Privacy Policy — INDHEAL

1. Information we collect

Information you provide to us

When you use INDHEAL's services — whether by submitting an enquiry form, contacting us via WhatsApp, email, or phone, or engaging with our case management team — you may provide:

Identity data: full name, date of birth, nationality, passport or government ID details
Contact data: email address, phone number, WhatsApp number, country of residence
Medical data: diagnosis, medical reports, test results, imaging, treatment history, current medications, and related health information
Financial data: billing address and payment preferences (we do not store full card details)
Travel data: passport details, visa information, travel dates, accommodation preferences
Communications: records of your conversations with our team by any channel

Information collected automatically

When you visit indheal.com, our systems automatically collect:

IP address, browser type, operating system, and device type
Pages visited, time spent, referring URL, and click paths
Cookie identifiers and session data (see Section 5)

Information from third parties

We may receive information about you from our partner hospitals (for example, appointment confirmations or discharge summaries), from referral partners, or from publicly available sources.

2. How we use your information

We use the information we hold about you to:

Provide, manage, and personalise our medical travel facilitation services
Match you with appropriate hospitals and specialists based on your condition and preferences
Obtain cost estimates and appointment availability from partner hospitals on your behalf
Coordinate visa assistance, accommodation, transport, and airport transfers
Communicate with you about your case, including updates and aftercare coordination
Process payments and maintain our financial records
Comply with legal and regulatory obligations applicable in India and relevant jurisdictions
Improve our website and services through aggregate, anonymised analytics
Send you relevant health and service communications where you have consented

We do not sell your personal or medical data to third parties. Ever. Our revenue comes from service fees paid by our hospital partners, not from monetising your data.

3. Sharing your information

We share your information only in the following circumstances:

Partner hospitals and specialists

To facilitate your treatment, we share your medical and identity information with the hospitals and doctors you are considering or have confirmed with. We share only what is necessary for clinical evaluation, appointment scheduling, and treatment planning.

Service providers

We engage trusted third-party providers who assist us in operating our services — including cloud hosting, CRM software, payment processing, and communication platforms. All providers are bound by data processing agreements requiring them to maintain appropriate security and to process data only on our instructions.

Legal requirements

We may disclose your information if required to do so by law, court order, or a competent government authority in India or any jurisdiction in which we operate.

Business transfers

If INDHEAL is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent website notice before your information becomes subject to a different privacy policy.

With your consent

We will share your information with any other party where you have given us explicit consent to do so — for example, sharing your case with a specialist you have specifically requested.

4. Medical information

Medical and health information is a special category of sensitive personal data. We treat it with the highest level of care:

Medical data is collected and processed solely to facilitate your treatment journey
It is shared only with clinical staff at hospitals and specialists directly involved in your care, and only with your knowledge
It is never used for marketing, advertising, or sold to insurers, pharmaceutical companies, or any third party
All medical data is stored in encrypted form at rest and transmitted over encrypted connections
Access within INDHEAL is restricted on a strict need-to-know basis

By submitting your medical information to us, you explicitly consent to its use as described above. You may withdraw this consent at any time (see Section 8), though doing so may affect our ability to continue facilitating your care.

5. Cookies & tracking

We use cookies and similar technologies on indheal.com to:

Essential cookies: maintain your session, enable security features, and remember your preferences — these cannot be disabled without affecting site functionality
Analytics cookies: understand how visitors use our site (using tools such as Google Analytics) so we can improve content and navigation — these are anonymised and aggregate
Marketing cookies: where you have consented, deliver relevant advertisements on third-party platforms

You can manage cookie preferences through your browser settings or our cookie consent banner. Withdrawing consent for non-essential cookies will not affect the services we provide to you directly.

6. Data retention

We retain your personal data for as long as necessary to fulfil the purposes described in this policy, and to comply with our legal obligations. Our general retention periods are:

Active case files: retained for the duration of your engagement with INDHEAL and for 2 years thereafter, in accordance with Indian medical records requirements
Contact and communication records: 5 years from last contact
Website analytics data: 26 months in anonymised aggregate form

When data is no longer required, we delete or irreversibly anonymise it in a secure manner.

7. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or disclosure. These include:

TLS encryption for all data in transit
AES-256 encryption for sensitive data at rest
Role-based access controls and audit logging
Regular security reviews and staff training
Secure destruction of physical documents containing personal data

No method of transmission or storage is 100% secure. If you believe your information has been compromised, please contact us immediately at privacy@indheal.com.

8. Your rights

Subject to applicable law, you have the following rights over your personal data:

Access: request a copy of the personal data we hold about you
Correction: ask us to correct inaccurate or incomplete data
Erasure: request deletion of your data where we no longer have a lawful basis to retain it
Restriction: ask us to restrict processing of your data in certain circumstances
Portability: receive your data in a structured, machine-readable format
Objection: object to processing based on legitimate interests or for direct marketing
Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, please contact us at privacy@indheal.com. We will respond within 30 days. We may need to verify your identity before processing your request.

9. Children's privacy

Our services are not directed at children under the age of 18. We do not knowingly collect personal data from children without the explicit consent and involvement of a parent or legal guardian. If a child is the patient, all communications and consent are handled through the accompanying adult.

If you believe we have inadvertently collected data from a child without appropriate consent, please contact us and we will promptly delete it.

10. International data transfers

INDHEAL operates from India and serves patients globally. Your personal data may be transferred to, and processed in, India and other countries where our partner hospitals or service providers are located.

When transferring data outside your country of residence, we ensure appropriate safeguards are in place — including standard contractual clauses approved by relevant data protection authorities — to provide a level of protection equivalent to that in your home jurisdiction.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if we hold your contact details) and by posting a prominent notice on our website at least 14 days before the changes take effect.

Your continued use of our services after the effective date constitutes your acceptance of the updated policy. If you do not agree with the changes, you should discontinue use of our services and contact us to exercise your rights under Section 8.

12. Contact us

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us at

Email: hello@indheal.com