- Category of Personal Data
- Identity & Contact
- Specific Data Points
- Full name, date of birth, gender, phone number, email address, residential address, profile photo
- Source
- Provided by you at registration
- Purpose
- Account creation, appointment booking, communication
Privacy Policy
Effective May 1, 2026 · Last updated May 1, 2026 · Version 1.0 · Republic of India
Healthcare CRM & Telemedicine Platform
IMPORTANT: Please read this document carefully before using the Platform. By accessing or using any part of the Platform, you agree to be bound by the terms set out in this document. If you do not agree, please discontinue use immediately.
1. Who We Are & How to Contact Us
unTaboo (“Company”, “we”, “us”, “our”) is a healthcare technology company registered under the Companies Act, 2013, providing a telemedicine and healthcare CRM platform that connects patients with doctors, therapists, and health coaches.
- Registered Address: House No. 4075, Sector 68 Mohali, SAS Nagar, Punjab. PIN code - 160062, India
- Data Protection Officer: [DPO Name], dpo@untaboo.com, +91 [Phone]
- Privacy Enquiries: privacy@untaboo.com
- CIN: U21003PB2024PTC060910
This Privacy Policy applies to all users of the Platform including patients, doctors, therapists, health coaches, staff, HR administrators, finance teams, and any other registered users. Different categories of data are collected depending on your role.
2. Definitions
In this Privacy Policy, the following terms have the meanings set out below:
- “Data Principal”
- The individual to whom Personal Data relates — in most cases, you, the user.
- “Data Fiduciary”
- The Company — the entity that determines the purpose and means of processing your Personal Data.
- “Personal Data”
- Any data about an individual who is identifiable by or in relation to such data, including name, contact details, financial information, and health information.
- “Sensitive Personal Data or Information (SPDI)”
- Personal data defined as sensitive under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including passwords, financial information, physical/physiological/mental health conditions, biometric data, and medical records.
- “Protected Health Information (PHI)”
- Health-related Personal Data including diagnoses, clinical notes, treatment plans, prescriptions, lab results, and session recordings that relate to the physical or mental health of an identifiable individual.
- “Processing”
- Any operation performed on Personal Data, including collection, storage, use, disclosure, sharing, transfer, or erasure.
- “Consent”
- A free, specific, informed, unconditional, and unambiguous indication of agreement to the processing of Personal Data, given through a clear affirmative action.
- “Platform”
- The web application, mobile application, and API services operated by the Company, including all features described in these terms.
3. Personal Data We Collect
We collect the following categories of personal data, depending on your role and how you use the Platform:
| Category of Personal Data | Specific Data Points | Source | Purpose |
|---|---|---|---|
| Identity & Contact | Full name, date of birth, gender, phone number, email address, residential address, profile photo | Provided by you at registration | Account creation, appointment booking, communication |
| Health / Medical (PHI) | Medical history, current conditions, diagnoses, prescriptions, clinical notes, chief complaints, lab test results (Thyrocare reports), treatment plans, therapy session notes, recorded consultations (audio/video) | Provided by you or your treating doctor during use | Clinical care delivery, treatment planning, medical records |
| Financial | Razorpay order ID, payment ID, transaction history, invoice details, refund records. We do not store card numbers, CVVs, or bank account credentials. | Generated during payment transactions | Billing, invoicing, payment reconciliation |
| Employment / HR (Staff only) | Employee ID, designation, department, salary details, payslips, attendance records, leave history, bank account number (for payroll), KYC documents, PAN/Aadhaar number | Provided by employer (us) or by you as an employee | Payroll processing, HR management, compliance |
| Appointment & Usage | Appointment dates and times, doctor selected, appointment type (consultation/session/discovery), join/cancellation records, session recordings (with consent) | Generated automatically during use | Service delivery, quality assurance, clinical continuity |
| Communication | Inbound/outbound call logs via Acefone, SMS records, chat messages, email correspondence, lead notes and journal entries | Generated during Platform interactions | Customer support, care coordination, sales follow-up |
| Technical | IP address, device type, browser/app version, session tokens, cookie data, API request logs (without PHI payload values) | Automatically collected | Security, fraud prevention, debugging, rate limiting |
| Shipping / Delivery | Delivery address, pincode, shipment tracking ID (Shiprocket) | Provided by you when ordering products | Order fulfilment and delivery |
| Lab Orders | Pincode, preferred slot, lab test selection, sample collection address (for Thyrocare home collection) | Provided by you when booking lab tests | Diagnostic test booking and coordination |
- Category of Personal Data
- Health / Medical (PHI)
- Specific Data Points
- Medical history, current conditions, diagnoses, prescriptions, clinical notes, chief complaints, lab test results (Thyrocare reports), treatment plans, therapy session notes, recorded consultations (audio/video)
- Source
- Provided by you or your treating doctor during use
- Purpose
- Clinical care delivery, treatment planning, medical records
- Category of Personal Data
- Financial
- Specific Data Points
- Razorpay order ID, payment ID, transaction history, invoice details, refund records. We do not store card numbers, CVVs, or bank account credentials.
