Privacy Policy
Last updated: June 2026 · Effective: June 2026
Note for legal review: This policy is a reasonable working draft for a healthcare software business operating under India's DPDP Act 2023. It requires review by a qualified legal professional before being treated as a final binding document. Contact hello@healthnine.in with corrections.
1. Who we are
This Privacy Policy applies to HealthNine Health Care Suppliers (also referred to as “Health9”), a brand operated by HealthNine Health Care Suppliers, a business registered in India, with principal place of business in Kolkata, West Bengal.
We operate the website healthnine.in and the Health9 OS suite of software products (CuraHIS, VedaHR, ClinicPro, PathologyPro), collectively the “Services.”
For purposes of the Digital Personal Data Protection (DPDP) Act 2023, Health9 acts as a Data Fiduciary when it processes personal data of end users, providers, and employees. It may act as a Data Processor when processing data on behalf of healthcare provider customers (hospitals, clinics, labs) who use our software.
2. Data we collect
2.1 Healthcare providers and their staff
When a clinic, hospital, or lab subscribes to Health9 OS, we collect: facility name, address, GSTIN, contact email and phone, administrator name, and payment information for subscription billing. Staff accounts (doctors, nurses, billing staff) include name, email, phone, role, and credential information where applicable (e.g., medical registration numbers for the VedaHR credentialing vault).
2.2 Patient data (processed as Data Processor)
Our healthcare provider customers enter patient data into Health9 products — names, contact details, medical records, prescriptions, lab results, and payment records. Health9 processes this data as a Data Processor on behalf of the provider (the Data Fiduciary responsible for patient consent). Health9 does not independently use patient data for any purpose beyond fulfilling the contracted Services.
2.3 Website visitors
When you visit healthnine.in, we collect standard web analytics data (page views, browser type, approximate location via IP) through privacy-preserving analytics. We do not deploy cross-site tracking cookies. Contact form submissions collect name, email, and message content.
2.4 Data we do not collect
Health9 does not collect biometric data, financial account details (card numbers are handled exclusively by our payment gateway partners — Razorpay or Cashfree), or personal data of children under 18 years in our direct relationship with users. Our provider-facing products do not target minors.
3. How we use your data
- Service delivery: Provisioning, operating, and supporting the Health9 OS products you have subscribed to.
- Billing and payments: Generating invoices, processing subscription payments, and maintaining financial records as required by GST law.
- Communication: Service notifications, security alerts, support responses, and product updates relevant to your subscription.
- Product improvement: Aggregated, anonymised usage analytics to improve the Services. Individual user data is not used for this purpose without explicit consent.
- Legal compliance: Compliance with applicable Indian law, regulatory requests from competent authorities, and our legal obligations.
We do not: sell personal data to third parties; use personal data for targeted advertising; share data with marketing partners; or transfer data outside India except to our contracted cloud infrastructure providers (see Section 5).
4. Legal basis for processing (DPDP Act 2023)
Under the Digital Personal Data Protection Act 2023, Health9 processes personal data on the following grounds:
- Consent: For direct users who register accounts or submit contact forms, we process data on the basis of consent provided at the time of registration.
- Legitimate use: For processing necessary to perform our contract with provider subscribers and to comply with legal obligations (GST, Companies Act, etc.).
- Healthcare provider instruction: Patient data is processed through our products under the instruction and authority of the healthcare provider (Data Fiduciary), who holds their own consent obligations toward patients under applicable law.
5. Where your data is stored
Health9 products are hosted on cloud infrastructure within India wherever available. Current infrastructure providers:
- Vercel (Singapore/Mumbai regions) — website hosting and CuraHIS / VedaHR web layer
- Supabase (hosted on AWS ap-south-1, Mumbai) — ClinicPro database
- Google Firebase (asia-south1 region) — PathologyPro database and functions
Patient health records processed through CuraHIS, VedaHR, ClinicPro, and PathologyPro are stored in India-region data centres. Health9 does not deliberately transfer patient health data to servers outside India.
6. Data retention
We retain account and subscription data for the duration of the active subscription plus seven years, in compliance with GST and Companies Act financial record-keeping requirements. Contact form and lead data are retained for 24 months unless you request earlier deletion. Patient medical records processed on behalf of provider customers are retained per the provider's instruction and applicable medical records law (Indian Medical Council guidelines recommend a minimum of 3 years; our systems support provider-configured retention).
7. Your rights (DPDP Act 2023)
Under the DPDP Act 2023 and applicable Indian data protection law, you have the right to:
- Access: Request a summary of personal data we hold about you.
- Correction: Request correction of inaccurate personal data.
- Erasure: Request deletion of personal data, subject to legal retention requirements.
- Grievance redressal: Lodge a grievance with our Data Protection Officer (details below) or with the Data Protection Board of India once constituted.
- Nomination: Nominate another person to exercise rights on your behalf in case of incapacity or death.
For patient data processed by Health9 on behalf of a healthcare provider, please first contact your provider (clinic, hospital, or lab) directly. They are the Data Fiduciary and responsible for exercising patient rights.
8. Security
Health9 implements industry-standard security practices appropriate for a healthcare software provider: role-based access controls, encrypted data in transit (TLS 1.2+), encrypted data at rest, regular access reviews, and audit logging for sensitive operations. We do not store payment card data — all card processing is handled by our PCI-compliant payment gateway partners.
We conduct quarterly vulnerability assessments (VAPT) across our products and remediate critical and high findings within 7 days.
In the event of a personal data breach affecting your data, we will notify you without undue delay as required by the DPDP Act 2023 and applicable law.
9. Cookies and tracking
The Health9 website (healthnine.in) uses minimal, privacy-preserving analytics. We do not use third-party advertising cookies or cross-site tracking pixels. Session cookies are used for authentication in our SaaS products and are strictly necessary for service operation.
10. Changes to this policy
We will update this policy when we make material changes to how we process personal data. Material changes will be communicated to active subscribers via email at least 30 days before taking effect. The “Last updated” date at the top of this page reflects the most recent revision.
11. Contact / Grievance Officer
For privacy inquiries, data subject requests, or grievances:
Name: Shouvik Mukherjee (Data Protection Officer / Grievance Officer)
Entity: HealthNine Health Care Suppliers
Email: hello@healthnine.in
Location: Kolkata, West Bengal, India
We aim to acknowledge grievances within 48 hours and resolve them within 30 days.
This policy is a working draft. It reflects our genuine practices and our good-faith interpretation of applicable law. It has not yet been reviewed by an independent legal professional and should not be relied upon as legal advice. For legal questions about your data, write to hello@healthnine.in.