Privacy Policy

Last Updated: March 22, 2026

1. Introduction

Welcome to GrowGrahak, a comprehensive reputation management and patient communication platform. GrowGrahak is a software product owned and operated by 7star Medtech Private Limited, a company registered and operating in India.

Official Website: https://growgrahak.automizemedialabs.com/

We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains in detail how we collect, use, disclose, process, and safeguard your data when you use our services, including our WhatsApp Business API integration for healthcare communication.

This policy complies with India's Digital Personal Data Protection Act (DPDPA) 2026, Meta's WhatsApp Business API requirements, and other applicable data protection regulations.

2. Information We Collect

To provide our reputation management and patient communication services effectively, we collect various types of information. We are transparent about what data we collect and how it is used.

2.1 Healthcare Provider Information

When you register as a healthcare provider or clinic, we collect:

  • Professional Details: Name, clinic/hospital name, medical specialty, professional registration numbers
  • Contact Information: Email address, phone number, business address
  • WhatsApp Business Account: WhatsApp Business phone number, account credentials, business profile information
  • Payment Information: Billing details, payment method information (processed securely through third-party payment gateways)
  • Account Credentials: Username, encrypted password, and authentication tokens

2.2 Patient/Client Communication Data

To facilitate doctor-patient or business-client communication via WhatsApp, we collect:

  • WhatsApp Phone Numbers: Phone numbers of patients/clients who have consented to receive communications from your clinic
  • Message Metadata: Message delivery status, timestamps, read receipts, and delivery confirmations
  • Message Content: Review requests, appointment reminders, feedback responses, and other communications sent through our platform
  • Lead Information: Patient names, appointment details, visit history (as provided by healthcare providers)
  • Feedback Data: Patient satisfaction ratings, review text, sentiment analysis results
  • Consent Records: Documentation of patient consent to receive WhatsApp communications

2.3 Automatically Collected Information

We automatically collect certain technical information when you use our platform:

  • Device Information: IP address, browser type and version, operating system, device identifiers
  • Usage Analytics: Pages visited, features used, time spent on platform, click patterns
  • Log Data: Server logs, error reports, API request logs, system performance metrics
  • Cookies and Tracking: Session cookies, preference cookies, analytics cookies (see Section 9 for details)
  • API Integration Data: WhatsApp API call logs, message queue status, webhook responses

2.4 Information from Third-Party Sources

  • WhatsApp/Meta: Message delivery confirmations, account status, API usage metrics
  • Payment Processors: Transaction confirmations, payment status updates
  • Review Platforms: Public review data from Google, Practo, and other platforms (where applicable)

3. WhatsApp Business API Data Usage

GrowGrahak integrates with WhatsApp Business API (via Evolution API and Meta Cloud API) to enable healthcare providers to communicate with their patients efficiently and securely. This section details how we process WhatsApp-related data.

3.1 API Integration Architecture

We utilize secure API routes to process WhatsApp communications:

  • Evolution API: Self-hosted WhatsApp Business API solution for message routing and delivery
  • Meta Cloud API: Official Meta-provided WhatsApp Business Platform for enterprise-grade messaging
  • Secure Transmission: All API communications are encrypted using TLS 1.3 or higher
  • Authentication: API keys, OAuth tokens, and webhook signatures ensure secure data exchange

3.2 Message Data Processing

When you use our WhatsApp Business API integration, we process messages for the following specific purposes:

  • Review Requests: Sending automated, personalized review requests to patients after appointments
  • Appointment Reminders: Delivering appointment confirmations and reminder notifications
  • Follow-up Messages: Post-consultation follow-ups and care instructions
  • Feedback Collection: Gathering patient satisfaction ratings and testimonials
  • Two-Way Communication: Enabling patients to respond, ask questions, or provide feedback
  • Analytics and Reporting: Analyzing message delivery rates, open rates, response rates, and engagement metrics
  • Quality Assurance: Monitoring message templates for compliance and effectiveness

3.3 Explicit Consent Requirements

Mandatory Consent: We strictly adhere to consent-based messaging. WhatsApp messages are only sent to individuals who have provided explicit, informed consent. By using GrowGrahak's services, healthcare providers confirm that:

  • Prior consent has been obtained from patients to contact them via WhatsApp for appointment-related communications
  • Patients were informed about the nature and frequency of messages they will receive
  • Patients have the right to opt out of communications at any time by replying "STOP" or through account settings
  • Opt-out requests are processed immediately and honored permanently
  • The service will not be used to send unsolicited marketing, spam, or promotional messages
  • All communications comply with WhatsApp's Business Policy, Commerce Policy, and Messaging Policy
  • Healthcare providers maintain their own consent records as required by law

3.4 Message Content and Privacy

We respect the privacy and confidentiality of patient communications:

  • End-to-End Encryption: WhatsApp messages benefit from WhatsApp's end-to-end encryption protocol
  • Limited Access: Message content is only accessible to the healthcare provider and the patient
  • No Unauthorized Sharing: We do not share, sell, or disclose message content to third parties except as required by law
  • Sensitive Health Data: We advise healthcare providers not to share detailed medical records or sensitive health information via WhatsApp
  • Compliance Monitoring: Automated systems monitor for policy violations without accessing message content

3.5 Message Storage and Retention

We implement strict data retention policies:

  • Message Content: Stored securely for up to 90 days for service delivery, then automatically deleted
  • Message Metadata: Delivery status, timestamps, and engagement metrics retained for up to 12 months for analytics
  • Consent Records: Maintained for the duration of the business relationship plus 3 years for compliance
  • Opt-out Records: Permanently retained to honor patient preferences
  • Secure Deletion: All data is securely erased using industry-standard deletion protocols

3.6 WhatsApp Business Account Requirements

Healthcare providers using our platform must:

  • Maintain a verified WhatsApp Business Account
  • Use approved message templates that comply with Meta's policies
  • Respond to patient inquiries within 24 hours to maintain quality ratings
  • Adhere to WhatsApp's messaging limits and rate restrictions
  • Maintain a business profile with accurate contact information

4. How We Use Your Information

We use the information we collect for specific, legitimate purposes that enable us to provide and improve our services. Our use of data is always transparent, lawful, and aligned with the purposes for which it was collected.

4.1 Service Delivery and Operations

  • Platform Access: Creating and managing user accounts, authentication, and access control
  • WhatsApp Integration: Connecting healthcare providers' WhatsApp Business accounts to our platform
  • Message Orchestration: Scheduling, sending, and tracking review requests and appointment reminders
  • Communication Facilitation: Enabling doctor-patient or business-client communication through secure channels
  • Dashboard and Reporting: Providing analytics, insights, and performance metrics to healthcare providers
  • Lead Management: Organizing and managing patient contact information and communication history

4.2 Service Improvement and Development

  • Analytics and Research: Analyzing usage patterns to improve user experience and platform performance
  • Feature Development: Developing new features and functionalities based on user needs
  • Quality Assurance: Testing and optimizing message templates, delivery rates, and system reliability
  • AI and Machine Learning: Training models for sentiment analysis, feedback categorization, and predictive analytics (using anonymized data)

4.3 Customer Support and Communication

  • Technical Support: Responding to inquiries, troubleshooting issues, and providing assistance
  • Service Notifications: Sending important updates about platform changes, maintenance, or new features
  • Billing and Payments: Processing subscription payments, generating invoices, and managing billing inquiries
  • Onboarding and Training: Providing guidance and resources to help users maximize platform benefits

4.4 Security, Compliance, and Legal

  • Fraud Prevention: Detecting and preventing fraudulent activities, spam, and policy violations
  • Security Monitoring: Identifying and responding to security threats, vulnerabilities, and breaches
  • Regulatory Compliance: Ensuring compliance with DPDPA 2026, WhatsApp policies, and healthcare regulations
  • Legal Obligations: Responding to legal requests, court orders, and regulatory inquiries
  • Audit and Accountability: Maintaining logs and records for compliance audits and dispute resolution

4.5 Marketing and Business Development (With Consent)

  • Product Updates: Informing users about new features, improvements, and best practices (opt-in only)
  • Educational Content: Sharing resources, case studies, and industry insights
  • Promotional Offers: Communicating special offers or discounts (with explicit consent, easy opt-out)

5. Legal Basis for Data Processing (DPDPA 2026 Compliance)

7star Medtech Private Limited is committed to full compliance with India's Digital Personal Data Protection Act (DPDPA) 2026. We process personal data only when we have a valid legal basis and in accordance with the principles of transparency, accountability, and data minimization.

5.1 Lawful Basis for Processing

We process your personal data based on the following legal grounds:

  • Consent: Your explicit, informed, and freely given consent for specific processing activities (e.g., WhatsApp communications, marketing emails)
  • Contractual Necessity: Processing necessary to perform our contract with you (e.g., providing platform access, delivering services)
  • Legal Obligations: Compliance with applicable laws, regulations, and legal processes
  • Legitimate Interests: Our legitimate business interests (e.g., fraud prevention, security, service improvement) balanced against your rights and interests

5.2 Your Rights Under DPDPA 2026

As a data principal under India's DPDPA 2026, you have comprehensive rights regarding your personal data:

  • Right to Access: Request access to your personal data we hold, including details about processing activities
  • Right to Correction: Request correction of inaccurate, incomplete, or outdated personal data
  • Right to Erasure: Request deletion of your personal data (subject to legal retention requirements)
  • Right to Data Portability: Receive your data in a structured, commonly used, and machine-readable format (e.g., CSV, JSON)
  • Right to Withdraw Consent: Withdraw consent for data processing at any time without affecting prior lawful processing
  • Right to Grievance Redressal: File complaints regarding data processing practices with our Grievance Officer or the Data Protection Board of India
  • Right to Nominate: Nominate another individual to exercise your rights in the event of death or incapacity

5.3 Exercising Your Rights

To exercise any of your rights under DPDPA 2026:

We will respond to your request within 72 hours and fulfill valid requests within 30 days as required by DPDPA 2026.

