1. Introduction

Omniva Telehealth (“Omniva,” “Company,” “we,” “us,” or “our”), operated by Knovator Technologies Pvt. Ltd., is committed to protecting the privacy and security of personal data. This GDPR Compliance Policy outlines how we collect, process, store, and protect data in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

2. Scope

This policy applies to all users, customers, healthcare providers, and employees interacting with our platform, applications, and services. It covers:

• Data collection and processing practices
• User rights regarding their personal data
• Security measures implemented to safeguard data
• Procedures for handling data breaches
• Third-party processors involved in data processing
• Data retention and deletion policies

3. Data Collection & Processing

Types of Data Collected:

• Personal Information: Name, email, phone, address, date of birth, gender, physician details, pharmacy information.
• Usage Data: IP address, device information, activity logs, navigation patterns.
• Technical Data: Cookies, API logs, error reports, session tracking.
• Healthcare Data: Medical history, vitals, remote monitoring data, goals, mood logs, and communications with healthcare providers.
• Compliance Data: Physician license details, professional insurance information, education history, and patient insurance details.
• Financial Data: Payment transactions, billing details, subscription information.
• Communication Data: Messages exchanged within the platform.

Legal Basis for Processing Data:

• Consent (Article 6(1)(a)) – When users voluntarily provide data.
• Contractual necessity (Article 6(1)(b)) – Processing needed to provide services.
• Legal obligations (Article 6(1)(c)) – Compliance with legal and regulatory requirements.
• Legitimate interests (Article 6(1)(f)) – Business operations, fraud prevention, and platform security.

4. Data Protection & Security Measures

• Access Controls: Role-based access, strong authentication mechanisms, and logging of access activities.
• Encryption: Data encrypted at rest and in transit using industry-standard cryptographic techniques.
• Network Security: Firewalls, intrusion detection systems, secure VPNs.
• Regular Audits: Periodic security assessments, vulnerability testing, and compliance reviews.
• Data Minimization: Collect only necessary data and ensure data anonymization where possible.

5. Data Retention & Deletion Policy

• Retention Periods:
  • User activity logs: 6–12 months.
  • Customer data: Retained during active subscription and deleted within 30–90 days post-termination.
  • Backups: Retained for 30–90 days.
• Deletion Process:
  • Users can request data deletion via the user interface or support.
  • Data is securely erased from live systems within 90 days.
  • Backup data is purged within the same retention period.
  • Customer communication records are retained for 24 months unless legally required for longer periods.

6. Data Transfers & International Compliance

• Omniva stores data in India, utilizing Azure Cloud Central India data centers.
• Where data is transferred outside the EU, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) and ISO 27001 compliance.

7. Data Subject Rights

Under GDPR, individuals have the right to:

• Right to Access (Article 15): Request a copy of personal data held.
• Right to Rectification (Article 16): Correct inaccuracies in personal data.
• Right to Erasure (Article 17): Request deletion of personal data.
• Right to Restriction of Processing (Article 18): Limit processing under certain conditions.
• Right to Data Portability (Article 20): Request transfer of data to another provider.
• Right to Object (Article 21): Object to processing based on legitimate interest.
• Right to Lodge a Complaint: File complaints with the relevant Data Protection Authority.

8. Third-Party Processors & Sub-Processors

We work with the following service providers to process personal data securely:

• AWS S3 – File storage services
• CloudFront – Content distribution for speed and performance
• Microsoft Azure – Hosting and infrastructure services
• Agora – Video and voice call hosting
• Stripe, Razorpay – Payment processing (When selected)
• Firebase – Cross-platform mobile application development
• Amplitude – User behavior tracking and analytics
• Google Apps (Calendar, Analytics, Tag Manager) – Scheduling, tracking, and performance analysis
• Facebook Ads (FCP), Google Ads (GCP) – Advertisement tracking
• Twilio – SMS notifications and OTP services
• Zepto – Zoho, Zoho CRM – Email communication and customer journey tracking
• Zoho Marketing Automation – Promotional and marketing campaigns
• SRFax – Secure document faxing
• ABDM – ABHA user account validation (When selected)
• MongoDB Atlas – Database storage and management
• Make.com – Workflow automation

9. Data Breach Response Plan

• Detection & Containment: Immediate identification of breaches and containment measures.
• Regulatory Reporting: Notification to affected users and regulators within 72 hours.
• Investigation & Remediation: Root cause analysis, resolution, and future mitigation strategies.

10. Cookie & Tracking Policy

We use cookies for essential functionality, performance analytics, and marketing. Users can manage preferences via browser settings or opt-out mechanisms.

11. Payment & Transaction Processing

• Omniva processes payments securely through third-party payment providers.
• Users can review pricing details before scheduling healthcare services.
• All transactions comply with PCI-DSS security standards.

12. Contact Information

For any data protection inquiries, please contact our Data Protection Officer (DPO):

DPO Contact Details:

• Name: Bhavik Chavda
• Email: [email protected]
• Phone: +1 305 600 0455
• Mailing Address: First Floor, Ramakrishna Society, B/45-46, Lambe Hanuman Rd, near Ram Krushna School, Surat, Gujarat 395006

This policy is reviewed periodically to ensure compliance with GDPR and relevant regulations. Users will be notified of significant updates.