
TheraTreat Privacy & Security Policy

TheraTreat Health Pvt. Ltd. ("TheraTreat") values the privacy and security of all users — clients, therapists, and partners. By using our website, mobile app, or services you agree to the practices described in this policy.

Last Updated: 28 Feb 2026 · Jurisdiction: India (DPDP) · HIPAA Aware

1. Information We Collect

  • Personal Information: Name, age, gender, email, phone, address, IDs (where legally required).
  • Health & Therapy Information: Medical history, therapy goals, assessments, consultation details, prescriptions, uploaded reports.
  • Payment Information: Card / UPI / bank details processed via secure PCI-DSS compliant gateways (we do not store raw card numbers).
  • Technical Information: Device type, IP address, browser, cookies, usage patterns, performance telemetry for reliability.
  • Communications: Messages, calls or session notes (sessions are not recorded unless you explicitly consent).

2. How We Use Your Data

  • Enable booking, consultations, and client–therapist communication.
  • Personalize recommendations & enhance user experience.
  • Process secure payments and generate invoices / receipts.
  • Send reminders, notifications, and occasional offers (opt-out available).
  • Meet legal, ethical, and regulatory obligations.

3. Data Sharing & Disclosure

  • With Therapists: Only relevant information required for therapy delivery.
  • With Payment Partners: For secure transaction processing.
  • With Regulators / Authorities: Where required by applicable law or court order.

We never sell or rent your data to advertisers or unrelated third parties.

4. Data Security & Storage

  • Encryption in transit (TLS) & at rest (provider-managed storage).
  • Role-based & least-privilege access controls.
  • Firewalls, periodic audits, security testing & dependency patching.
  • Secure backups with restricted access.

5. HIPAA-like Safeguards (Global Standard)

  • Confidentiality: No disclosure without consent except emergencies / legal duty.
  • Integrity: Controls to prevent unauthorized changes.
  • Access Controls: Strong authentication & session management.
  • Audit Trails: Logged access & critical actions for compliance review.
  • Breach Notification: Users notified within 72 hours of a confirmed material breach.

6. India's DPDP Act Compliance

  • Consent First: Explicit consent for collection & use.
  • User Rights: Access, correction, withdrawal & deletion supported.
  • Data Fiduciary Responsibility: TheraTreat assumes accountability for lawful use.
  • Grievance Redressal: Dedicated Data Protection Officer (DPO) contact channel.

6A. GDPR & UK GDPR (EEA / UK Users)

TheraTreat is based in India and does not currently target or actively offer services to individuals in the European Economic Area (EEA) or the United Kingdom. Where we nonetheless process the personal data of individuals located in the EEA or UK, we apply the principles of the EU General Data Protection Regulation (GDPR) and the UK GDPR:

  • Lawful bases: consent (Art 6(1)(a)); performance of your booking / service contract (Art 6(1)(b)); compliance with legal obligations (Art 6(1)(c)); and, for health data, your explicit consent and the provision of health care (Art 9(2)(a) / (h)).
  • Your rights: access, rectification, erasure, restriction, data portability, objection, and withdrawal of consent at any time — exercisable through in-app tools or by contacting our DPO.
  • International transfers: data is processed on secure servers in India; any transfer out of the EEA / UK relies on appropriate safeguards (e.g., Standard Contractual Clauses) or a valid adequacy basis.
  • Supervisory authority: you may lodge a complaint with your local data-protection authority (in the UK, the Information Commissioner's Office).
  • EU / UK representative: if and when we begin offering services to EEA / UK users, we will appoint an Article 27 representative and publish their contact details here.

7. User Rights

  • Request a copy / export of your data.
  • Correct inaccuracies and update profile information.
  • Request deletion (subject to clinical / legal retention requirements).
  • Withdraw consent for non-essential processing.
  • File a complaint with us or escalate to the Data Protection Board of India.

8. Cookies & Tracking

  • Essential: Core session & security functions.
  • Analytics: Performance & feature improvement.
  • Marketing (Optional): Only set with consent.

You can manage or clear cookies in your browser settings. Blocking some may impact functionality.

9. Data Retention

  • Health Records: Retained for at least 3 years (per Indian telemedicine / medical guidelines) unless longer retention is mandated.
  • Other Data: Kept only as long as necessary for service or compliance.
  • Deleted Data: Purged from active systems and removed from backups on lifecycle expiry.

10. International Data Transfers

Data may be processed on secure servers located in India. For cross-border therapist collaboration or infrastructure providers, we apply equivalent contractual and technical safeguards.

11. Children's Privacy

Accounts are not intended for children under 13, and we do not knowingly collect their data. For minors aged 13–17, a parent or guardian must provide consent during sign-up, and pediatric therapy accounts operate under guardian oversight. If you believe a minor has registered without appropriate parental or guardian consent, contact our DPO and we will act on it.

12. Third-Party Services

We integrate vetted third parties (e.g., payment gateways, communications, analytics). Each provider operates under its own privacy terms; we enforce contractual safeguards and minimum necessary data sharing.

13. Your Responsibilities

  • Maintain confidentiality of your login credentials.
  • Avoid sharing exported session notes with unauthorized persons.
  • Report suspicious or unauthorized account activity immediately.

14. Grievance Redressal & Data Protection Officer (DPO)

For any concern about your personal / health data, perceived misuse, breach notification queries, or to exercise a data right, please reach out using the channels below. We aim to acknowledge all legitimate grievances within 48 hours and to provide a substantive response within 15 working days.

Primary Contact (Support / Rights Requests)
📞 +91-8446602680 (Mon–Fri 9:30 AM – 6:30 PM IST)
Data Protection & Escalations
📧 Grievance Officer: grievance@theratreat.in

If you remain unsatisfied after our final response, you may escalate to the Data Protection Board of India under the Digital Personal Data Protection Act, 2023.

For security incidents, please include: a brief description, suspected date/time, any indicators (logs / headers), and impact scope if known.

15. Policy Updates

We may update this Policy periodically. Revised versions will show a new "Last Updated" date. Material changes will be communicated via in-app notification or email. Continued use indicates acceptance.

Privacy Promise

Your trust matters most. We keep sessions private, data safeguarded, and user rights respected. If you believe any aspect of this policy is unclear or incomplete, reach out so we can improve transparency.
If translation differences occur, the English version prevails.