Privacy Policy

The website 'www.minddhara.com' and all other associated/ancillary websites, products and services ("Website/Platform") are property of and managed by MindDhara Pvt Ltd, a company incorporated under the Companies Act, 2013 having their registered office address at Flat No-102, Tower-25, Palm Hills, Sector-77, Narsinghpur, Gurgaon, Haryana – 122004 (hereinafter referred to as "Company" which expression shall, unless it be repugnant to the context thereof, be deemed to include permitted successors and assigns).

For the purposes of this Privacy Policy, accessing of and/or using the Platform to avail various mental health, mentorship, and professional development services as provided on the Website or accessing the credentials and/or information of the services made available or disseminated or uploaded therein, including all information, tools and services made available shall hereinafter collectively be referred to as the "Services".

As used herein, "Users" shall mean anyone who uses or accesses the Services/Platform on any computer, mobile phone, tablet, or other device. You are encouraged to read this Privacy Policy regarding the collection, use, and disclosure of your information from time to time to keep yourself updated with the changes & updates that are made to this Policy.

The Privacy Policy covers the products and services provided through the Platform. The products and services provided by third-party affiliate or partner platforms are not covered under this Policy. Where the User faces any difficulty or has any query related to the services of such third parties, they may refer to their respective Privacy Policies available on their sites.

This Policy forms an electronic contract within the provisions of the Information Technology Act, 2000 ("IT Act"), the rules made thereunder and the amended provisions pertaining to electronic documents/records in various statutes as amended by the IT Act, from time to time. This Policy does not require any physical, electronic or digital signature. This Policy shall, at all times, be read and construed in consonance and along with the Terms and Conditions of use and access of the Platform ("T&C").

The Company shall not differentiate between who is using the device to access the Platform, so long as the login/access credentials match with yours. In order to make the best use of the Platform and enable your Information to be captured accurately, it is essential that you have logged in using your own credentials. This Policy highlights inter alia the type of data shared/collected from a User in the course of the User's usage of the Platform. The Policy further intends to apprise the User of the purposes for which the data of the User is collected and the Platform's policy with regard to sharing such personal information with third-party entities. The terms "We"/ "Us"/ "Our" individually and collectively refer to and are synonymous with the term 'the Company' and the terms "You"/"Your"/"Yourself" are to be construed to be synonymous with the term 'User'. All defined terms used within this Policy but not specifically defined herein shall draw their meaning from the definition ascribed to such term under the T&C.

1. Consent

By accessing or using the Platform, providing your Personal Information, or making a payment to the Company, you signify that you have read, understood and agreed to the collection, storage, processing, disclosure and transfer of your Personal Information in accordance with the provisions of this Privacy Policy and under applicable law. Where the User is below 18 years of age, the parent or legal guardian of such User shall provide informed consent digitally at the time of registration on behalf of the child or young person, for the receipt of mental health and related services through the Platform and to the collection, storage, processing, disclosure and transfer of their Personal Information in accordance with this Privacy Policy.

The User acknowledges that Personal Information is being provided out of free will, either directly to the Company or through a third-party platform or organisation. The User has the option to not provide the Personal Information sought to be collected. The User may also withdraw consent at any point in time by writing to the Company at hello@minddhara.com. Where the User is accessing the Platform through a third-party platform or organisation, withdrawal of consent must be communicated to such third party or organisation in writing, who shall then notify the Company to take appropriate action. The Company may subsequent to such withdrawal of consent, at its sole discretion, continue or discontinue the provision of its Services to such User. Where the Company introduces newsletter or promotional communications in the future, such communications shall be sent only upon obtaining prior consent from the User, which may be withdrawn at any time by writing to hello@minddhara.com.

