Data Processing Agreement
For Clinic Partners | Last Updated: February 18, 2026
1. Parties
- Data Fiduciary (Controller): Health Companion 360 Private Limited ("HC360")
- Data Processor (Sub-Processor): Registered clinic entities on the platform ("Clinic")
This DPA is incorporated into and forms part of the Terms of Service between HC360 and the Clinic.
2. Definitions
- Patient Data — Personal data of patients submitted through the HC360 platform, including name, phone number, symptoms, and inquiry details
- Processing — Any operation performed on Patient Data, including access, use, storage, and disclosure
- Purpose — Responding to patient healthcare inquiries and providing medical services
3. Patient Data Shared with Clinics
When a patient submits an inquiry to your clinic, HC360 shares the following data with your clinic:
- Patient's full name
- Patient's phone number
- Patient's email address (if provided)
- Reported symptoms or health concern
- Message/additional details
- Timestamp of inquiry
Importantly: The patient has explicitly consented to this data sharing before submitting the inquiry.
4. Clinic Obligations as Data Processor
By registering on HC360 and accepting patient inquiries, you agree to:
4.1 Legal Compliance
- Process Patient Data only for the purpose of responding to the inquiry and providing healthcare services
- Comply with the DPDP Act 2023 and all applicable healthcare data regulations
- Maintain appropriate privacy notices for patients
4.2 Data Security
- Implement appropriate technical and organizational security measures
- Restrict access to Patient Data to staff who need it for the stated purpose
- Not share Patient Data with unauthorized third parties
- Report any data breaches to HC360 within 72 hours of discovery
4.3 Data Retention and Deletion
- Retain Patient Data only as long as necessary for the stated purpose or as required by law
- Securely delete Patient Data upon request from the patient or HC360
- Not use Patient Data for marketing or solicitation without separate explicit consent
4.4 Patient Rights
- Respond to patient requests to access, correct, or delete their data within 30 days
- Forward data subject requests received to HC360 if they relate to HC360's processing
5. HC360 Obligations
- Obtain valid patient consent before sharing data with clinics
- Provide secure infrastructure for data transmission
- Maintain audit logs of all data sharing events
- Notify clinics of material changes to this DPA with 30 days' advance notice
- Provide clinics with tools to view and manage patient inquiries securely
6. Sub-Processors
HC360 uses the following sub-processors to provide the service:
- OpenAI — AI symptom classification (anonymized queries only)
- Redis/Upstash — Response caching
- PostgreSQL/Supabase — Data storage
- MSG91 — SMS notifications
- Razorpay — Payment processing
- Vercel — Application hosting
7. Data Breach Notification
In case of a data breach:
- Clinics must notify HC360 within 72 hours of discovering a breach
- HC360 will notify affected patients and the Data Protection Board as required by law
- Both parties will cooperate in investigation and remediation
8. Termination
Upon termination of your clinic account:
- You must cease using Patient Data received through HC360
- Delete all Patient Data received through HC360 within 30 days
- Provide written confirmation of deletion upon request
9. Governing Law
This DPA is governed by Indian law. Disputes will be resolved per the arbitration clause in the Terms of Service.
10. Acceptance
By registering your clinic on HC360 and checking the DPA acceptance checkbox, you agree to this Data Processing Agreement on behalf of your clinic entity.
11. Contact
- DPA Queries: legal@healthcompanion360.in
- Data Breach Reports: security@healthcompanion360.in
- Patient Data Requests: privacy@healthcompanion360.in
Compliant with DPDP Act 2023 (India). Health Companion 360 Private Limited.