- Source
- Generated during payment transactions
- Purpose
- Billing, invoicing, payment reconciliation
- Category of Personal Data
- Employment / HR (Staff only)
- Specific Data Points
- Employee ID, designation, department, salary details, payslips, attendance records, leave history, bank account number (for payroll), KYC documents, PAN/Aadhaar number
- Source
- Provided by employer (us) or by you as an employee
- Purpose
- Payroll processing, HR management, compliance
- Category of Personal Data
- Appointment & Usage
- Specific Data Points
- Appointment dates and times, doctor selected, appointment type (consultation/session/discovery), join/cancellation records, session recordings (with consent)
- Source
- Generated automatically during use
- Purpose
- Service delivery, quality assurance, clinical continuity
- Category of Personal Data
- Communication
- Specific Data Points
- Inbound/outbound call logs via Acefone, SMS records, chat messages, email correspondence, lead notes and journal entries
- Source
- Generated during Platform interactions
- Purpose
- Customer support, care coordination, sales follow-up
- Category of Personal Data
- Technical
- Specific Data Points
- IP address, device type, browser/app version, session tokens, cookie data, API request logs (without PHI payload values)
- Source
- Automatically collected
- Purpose
- Security, fraud prevention, debugging, rate limiting
- Category of Personal Data
- Shipping / Delivery
- Specific Data Points
- Delivery address, pincode, shipment tracking ID (Shiprocket)
- Source
- Provided by you when ordering products
- Purpose
- Order fulfilment and delivery
- Category of Personal Data
- Lab Orders
- Specific Data Points
- Pincode, preferred slot, lab test selection, sample collection address (for Thyrocare home collection)
- Source
- Provided by you when booking lab tests
- Purpose
- Diagnostic test booking and coordination
We never collect Aadhaar biometric data, and we do not store raw payment card data (card numbers, CVVs, expiry dates). All payments are processed directly by Razorpay under their PCI-DSS compliant infrastructure. We receive only a payment reference ID and status.