5.4 Data Localization and Cross-Border Transfers

In compliance with DPDPA 2026's data localization requirements:

  • Primary Storage: All personal data of Indian users is primarily stored on servers located within India
  • Critical Personal Data: Sensitive health information and financial data are stored exclusively in India
  • Cross-Border Transfers: When necessary (e.g., cloud services, analytics), data transfers to approved countries are protected by Standard Contractual Clauses (SCCs) and encryption
  • Third-Party Compliance: All international service providers (e.g., Meta/WhatsApp) comply with DPDPA 2026 and provide adequate data protection safeguards

5.5 Data Protection Impact Assessments

We conduct regular Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including WhatsApp Business API integration, to ensure compliance and minimize privacy risks.

6. Data Sharing and Disclosure

We may share your information with:

  • Service Providers: Third-party vendors who assist in providing our services (e.g., cloud hosting, analytics, payment processing)
  • WhatsApp/Meta: As required for WhatsApp Business API functionality
  • Legal Authorities: When required by law or to protect our legal rights
  • Business Transfers: In connection with mergers, acquisitions, or asset sales

We do not sell your personal data to third parties. All third-party service providers are contractually obligated to maintain data confidentiality and security.

7. Data Security Measures

7star Medtech Private Limited implements comprehensive, industry-leading security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction.

7.1 Technical Security Controls

  • Encryption: AES-256 encryption for data at rest; TLS 1.3 for data in transit
  • Secure API Routes: All WhatsApp Business API communications (Evolution API and Meta Cloud API) are processed through encrypted, authenticated API endpoints
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and the principle of least privilege
  • Network Security: Firewalls, intrusion detection systems (IDS), and DDoS protection
  • Database Security: Encrypted databases with access logging and query monitoring
  • API Security: API key rotation, rate limiting, webhook signature verification, and OAuth 2.0 authentication

7.2 Organizational Security Measures

  • Employee Training: Regular data protection and security awareness training for all staff
  • Background Checks: Verification of employees with access to sensitive data
  • Confidentiality Agreements: All employees and contractors sign non-disclosure agreements (NDAs)
  • Access Audits: Regular reviews of user access rights and permissions
  • Vendor Management: Security assessments of third-party service providers

7.3 Security Monitoring and Testing

  • 24/7 Monitoring: Continuous monitoring of systems for suspicious activity and security incidents
  • Vulnerability Assessments: Regular security scans and penetration testing
  • Security Audits: Annual third-party security audits and compliance reviews
  • Incident Response: Documented incident response plan with defined escalation procedures
  • Backup and Recovery: Regular encrypted backups with tested disaster recovery procedures

7.4 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms:

  • We will notify the Data Protection Board of India within 72 hours of becoming aware of the breach
  • Affected individuals will be notified without undue delay via email or platform notification
  • Notifications will include the nature of the breach, potential consequences, and remedial measures taken
  • We will provide guidance on steps you can take to protect yourself

Disclaimer: While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but commit to using commercially reasonable efforts to protect your data.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law. Retention periods vary based on data type:

  • Account information: Duration of account plus 12 months
  • WhatsApp message metadata: Up to 12 months
  • Financial records: As required by applicable tax and accounting laws
  • Analytics data: Aggregated and anonymized indefinitely

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance user experience, analyze usage patterns, and improve our services. You can control cookie preferences through your browser settings.

10. Third-Party Links

Our service may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

11. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware of such collection, we will take steps to delete the information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date. Continued use of our services after changes constitutes acceptance of the updated policy.

13. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

7star Medtech Private Limited

Product: GrowGrahak

Website: https://growgrahak.automizemedialabs.com/

Email: privacy@growgrahak.com

Data Protection Officer: dpo@7starmedtech.com

Support: support@growgrahak.com

Registered Office: India

14. Grievance Redressal Mechanism

In accordance with DPDPA 2026, 7star Medtech Private Limited has appointed a dedicated Grievance Officer to address your concerns regarding data processing and privacy:

Grievance Officer

Email: grievance@growgrahak.com

Response Time: Within 72 hours of receipt

Resolution Time: Within 30 days as per DPDPA 2026

If you are not satisfied with our response, you have the right to file a complaint with the Data Protection Board of India.

By using GrowGrahak's services, you acknowledge that you have read, understood, and agree to this Privacy Policy.

GrowGrahak is a product of 7star Medtech Private Limited. For more information, visit https://growgrahak.automizemedialabs.com/