Legal

Data Policy

Last updated: 1 April 2025 · DPDP Act 2023 · GDPR · HIPAA · UAE PDPL · Singapore PDPA · Thailand PDPA · Oman PDPL

🇮🇳 DPDP 2023 · 🇪🇺 GDPR · 🇺🇸 HIPAA · 🇬🇧 UK GDPR · 🇦🇪 UAE PDPL · 🇴🇲 Oman PDPL · 🇹🇭 Thailand PDPA · 🇸🇬 Singapore PDPA

1. Data Controller

FertilityConnect India Private Limited is the Data Controller / Data Fiduciary for personal data processed through this Platform.

Data Protection Officer: privacy@fertilityconnect.in
Grievance Officer (DPDP): grievance@fertilityconnect.in
UK/EU Representative: [EU Rep Name & Address]
Response Time: 30 days for all jurisdictions

Where FertilityConnect processes personal data on behalf of clinics (e.g. appointment data passed to a clinic), we act as a Data Processor under GDPR / DPDP Act, and the clinic is the Data Controller / Data Fiduciary for that data. A Data Processing Agreement (DPA) governs this relationship.

2. Data We Collect

We collect the minimum data necessary for our services (data minimisation principle — GDPR Art. 5(1)(c), DPDP S.6).

| Category | Examples | Legal Basis | Retention |
|---|---|---|---|
| Identity Data | Name, email address, phone number, date of birth | Consent (Art. 6(1)(a) GDPR / DPDP S.5) | 3 years from last login or account deletion |
| Health & Fertility Data (Sensitive) | Assessment responses, medical history, diagnosis, treatment history, AMH levels, menstrual data, sperm parameters | Explicit consent (Art. 9(2)(a) GDPR / DPDP S.9 / HIPAA authorisation) | 3 years from collection or consent withdrawal |
| Location Data | City, state, country, approximate GPS (for clinic distance matching) | Consent / Legitimate interest (clinic matching) | Duration of session; city/state stored with account |
| Usage & Technical Data | IP address (pseudonymised), browser type, pages visited, session duration | Legitimate interest (security, analytics) / Consent for non-essential analytics | 13 months (analytics); 90 days (security logs) |
| Booking & Transaction Data | Appointment dates, clinic selected, payment reference (no card data stored) | Contract performance | 7 years (financial records per Companies Act) |
| Communications | Support emails, chat transcripts, feedback submitted | Legitimate interest / Contract performance | 2 years |

3. Health Data — Special Category Processing

Health data receives the highest level of protection under all applicable laws.

🇮🇳 DPDP Act 2023 (India): Sensitive personal data — processed only under explicit consent; special obligations on Data Fiduciary

🇪🇺 GDPR (EU/UK) Art. 9: Special category data — requires explicit consent under Art. 9(2)(a); additional safeguards mandatory

🇺🇸 HIPAA (US): Protected Health Information (PHI) equivalent — HIPAA-standard encryption, access controls, audit trails

🇦🇪 UAE PDPL 2021: Sensitive data — processing requires express consent; health data of residents protected

🇸🇬 Singapore PDPA: Deemed sensitive — enhanced security and access controls required

🇹🇭 Thailand PDPA 2019: Sensitive personal data — explicit consent required; Data Protection Impact Assessment mandatory

Your health data from the fertility assessment is used solely for: (a) generating personalised clinic recommendations; (b) facilitating clinic bookings you initiate; and (c) improving our matching algorithm in anonymised/aggregated form only. We never sell health data. We never share identifiable health data with third parties for advertising purposes.

Pseudonymisation: IP addresses are hashed (SHA-256) before storage. Assessment data is linked to a pseudonymous user ID rather than directly to your name or email.

Consent withdrawal: You may withdraw your consent to health data processing at any time by deleting your account or emailing privacy@fertilityconnect.in. Withdrawal does not affect the lawfulness of processing before withdrawal.

4. How We Use Your Data

We process your data for the following specific, explicit, and legitimate purposes:

  • Clinic matching: Match your assessment profile against verified clinics using our scoring engine. Health data is the primary input. (Explicit consent)
  • Appointment facilitation: Pass booking details to your selected clinic. (Contract performance)
  • Platform communications: Send appointment confirmations, assessment results, and essential service communications. (Contract performance)
  • Safety and fraud prevention: Detect and prevent fraudulent activity, abuse, and security incidents. (Legitimate interest)
  • Legal compliance: Respond to court orders, regulatory requests, or legal obligations. (Legal obligation)
  • Service improvement: Analyse anonymised/aggregated usage patterns to improve matching accuracy. (Legitimate interest)
  • Marketing (optional): Send fertility education content and platform updates — only with your separate opt-in consent, which you can withdraw at any time. (Consent (withdrawable))

We do not: sell personal data; use health data for advertising targeting; share identifiable health data with employers, insurers, or government agencies except where legally required; or use data for purposes materially different from those above without renewed consent.

