Privacy Policy

WombTo18 Integrated Care Private Limited ("WombTo18," "we," "us," or "our") operates a Child Health Infrastructure Platform (CHIP) that supports continuity of preventive healthcare from pregnancy through 18 years of age. Our services include pregnancy tracking, maternal care workflows, newborn and child health monitoring, vaccination and developmental milestone tracking, digital health records, healthcare provider coordination, school health programmes, and related communication tools (collectively, the "Services").

This Privacy Policy explains how we collect, use, disclose, store, and protect personal data, health-related data, pregnancy-related data, and child-related data when you access or use our website, mobile applications, or any connected Services (collectively, the "Platform").

WombTo18 acts as a Data Fiduciary as defined under the Digital Personal Data Protection Act, 2023 ("DPDPA") in respect of personal data processed through the Platform. Where you provide personal data on behalf of another individual (such as a child, or a patient under your care), you act as a Data Principal exercising that data's processing rights on their behalf, and you confirm you are authorised to do so.

This Policy applies to:

• Parents, guardians, and family members who register directly on the Platform ("Direct Users")
• Users who register through a partner hospital, clinic, or doctor under a white-label arrangement ("Partner-Referred Users")
• Children and adolescents whose health data is recorded by a parent, guardian, or authorised healthcare provider
• Schools, school administrators, teachers, and designated Health/Emergency Ambassadors who interact with the Platform's school health modules
• Healthcare providers, hospitals, clinics, and doctors who access the Platform to coordinate care
• Business Partners, franchise partners, and referral partners engaged in onboarding activities

This Policy does not apply to third-party websites, applications, or services that may be linked from the Platform. We are not responsible for the privacy practices of third parties.

We collect and process personal data for the following specified, legitimate purposes:

• To create and manage user accounts and verify identity
• To deliver core Services including vaccination reminders, growth tracking, pregnancy tracking, and developmental milestone alerts
• To facilitate coordination between parents, healthcare providers, and schools where the user has enabled such sharing
• To send transactional communications (OTPs, account alerts, appointment/vaccination reminders) and, where consented, promotional communications
• To generate aggregated, de-identified analytics for school wellness dashboards and platform improvement
• To process payments and manage subscriptions
• To comply with applicable law, respond to lawful requests from government or regulatory authorities, and enforce our Terms & Conditions
• To detect, investigate, and prevent fraud, misuse, or security incidents

We do not use health, pregnancy, or child-related data for behavioural advertising or sell such data to third parties for marketing purposes.

Under the DPDPA, our processing of personal data is based on one or more of the following grounds:

• Consent: Freely given, specific, informed, and unambiguous consent obtained at the point of data collection, for purposes clearly stated at that time.
• Legitimate Use: Limited circumstances permitted under the DPDPA, such as where a Data Principal has voluntarily provided data for a specified purpose and processing is necessary for that purpose.
• Compliance with Law: Where processing is necessary to comply with a legal obligation, court order, or directive from a competent authority.
• Medical Emergency: Where processing is necessary to respond to a medical emergency involving a threat to life or immediate health risk to the Data Principal or another individual.

Where children's data is processed, consent is obtained from a parent or lawful guardian as required under Section 9 of the DPDPA. See Section 14 (Children's Data Protection) below.

• Consent is collected through clear, itemised checkboxes or toggles at registration and at each point new categories of data are requested; consent is not bundled into a single blanket acceptance.
• You may withdraw consent at any time through your account settings or by writing to our Grievance Officer (Section 21). Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
• Withdrawing consent for a core function (e.g., vaccination reminders) may limit or disable that specific feature, but will not affect your ability to use unrelated parts of the Platform.
• A consent log recording the date, scope, and version of consent given is maintained for audit and compliance purposes.
• Where data is collected by a partner hospital, clinic, doctor, or school on our behalf, that partner is contractually required to obtain valid consent before transmitting data to the Platform.

We implement reasonable security practices and procedures in accordance with the Information Technology Act, 2000 and applicable rules, including:

• Encryption of data in transit using HTTPS/TLS
• Encryption of sensitive data at rest, including health and pregnancy-related records
• Role-based access controls limiting data visibility to personnel and systems on a need-to-know basis
• Audit logging of access to health and child-related records
• Periodic vulnerability assessments and security reviews
• Multi-factor authentication for administrative and healthcare provider accounts

While we take reasonable measures to protect personal data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security and are not liable for unauthorised access resulting from circumstances beyond our reasonable control, including user negligence in protecting login credentials.

We may share personal data, limited to what is necessary for the stated purpose, with the following categories of recipients:

We do not sell personal data, health data, or child-related data to third parties for marketing or advertising purposes.

