MERLIN HEALTH

Privacy Policy

Merlin Health (“Merlin Health”, “we”, “our”, “us”) takes your privacy very seriously. We are committed to protecting the confidentiality of your personal data. We do this in a way that follows international standards and the laws of India.

This privacy policy outlines how we handle your personal data. Here, we explain how we collect, use, disclose, and safeguard your personal data when you engage with our services.

1. PERSONAL DATA COLLECTION

A. Data Collection Overview

We collect your personal data in two primary ways:

1.1 Voluntary Submission

When you book an appointment through our website, you may voluntarily provide personal information, such as your email address and contact number.

1.2 Automatic Data Collection

When you access our website, certain personal data is automatically generated or recorded. This includes:

  • Device Information: We collect details about your device, including its type, operating system, settings, unique identifiers, and crash data. This information helps us ensure optimal functionality and display of our website on your device.
  • Log Data: When you access our website, our servers automatically record certain personal data sent by your browser. This log data may include your IP address, browser type and settings, operating system, referring web page, pages visited, location, search terms, and cookie data.
  • Cookie Data: We may use “cookies”—small text files unique to your browser—when you access our services. These cookies help us record log data, analyze trends, gather demographic information, and track your navigation on our website.

Additional Information We May Collect:

  • Behavioral Information: We may collect data on how you use the website, including usage statistics, traffic patterns, access times, and locations.
  • Customer Support Data: When you contact us for support via email, phone, or other tools on the website, we may gather information about your identity and maintain records of your communications with our support staff. This data helps us monitor and improve service quality.
  • Sensitive Personal Data (SPDI): We may collect sensitive information related to your health, including clinical assessments, care plans, records of communication with you, and details from telephone conversations.

While we automatically collect log data, cookie data, device information, demographic information, and behavioral information when you use the website, you also provide additional data—such as SPDI, email address, and contact number—voluntarily. By sharing this information, you consent to our collection, storage, processing, transfer, and disclosure of your data in accordance with this Privacy Policy.

B. Purpose of Data Collection

We at Merlin Health collect and process your personal data to deliver the best possible care. This enables us to:

  • Confirm your identity and contact details
  • Make informed decisions regarding your ongoing care and treatment
  • Provide our staff with accurate, up-to-date information to assess your needs and enhance your care
  • Investigate complaints, claims, and incidents effectively

2. TO WHOM DO WE SHARE YOUR DATA?

We may share your personal information under the following circumstances:

  • With Service Providers: We may share your data with third-party service providers who help us operate our platform, process payments, or deliver services. These providers are obligated to protect your information and use it solely for the intended purposes.
  • For Legal Compliance: We may disclose your information as required by law or in response to valid requests from public authorities, including compliance with applicable laws and legal processes.
  • In Emergency Situations: We may share your data if we believe it is necessary to prevent physical harm, financial loss, or to assist in investigations of suspected illegal activity.
  • Business Transfers: In the event of a merger, acquisition, or sale of our assets, your personal information may be transferred as part of that transaction.

3. HOW LONG DO WE RETAIN YOUR DATA?

TO WHOM DO WE SHARE YOUR DATA?

We retain your personal information only as long as necessary to fulfill the purposes for which it was collected, in accordance with our legitimate business interests and applicable laws. In some cases, we may retain information longer to meet legal, tax, and accounting requirements set by industry or government authorities.

To determine the appropriate retention period, we consider various factors, including the nature and sensitivity of the data, potential risks of unauthorized access or disclosure, the feasibility of achieving our objectives through other means, and our legal obligations.

Once your personal information is no longer needed, we will either delete or de-identify it. If deletion or de-identification is not possible, we will securely store the information and limit its processing until it can be properly deleted or de-identified.

4. EXTERNAL LINKS CAUTION

When accessing our website, please exercise caution before clicking on any third-party or external links. We have no control over services provided by entities other than us and are not responsible for any collection or disclosure of your information by these third parties.