4. How and Why We Use Your Data — Legal Basis & Retention
Every processing activity we perform has a documented legal basis under the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023 (DPDP Act), and applicable sector regulations:
| Processing Activity | Legal Basis (IT Act / DPDP Act 2023) | Retention Period |
|---|---|---|
| Account registration and management | Consent (Section 43A IT Act; DPDP s.6) | Duration of account + 3 years post-closure |
| Clinical notes, diagnoses, treatment plans (PHI) | Consent + Legal obligation (DISHA; MCI guidelines) | Minimum 7 years from last clinical interaction |
| Appointment booking and video consultations | Consent; Performance of contract | 2 years from appointment date |
| Appointment recording (audio/video) | Explicit separate consent captured before recording | As agreed at consent; max 7 years |
| Payment processing via Razorpay | Performance of contract; Legal obligation (RBI guidelines) | 7 years (Companies Act 2013 s.128) |
| Payroll and salary processing (staff) | Legal obligation (Payment of Wages Act; Income Tax Act) | 7 years from financial year end |
| Acefone call logs and recordings | Legitimate interest (quality assurance); Consent where required | 90 days for call logs; 1 year for recordings |
| Marketing communications and campaigns | Consent (opt-in only) | Until consent withdrawn |
| Security logging and fraud detection | Legitimate interest; Legal obligation | 12 months online; 7 years archived |
| Lab test results (Thyrocare) | Consent; Performance of contract | 7 years (medical record obligation) |
| Shipping information (Shiprocket) | Performance of contract | 2 years from delivery date |
- Processing Activity
- Account registration and management
- Legal Basis (IT Act / DPDP Act 2023)
- Consent (Section 43A IT Act; DPDP s.6)
- Retention Period
- Duration of account + 3 years post-closure
- Processing Activity
- Clinical notes, diagnoses, treatment plans (PHI)
- Legal Basis (IT Act / DPDP Act 2023)
- Consent + Legal obligation (DISHA; MCI guidelines)
- Retention Period
- Minimum 7 years from last clinical interaction
- Processing Activity
- Appointment booking and video consultations
- Legal Basis (IT Act / DPDP Act 2023)
- Consent; Performance of contract
- Retention Period
- 2 years from appointment date
- Processing Activity
- Appointment recording (audio/video)
- Legal Basis (IT Act / DPDP Act 2023)
- Explicit separate consent captured before recording
- Retention Period
- As agreed at consent; max 7 years
- Processing Activity
- Payment processing via Razorpay
- Legal Basis (IT Act / DPDP Act 2023)
- Performance of contract; Legal obligation (RBI guidelines)
- Retention Period
- 7 years (Companies Act 2013 s.128)
- Processing Activity
- Payroll and salary processing (staff)
- Legal Basis (IT Act / DPDP Act 2023)
- Legal obligation (Payment of Wages Act; Income Tax Act)
- Retention Period
- 7 years from financial year end
- Processing Activity
- Acefone call logs and recordings
- Legal Basis (IT Act / DPDP Act 2023)
- Legitimate interest (quality assurance); Consent where required
- Retention Period
- 90 days for call logs; 1 year for recordings
- Processing Activity
- Marketing communications and campaigns
- Legal Basis (IT Act / DPDP Act 2023)
- Consent (opt-in only)
- Retention Period
- Until consent withdrawn
- Processing Activity
- Security logging and fraud detection
- Legal Basis (IT Act / DPDP Act 2023)
- Legitimate interest; Legal obligation
- Retention Period
- 12 months online; 7 years archived
- Processing Activity
- Lab test results (Thyrocare)
- Legal Basis (IT Act / DPDP Act 2023)
- Consent; Performance of contract
- Retention Period
- 7 years (medical record obligation)
- Processing Activity
- Shipping information (Shiprocket)
- Legal Basis (IT Act / DPDP Act 2023)
- Performance of contract
- Retention Period
- 2 years from delivery date
After the applicable retention period expires, Personal Data is securely deleted or anonymised in accordance with our Data Retention and Disposal Procedure. Anonymised, aggregated data may be retained indefinitely for research and analytics.
