Privacy Policy

  1. Introduction & Applicability

    This Policy describes how CIFAR IVF (“we”, “us”) collects, processes, stores, and protects your personal data, whether you are a resident of the EU/EEA (GDPR), a patient treated under U.S. law (HIPAA), or a resident of India (Digital Personal Data Protection Act, 2023, the “DPDP Act”).

  2. Data We Collect

  • Identifiers: name, contact, address, date of birth, government ID.
  • Medical data: health history, diagnostics, lab results, images, treatment plans (treated as protected health information under HIPAA and as special-category data under GDPR).
  • Billing & insurance: financial transaction records.
  • Website & device data: IP, cookies, usage patterns.
  3. Legal Bases for Processing

  • HIPAA: uses and disclosures permitted without authorization for treatment, payment, and healthcare operations; any other use or disclosure requires your written authorization.
  • GDPR: consent, performance of a contract, compliance with a legal obligation, or protection of vital interests (Article 6); because health data is special-category data, we also rely on an Article 9 condition, typically your explicit consent or the provision of healthcare and treatment (Article 9(2)(h)).
  • DPDP Act, 2023: your consent (Section 6) or a legitimate use specified in Section 7, such as data you voluntarily provide for a specified purpose, compliance with law, or a medical emergency.
  4. How We Use Your Data

  • Treatment, diagnostics, and care coordination
  • Billing, insurance claims, payment processing
  • Regulatory reporting under the Assisted Reproductive Technology (Regulation) Act, 2021 and the Surrogacy (Regulation) Act, 2021
  • Anonymized clinical research and quality improvement
  • Patient communication (appointment reminders, results, follow-up)
  5. Data Sharing & International Transfers

    We may share data with third‑party laboratories, clinics, insurers, or international partners, limited to what the purpose requires.

  • GDPR: EU-to-India transfers rely on the EU Standard Contractual Clauses together with a transfer risk assessment and supplementary measures, since India is not covered by an EU adequacy decision.
  • DPDP Act: transfers outside India only where permitted by Section 16 (not to a country restricted by the Central Government), with your consent or another lawful basis, and only to recipients bound to equivalent safeguards.
  • HIPAA: protected health information is disclosed to U.S. vendors and partners only under a Business Associate Agreement.
  6. Data Retention

  • U.S. patient records: retained for at least 11 years. This exceeds the six-year minimum HIPAA sets for required documentation; where a state medical-record retention law requires longer, the longer period applies.
  • Indian ART law: clinic and bank records are maintained for the minimum period required under the Assisted Reproductive Technology (Regulation) Act, 2021 (10 years).
  • On expiry, records are securely archived or irreversibly deleted in accordance with our retention schedule.
  7. Data Subject Rights

    Under GDPR and the DPDP Act you may:

  • Access, correct, and request deletion or erasure of your data; withdraw consent at any time (without affecting processing already carried out lawfully); and, under GDPR, receive your data in a portable format
  • Under the DPDP Act, nominate another individual to exercise your rights in the event of your death or incapacity, and give, manage, or withdraw consent through a registered Consent Manager
  • Raise a grievance with our designated Privacy Officer; if it is not resolved, complain to the Data Protection Board of India (DPDP Act) or to your EU supervisory authority (GDPR)

    U.S. patients may, under HIPAA, request access to and amendment of their records and an accounting of disclosures.
  8. Security Measures

    We implement encryption of personal data at rest and in transit, role-based access controls on a least-privilege basis, audit logging and regular security audits, staff training, and privacy-by-design principles.

  9. Breach Notification

  • GDPR: personal data breaches are reported to the competent supervisory authority within 72 hours of our becoming aware of them; affected individuals are notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
  • HIPAA: affected individuals are notified without unreasonable delay and no later than 60 days after discovery; HHS is notified (immediately for breaches affecting 500 or more individuals, otherwise in an annual report), and prominent media outlets are notified for breaches affecting more than 500 residents of a state.
  • DPDP Act: the Data Protection Board of India and each affected Data Principal are notified in the form and within the time prescribed under the Act and its Rules.
  10. Contact & Complaints

    Privacy/Data Protection Officer: [Name, email/contact]
    You may file a complaint via:
  1. Our internal grievance mechanism
  2. The Data Protection Board of India (after internal escalation)
  3. EU supervisory authorities (for GDPR) or the U.S. HHS Office for Civil Rights (for HIPAA)