2. Legal Basis for Processing

The Company processes your Personal Information on the following legal grounds:

• Your Consent: The Company relies on your explicit consent as the primary legal basis for the collection, storage, processing, disclosure and transfer of your Personal Information. Such consent is obtained at the time of registration on the Platform. In respect of sensitive personal data, including any health-related information, a separate and explicit opt-in consent shall be obtained prior to the collection of such data. You may withdraw your consent at any time in accordance with the provisions of the Consent section of this Policy.
• Contractual Necessity: Certain Personal Information is necessary for the Company to deliver the Services you have subscribed to or paid for. Where such Information is not provided, the Company may be unable to fulfil its contractual obligations to the User.
• Legal Obligation: The Company may collect, retain or disclose certain Personal Information where required to do so under applicable Indian law, including but not limited to the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, the Mental Healthcare Act, 2017, and applicable financial record-keeping requirements under the Income Tax Act, 1961 and the Goods and Services Tax Act.
• Legitimate Interest: The Company may process certain limited categories of Personal Information on the basis of its legitimate interests, including fraud prevention, platform security, and internal reporting, provided that such interests are not overridden by the fundamental rights and freedoms of the User.

Where the Company processes the personal data of individuals located in the European Union or the United Kingdom, it does so on the following legal bases under the General Data Protection Regulation (GDPR): consent (Article 6(1)(a) and Article 9(2)(a)) for the collection of sensitive health data and for marketing communications; performance of a contract (Article 6(1)(b)) for the delivery of Services; compliance with a legal obligation (Article 6(1)(c)) for data retained under applicable law; and legitimate interests (Article 6(1)(f)) for fraud prevention, platform security, and internal reporting.

DPDP Act Compliance Note: Processing of sensitive personal data, including any health, mental health, or clinical information, requires the User's explicit opt-in consent under the DPDP Act, 2023. The Company shall never process sensitive personal data on the basis of implied or assumed consent. The User shall always be given the opportunity to review and explicitly accept the Company's Sensitive Data Processing Notice before any such data is collected. The Company's Sensitive Data Processing Notice is presented to the User as a separate and explicit step during the registration process, prior to the commencement of any MindDhara Couch service, and must be expressly accepted before any sensitive personal data is collected.

3. Sensitive Data and Confidentiality

MindDhara recognises that mental health information is among the most sensitive categories of personal data. The Company applies the highest standard of care and protection to any sensitive personal data that passes through the Platform.

• Access Controls: Session notes, mental health history, diagnoses, clinical observations, and any ancillary data generated in the course of a therapeutic or psychiatric engagement are maintained exclusively by the relevant Practitioners. The Company and its staff have no access to or visibility over such records at any time.
• Not Used for Advertising or Profiling: Sensitive personal data, including any health or mental health information shared by the User on or through the Platform, shall never be used for advertising, marketing, behavioural profiling, or any commercial purpose, directly or indirectly. This prohibition applies without exception.
• Explicit Opt-In Required: The Company shall not collect any sensitive personal data unless and until the User has explicitly opted in by agreeing to the Sensitive Data Processing Notice, which is presented as a separate and distinct step in the Platform flow prior to the commencement of any MindDhara Couch service.
• Confidentiality: All Practitioners operating on the Platform are bound by their respective professional codes of conduct, including the ethical guidelines of the Rehabilitation Council of India (RCI) and the Medical Council of India (MCI), as applicable. The confidentiality of all information disclosed during a therapeutic or psychiatric engagement is the professional responsibility of the relevant Practitioners.
• Session Recording: The recording of any consultation or therapy session conducted through the Platform is strictly prohibited. No session, whether conducted by video, audio, or text, may be recorded by the Company, the Practitioners, or the User, except with the prior express written consent of all parties to the session. The Company does not record any sessions by default and does not store any session recordings on its servers.

4. Collection of Information

The Company may, during the User's usage of the Platform, collect the following personal and non-personal information and such other information from the Users for accessing the Platform ("Information"), as part of the voluntary registration process, any online survey or interaction on the Platform or combination thereof, as may be required from time to time.