5. Third-Party Service Providers (Data Processors)
We share your Personal Data with the following third-party processors strictly to deliver the services you have requested. All processors are bound by data processing agreements that require them to protect your data to at least the same standard as this Policy:
| Processor | Service | Data Shared | Country | Safeguard |
|---|---|---|---|---|
| Razorpay Software Pvt. Ltd. | Payment gateway — order creation, verification, refunds | Name, phone, email, payment amount, order ID. NO card data shared with us. | India | RBI-regulated payment aggregator; PCI-DSS compliant |
| Thyrocare Technologies Ltd. | Diagnostic lab test booking, sample collection, report delivery | Name, phone, address, pincode, test selection, DOB | India | NABL-accredited lab; bound by contractual PHI protections |
| Shiprocket (Bigfoot Retail Solutions Pvt. Ltd.) | Shipping and courier management for product orders | Name, delivery address, phone number, pincode | India | Contractual data processing agreement |
| Acefone (Telcom Group) | VoIP call dialer for outbound patient/lead calls; inbound call management | Phone number, call duration, call recording (where consented) | India / UK | Contractual DPA; call data stored on Indian servers |
| Amazon Web Services (AWS) | Cloud hosting — servers, databases, storage (ap-south-1 primary, ap-south-2 DR) | All Platform data at rest and in transit | India | ISO 27001; SOC 2; AWS DPA; data stays within India |
| Google (Firebase / FCM) | Push notification delivery to mobile devices | Device token, notification content (no PHI in notifications) | USA | Standard Contractual Clauses; notification content does not include PHI |
- Processor
- Razorpay Software Pvt. Ltd.
- Service
- Payment gateway — order creation, verification, refunds
- Data Shared
- Name, phone, email, payment amount, order ID. NO card data shared with us.
- Country
- India
- Safeguard
- RBI-regulated payment aggregator; PCI-DSS compliant
- Processor
- Thyrocare Technologies Ltd.
- Service
- Diagnostic lab test booking, sample collection, report delivery
- Data Shared
- Name, phone, address, pincode, test selection, DOB
- Country
- India
- Safeguard
- NABL-accredited lab; bound by contractual PHI protections
- Processor
- Shiprocket (Bigfoot Retail Solutions Pvt. Ltd.)
- Service
- Shipping and courier management for product orders
- Data Shared
- Name, delivery address, phone number, pincode
- Country
- India
- Safeguard
- Contractual data processing agreement
- Processor
- Acefone (Telcom Group)
- Service
- VoIP call dialer for outbound patient/lead calls; inbound call management
- Data Shared
- Phone number, call duration, call recording (where consented)
- Country
- India / UK
- Safeguard
- Contractual DPA; call data stored on Indian servers
- Processor
- Amazon Web Services (AWS)
- Service
- Cloud hosting — servers, databases, storage (ap-south-1 primary, ap-south-2 DR)
- Data Shared
- All Platform data at rest and in transit
- Country
- India
- Safeguard
- ISO 27001; SOC 2; AWS DPA; data stays within India
- Processor
- Google (Firebase / FCM)
- Service
- Push notification delivery to mobile devices
- Data Shared
- Device token, notification content (no PHI in notifications)
- Country
- USA
- Safeguard
- Standard Contractual Clauses; notification content does not include PHI
We do not sell your Personal Data to any third party. We do not share your data with advertisers. We do not use your data for any purpose incompatible with the purposes for which it was collected without obtaining fresh consent.
6. Consent — Collection, Scope & Withdrawal
6.1 How We Obtain Consent
- Registration: by completing registration you consent to collection and use of identity and contact data for account management purposes.
- Clinical data: a separate, explicit consent is presented before any clinical note, diagnosis, or treatment plan is created under your profile. This consent is captured in our system and timestamped.
- Appointment recording: an additional, specific consent is displayed and recorded before any consultation recording begins. Recording does not start until consent is confirmed (
/api/appointments/recording/consent/). - Marketing: promotional communications require a separate opt-in. You will never receive marketing emails or SMS without having explicitly opted in.
- Cookies: a cookie consent banner is displayed on first use of the web application. You may accept, reject, or customise cookie preferences at any time.
6.2 Withdrawal of Consent
- You may withdraw consent for any processing activity at any time through your Account Settings > Privacy, or by emailing privacy@untaboo.com.
- Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
- Where processing is necessary for the performance of a contract (e.g., delivering your appointment) or required by law (e.g., retaining medical records for 7 years), we may be unable to delete the relevant data even upon withdrawal of consent. We will inform you clearly if this applies.
- Withdrawal of consent to clinical data processing may mean we are unable to provide healthcare services to you. We will notify you of this consequence before processing your withdrawal.
