TheraTreat Data Security Policy

• All sensitive data (health records, therapy notes, payment info) is encrypted using AES‑256.
• Data is encrypted in transit via HTTPS/TLS 1.3 and at rest in secure storage.
• Payment transactions are processed by PCI‑DSS compliant gateways (e.g., Razorpay).

• We process personal data only for clear, lawful purposes related to therapy and operations.
• Consent is obtained before collecting personal or health information.
• You may access, correct, update, or request deletion of your data.
• A Data Protection Officer (DPO) oversees compliance and responds to requests.

• Only authorised personnel (therapists, clinics, and you) can access relevant data.
• MFA is required for therapists and clinics; session controls and activity logging enforced.
• Periodic access reviews keep privileges current and minimal.

• Hosted on ISO 27001 certified providers with regular vulnerability scans.
• Firewalls, intrusion detection, and real‑time monitoring safeguard systems.
• Regular security audits and penetration testing ensure ongoing protection.

• Health and therapy data is stored only for required durations and service continuity.
• You may request deletion at any time, subject to legal requirements.
• Deleted data is irreversibly removed from live and backup systems per schedule.

In the unlikely event of a data breach:

• Users will be informed promptly.
• Corrective measures will be taken immediately.
• Authorities will be notified as required by the DPDP Act.

• Use strong passwords and don’t share your credentials.
• Log out after using shared devices.
• Report suspicious activity immediately at security@theratreat.com.

For details on personal data handling, see our Privacy Policy. For platform‑wide policies (accessibility, cancellation, etc.), visit Policies.