• Personal Information: Full name; email address (primary/alternative); phone number (mobile and/or alternative); date of birth; and personal information received from Google through which the User has registered to the Platform, including name, profile picture and email address. The Company does not access any other information associated with the User's Google account.
• Documents Uploaded for MindDhara Forward: Where the User engages with MindDhara Forward (mentorship and career guidance services), the User may upload documents including academic transcripts, Statements of Purpose, CVs, and recommendation letters. These documents are stored on the Company's servers solely for the purpose of facilitating the mentorship or advisory engagement. Such documents and all associated personal data shall be deleted from the Company's servers upon conclusion of the relevant Service, or upon account closure, whichever is earlier.
• MindDhara Couch – Therapist and Counsellor Engagements: Session notes, clinical observations, prescriptions, and any ancillary data generated in the course of a therapeutic or psychiatric engagement are maintained exclusively by the relevant Practitioners and do not reside on the Company's servers.
• MindDhara ATLAS – Research Data: Where the User wishes to participate in applied psychological research conducted through MindDhara ATLAS, separate and explicit consent shall be obtained. Only anonymised and aggregated data is used for such purposes. Research data is never sold, licensed, or shared with commercial third parties.
• Payment Information: The Company collects transactional details including the amount charged, the date of transaction, and the payment method used. The Company does not store full payment card numbers. All payment card data is processed directly by Razorpay Software Private Limited, the Company's PCI-DSS compliant payment gateway provider.
• Technical and Device Data: Internet Protocol (IP) address; browser type and version; device model and operating system; and configuration of the Platform at the time of access.
• Usage Data: Information about how the User interacts with the Platform, including the pages visited, features used, and duration of sessions. This information is collected in aggregated and anonymised form where reasonably practicable.
• Communications: Where the User contacts the Company through email or any feedback mechanism, the Company may collect and retain the content of such communications, solely for the purpose of responding to and resolving the User's communication.

5. Purpose and Use of Information

All Information collected/stored by the Platform shall be used for:

• Identifying and reaching the User in connection with the Services;
• Resolving service and billing problems via email;
• Scheduling appointments with Practitioners and sending reminders;
• Informing the User of the Company's products, services, and where prior consent has been obtained, promotional communications and newsletters;
• Continually improving the existing Platform and service offerings;
• Conducting research and surveys using Information in anonymised form only;
• Implementing necessary security practices to ensure all personal data is protected;
• Administering User accounts in the normal course of business;
• Contacting the User in cases where fraud, illegal activities, or breach of privacy is recorded;
• Enabling Practitioners and Psychiatrists on the Platform to communicate with the User as necessary to provide the Services requested;
• Making disclosures as may be required under applicable law; and
• Processing the User's financial transactions in a timely manner.

6. Who We Share Your Data With

The Company does not sell, rent, or trade your personal data to any third party for commercial purposes, under any circumstances. The Company may share your Information with the following parties, strictly to the extent necessary for the delivery of its Services:

• Your assigned Practitioner on MindDhara Couch will receive only the personal information relevant to your care.
• Razorpay Software Private Limited receives transactional details solely for the purpose of processing your payment.
• Third-party cloud and hosting infrastructure providers store your data on secure servers located in India, bound by data processing agreements.
• Regulatory and governmental authorities, courts, or law enforcement agencies may receive your personal data where the Company is required to disclose it under applicable Indian law.
• Where a Practitioner determines that a user poses a risk of harm to themselves or to others, they may share necessary information with emergency services or the user's emergency contact.
• Where the Company provides employee wellness services to a corporate partner, only aggregated and fully anonymised data is shared. Individual session data is never disclosed to an employer or partner organisation.

7. Retention of Data

The Company retains your personal Information for as long as your account remains active on the Platform. Following the closure of your account, personal data that is not subject to any legal retention obligation will be deleted or irreversibly anonymised within 30 days of the date of closure. You may request deletion of your data at any time by writing to hello@minddhara.com, and the Company will process such request within 30 days.

Certain categories of data are subject to mandatory retention periods under applicable Indian law, irrespective of account status or deletion requests: Financial and transactional records, including payment history, are retained for a period of 7 years from the date of the transaction, as required under the Income Tax Act, 1961 and the Goods and Services Tax Act.

