Privacy Policy

NEXTBIG Healthcare Private Limited (inticure)

This Privacy Policy is published in compliance with, inter alia, Section 43A and Section 72A of the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the Digital Personal Data Protection Act, 2023, together with all other Applicable Law.

PRIVACY POLICY

This Privacy Policy ("Privacy Policy") is issued by NEXTBIG HEALTHCARE PRIVATE LIMITED, a company incorporated under the Companies Act, 2013, having its registered office at Gopala Complex, 1st Floor, No. 45/3, Residency Road, Bangalore - 560025, Karnataka, India, operating under the brand name "inticure" and marketed as "India's First Medical Center for Relationship Health" (hereinafter referred to as the "Company", "inticure", "We", "Our" or "Us").

This Privacy Policy shall be read in conjunction with the Terms of Use, the Telehealth Consent, the Services Agreement, and the Cancellation and Refund Policy (collectively, the "Governing Documents").

By accessing, visiting, registering on, or using the Platform, or by otherwise availing any Services, You acknowledge that You have read, understood and accepted the terms of this Privacy Policy, and consent to the collection, storage, use, processing, transfer and disclosure of Your information in the manner set out herein.

IF YOU DO NOT AGREE TO BE BOUND BY THIS PRIVACY POLICY, YOU ARE REQUESTED NOT TO ACCESS OR USE THE PLATFORM OR AVAIL ANY SERVICES.

1. DEFINITIONS

1.1. Incorporation of Terms

Unless otherwise defined herein, capitalized terms shall have the meaning ascribed under the Terms of Use.

1.2. Privacy-Specific Definitions

For the purposes of this Privacy Policy:

(a) "Personal Information" or "Personal Data"

means information relating to a natural person (Data Principal), which, either directly or indirectly, in combination with other information available or likely to be available with the Company, is capable of identifying such person. This includes but is not limited to:

  • Name, age, gender, date of birth
  • Email address, phone number, contact details
  • Residential address, billing address
  • IP address, device identifiers, location data
  • Account credentials, user ID

(b) "Sensitive Personal Data or Information" ("SPDI")

includes information that requires heightened protection and consent, specifically:

  • Passwords and account security credentials
  • Financial information such as bank account details, credit/debit card numbers, or other payment instrument details
  • Physical, physiological, and mental health condition and history
  • Sexual orientation, sexual health information, intimate relationship details
  • Medical records, diagnoses, treatment histories, prescriptions
  • Consultation recordings, clinical notes, and health assessments
  • Biometric information (if collected)
  • Information received under lawful contract or otherwise
  • Visitor details provided at registration or thereafter
  • Call, communication, and consultation data records
  • Quiz responses and wellness assessment results

(c) "Applicable Law"

means all laws, rules, regulations, guidelines, circulars, and notifications in force in India, including but not limited to:

  • • Digital Personal Data Protection Act, 2023
  • • Information Technology Act, 2000
  • • Indian Medical Council regulations

(d)-(g) Key Terms

Data Fiduciary: The Company

Data Principal: You, the User

Data Processor: Third-party service providers

Processing: Any operation on Personal Data

2. COLLECTION OF INFORMATION

2.1. Information You Provide Directly

The Company collects, receives, stores, and processes Personal Information and SPDI when:

(a) Registration and Account Creation:

Full name, age (confirmation of 18+ requirement), gender, email address, mobile number, WhatsApp number, password, location/country of residence, profile photograph (optional).

(b) Booking and Consultation Services:

Medical history, symptoms, health concerns, sexual health information, reproductive health history, mental health status, relationship concerns, current medications, allergies, previous treatments, family medical history, lifestyle information, prescriptions, medical reports, diagnostic test results, consultation preferences, specialist selection.

(c) Quiz and Assessment Tools:

Responses to "Relationship Health Score," "Vibe Check," or similar wellness questionnaires. Self-reported relationship patterns, intimacy concerns, general wellness indicators. Note: Quiz data collection is minimal and responses are used only for generating automated results and suggesting consultations.

(d) Communication with Practitioners:

All information shared during audio, video, or chat consultations. Questions asked, symptoms described, concerns raised, follow-up communications and inquiries.

