Effective 1 July 2026
Privacy Policy
How AesthatiQ collects, uses, stores, and protects your personal data under the Digital Personal Data Protection Act, 2023 and applicable Indian law.
1. Who we are
AesthatiQ Health Technologies Pvt. Ltd. ("AesthatiQ", "we", "us") operates a discovery and care-coordination platform for aesthetic healthcare in India. For all data-protection queries, contact our Data Protection Officer at dpo@aesthatiq.com.
Grievance Officer: grievance@aesthatiq.com (see our Grievance Redressal Policy). We aim to acknowledge complaints within 7 days and resolve them within 90 days.
2. Data we collect
We collect only what is needed to run the platform:
- Patient data: name, date of birth, gender, mobile number, email, health concerns and medical history you choose to share, clinical photographs (only with separate consent), appointment history, payment references (not full card numbers), delivery address for pharmacy orders, and optional community content.
- Provider data: clinic and doctor credentials, specialisation, consultation fees, pharmacy licence details where applicable, and settlement information.
- Usage data: device type, IP address, session logs, and app diagnostics collected automatically for security and performance.
- AI interaction data: messages to Aadhya and skin analyser inputs/outputs, retained only as described in our AI & Beta Tools policy.
3. Why we use your data
Each category is processed for a specific purpose:
- Booking and care coordination with the clinic or doctor you select.
- Prescription fulfilment through licensed pharmacy partners.
- Payment processing via PayU (PCI-DSS certified payment gateway).
- CRM and lead management via LeadSquared when you book or engage with care pathways.
- Courier tracking via ShipRocket for pharmacy deliveries.
- Clinical photography for consultation tracking — only with explicit photography consent.
- Platform safety, fraud prevention, and legal compliance.
- Marketing — only if you give separate, withdrawable consent.
4. Legal basis and consent
We process personal data based on your consent, contractual necessity (to complete a booking you request), and legal obligations. Consent must be free, specific, informed, and given through a clear affirmative action. We do not use pre-ticked boxes or bundle optional purposes with mandatory booking.
You may withdraw consent at any time from Profile → Settings → Privacy, or by emailing us. Withdrawal does not affect processing that was lawful before withdrawal, or records we must keep by law.
5. Who we share data with
We do not sell personal data. We share data only as needed to deliver the service you requested:
- The clinic and doctor you book — for care provision, under data-processing terms.
- Licensed pharmacy partners — for prescription fulfilment only.
- PayU — payment processing.
- LeadSquared — CRM and lead lifecycle tracking.
- ShipRocket — shipping and tracking for pharmacy orders.
- Clinicea — clinical records and appointments for partner clinics.
- Cloud infrastructure (Supabase and hosting providers) — encrypted storage and application hosting.
6. Retention
We keep data only as long as needed for the purpose for which it was collected, then delete or anonymise it unless law requires longer retention. See our Data Retention summary in section 7 and the Children's Data and Clinical Images policies for category-specific periods.
- Patient profile and health records: up to 7 years after last consultation where medical record rules apply.
- Clinical photographs: for the consent period or up to 3 years after the related appointment.
- Payment records: up to 8 years.
- Appointment history: up to 5 years.
- Aadhya conversation transcripts: 30 days unless shared with your doctor or you request earlier deletion.
- Marketing consent logs: duration of consent plus 2 years for audit.
7. Your rights
Under the DPDP Act, 2023 you may:
- Access a copy of personal data we hold about you.
- Request correction of inaccurate or incomplete data.
- Request erasure, subject to legal retention duties.
- Withdraw consent for optional processing.
- Nominate another person to exercise your rights in case of death or incapacity.
- File a grievance with our Grievance Officer and, if unresolved, with the Data Protection Board of India.
8. Security and breach notification
We use encryption in transit, access controls, row-level database security, and vendor due diligence. No system is perfectly secure.
If a personal data breach affects you, we will notify you without undue delay in plain language, describing what happened, the likely impact, and the steps we are taking. We will report to the Data Protection Board of India within 72 hours of discovery where required by law.
9. Children's data
AesthatiQ is not directed at children under 18. We do not knowingly process a minor's data without verifiable parental or guardian consent. See our Children's Data Policy.
10. Cross-border transfers
Primary processing is intended to remain in India. If any subprocessors process data outside India, we will disclose that in this policy and ensure appropriate safeguards before transfer.
11. Changes
We will update this policy when processing activities change materially and publish the new effective date. Continued use after notice constitutes acceptance of the updated policy where permitted by law.
12. Contact
Privacy & DPO: dpo@aesthatiq.com
General privacy requests: privacy@aesthatiq.com
Grievances: grievance@aesthatiq.com