5. Data Sharing & Third-Party Processors

We share your data with third parties only as necessary and under strict contractual safeguards (Data Processing Agreements where required):

| Recipient | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase (cloud database) | Secure storage | All account and assessment data | India (ap-south-1) |
| Selected fertility clinics | Booking facilitation | Name, contact, appointment details — only on user action | India / Country of clinic |
| Resend / email provider | Transactional email | Email address, name | EU (Resend) |
| Vercel (hosting) | Platform delivery | Anonymised request logs only | Global CDN |
| Analytics (privacy-respecting) | Platform improvement | Anonymised/aggregated usage | EU or India |

We never share personal data with third parties for their own marketing purposes. All processors are contractually bound to GDPR-standard data processing terms.

6. Storage, Security & Technical Measures

We implement appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, alteration, or disclosure:

  • 256-bit AES encryption at rest: All health data encrypted in database
  • TLS 1.3 in transit: All data in transit encrypted end-to-end
  • SHA-256 pseudonymisation: IP addresses hashed before any storage
  • Role-based access control: Only authorised staff can access identifiable data
  • Audit logging: All access to health data is logged (HIPAA § 164.312)
  • Vulnerability scanning: Regular penetration testing and security audits
  • Data minimisation: Only minimum necessary data collected per GDPR Art. 5
  • Incident response plan: Breach notification within 72h (GDPR) / 60 days (DPDP)

Data breach notification: In the event of a personal data breach, we will notify affected users and relevant supervisory authorities within the timeframes required by applicable law: 72 hours under GDPR/UK GDPR; as soon as practicable under DPDP Act 2023; 60 days under HIPAA Breach Notification Rule; 72 hours under UAE PDPL.

7. International Data Transfers

Your data is primarily stored in India. Where data is transferred to or accessed from outside India, we ensure appropriate safeguards are in place:

  • EU/UK transfers: Standard Contractual Clauses (SCCs) under GDPR Art. 46 / UK International Data Transfer Agreements
  • India outbound: Compliant with DPDP Act 2023 and any cross-border data transfer restrictions notified by the Indian government
  • HIPAA transfers: Business Associate Agreements (BAAs) in place with all US-related processors
  • UAE: Data relating to UAE residents is not transferred to jurisdictions lacking adequate protection under UAE PDPL 2021

We do not transfer personal data to countries or territories that have been designated as inadequate or restricted by applicable regulatory authorities in your jurisdiction.

8. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. When retention periods expire, data is securely deleted or irreversibly anonymised.

Key retention periods: Health assessment data — 3 years from collection or consent withdrawal. Account data — 3 years from last active use. Booking records — 7 years (statutory financial records). Security logs — 90 days. Marketing consent records — until withdrawal plus 3 years (legal proof).

Right to erasure: You may request earlier deletion at any time. We will erase your data within 30 days except where retention is legally required (e.g. fraud investigation records, tax records, HIPAA 6-year retention requirement).

9. Your Rights by Jurisdiction

Depending on your jurisdiction, you have the following rights regarding your personal data. To exercise any of these rights, contact privacy@fertilityconnect.in:

| Law | Rights | Response Deadline |
|---|---|---|
| GDPR (EU/UK) | Access, Rectification, Erasure, Restriction, Portability, Object, Not subject to automated decisions | 30 days |
| DPDP Act 2023 (India) | Access (S.11), Correction & Erasure (S.12), Grievance redressal (S.13), Nomination (S.14), Withdraw consent | 30 days |
| HIPAA (US) | Access, Amendment, Accounting of disclosures, Restriction requests, Confidential communications | 30–60 days |
| UAE PDPL (2021) | Access, Rectification, Erasure, Object to processing | 30 days |
| Singapore PDPA (2012) | Access, Correction | 30 days |
| Thailand PDPA (2019) | Access, Data portability, Erasure, Object, Restrict processing, Withdraw consent | 30 days |
| Oman PDPL (2022) | Access, Rectification, Erasure, Object | 30 days |

10. Children's Data

FertilityConnect is intended for adults aged 18 and over. We do not knowingly collect personal data from children under 18.

DPDP Act 2023 (India) S.9: Processing of personal data of children (under 18) requires verifiable parental consent. We implement age-gating mechanisms to prevent minor registration.

GDPR (EU/UK): We do not process personal data of children under 13 (or 16 in some Member States) without verifiable parental consent.

COPPA (US): We do not knowingly collect personal information from children under 13.

If we become aware that we have inadvertently collected personal data from a minor, we will delete it immediately. Parents or guardians who believe their child's data has been collected should contact privacy@fertilityconnect.in.

11. Automated Decision-Making

The FertilityConnect clinic matching engine uses automated processing to generate clinic recommendations from your assessment data. Under GDPR Art. 22, you have the right to request human review of any automated decision that significantly affects you.

The matching score is an informational recommendation only — it does not make or influence medical decisions, deny you access to care, or produce legal effects. You are free to disregard the recommendation and contact any clinic directly.

Under the DPDP Act 2023, we ensure that automated processing of sensitive personal data does not result in unjust outcomes, and we provide a mechanism for users to raise concerns about automated recommendations.

12. Contact Our Data Protection Officer

Raise a Data Request or Complaint

DPO Email: privacy@fertilityconnect.in

Grievance Officer (India — DPDP S.13): grievance@fertilityconnect.in

Response time: 30 days for all requests; 7 days for urgent security matters

EU/UK users may also complain to their national supervisory authority (e.g. ICO in the UK: ico.org.uk)