7. Children's Privacy
The Platform is intended for users aged 18 and above. We do not knowingly collect Personal Data from children under the age of 18 without verifiable parental or guardian consent.
Where a minor (under 18) requires healthcare services through the Platform, their account must be created and managed by a parent or legal guardian. The parent/guardian is the Data Principal for all data relating to the minor and is responsible for all consents.
If you believe we have inadvertently collected data from a child without appropriate consent, please contact us immediately at privacy@untaboo.com. We will investigate and delete such data promptly.
8. Data Security
8.1 Technical Safeguards
- Encryption at rest: all data stored on AWS RDS, S3, and EBS is encrypted using AES-256 with AWS KMS-managed keys.
- Encryption in transit: all data in transit is protected by TLS 1.2 or higher. HTTP connections are rejected.
- Access control: role-based access control (RBAC) ensures staff can only access the minimum data required for their function.
- PHI access logging: every access to clinical notes, diagnoses, and treatment plans generates an immutable audit log entry recording the user, timestamp, and patient record accessed.
- Appointment recordings: stored as encrypted chunks in AWS S3 with presigned URLs (15-minute expiry). Temporary files are deleted immediately after processing.
- JWT authentication: all API access requires a time-limited JSON Web Token (maximum 15-minute expiry) signed with an RS256 asymmetric key.
- Penetration testing: the Platform undergoes external penetration testing annually and after major releases.
8.2 Organisational Safeguards
- All staff handling PHI or SPDI complete mandatory data protection training annually.
- Access to production systems requires multi-factor authentication (MFA).
- Third-party processors undergo security due diligence before onboarding and are audited annually.
- A documented Incident Response Plan ensures breaches are contained, investigated, and notified within required timeframes.
8.3 In the Event of a Data Breach
If we suffer a data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant regulatory authority (CERT-In for cyber incidents; Data Protection Board under DPDP Act) within 72 hours of becoming aware of the breach.
- Notify affected Data Principals without undue delay when the breach is likely to result in high risk to them.
- Provide clear information on: the nature of the breach, the data affected, the likely consequences, and the steps we are taking to address the breach.
To report a suspected security vulnerability, please email security@untaboo.com.
9. Cookies and Tracking
| Cookie Type | Purpose | Duration | Can You Opt Out? |
|---|---|---|---|
| Strictly Necessary | Session management, CSRF protection, JWT cookie (_auth). Required for the Platform to function. | Session / 7 days | No — required for service |
| Functional | Remember your language, timezone, and display preferences. | 1 year | Yes — via Cookie Settings |
| Analytics | Anonymised usage analytics (page views, feature usage) to improve the Platform. No PHI is included. | 90 days | Yes — via Cookie Settings |
| Marketing | Used only if you opt into marketing communications. Tracks campaign performance. | 30 days | Yes — opt out anytime |
- Cookie Type
- Strictly Necessary
- Purpose
- Session management, CSRF protection, JWT cookie (_auth). Required for the Platform to function.
- Duration
- Session / 7 days
- Can You Opt Out?
- No — required for service
- Cookie Type
- Functional
- Purpose
- Remember your language, timezone, and display preferences.
- Duration
- 1 year
- Can You Opt Out?
- Yes — via Cookie Settings
- Cookie Type
- Analytics
- Purpose
- Anonymised usage analytics (page views, feature usage) to improve the Platform. No PHI is included.
- Duration
- 90 days
- Can You Opt Out?
- Yes — via Cookie Settings
- Cookie Type
- Marketing
- Purpose
- Used only if you opt into marketing communications. Tracks campaign performance.
- Duration
- 30 days
- Can You Opt Out?
- Yes — opt out anytime
We do not use cross-site tracking cookies. We do not serve third-party advertising cookies. Analytics data is anonymised before storage.
10. International Data Transfers
We are an Indian company and our primary data centre is located in AWS ap-south-1 (Mumbai, India). Our DR data centre is in AWS ap-south-2 (Hyderabad, India). All personally identifiable data and all PHI remains within India at all times.
