RGT Privacy Policy

1. Introduction

Ratna Global Technologies, Inc. ("RGT," "we," "our," or "us") is committed to protecting the privacy and security of our users' personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our Healthcare Ecosystem mobile application (the "App") and related services.

This Privacy Policy applies to all users of our App, including patients, healthcare providers, and authorized family members. By using our App, you consent to the data practices described in this Privacy Policy.

2. Information We Collect

2.1 Personal Health Information (PHI)

We collect health-related information necessary to provide healthcare services, including:

• Medical history and health records
• Current medications and prescriptions
• Laboratory test results and diagnostic reports
• Imaging studies (X-rays, MRIs, CT scans)
• Appointment schedules and treatment plans
• Allergies and medical conditions
• Immunization records
• Insurance information and claims data

2.2 Personal Identification Information

• Full name, date of birth, and gender
• Contact information (email address, phone number, mailing address)
• Government-issued identification numbers (where legally required)
• Account credentials (username and encrypted password)
• Profile photograph (optional)
• Emergency contact information

2.3 Device and Technical Information

We automatically collect certain information about your device and App usage:

• Device type, model, and manufacturer
• Operating system and version
• Unique device identifiers and mobile network information
• IP address and approximate location (with your permission)
• App version and usage statistics
• Crash reports and performance data
• Browser type and language preferences

2.4 Location Information

With your explicit permission, we may collect:

• Precise location data to help you find nearby healthcare facilities
• Location information for emergency services
• Travel history relevant to health assessments (e.g., for infectious disease screening)

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Healthcare Service Delivery

• Providing medical consultations and healthcare services
• Managing appointments and sending reminders
• Maintaining accurate health records
• Facilitating communication between you and healthcare providers
• Processing prescriptions and medication refills
• Coordinating laboratory tests and sharing results

3.2 Administrative Functions

• Creating and managing user accounts
• Verifying identity and authenticating users
• Processing payments and insurance claims
• Providing customer support
• Sending administrative notifications

3.3 Safety and Quality Improvement

• Ensuring the safety and security of our App and services
• Detecting and preventing fraud, abuse, or illegal activities
• Conducting quality assessments and improving healthcare outcomes
• Analyzing usage patterns to enhance user experience
• Training our AI systems to provide better healthcare insights

3.4 Legal and Regulatory Compliance

• Complying with healthcare laws and regulations (HIPAA, GDPR, DPDP)
• Responding to legal requests and court orders
• Reporting required information to public health authorities
• Maintaining audit trails as required by law

3.5 Consent-Based Processing

Based on our consent management system, we process data for the following purposes only with your explicit consent:

• Treatment & Care Coordination: Sharing between your healthcare team (Required for service)
• Insurance & Billing: Claims processing and pre-authorization requests
• Communications:
  • Appointment reminders (SMS/Email/Phone)
  • Test result notifications
  • Health education materials
• Research & Quality: Anonymous data for medical research and service improvement
• Family Access: Sharing with designated family members or caregivers

You can manage all consent preferences through the Privacy Center in your patient portal.

4. Information Sharing and Disclosure

We take your privacy seriously and only share your information in the following limited circumstances:

4.1 With Healthcare Providers

We share your health information with authorized healthcare providers involved in your care, including:

• Doctors, nurses, and medical specialists
• Hospitals and clinics
• Laboratories and diagnostic centers
• Pharmacies (for prescription fulfillment)

4.2 With Your Consent

• When you explicitly authorize us to share information
• With family members or caregivers you designate
• For participation in medical research (with separate consent)

4.3 Service Providers

We work with carefully selected third-party service providers:

• Cloud Infrastructure: Amazon Web Services (AWS EC2) - for application hosting
• Database Storage: Amazon Web Services (AWS RDS) - for secure encrypted data storage
• Payment Processing: Razorpay - for billing and payment processing (PCI-DSS compliant)
• Communication Services: MSG91 - for SMS and email communications including OTP verification

All service providers are contractually obligated to protect your information and use it only for the services they provide to us.

4.4 Legal Requirements

We may disclose information when required by law, including:

• In response to court orders or subpoenas
• To comply with government investigations
• To report suspected abuse or neglect
• For public health activities (e.g., disease outbreak tracking)
• To prevent imminent harm to you or others

4.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.

5. Data Security

We implement comprehensive security measures to protect your information:

5.1 Technical Safeguards

• End-to-end encryption for data transmission using TLS 1.3
• AES-256 encryption for data at rest in AWS RDS
• Secure servers hosted on AWS EC2 with firewall protection
• Regular security audits and penetration testing
• Multi-factor authentication available through OTP via MSG91
• Automatic session timeout after 15 minutes of inactivity
• Session warning at 2 minutes before timeout

5.2 Administrative Safeguards

• Limited access to personal information on a need-to-know basis
• Background checks for employees handling sensitive data
• Regular privacy and security training for staff
• Confidentiality agreements with all personnel
• Comprehensive audit logs for all data access
• Role-based access control in patient portal