(e) Payment Information:

Billing name and address, payment method type (credit card, debit card, UPI, etc.). Note: Actual payment card numbers, CVV codes, and banking credentials are NOT stored by the Company; they are processed exclusively by third-party payment gateways (Stripe, Razorpay).

(f) Wellness Services Information:

For Tarot/Astrology services: Date of birth, time of birth, place of birth, specific questions or concerns. For coaching services: Goals, challenges, preferences.

(g) Voluntary Submissions:

Feedback, reviews, testimonials, customer support inquiries, complaints, grievances, survey responses, research participation, any other information You voluntarily provide.

2.2. Information Collected Automatically

(a) Device and Technical Information

  • • IP address and geolocation data
  • • Device type, model, OS, browser
  • • Unique device identifiers
  • • Screen resolution, time zone
  • • Internet Service Provider

(b) Usage and Behavioral Data

  • • Pages visited, features used
  • • Navigation patterns, click-through rates
  • • Search queries, filters applied
  • • Booking patterns, consultation frequency
  • • Email open rates, SMS delivery status

(c) Cookies and Similar Technologies

Session cookies, persistent cookies, analytics cookies (Google Analytics), marketing cookies (if consent provided).

Users can manage cookie preferences through browser settings, though disabling certain cookies may impact Platform functionality.

2.3. Information from Third-Party Sources

The Company may receive information about You from lawful third-party sources, including:

Payment Processors

Transaction confirmation, payment status, billing address verification, fraud detection indicators.

Authentication Services

Sign in with Google/Facebook: basic profile information (name, email, profile photo).

Analytics & Marketing

Aggregated demographic insights, campaign performance metrics, anonymized user behavior patterns.

2.4. Special Categories: Minors

The Platform is strictly for individuals 18 years of age or older. The Company does NOT knowingly collect Personal Information or SPDI from minors (persons under 18 years).

If the Company discovers that a minor has provided information or accessed Services:

  • The account will be immediately terminated
  • All data will be promptly deleted from systems
  • Parents/guardians will be notified if contact information is available
  • No refunds will be provided

If You are a parent/guardian and believe Your child has provided information to the Platform, please immediately contact don.thomas@inticure.com with subject line "MINOR DATA DELETION REQUEST".

2.5. Collection via Direct Booking Channels

Multiple Booking Methods:

We facilitate consultations through both our Platform (www.inticure.com and mobile applications) and direct booking channels (email, WhatsApp, telephone, SMS, or other direct communication).

Data Collected via Direct Booking:

When You book consultations via email, WhatsApp, SMS, telephone, or other direct communication channels (without accessing our Platform), we collect and process:

(a) Contact Information

Email address, mobile phone number / WhatsApp number, any other contact details You provide

(b) Personal Information

Name, Age (minimum 18 years required), Location / Country, Demographic information

(c) Health Information

Medical history and health information shared during consultation, Consultation notes and records, Practitioner assessments and recommendations, Treatment information

(d) Financial Information

Payment information, Transaction details, Billing information

(e) Technical Information

IP address, Device information, Video call connection data (metadata only, not recordings), Google Meet session data (temporary, not stored)

(f) Communication Records

Email communications, WhatsApp messages, SMS messages, Telephone call records, Any other communications with us

Recording Policy:

Current Practice: We do NOT record consultations to respect patient privacy and comfort, particularly for sensitive relationship and sexual health consultations.

If we implement recording in the future, we will:

  • • Provide advance notice to all users
  • • Obtain explicit consent before any recording
  • • Update this Privacy Policy accordingly
  • • Provide option to decline recording

Consent for Data Collection:

For direct bookings (email, WhatsApp, telephone, etc.), Your consent to data collection and processing is obtained through:

  • • Your participation in the booking process
  • • Your receipt of our confirmation message containing links to this Privacy Policy
  • • Your participation in the Consultation
  • • Your explicit consent statements during the consultation

By participating in a Consultation booked via direct channels, You confirm You have received, reviewed, and consent to this Privacy Policy with the same legal effect as if You had clicked "I Consent" on our Platform.

3. USE OF INFORMATION

3.1. Lawful Basis for Processing

(a) Contractual Necessity

Performance of contract between You and the Company

(b) Explicit Consent

Specific, informed, unambiguous consent for SPDI

(c) Legitimate Business Interests

Provided such interests do not override Your rights

(d) Legal Obligations

Compliance with Telemedicine Guidelines, tax laws, etc.

