Privacy Policy

Effective Date: 21st Nov 2022
Last Updated: 02nd June 2025

1. Introduction

Heaps Health Solutions India Private Limited (“Organization”, “we”, “our”, “us”) is committed to protecting the privacy and security of Personal Data entrusted to us.

This Privacy Policy explains how we collect, use, process, disclose, store, and protect Personal Data in accordance with applicable data protection laws and regulations.

Where we process Personal Data on behalf of our clients, we act as a Data Processor and process such data strictly in accordance with the instructions of the relevant Data Controller.

2. Applicability

This Policy applies to all individuals whose Personal Data is processed by Organization, including:

  • Employees, contractors, and associates
  • Clients and their representatives
  • End customers
  • Vendors and third-party partners
  • Website visitors
  • Individuals located within or outside India

“Processing” includes collecting, recording, organizing, structuring, storing, adapting, retrieving, consulting, using, transferring, disclosing, restricting, erasing, or destroying Personal Data.

3. Purpose of Processing

We process Personal Data for purposes including:

  • Delivering contracted services
  • Managing business relationships
  • Ensuring regulatory compliance
  • Managing employees and associates
  • Maintaining system security and preventing fraud
  • Responding to data subject requests
  • Improving services and operations

We process Personal Data only for legitimate, specified purposes and limit use to what is necessary.

4. Types of Personal Data Collected

We may process:

  • Identification information (name, contact details, ID numbers)
  • Professional information
  • Account and transactional data
  • Technical data (IP address, device information, logs)
  • Sensitive Personal Information (where applicable and legally permitted)

Sensitive Personal Information may include health data, biometric data, or other data categories defined under applicable law.

5. Legal Basis for Processing

Depending on the context, processing may be based on:

  • Consent
  • Contractual necessity
  • Legal obligation
  • Legitimate business interests
  • Instructions from Data Controllers (where acting as Processor)

6. Notice and Consent

Where required by law, we provide notice prior to collecting Personal Data and obtain consent where applicable.

If we collect Personal Data directly from individuals, we:

  • Provide clear privacy notices
  • Obtain valid consent where required
  • Respect withdrawal of consent
  • Provide access and correction mechanisms

Where we act as a Data Processor, consent responsibilities remain with the Data Controller unless otherwise agreed.

7. Data Minimization and Use Limitation

We collect only Personal Data necessary for specified purposes and do not use it beyond those purposes without lawful basis.

8. Data Subject Rights

Subject to applicable laws, individuals may have the right to:

  • Access their Personal Data
  • Correct inaccurate data
  • Request deletion or restriction
  • Object to processing
  • Withdraw consent
  • Request data portability

Requests may be submitted to:
Email: dpooffice@heaps.ai

We respond within legally prescribed timelines.

9. Security of Personal Data

We implement appropriate technical and organizational safeguards to protect Personal Data against unauthorized access, loss, misuse, alteration, or disclosure.

Security measures include:

  • Encryption and secure communication protocols
  • Access controls and authentication mechanisms
  • Firewalls and anti-malware systems
  • Logging and monitoring
  • Data masking and pseudonymization (where applicable)
  • Physical security controls
  • Confidentiality agreements for personnel

All personnel are required to maintain strict confidentiality.

10. Data Masking and Protection

Sensitive data may be protected through:

  • Encryption
  • Tokenization
  • Pseudonymization
  • Masking in non-production environments
  • Restricted visibility based on role

Masking techniques are reviewed periodically for effectiveness.

11. Disclosure to Third Parties

We may disclose Personal Data to:

  • Service providers and vendors
  • Regulatory authorities (where legally required)
  • Clients (where contractually required)

All third parties are subject to confidentiality and data protection obligations.

Due diligence is conducted before onboarding third parties.

12. Cross-Border Data Transfers

Personal Data may be transferred to jurisdictions outside India or outside the country of origin.

Where such transfers occur, we implement appropriate safeguards to ensure adequate protection in accordance with applicable law.

13. Retention and Disposal

We retain Personal Data only as long as necessary for:

  • Business purposes
  • Legal and regulatory obligations
  • Contractual requirements

When no longer required, data is securely deleted or anonymized.

14. Privacy Incident Management

We maintain procedures for identifying, reporting, and managing privacy incidents.

In case of a data breach, we will:

  • Assess impact
  • Notify relevant authorities where required
  • Inform affected individuals where legally mandated

Privacy incidents may be reported to:
Email: dpooffice@heaps.ai

15. Privacy Governance

We have appointed a Data Protection Officer (DPO) responsible for:

  • Monitoring compliance
  • Acting as a point of contact for data subjects
  • Advising management
  • Overseeing privacy risk assessments
  • Coordinating data protection impact assessments

DPO Contact Details:
Email: dpooffice@heaps.ai

16. Privacy Assessments

We conduct:

  • Personal Information inventory
  • Data Protection Impact Assessments (DPIA)
  • Periodic privacy compliance reviews

17. Training and Awareness

All personnel handling Personal Data receive periodic privacy and security awareness training.

18. Accountability

Organization is accountable for compliance with applicable privacy laws and implements policies, procedures, and controls to demonstrate such compliance.

19. Changes to this Privacy Policy

We may update this Privacy Policy periodically.
Any changes will be published on this page with an updated revision date.

20. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your Personal Data, please contact:

Data Protection Officer (DPO)
Email: dpooffice@heaps.ai

Connect With Us
Facebook Twitter Youtube Instagram Linkedin
What We Do
Company
  • All Rights Reserved. Copyright 2026 HEAPS HEALTH SOLUTIONS INDIA PRIVATE LIMITED.