Your use of external links is subject to the terms of use and privacy policies of those websites. We disclaim all liability for any losses incurred from accessing these external links or from third parties collecting and disclosing your information.

5. DATA SECURITY

  • Protection Measures: We prioritize the security, integrity, and confidentiality of your information. We have implemented technical, administrative, and physical security measures to protect against unauthorized access, disclosure, use, and modification. Our security procedures are regularly reviewed to incorporate new technologies and methods.
  • Limitation of Liability: While we take reasonable precautions to safeguard your personal data, you agree not to hold us liable for any loss or damage resulting from unauthorized access beyond our control, such as hacking or cybercrimes.
  • No Guarantees: We do not guarantee that your use of our systems or platform is completely safe from malware or other vulnerabilities. Additionally, we cannot ensure the security of the data you choose to send us electronically; doing so is at your own risk.
  • Disclosure to Authorities: We may be required to share your information with government authorities for identity verification or to assist in the prevention, detection, and investigation of cyber incidents and other offenses. By using our website, you consent to such disclosures as required by applicable law in accordance with this Privacy Policy.

6. RIGHTS UNDER THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (DPDP Act)

  • Right of Access. Under Section 11 of the DPDP Act, Data Principals have the right to access information about their personal data being processed. This includes a summary of the data, the purposes of processing, and details about any other Data Fiduciaries or Data Processors with whom their data is shared.
  • Right to Correction. As per Section 12(1) of the DPDP Act, Data Principals can request corrections to their personal data if it has become inaccurate or if there were errors during its initial collection.
  • Right to Erasure. Section 12(1) also grants Data Principals the right to request the correction, completion, updating, or erasure of their personal data that they previously consented to have processed.
  • Right to Withdraw Consent: According to Section 6(4) of the DPDP Act, Data Principals can withdraw their consent at any time, and this process should be as straightforward as giving consent. Section 6(7) allows Data Principals to manage their consent through a Consent Manager.
  • Right to Object to Marketing: Section 6(4) specifies that consent given by Data Principals is limited to specific purposes. Therefore, if their data is used for marketing activities, including targeted advertising, they have the right to object.
  • Right of Grievance Redressal: Under Section 13(1) of the DPDP Act, Data Principals can utilize grievance redressal mechanisms provided by the Data Fiduciary or Consent Manager for any issues related to their personal data handling. If dissatisfied with this process, they may escalate their complaint to the Data Protection Board as outlined in Section 13(3).
  • Right to Nominate: Section 14(1) introduces a unique provision allowing Data Principals to nominate another individual to exercise their rights in case of death or incapacity.

7. CHILDREN’S PRIVACY

Children under the age of eighteen (18) are not permitted to access the Site. We also do not intentionally collect personal information from children. If you become aware or suspect that a child under eighteen is using the Site, please contact us immediately. We will take swift action to delete any personal information associated with that child.

Processing of Children’s Data under the DPDP Act

  • Section 9(1) of the DPDP Act states that before processing children’s personal data, the Data Fiduciary must obtain verifiable consent from the parent or lawful guardian.
  • Further, Section 9(2) clarifies that the Data Fiduciary shall not undertake any processing of personal data that is likely to have a detrimental effect on the well-being of a child.
  • Section 9(3) prohibits the tracking or behavioral monitoring of children or targeted advertising directed at children.

8. YOUR DATA PROTECTION RIGHTS UNDER THE GENERAL DATA PROTECTION REGULATION (GDPR)

If you are a resident of the European Union (EU) or European Economic Area (EEA), you have specific data protection rights under the GDPR.

In certain circumstances, you have the following rights:

  • Right of Access. You can access, update, or delete the information we hold about you.
  • Right to Rectification. You have the right to correct any inaccurate or incomplete information.
  • Right to Object. You can object to our processing of your personal data.
  • Right to Restriction. You can request that we limit the processing of your personal information.
  • Right to Data Portability. You have the right to receive a copy of your personal data in a structured, commonly used format.
  • Right to Withdraw Consent. You can withdraw your consent at any time if we rely on it to process your personal information.

