Privacy Policy

1. Information We Collect

Medical and Health Information

To coordinate your care, we may collect:

• Medical history and records
• Diagnosis, imaging, and pathology reports
• Treatment information and clinical notes
• Prescriptions and medications
• Lab results and test reports
• Consultation notes and doctor correspondence
• Documents you upload (including PDFs, images, and DICOM imaging files) through our intake and case workflow

Personal and Account Information

We collect:

• Full name
• Date of birth
• Email address
• Phone number
• Residential address
• Emergency contact details
• Travel and accommodation preferences
• Visa and passport information where relevant
• Payment or billing information as needed for our coordination services

Automatically Collected Information

When you use our platform, we may automatically collect:

• Device type and browser information
• IP address and approximate location
• Pages visited and interaction data
• Date and time of access

2. Legal Basis for Processing

Under the DPDP Act 2023, the primary legal basis for processing your personal data is your consent, which we obtain before or at the time of data collection. We process your data only for the purposes you have consented to.

For patients in the EEA/UK, we additionally rely on:

• Performance of a contract — to deliver the medical coordination services you have engaged us for
• Legitimate interests — for platform security, fraud prevention, and service improvement
• Legal obligation — to comply with applicable laws and regulations

3. How We Use Your Information

• To facilitate Expert Opinion, Tumor Board Consultation, and treatment planning with doctors and hospitals in India
• To coordinate your case, including medical record organisation, clinical blueprint preparation, and cost estimation
• To arrange teleconsultations, appointments, and follow-up care
• To support travel coordination (visa, accommodation, transport, local support)
• To communicate with you about your case, appointments, and platform updates
• To operate, secure, and improve our platform and services
• To comply with legal and regulatory obligations

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

4. Data Protection Measures

We implement technical and organisational measures to protect your information, including:

• Encryption of data in transit (TLS/SSL) and at rest (AES-256)
• Role-based access controls so only authorised personnel and care teams access your data
• Audit logging of all access to your medical and personal information
• Secure storage and access policies, with regular review of our security practices
• Access monitoring and detection of unauthorised access attempts
• Regular data backups with secure recovery procedures

Your data is shared only with the care team and clinicians involved in your case, based on your consent and as needed to deliver our services.

5. Data Sharing

We may share your information only in these circumstances:

• With your consent, with healthcare providers (doctors, hospitals) and partners involved in your care or travel
• With service providers who assist our platform under strict confidentiality obligations, including:
  • Cloud infrastructure and hosting providers
  • Payment processing services
  • Communication services (email, SMS, video consultation platforms)
  • Healthcare provider partners (hospitals, specialists, diagnostic centres)
• When required by law, court order, or regulatory authority
• Where necessary to prevent serious harm to you or others, or for public health purposes as permitted by law

All third-party service providers are bound by Data Processing Agreements ensuring equivalent data protection standards. We do not sell your personal data to any third party.

6. Your Rights

Under the DPDP Act 2023 and applicable law, you have the right to:

• Access — Obtain a summary of your personal data we hold and the processing activities related to it
• Correction — Request correction of inaccurate or incomplete personal data
• Erasure — Request deletion of your personal data, subject to legal and operational requirements
• Portability — Receive your data in a structured, commonly used, machine-readable format where technically feasible
• Restriction — Request restriction of how we use or disclose your information
• Withdraw consent — Withdraw your consent for data processing at any time (see Section 7 below)
• Nominate — Nominate another individual to exercise your rights in case of your death or incapacity, as provided under the DPDP Act

For patients in the EEA or UK, you may also have the right to:

• Object to processing based on legitimate interests
• Lodge a complaint with a supervisory authority in your jurisdiction

To exercise any of these rights, contact us at contact@ecuretrip.com. We will respond to your request within 72 hours and fulfil it within 30 days.

7. Consent Withdrawal

You may withdraw your consent for data processing at any time by:

• Emailing contact@ecuretrip.com with the subject line "Withdraw Consent"
• Specifying which consent(s) you wish to withdraw (e.g., data collection, sharing with hospitals, marketing)

We will process your withdrawal request within 72 hours and confirm via email. Please note:

• Withdrawal of consent does not affect the lawfulness of processing done before withdrawal
• Certain data may be retained where required by law or for legitimate clinical/operational purposes even after consent withdrawal
• Withdrawal may affect our ability to continue providing coordination services

8. Data Breach Notification

In the event of a personal data breach that may affect your rights, we will:

• Notify the Data Protection Board of India within 72 hours of becoming aware of the breach, as required by the DPDP Act 2023
• Notify affected individuals without unreasonable delay, informing you of the nature of the breach, the data affected, and the steps we are taking
• Take immediate steps to contain, investigate, and remediate the breach
• Document all breaches and remedial actions taken

9. Retention

We retain your information based on the following purpose-specific timelines:

After the retention period expires, your data will be securely erased. Where required by law, we will notify you at least 48 hours before erasure of your personal data, as mandated by the DPDP Rules, 2025.

If you request deletion of your data, we will erase it within 30 days, except where retention is legally required.

10. International Transfers

eCureTrip operates in India and coordinates care with healthcare providers in India. If you are located outside India, your information will be transferred to and processed in India.

We take steps to ensure that such transfers are subject to appropriate safeguards:

• For EEA/UK patients: Standard Contractual Clauses (SCCs) or equivalent mechanisms as required by GDPR
• For all patients: encryption in transit, access controls, and contractual obligations on data recipients

By using our services and providing consent, you acknowledge that your personal and medical data will be transferred to India for processing.

11. Children's Data

Our services are primarily intended for individuals aged 18 and above. For patients under 18 years of age:

• We require verifiable consent from a parent or legal guardian before collecting or processing their data
• We do not target advertising towards children
• A parent or legal guardian must manage the engagement with eCureTrip on behalf of the minor

If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that data promptly.

12. Cookies and Tracking

Our platform may use essential cookies required for the website to function. If we implement analytics or tracking tools, we will:

• Disclose which tools are used and what data they collect
• Provide an option to accept or reject non-essential cookies before they are set
• Update this section accordingly

We may use analytics to improve our services. See our cookie consent banner for details. You can manage your preferences at any time.

13. Grievance Redressal

For any grievances related to your personal data or this Privacy Policy:

1. Contact us at contact@ecuretrip.com with the subject line "Privacy Grievance"
2. We will acknowledge your grievance within 48 hours
3. We will investigate and resolve it within 30 days
4. You will receive a written response with the outcome and any actions taken

If you are not satisfied with our response, you may file a complaint with:

• Data Protection Board of India — as established under the DPDP Act 2023 (details will be updated once the Board is operational)
• Supervisory authority in your jurisdiction (for EEA/UK patients)

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. When we make material changes:

• We will update the "Last updated" date at the top of this page
• We will notify you via email or through our platform at least 30 days before material changes take effect
• Continued use of our services after notification constitutes acceptance of the updated policy

We encourage you to review this policy periodically.

15. Contact

For questions about this Privacy Policy, to exercise your rights, or for any data protection matters:

Email: contact@ecuretrip.com

Phone: +91 92747 21800

Address: eCureTrip HealthTech Pvt. Ltd., Ahmedabad, Gujarat, India