(e) Vital Interests

Protect Your life or health in emergency situations

3.2. Purposes of Data Processing

(a) Service Provision and Administration

Facilitating registration, account management, login; enabling booking, scheduling, conducting Consultations; connecting Users with Practitioners; processing payments; customer support; sending confirmations, reminders, joining links.

(b) Medical and Clinical Purposes

Creating and maintaining electronic health records (EHR); enabling Practitioners to provide diagnoses, treatment, prescriptions; facilitating continuity of care; generating medical documentation; storing consultation recordings for medico-legal protection.

(c) Geographic and Pricing Verification

Determining User location (India vs. International) for pricing purposes; verifying jurisdiction for regulatory compliance; detecting location misrepresentation or VPN usage for fraud prevention; applying appropriate currency and payment gateway routing.

(d) Quiz and Assessment Tools

Processing quiz responses to generate Relationship Health Scores or Vibe Check results; providing automated wellness insights and consultation suggestions; temporarily displaying results (not permanently stored unless consented).

(e) Quality Assurance and Improvement

Monitoring and evaluating Practitioner performance; conducting quality audits and compliance checks; identifying areas for service improvement; training and professional development.

(f) Research and Analytics (Anonymized/Aggregated)

Conducting medical research, public health studies, or clinical trials (with anonymized data); generating statistical insights on health trends, treatment outcomes; business intelligence, market research; platform optimization.

(g) Communication and Marketing

Sending transactional communications (booking confirmations, payment receipts); providing service updates, new features, policy changes; promotional communications (with consent); surveys and feedback requests.

(h) Legal and Regulatory Compliance

Complying with Telemedicine Practice Guidelines, 2020; meeting AYUSH regulatory requirements; fulfilling data protection obligations under DPDP Act, 2023; responding to court orders, government requests; maintaining records; preventing fraud.

(i) Security and Fraud Prevention

Detecting and preventing fraudulent transactions, account takeovers; identifying location manipulation, chargeback abuse; protecting against cyber attacks, data breaches; ensuring Platform security.

3.3. Consent Withdrawal

You have the right to withdraw consent for processing SPDI at any time by emailing don.thomas@inticure.com with subject "DATA PROCESSING CONSENT WITHDRAWAL".

However, please note:

  • • Withdrawal does not affect lawful processing conducted prior to withdrawal
  • • Withdrawal may result in inability to provide certain Services
  • • The Company may retain data where required by law
  • • Withdrawal does not apply to processing based on legal obligations or contractual necessity

4. DISCLOSURE AND SHARING OF INFORMATION

4.1. Sharing with Practitioners

Personal Information and SPDI are shared with the specific Practitioner(s) You book for Consultation on a strict need-to-know basis necessary for clinical care. Practitioners have access to Your medical history, symptoms, concerns, previous consultation notes, prescriptions, and relevant health information.

Practitioners are bound by confidentiality obligations, professional codes of conduct, and Privacy Policy compliance requirements.

4.2. Sharing with Company Personnel

Personal Data may be accessed by authorized Company employees, officers, and contractors under strict confidentiality obligations for technical support, customer service, quality assurance, security, and legal compliance purposes.

4.3. Third-Party Service Providers (Data Processors)

(a) Payment Gateways

Stripe: International payments, PCI-DSS compliant

Razorpay: Indian payments, RBI compliant

Purpose: Payment processing, fraud detection

(b) Video Conferencing

Google Meet/Workspace: Real-time video/audio communication

Purpose: Facilitate video Consultations

Users expressly consent to Google Meet usage with understanding of international data processing.

(c) Cloud Storage

DigitalOcean/AWS: Servers for Platform hosting and data storage

Data Localization: All medical and health data stored on servers physically located in India

(d) Communication Services

SMS Gateways, Email Service Providers

Purpose: Appointment reminders, OTP verification, transactional emails

4.4. Data Processing Agreements (DPAs)

The Company has executed or is in the process of executing Data Processing Agreements with all third-party processors to ensure DPDP Act, 2023 compliance, appropriate security measures, limited data usage, confidentiality obligations, and data breach notification procedures.