Please be aware that we may need to verify your identity before responding to these requests. Additionally, some necessary data may be required for us to provide our services.

You also have the right to lodge a complaint with a Data Protection Authority regarding our collection and use of your personal data. For more information, please contact your local data protection authority in the EEA.

9. ADDITIONAL U.S. STATE PRIVACY DISCLOSURES

For residents of California, Colorado, Connecticut, Montana, Nevada, Oregon, Texas, Utah, and Virginia: These Additional U.S. State Privacy Disclosures (“U.S. Disclosures”) enhance our Privacy Policy by providing further details about our personal data processing practices for individuals in these states. For a comprehensive overview of how we collect, use, disclose, and process personal data in connection with our services, please refer to our Privacy Policy. Unless otherwise specified, all terms defined in our Privacy Policy have the same meaning in these U.S. Disclosures.

Your Privacy Choices

Depending on your jurisdiction and applicable privacy laws, you may have some or all of the following rights regarding your personal data:

  • Right of Access. You may request a copy of the personal data we hold about you.
  • Right to Portability. In certain circumstances, you may have the right to receive a copy of your personal data in a structured, commonly used, machine-readable format or to request its transfer to another entity.
  • Right to Rectification. You may request the correction of any inaccurate or incomplete personal data we hold about you.
  • Right to Deletion. You may request the deletion of your personal data in certain circumstances.
  • Right to Restriction. You may request to limit the purposes for which we process your personal data.
  • Right to Opt-Out. You may have the right to opt-out of certain processing activities, including the use of your personal data for targeted advertising or the “selling” or “sharing” of your data with third parties.
  • Right to Control Automated Decision-Making. You may request that we refrain from using automated decision-making or profiling for specific purposes.
  • Right to Withdraw Consent. If you have consented to the processing of your personal data, you can withdraw that consent at any time. Withdrawal will not affect the legality of our prior use of your data.
  • Right to Appeal. If we deny your request to exercise any of your rights, you have the right to appeal our decision. If your appeal is rejected, you may file a complaint with your state attorney general.
  • Right to Nondiscrimination. You have the right to be free from retaliatory or discriminatory treatment when exercising your rights. However, exercising these rights may lead to changes in pricing, rates, or service quality if such changes are reasonably related to the impact of your request and permitted by law.

10. SPECIFIC RIGHTS FOR RESIDENTS OF CALIFORNIA

This section applies only to individuals residing in California and should be read alongside our entire Privacy Policy. As a California resident, you have the right to:

  • Obtain additional information about your “personal information” as defined by the California Consumer Privacy Act (CCPA).
  • Request disclosure of certain information we collect, use, disclose, and sell about you.
  • Request the deletion of your personal information.
  • Opt out of the sale of your personal information.

These rights pertain to information that can be reasonably linked to you, excluding data that cannot be associated with you.

11. DISCLAIMER

As a user of the platform, you assume all responsibility and risk associated with your use of the platform, the internet, and any information you post or access, as well as your conduct both on and off the platform.

12. INDEMNITY

You agree to indemnify us against any claims or disputes from third parties arising from your disclosure of information to them, whether through our platforms or otherwise, and from your use of third-party websites, applications, and resources. We are not liable for any actions taken by third parties regarding your information or personal data that you have shared with them.

13. CHANGES TO THE PRIVACY POLICY

We may update this Privacy Policy periodically. Any changes will be posted on the site, and we encourage you to review it whenever you use our services.

14. CONTACT US

If you have any questions or concerns regarding this Privacy Policy or our data practices, you may contact us by clicking the “Contact Us” button on our website. We are here to assist you and will respond to your inquiries as promptly as possible.