Limited technical data (device tokens for push notifications) is processed by Google Firebase, which may involve transfer to servers outside India. We rely on Standard Contractual Clauses and Google's Data Processing Addendum for this transfer. Notification payloads do not include Personal Data or PHI.
We will never transfer your health data, financial data, or identity data outside India without your explicit consent and appropriate legal safeguards.
11. Your Rights
Under the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000, you have the following rights with respect to your Personal Data:
| Your Right | What It Means | How to Exercise |
|---|---|---|
| Right of Access | Obtain a copy of all personal data we hold about you | Submit a request to privacy@untaboo.com; we respond within 30 days |
| Right to Correction | Correct inaccurate or incomplete personal data | Update directly in your profile settings, or submit a correction request |
| Right to Erasure | Request deletion of your personal data (subject to legal retention obligations) | Submit a deletion request; we will inform you of any data we are legally required to retain |
| Right to Data Portability | Receive your data in a structured, machine-readable format | Request via privacy@untaboo.com; we provide JSON/CSV export within 30 days |
| Right to Withdraw Consent | Withdraw any consent given at any time (does not affect prior processing) | Use in-app consent settings, or email privacy@untaboo.com |
| Right to Grievance Redressal | File a complaint with our Data Protection Officer if unsatisfied | Email dpo@untaboo.com; response within 15 business days |
| Right to Nominate | Nominate an individual to exercise rights on your behalf in the event of your incapacity or death | Submit written nomination to dpo@untaboo.com |
To exercise any of the above rights, please email dpo@untaboo.com with the subject line “Data Rights Request — [Your Name]”. We will verify your identity before processing the request and respond within 30 days. Complex requests may take up to 45 days; we will notify you if additional time is required.
If you are not satisfied with our response, you have the right to file a complaint with the Data Protection Board of India, once constituted, or approach the appropriate court of law.
12. Data Retention
We retain Personal Data only for as long as necessary for the purpose for which it was collected, or as required by law. The key retention periods are:
- Medical records (PHI): minimum 7 years from last clinical interaction, per Medical Council of India guidelines and DISHA.
- Financial records (payments, invoices, payroll): 7 years from the relevant financial year end, per Companies Act 2013 s.128 and Income Tax Act.
- Appointment and call records: 2 years.
- Marketing consent and communication records: 3 years from last interaction or consent withdrawal.
- Security and access logs: 12 months online, 7 years archived.
- Inactive accounts: if your account has had no activity for 3 consecutive years, we will notify you by email and delete the account 90 days thereafter, subject to any legal retention obligations.
Upon the expiry of the applicable retention period, your Personal Data is securely deleted or irreversibly anonymised. Deletion requests do not override legal retention obligations; we will inform you clearly if this applies to your request.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in law, technology, our services, or our data practices. When we make material changes we will:
- Update the “Effective Date” at the top of this document.
- Notify registered users by email at least 30 days before the new policy takes effect.
- Display a prominent notice on the Platform.
- Where required by law, obtain fresh consent for any new processing activities.
Your continued use of the Platform after the effective date constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you must stop using the Platform and may request account deletion.
14. Governing Law & Grievance Redressal
This Privacy Policy is governed by and construed in accordance with the laws of India, including the Information Technology Act, 2000; the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; the Digital Personal Data Protection Act, 2023; and applicable sector regulations including DISHA.
Any disputes arising out of this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of New Delhi, India.
Grievance Officer
- Name: [Grievance Officer Name]
- Email: grievance@untaboo.com
- Phone: +91 [Phone Number]
Grievances will be acknowledged within 24 hours and resolved within 30 days of receipt, as required by Rule 5(9) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
15. Document History
| Version | Effective Date | Summary of Changes |
|---|---|---|
| 1.0 | May 1, 2026 | Initial publication |
- Version
- 1.0
- Effective Date
- May 1, 2026
- Summary of Changes
- Initial publication