4.5. Disclosure for Legal and Regulatory Purposes

The Company may disclose Personal Information and SPDI to governmental authorities, law enforcement, regulatory bodies, and in connection with legal proceedings as required by applicable law, court orders, or for the protection of public health and safety.

4.6. Business Transfers

In the event of merger, acquisition, consolidation, sale of assets, bankruptcy, or corporate restructuring, Your Personal Information may be transferred to successor entities or acquirers, subject to equivalent or stronger privacy protections and notification to Users.

4.7. Anonymized and Aggregated Data

The Company may freely use, share, and disclose anonymized or aggregated data that does not identify individual Users for statistical health trends, treatment outcomes, platform usage patterns, research findings, clinical insights, and marketing materials.

4.8. What the Company Does NOT Do

The Company will NEVER:

  • Sell Your Personal Information or SPDI to third parties for commercial purposes
  • Share Your data with advertisers for targeted advertising without consent
  • Disclose Your medical information to employers, insurance companies, or family members without Your authorization
  • Use SPDI for purposes incompatible with those disclosed in this Privacy Policy
  • Transfer data outside India except as expressly stated (Google Meet, payment gateways)

5. DATA STORAGE, RETENTION, AND SECURITY

5.1. Data Localization - India Storage

All medical records, health data, and SPDI are stored and maintained exclusively on servers physically located within the territory of India.

This includes:

  • • Electronic health records (EHR)
  • • Consultation recordings and notes
  • • Prescriptions and medical documents
  • • Medical history and clinical data
  • • Sexual and mental health information
  • • Quiz responses and wellness assessments

5.2. International Data Processing - Limited Exceptions

(a) Google Meet

Video Consultation data temporarily processed on Google's international servers during live transmission. Permanent storage exclusively in India.

(b) Payment Gateways

Stripe (USA/Europe servers), Razorpay (primarily India). Payment card details NEVER stored by Company.

5.3. Data Retention Periods

Data CategoryRetention Period
Medical RecordsMinimum 3 years (Telemedicine Guidelines)
Account DataActive account + 6 months after deletion
Payment Transactions7 years (tax compliance)
Communication Records2 years for customer service
Quiz ResponsesTemporary, deleted unless consented

5.4. Data Security Measures

(a) Technical Safeguards

  • • TLS/SSL 256-bit encryption
  • • AES-256 encryption at rest
  • • Role-based access control
  • • Multi-factor authentication
  • • Firewalls, IDS/IPS

(b) Administrative Safeguards

  • • Data protection policies
  • • Employee training
  • • Confidentiality agreements
  • • Incident response plan
  • • Vendor management

(c) Physical Safeguards

  • • Restricted physical access
  • • Biometric authentication
  • • Video surveillance
  • • Environmental controls
  • • Backup power/disaster recovery

6. CROSS-BORDER DATA TRANSFERS

6.1. Consultations Deemed to Occur in India

All Consultations with Registered Medical Practitioners (RMPs) and AYUSH Practitioners are deemed to occur exclusively within the territory of India, regardless of User's physical location.

6.5. User Consent and Waiver

By using the Platform, especially if accessing from outside India or booking international Practitioners, You expressly consent to cross-border data transfers as described in this Privacy Policy.

You acknowledge that such transfers are preconditions for service delivery and the Company cannot fully guarantee compliance with all foreign data protection laws.

7. USER RIGHTS UNDER DPDP ACT, 2023

Your Rights:

  • Right to Access
  • Right to Correction
  • Right to Data Portability
  • Right to Erasure/Deletion
  • Right to Withdraw Consent
  • Right to Grievance Redressal
  • Right to Nominate
  • Right to Be Informed of Data Breach

Limitations to Deletion:

Medical records CANNOT be deleted for 3 years from last consultation due to Telemedicine Practice Guidelines, 2020 requirements and medico-legal obligations.

Tax records: 7 years retention.

7.2. Exercising Your Rights

All requests to exercise Data Principal rights must be submitted to:

Email: don.thomas@inticure.com
Subject: "DATA PRINCIPAL RIGHTS REQUEST: [Specify Right]"

Response Timeline: Acknowledgment within 48 hours, substantive response within 30 days.

8. INTERNATIONAL USERS AND CONFLICTING LAWS

8.1. Primary Governance: Indian Law

This Privacy Policy and all data processing activities are governed by Digital Personal Data Protection Act, 2023 (India), Information Technology Act, 2000, and Indian medical and healthcare regulations.

