Privacy Policy

Effective Date: 30/09/25

Last Updated: 30/09/25

SECTION A: GENERAL PROVISIONS

1. Introduction and Data Controller Information

This Privacy Policy explains how Fractal Vision LLP ("Company," "we," "us," or "our") collects, uses, processes, stores, shares, and protects your personal data when you use the NurseNow mobile application, website, and related services ("Platform"). This Policy applies to all Users, including patients ("Patients") and registered nursing professionals ("Nurses").

Data Controller:

Fractal Vision LLP

Registered Office: 001A, First Floor, Emaar Palm Square, Golf Course Extension Road, Gurgaon - 122102

Email: privacy@nursenow.co.in

Phone: 9667887142

Data Protection Officer:
  • Appointed to oversee compliance with data protection laws, advise on internal policies, and act as liaison with the Data Protection Board of India.
  • Not a mandatory role under Indian law but maintained voluntarily as a best practice.

Name: Rekha Jain

Email: dpo@nursenow.co.in

Grievance Officer:
  • Responsible for addressing and resolving user grievances under the IT Act 2000 and SPDI Rules 2011.

Name: Parul Sharma

Email: grievance@nursenow.co.in

Phone: 9667887142

3. Definitions and Key Terms

  • Personal Data: Data relating to an identifiable natural person.
  • Sensitive Personal Data: Health data, financial data, passwords, etc.
  • Processing: Any operation on personal data.
  • Consent: Freely given, specific, informed, and unambiguous indication of wishes.

4. Data Collection and Processing Overview

  • Care Members: Identification, health and medical data, contact, payment, location.
  • Nurses: Credentials, licensing, performance metrics, financial and tax data, background checks.
  • Platform Usage: Device and technical data, cookies, logs.

5. User Rights Under DPDP Act 2023

  • Right to information, access, correction, erasure, portability, grievance redressal.
  • Requests via in-app settings or by email to privacy@nursenow.co.in.
  • Acknowledgment within 72 hours; resolution within 30 days (60 days if complex).

6. Data Security and Technical Safeguards

  • Encryption (AES-256 for data at rest, TLS 1.3 in transit)
  • Role-based access control with multi-factor authentication
  • Regular security audits, vulnerability assessments, incident response procedures
  • HIPAA-equivalent controls for health data

7. International Data Transfers

  • Primary data storage in India
  • Transfers only with legal basis, adequate safeguards, or explicit consent
  • Standard contractual clauses, binding corporate rules, or consent

8. Data Breach Management

  • 24/7 monitoring and detection
  • Containment within 1 hour, notification to Data Protection Board within 72 hours
  • User notification without undue delay, remediation and root-cause analysis

9. Grievance Redressal and Contact Information

  • Internal: grievance@nursenow.co.in (acknowledgment within 24 hours; resolution within 15 days)
  • Escalation: Data Protection Board of India, Consumer Forums, Healthcare Regulators

SECTION B: CARE MEMBER-SPECIFIC PROVISIONS

10. Health Data Processing for Care Members

  • Explicit Consent required for health data.
  • Special categories (mental health, genetic data, reproductive health) need separate explicit consent.
  • Purpose: Service delivery, emergency care, quality improvement, public health reporting.

11. Medical Records Management

  • Compliance with Clinical Establishments Act and EHR Standards.
  • Care Member Access: Records provided within 72 hours in machine-readable format.
  • Retention: 7 years from last treatment (longer for minors or mental health).
  • Secure Disposal via cryptographic erasure or physical destruction.

12. Emergency Contact and Family Data

  • Processing of emergency contacts and caregiver information with explicit consent.
  • Special protections for minors and dependents.
  • Guardian or proxy consent for incapacitated care members.

13. Insurance and Payment Information

  • PCI DSS compliance for payment data.
  • Tokenization of credit card data, encrypted storage.
  • Insurance data sharing with explicit care member consent; minimum necessary principle.

SECTION C: NURSE-SPECIFIC PROVISIONS

16. Professional Credential Processing

  • Secure handling of nursing degrees, licenses, NUID, continuing education records.
  • Automated and manual verification with audit trails.
  • Periodic re-verification and compliance checks.

17. Performance and Quality Data

  • Collection of care member feedback, clinical outcome metrics, peer reviews.
  • Usage for coaching, quality improvement, platform recommendations.
  • Nurses' right to access, dispute, and correct performance data.

18. Financial and Tax Information

  • Encrypted storage of earnings, payouts, PAN, TDS certificates, GST details.
  • Automated tax calculations, TDS certificate generation, annual summaries.
  • Nurses control sharing of financial data; correction mechanisms.

19. Background Verification Data

  • Secure processing of identity, criminal checks, employment history.
  • Confidential handling, restricted access, dispute resolution for inaccuracies.
  • Periodic re-screening and ongoing monitoring.

20. Professional Indemnity Records

  • Storage of insurance policy details, claims history, settlements.
  • Real-time coverage verification, alerts for policy expiration.
  • Confidential handling and audit logging.

21. Employment-Related Data Processing

  • Processing under "legitimate use" for contractor management, scheduling, performance evaluations.
  • No employment relationship; compliance with labour codes.
  • Nurses' rights to review, correct, and limit employment data processing.

SECTION D: PLATFORM OPERATIONS

22. Children's Data

  • NurseNow does not knowingly collect personal data from children under the age of 18.
  • Care members under 18 must have a parent or legal guardian provide consent and book services on their behalf.
  • Parental/guardian consent must be verifiable under the DPDP Act, 2023.
  • In emergencies, data may be processed for immediate care, with post-event review and guardian notification.

22. Cookies and Tracking Technologies

  • Essential Cookies: Authentication, security, performance.
  • Analytics Cookies: Usage patterns, performance analytics.
  • Marketing Cookies: Personalized offers, remarketing.
  • Consent Management: Granular opt-in/opt-out dashboard, renewal prompts.

23. Marketing and Communications

  • Consent-Based: Explicit opt-in for promotional emails, SMS, push.
  • Preferences: Category, channel, and frequency controls; mandatory service alerts.
  • Compliance: TCPA, CAN-SPAM, GDPR for EU residents.

24. Third-Party Services and Integrations

  • Healthcare Partners: EHR, telehealth, remote monitoring, insurance systems.
  • Infrastructure Partners: AWS, Azure, GCP, CDN, messaging, analytics.
  • Vendor Management: Due diligence, DPAs, regular audits, breach notification clauses.

25. Data Retention and Deletion

  • Retention Periods: Medical records (7–10 years), financial/tax (7 years), background checks (as required), cookies (13 months).
  • Automated Deletion: Lifecycle policies, legal holds, audit logs.
  • User-Initiated Deletion: Verified deletion requests, confirmation within 30 days, legal exceptions.

26. Policy Updates and Modifications

  • Review Cadence: Annual legal review, quarterly security review.
  • Notification: 30 days for material changes, 15 days for significant changes, immediate for emergencies.
  • User Consent: Explicit for material changes; opt-out and account suspension options.

ACKNOWLEDGMENT AND ACCEPTANCE

By using the NurseNow Platform, you acknowledge that you have read, understood, and agree to this Privacy Policy and any updates. For questions or requests, contact our Data Protection Officer at dpo@nursenow.co.in.

This Privacy Policy is compliant with the DPDP Act 2023, IT Act 2000, Clinical Establishments Act 2010, Consumer Protection Act 2019, and all relevant Indian laws governing privacy, data protection, and healthcare.