This Privacy Policy explains how we collect, use, store, and protect your personal information in compliance with applicable Indian laws.

2. Applicable Laws

This Privacy Policy is governed by the following Indian legislations:

• Information Technology Act, 2000 - Primary legislation for electronic governance and data protection
• IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 - Rules for handling sensitive personal data
• Digital Personal Data Protection Act, 2023 (DPDP Act) - Comprehensive data protection framework
• Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 - Medical record confidentiality requirements
• Consumer Protection Act, 2019 - Consumer rights and data protection

3. Information We Collect

3.1 Personal Information

• Full name and contact details (address, phone, email)
• Date of birth and gender
• Government-issued identification (for certain treatments)
• Emergency contact information

3.2 Sensitive Personal Data (as defined under IT Rules, 2011)

• Medical history and health records
• Allergies and current medications
• Treatment records and progress notes
• Photographs (before/after treatment documentation)
• Payment and financial information

3.3 Technical Information

• IP address and browser type
• Device information and operating system
• Website usage data and cookies

4. Purpose of Data Collection

We collect and process your data for:

• Medical Treatment: Providing safe and effective aesthetic treatments
• Appointment Management: Scheduling and reminders
• Communication: Treatment updates, follow-ups, and inquiries
• Billing: Processing payments and generating GST-compliant invoices
• Legal Compliance: Meeting regulatory requirements
• Quality Improvement: Enhancing our services and patient experience
• Marketing: Promotional communications (with your consent)

5. Consent and Lawful Basis

5.1 Consent Requirements

As per the DPDP Act, 2023 and IT Rules, 2011:

• We obtain explicit written consent before collecting sensitive personal data
• Consent is informed, specific, and freely given
• You have the right to withdraw consent at any time
• Minor's data (below 18 years) requires verifiable parental consent

5.2 Lawful Purposes

We process data only for lawful purposes as defined under Indian law:

• Performance of medical services contracted
• Legitimate interests of the Clinic
• Compliance with legal obligations
• Vital interests (emergency medical care)

6. Data Storage and Security

6.1 Security Measures

We implement reasonable security practices as required under IT (SPDI) Rules, 2011:

• Encrypted storage for sensitive personal data
• Secure access controls and authentication
• Regular security audits and assessments
• Secure physical storage for paper records
• Staff training on data protection

6.2 Data Retention

• Medical Records: Minimum 3 years as per MCI guidelines; may be retained longer for legal purposes
• Financial Records: 8 years as per Income Tax Act requirements
• Marketing Data: Until consent is withdrawn
• Website Analytics: 26 months

7. Data Sharing and Disclosure

7.1 We May Share Your Data With:

• Healthcare Providers: Specialists, laboratories, or hospitals for your treatment
• Payment Processors: Banks and payment gateways (RBI regulated)
• Legal Authorities: When required by law or court order
• Insurance Companies: With your consent, for claim processing

7.2 We DO NOT:

• Sell your personal data to third parties
• Share medical information without consent (except as legally required)
• Transfer data outside India without adequate safeguards

8. Your Rights Under Indian Law

Under the DPDP Act, 2023 and IT Rules, 2011, you have the following rights:

• Right to Access: Obtain information about your data being processed
• Right to Correction: Request correction of inaccurate data
• Right to Erasure: Request deletion of your data (subject to legal retention requirements)
• Right to Withdraw Consent: Withdraw consent for data processing
• Right to Grievance Redressal: Lodge complaints with our Grievance Officer
• Right to Nominate: Nominate another person to exercise your rights

To exercise these rights, contact our Grievance Officer (details below).

9. Cookies and Website Tracking

Our website uses cookies for:

• Essential Cookies: Required for website functionality
• Analytics Cookies: Understanding website usage patterns
• Preference Cookies: Remembering your settings

You can manage cookie preferences through your browser settings. Disabling cookies may affect website functionality.

10. Data Breach Notification

In the event of a data breach affecting your personal data, we will:

• Notify the Data Protection Board of India as required under DPDP Act
• Inform affected individuals without undue delay
• Take immediate remedial measures
• Document the breach and actions taken

11. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for their privacy practices. Please review their privacy policies before providing personal information.

12. Children's Privacy

For patients under 18 years of age:

• We obtain verifiable parental/guardian consent before treatment
• Parents/guardians have access to their child's data
• Special care is taken in processing minors' data

13. Grievance Officer

As required under the IT Act, 2000 and DPDP Act, 2023, we have appointed a Grievance Officer:

If not satisfied, you may approach the Data Protection Board of India established under the DPDP Act, 2023.

14. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be posted on this page with an updated revision date. Significant changes will be communicated via email or website notice.

15. Contact Us