5.3 Physical Safeguards

• AWS data centers with SOC 2 compliance
• Geographically distributed backups
• 24/7 monitoring and security
• Secure disposal of any physical records

5.4 Data Breach Notification

In the event of a data breach that may impact your personal information:

• GDPR Requirements: We will notify relevant authorities within 72 hours of discovery
• HIPAA Requirements: We will notify affected individuals within 60 days
• DPDP Requirements: We will notify the Data Protection Board and affected individuals without unreasonable delay
• Notifications will be sent via MSG91 SMS and email to your registered contact information
• Breach notifications will include: nature of breach, data involved, steps taken, and protective recommendations
• We maintain a breach register and conduct post-incident reviews

5.5 Infrastructure Security

• AWS EC2: Application hosting with auto-scaling and load balancing
• AWS RDS: Encrypted database with automated backups
• Razorpay: PCI-DSS compliant payment processing
• MSG91: Secure communication channels for OTP and notifications
• All third-party services are vetted for security compliance

6. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations:

6.1 Healthcare Records

• Medical Records: 7 years for adults as per HIPAA requirements
• Pediatric Records: Until the patient reaches 21 years of age plus 7 years
• Immunization Records: Permanently retained
• X-rays and Imaging: 5 years from the date of service

6.2 Administrative Data

• Account Information: Duration of account plus 7 years
• Appointment History: 7 years from appointment date
• Communication Logs: 2 years for non-medical communications
• Consent Records: Lifetime of account plus legal retention period

6.3 Financial Records

• Billing Information: 7 years for tax and audit purposes
• Insurance Claims: 7 years from claim resolution
• Payment History: 7 years as per financial regulations

6.4 Technical Data

• Access Logs: 2 years for security and audit purposes
• Session Data: Deleted after session expiry (15 minutes of inactivity)
• Draft Data: Stored in encrypted session storage, cleared on logout
• Analytics Data: Anonymized after 90 days

6.5 Data Deletion

When retention periods expire or upon valid deletion requests:

• Data is securely deleted from AWS RDS using cryptographic erasure
• Backups are purged according to retention schedules
• Deletion logs are maintained for compliance verification
• Some data may be retained longer if required by law or legal proceedings

7. Your Rights and Choices

You have several rights regarding your personal information through our Patient Portal:

7.1 Privacy Center Access

Through the Privacy Center in your patient portal, you can:

• View all active consents and their status
• Manage consent preferences for different data uses
• See who has accessed your health information
• Exercise your data rights

7.2 Consent Management

Our granular consent system allows you to control:

• Treatment & Care Coordination: Required for healthcare services
• Insurance Processing: For claims and pre-authorizations
• Communication Preferences: Choose SMS, Email, or Phone for different types of messages
• Research Participation: Opt-in for anonymous data use
• Family Access: Designate specific family members

7.3 Data Access and Portability

• Request a copy of your personal health information
• Download your health records in standard formats
• Export medical records, test results, and prescriptions
• Transfer your data to another healthcare provider

7.4 Correction and Update

• Update your personal information through the patient portal
• Request corrections to medical records
• Add clarifications to disputed information
• Identity verification required for certain changes

7.5 Access History

View comprehensive audit logs showing:

• Who accessed your records and when
• Purpose of access (treatment, billing, etc.)
• What information was viewed or downloaded
• Filter by date, access type, or user

7.6 Communication Controls

• Set preferences for appointment reminders
• Choose notification methods for test results
• Opt-out of non-essential communications
• Manage secure messaging preferences

7.7 Account Management

• Enable two-factor authentication for added security
• Set up security questions for account recovery
• View login history and active sessions
• Request account deletion (subject to legal retention)

8. Children's Privacy

We take special precautions when handling information about children as implemented in our registration system:

8.1 Children Under 13

• We require verifiable parental consent before collecting personal information
• Parents/guardians have full access to their child's information
• We collect only the minimum information necessary for healthcare
• No behavioral advertising or unnecessary data collection
• Parents can request deletion of their child's information at any time

8.2 Parental Consent Verification Methods

Our registration system verifies parental consent through:

• OTP Verification: One-time password sent to parent's registered mobile number via MSG91
• Digital Signature: Electronic signature with identity verification
• Video Verification: Live video call with our support team (for sensitive cases)
• Document Upload: Government-issued ID of parent/guardian
• Credit Card Verification: Small charge verification through Razorpay (refunded immediately)

8.3 Age-Specific Access Controls

Our patient portal implements age-based access levels:

• Under 13: Parent-managed accounts only, no direct access
• 13-15 years: Limited access with parental oversight, certain features restricted
• 16-17 years: Fuller access with some restrictions on sensitive health data
• Age verification required during registration with date of birth validation
• Automatic access upgrades when users reach age milestones

8.4 Teenagers (13-17)

• May have limited independent access based on local laws
• Certain sensitive health information may be kept confidential from parents as required by law
• Enhanced privacy controls and education about data sharing
• Special consent workflows for sensitive services

8.5 Emergency Contact for Minors

For all minor accounts, we require:

• Mandatory emergency contact information
• Parent/guardian consent for emergency medical care
• Clear data sharing permissions for emergency situations

9. AI and Automated Decision-Making

9.1 How We Use AI

Our healthcare AI systems assist in:

• Symptom analysis and preliminary health assessments
• Appointment scheduling optimization
• Medication interaction checking
• Health trend analysis and predictive insights
• Test result interpretation assistance

9.2 Human Oversight

Important: All AI-generated health insights are reviewed by qualified healthcare professionals:

• AI recommendations are always marked as "AI-assisted"
• Critical health decisions require human doctor approval
• You can request human review of any AI-generated assessment
• Emergency cases bypass AI and connect directly to healthcare providers

9.3 Your Rights Regarding AI Processing

• Right to Human Review: Request human review of any automated decision
• Right to Contest: Challenge AI-generated assessments or recommendations
• Right to Opt-Out: Choose traditional non-AI assisted healthcare services
• Right to Explanation: Receive clear explanations of AI decision logic
• Right to Correction: Report and correct AI errors or biases

9.4 AI Transparency

• We clearly label all AI-generated content
• AI confidence levels are displayed for recommendations
• Data sources used for AI training are documented
• Regular AI audits ensure accuracy and fairness

10. Digital Personal Data Protection (DPDP) Compliance

In accordance with the Digital Personal Data Protection Act, 2023 (India), we ensure:

10.1 Lawful Processing

• We process personal data only with your explicit consent or as permitted by law
• Consent can be withdrawn at any time through the App settings or by contacting us
• We maintain records of consent for audit purposes

10.2 Data Principal Rights

As a data principal, you have the right to:

• Access your personal data and obtain information about its processing
• Correct or update inaccurate or incomplete personal data
• Erase your personal data (subject to legal retention requirements)
• Nominate another individual to exercise these rights in case of incapacity
• Grievance redressal through our designated channels

10.3 Data Fiduciary Obligations

As a data fiduciary, we commit to:

• Process data only for lawful purposes with appropriate consent
• Implement reasonable security safeguards
• Delete personal data upon withdrawal of consent (unless legally required to retain)
• Provide notice of data breaches as required by law
• Ensure accuracy and completeness of data

10.4 Cross-Border Data Transfer

In compliance with DPDP Act requirements:

• Permitted Countries: We transfer data only to countries notified by the Central Government as permissible
• Current Transfer Locations:
  • United States (for cloud infrastructure - AWS)
  • Singapore (for backup and disaster recovery)
  • European Union countries (for users accessing from EU)
• Appropriate safeguards including Standard Contractual Clauses are in place
• You will be notified before any new international transfer destinations are added
• You can request details of safeguards implemented for international transfers

10.5 Grievance Redressal Mechanism

As implemented in our patient portal, we have established a comprehensive grievance redressal process:

• Initial Response: Within 24 hours of receiving your complaint
• Resolution Timeline: Within 7 days for general queries, 15 days for complex issues
• Escalation Matrix:
  1. Level 1: Customer Support Team (privacy@ratnaglobaltech.com)
  2. Level 2: Data Protection Officer (dpo@ratnaglobaltech.com)
  3. Level 3: Compliance Officer (compliance@ratnaglobaltech.com)
  4. Level 4: Chief Privacy Officer
• External Escalation: You may approach the Data Protection Board of India if unsatisfied
• All grievances are tracked with unique ticket numbers
• Regular updates provided every 48 hours until resolution
• Access grievance status through your patient portal

10.6 Patient Portal Privacy Features

Our patient portal provides comprehensive privacy management tools:

• Privacy Center: Central hub for all privacy settings and controls
• Consent Management: Granular control over data usage with instant updates
• Access History: Complete audit trail of who accessed your data and when
• Data Rights Portal: Exercise all your rights from one location
• Real-time Notifications: Instant alerts for any data access or changes

11. International Data Transfers

If you use our App from outside India or the United States:

• Your information may be transferred to and processed in:
  • India: Primary data processing and healthcare services
  • United States: Cloud infrastructure and technical support
  • Singapore: Backup and disaster recovery
  • European Union: For EU-based users only
• We use appropriate safeguards for international transfers:
  • Standard Contractual Clauses (EU approved)
  • Binding Corporate Rules where applicable
  • Adequacy decisions recognized by relevant authorities
• You have the right to request copies of transfer safeguards
• We comply with applicable data protection laws in your jurisdiction
• Transfers comply with DPDP Act requirements for cross-border data flow

11.1 Infrastructure and Processing Locations

Your data is processed and stored in the following locations:

• Primary Data Center: AWS Mumbai Region (ap-south-1) for Indian users
• Database Storage: AWS RDS within the same region
• Backup Location: AWS automated backups within region
• Payment Processing: Razorpay servers in India
• Communication Services: MSG91 servers for SMS/Email delivery

All data transfers are encrypted and comply with local data residency requirements.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements:

• We will notify you of material changes via email or App notification
• The "Last Updated" date will be revised
• Your continued use after changes constitutes acceptance
• You can always access the current version in the App