Data Protection

1. Purpose and Commitment

Shakti Digital Health (“Shakti”, “we”, “us”, “our”) is committed to protecting the confidentiality, integrity, and availability of all personal and health-related data entrusted to us.

As a digital healthcare platform handling highly sensitive medical information — including reproductive, sexual, mental health, and diagnostic data — we implement strict technical, organizational, and administrative safeguards to ensure the highest standards of data protection.

This Policy outlines how we protect, process, store, and secure personal data in compliance with applicable Indian laws.

2. Regulatory Framework

Shakti’s data protection framework aligns with:

Digital Personal Data Protection Act, 2023
Information Technology Act, 2000
Applicable IT Rules relating to Sensitive Personal Data
Telemedicine Practice Guidelines issued under Indian medical regulations
Applicable healthcare confidentiality standards

Where global best practices exceed statutory minimums, we endeavor to adopt higher standards.

3. Categories of Data Processed

Shakti’s data protection framework aligns with:

A. Personal Identification Data

Name
Age
Gender
Contact details
Government-issued ID (where required)

B. Sensitive Health Data

Medical history
Consultation notes
Fertility and reproductive health records
Sexual health information
Mental health assessments
Prescriptions
Lab reports
Imaging results
Treatment plans

C. Financial Data

Payment information (processed via secure payment partners)

D. Technical & Usage Data

Device identifiers
IP addresses
Session logs
Communication metadata

Sensitive health data is treated as high-risk data and subject to enhanced safeguards.

4. Core Data Protection Principles

Shakti operates under the following principles:

Lawfulness & Transparency
Purpose Limitation
Data Minimization
Accuracy
Storage Limitation
Integrity & Confidentiality
Accountability

We collect only what is necessary for clinical care and regulatory compliance.

5. Legal Basis for Processing

We process data on the basis of:

Explicit patient consent
Medical necessity
Contractual obligation
Compliance with legal and regulatory requirements
Legitimate business interest (limited to operational purposes)

Explicit consent is obtained before processing sensitive health data.

6. Data Security Architecture

Shakti implements multi-layered security controls, including but not limited to:

A. Encryption

Data encrypted in transit using secure protocols (TLS/SSL)
Data encrypted at rest where technically feasible

B. Access Controls

Role-based access management
Strict doctor-to-patient record access limitation
Multi-factor authentication for administrative access
Periodic access review audits

C. Infrastructure Security

Secure cloud hosting environments
Firewall protection
Intrusion detection systems
Secure API architecture

D. Logging & Monitoring

Access logs for all medical record interactions
Audit trails for data modification
Real-time anomaly detection (where available)

7. Data Retention Policy

Medical records are retained in accordance with:

Telemedicine record retention requirements
Applicable Indian medical regulations
Legal limitation periods

Data is securely deleted or anonymized once retention obligations expire.

Deletion is irreversible and performed using secure erasure standards.

8. Patient Rights

Subject to applicable laws, patients have the right to:

Access their data
Request correction of inaccurate data
Withdraw consent (where applicable)
Request deletion (subject to legal retention requirements)
Lodge complaints with the designated Grievance Officer

Requests are processed within legally mandated timelines.

9. Data Sharing & Third-Party Processors

Shakti may share data only with:

Consulting Registered Medical Practitioners
Diagnostic laboratories (with consent)
Payment processors
Cloud hosting providers
Regulatory authorities (when legally required)

All third-party vendors:

Sign confidentiality agreements
Execute Data Processing Agreements
Maintain security standards equivalent to ours
Are restricted from using data for independent purposes

We do not sell or rent patient data.

10. Cross-Border Data Transfers

If data is processed or stored outside India (for example, via cloud infrastructure), we ensure

Adequate safeguards are implemented
Contracts with data processors include data protection clauses
Transfers comply with DPDP Act and applicable regulations

11. Data Breach Response Plan

In the event of a suspected or confirmed data breach:

Immediate containment measures are implemented.
A formal internal investigation is initiated.
Regulatory authorities are notified where required.
Affected individuals are informed where legally mandated.
Corrective measures are implemented to prevent recurrence.

We maintain an internal incident response protocol for such events.

12. Internal Governance & Accountability

Shakti maintains:

Designated Data Protection Responsibility
Internal security policies
Periodic compliance reviews
Employee confidentiality agreements
Staff training on handling sensitive medical data

Only authorized personnel are permitted to handle patient information.

13. Children’s Data

If services are provided to minors, verifiable parental or guardian consent will be obtained prior to data processing.

14. Data Minimization & Purpose Restriction

We do not:

Collect unnecessary medical data
Use medical data for marketing without explicit consent
Retain inactive accounts beyond regulatory necessity

Health data is used solely for clinical care and platform operation.

15. Security Limitations

While we implement robust security measures, no system can guarantee absolute security. Users are encouraged to:

Maintain secure passwords
Avoid sharing login credentials
Use secure networks when accessing the Platform

16. Policy Updates

This Policy may be updated periodically to reflect:

Legal changes
Technological advancements
Operational improveme

Updated versions will be published on the Platform.