8. Cookies

The Platform uses cookies, small data files stored on your device, to enable core functionality, remember your preferences, and collect aggregated usage statistics that help the Company improve the Platform. The Company uses three categories of cookies: essential cookies that are necessary for the Platform to function; functional cookies that remember your settings and preferences; and analytics cookies that collect anonymised information about how you interact with the Platform.

You can manage or disable non-essential cookies at any time through your browser or device settings, or through the cookie preferences tool on the Platform. The Company does not use advertising cookies and does not track your activity across third-party websites for the purposes of targeted advertising or behavioural profiling.

9. Data Security

The Company implements administrative, technical, and physical security measures designed to protect your personal Information from unauthorised access, use, disclosure, alteration, or destruction. All data transmitted between your device and the Platform is encrypted using HTTPS/TLS protocols. Data stored on the Company's servers is encrypted at rest.

In the event the Company becomes aware of a breach of security that compromises your personal data, the Company will notify affected users within 72 hours of becoming aware of the breach, in accordance with applicable law, and will take all reasonable steps to contain and remediate the breach.

10. Your Rights

Under the Digital Personal Data Protection Act, 2023 and other applicable Indian law, you have the following rights in respect of your personal Information held by the Company:

• Right to Access: You may request a copy of the personal Information the Company holds about you, along with a summary of the purposes for which it is being processed.
• Right to Correction: You may request that any inaccurate or incomplete personal Information held by the Company be corrected or updated.
• Right to Erasure: You may request that the Company delete your personal Information. Such requests will be processed within 30 days, subject to any legal obligation the Company may have to retain certain categories of data.
• Right to Withdraw Consent: You may withdraw your consent to the processing of your personal Information at any time by writing to hello@minddhara.com. Withdrawal of consent does not affect the lawfulness of any processing carried out prior to such withdrawal.
• Right to Grievance Redressal: You may raise a complaint in respect of any aspect of the Company's handling of your personal Information by writing to hello@minddhara.com. The Company will acknowledge and respond to all such complaints within 30 days of receipt.
• Right to Nominate: Under the DPDP Act, 2023, you may nominate another individual to exercise your data protection rights on your behalf in the event of your death or incapacity.

11. Children's Privacy

The Platform does not knowingly collect personal Information from users under the age of 18 without verifiable parental or guardian consent. Where a user is below 18 years of age, the parent or legal guardian of such user shall provide informed consent digitally at the time of registration on behalf of the child or young person. The Company shall never use the personal Information of a minor for advertising, marketing, or behavioural profiling purposes, under any circumstances.

12. Data Storage and Transfers

All personal Information collected by the Company is stored on servers located within India. The Company complies with applicable data localisation requirements under Indian law, including the Digital Personal Data Protection Act, 2023. In the event that any personal Information is required to be transferred outside India, including for the purposes of cloud infrastructure, technical operations, or service delivery, such transfer will be carried out only in accordance with the safeguards and conditions prescribed under the DPDP Act and applicable rules, and only to jurisdictions or recipients that provide an adequate level of data protection.

13. Changes to This Policy

The Company reserves the right to update or modify this Policy at any time. Where any change materially affects your rights or the manner in which your personal Information is processed, the Company will notify you by email or through an in-app notification prior to the change taking effect. The date of the most recent update to this Policy is displayed at the top of this page. Your continued use of the Platform following notification of any change constitutes your acceptance of the revised Policy.

14. Contact and Grievances

For any queries, concerns, or complaints relating to this Policy or the processing of your personal Information, you may contact the Company's Grievance Redressal Officer at the details set out below. All complaints will be acknowledged and responded to within 30 days of receipt.

In accordance with the Information Technology Act, 2000 and the rules made thereunder, the Company has appointed a Grievance Redressal Officer whose details are set out below. Users are encouraged to first raise their complaint with the Grievance Redressal Officer before escalating to the Data Protection Board of India.

If you are not satisfied with the Company's response to your complaint, you have the right to escalate your grievance to the Data Protection Board of India, which has been established under the Digital Personal Data Protection Act, 2023 to adjudicate disputes relating to personal data processing.