8.3. Conflicting Requirements - Resolution Hierarchy

Priority Order:

  1. Mandatory Indian Law
  2. DPDP Act, 2023 and IT Act requirements
  3. Contractual obligations under Terms of Use
  4. Foreign law (to extent compatible with above)
  5. Best efforts basis for foreign requests not legally required

Example: GDPR "Right to be Forgotten" vs. Indian medical records retention (3 years): Indian law prevails, deletion denied.

9. COOKIES AND TRACKING TECHNOLOGIES

Strictly Necessary

Session management, authentication, security. Cannot be disabled.

Performance & Analytics

Google Analytics, usage patterns. Can be disabled via browser.

Functional

Language preferences, location/timezone, remember login status.

10. CHILDREN'S PRIVACY (STRICT 18+ POLICY)

STRICT 18+ POLICY

The Platform and Services are STRICTLY for individuals 18 years of age or older. The Company has a zero-tolerance policy for minors' use of the Platform.

The Company does NOT knowingly collect Personal Information or SPDI from minors (under 18).

If You are a parent/guardian:

Contact: don.thomas@inticure.com

Subject: "MINOR DATA DELETION REQUEST"

11. GRIEVANCE REDRESSAL

Grievance Officer

Name

Don Thomas

Designation

CEO & Grievance Officer

Email

don.thomas@inticure.com

Address

NEXTBIG HEALTHCARE PRIVATE LIMITED,
Gopala Complex, 1st Floor, No. 45/3,
Residency Road, Bangalore - 560025,
Karnataka, India

Office Hours: Monday to Friday, 9:00 AM to 6:00 PM IST (excluding public holidays)

The Grievance Officer will acknowledge receipt within 48 hours and provide substantive response within 30 days.

12. UPDATES AND AMENDMENTS TO PRIVACY POLICY

The Company reserves the right to amend, modify, or update this Privacy Policy at any time, at its sole discretion.

Material Changes

• Notification via email and Platform notice

• 15 days advance notice

• Summary of key changes provided

Non-Material Changes

• Effective immediately upon posting

• Updated "Last Updated" date

• Minor, technical, or clarifying updates

Continued access or use of the Platform after Privacy Policy updates constitutes Your acceptance of the amended Privacy Policy.

13. DISPUTE RESOLUTION AND GOVERNING LAW

13.1. Governing Law

This Privacy Policy shall be governed by, construed, and enforced in accordance with the laws of India, including the Digital Personal Data Protection Act, 2023, Information Technology Act, 2000, and Indian Contract Act, 1872.

13.2. Arbitration and Jurisdiction

Any dispute shall be resolved through good faith negotiation (15 days), followed by mandatory arbitration under MCIA Rules. Seat: Bangalore, Karnataka, India. Language: English. Class Action Waiver applies.

Subject to arbitration, the courts at Bangalore, Karnataka, India shall have exclusive jurisdiction.

14. ACCEPTANCE AND CONSENT

BY ACCESSING OR USING THE PLATFORM, YOU ACKNOWLEDGE THAT:

  1. 1You have read and understood this Privacy Policy in its entirety
  2. 2You consent to the collection, use, storage, processing, transfer, and disclosure of Your Personal Information and SPDI as described herein
  3. 3You understand Your rights under the DPDP Act, 2023 and how to exercise them
  4. 4You accept the terms of data processing, including: storage of medical data in India, temporary international processing via Google Meet, sharing with Practitioners and necessary third parties, retention periods and deletion limitations
  5. 5For international Users: You consent to governance by Indian law and waive conflicting foreign data protection claims
  6. 6You agree that continued use constitutes acceptance of Privacy Policy updates

IF YOU DO NOT CONSENT TO THIS PRIVACY POLICY, YOU MUST IMMEDIATELY CEASE USING THE PLATFORM AND REQUEST ACCOUNT DELETION (SUBJECT TO RETENTION OBLIGATIONS).

Last Updated

February 2026

Effective Date

February 2026

Governing Law

India (DPDP Act, 2023; IT Act, 2000)

END OF PRIVACY POLICY

© 2026 NEXTBIG HEALTHCARE PRIVATE LIMITED. All rights reserved.