The Platform may integrate with or link to third-party services (e.g., payment gateways, map services, communication APIs). Use of such third-party services is governed by their respective privacy policies. We encourage you to review those policies. We are not responsible for the data practices of independent third parties not under our control.

We use cookies and similar tracking technologies to:

• Maintain login sessions and platform functionality (strictly necessary cookies)
• Measure usage patterns and improve Platform performance (analytics cookies)
• Personalise content and remember user preferences (functional cookies)

You may manage or withdraw cookie consent at any time through your browser settings or the cookie preference centre on our website. Disabling certain cookies may affect Platform functionality. We do not use cookies to share data with third-party advertisers.

Subject to applicable law and the DPDPA, you have the right to:

• Access a summary of personal data we hold about you and the purposes for which it is processed
• Correct inaccurate or incomplete personal data
• Request erasure of personal data that is no longer necessary for the purpose it was collected, subject to legal retention requirements
• Withdraw consent for processing at any time (Section 6)
• Nominate another individual to exercise these rights on your behalf in the event of death or incapacity
• Lodge a grievance with our Grievance Officer, and subsequently with the Data Protection Board of India if unresolved

Requests may be submitted through your account dashboard or directly to our Grievance Officer (Section 21). We will respond within the timeframe required under applicable law.

• Active account data is retained for as long as the account remains active and the Services are in use.
• Health, pregnancy, and child-related records are retained until the earlier of: (a) the child reaching 18 years of age and the account being archived per Section 14, or (b) a valid deletion request, subject to legal retention obligations.
• Transactional and billing records are retained for the period required under applicable tax and financial regulations (currently up to 8 years under Indian law).
• Communication logs are retained for 180 days for service quality and dispute resolution purposes, after which they are anonymised or deleted.
• Upon account closure, personal data is deleted or anonymised within a reasonable period, except where retention is required by law.

• Submit a deletion request via your account settings or by emailing our Grievance Officer with your registered email/mobile number for verification.
• We will verify your identity before processing any deletion request, to prevent unauthorised deletion of another individual's data.
• We will confirm the scope of deletion (full account vs. specific data categories) and any limitations arising from legal retention requirements before completing the request.
• Deletion requests will be processed within the period prescribed under applicable law, and you will receive written confirmation once completed.
• Certain data may be retained in anonymised or aggregated form for statistical and research purposes, where such data can no longer be linked to an identifiable individual.

• WombTo18's Services are designed to be used by parents, guardians, or authorised healthcare providers on behalf of a child. The Platform is not intended for direct, unsupervised use by children under 18 years of age.
• Processing of a child's personal data, including health and developmental data, requires verifiable consent from a parent or lawful guardian, in accordance with Section 9 of the DPDPA.
• We do not knowingly process children's data for behavioural advertising or tracking for marketing purposes.
• Upon a child reaching 18 years of age, the account will be flagged for transition. The individual may then choose to continue independently, request data export, or request deletion of historical records, subject to legal retention requirements.
• If we become aware that a child's data has been collected without appropriate parental/guardian consent, we will take steps to delete such data promptly, except where retention is otherwise required by law.

• Personal data collected through the Platform is primarily stored on servers located within India.
• Where we engage cloud infrastructure or service providers with servers located outside India, such transfers are made only to jurisdictions and entities permitted under the DPDPA and any notifications issued by the Central Government restricting cross-border transfer to specific countries.
• Any cross-border processing is governed by contractual safeguards requiring the recipient to maintain a standard of data protection consistent with this Policy and applicable Indian law.

We may update this Privacy Policy from time to time to reflect changes in our practices, Services, or applicable law. Material changes affecting the scope of data collection or sharing will be communicated through a prominent notice on the Platform or via registered email/SMS/WhatsApp prior to taking effect. Continued use of the Platform after such notice constitutes acceptance of the updated Policy. We encourage you to review this Policy periodically.

Depending on the volume and sensitivity of personal data processed (including children's data and health data at scale), WombTo18 may be notified as a Significant Data Fiduciary under the DPDPA. In such an event, we will appoint a Data Protection Officer based in India, conduct periodic Data Protection Impact Assessments, and undertake independent data audits, as required under the Act.

In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals in the manner and timeframe prescribed under the DPDPA and applicable rules, including a description of the nature of the breach, likely consequences, and measures taken to mitigate harm.

In accordance with the Information Technology Act, 2000, the IT (SPDI) Rules, 2011, and the DPDPA, we have appointed a Grievance Officer to address concerns regarding this Policy.