Privacy Policy
Last updated: 7 April 2026
Xphora AI Technology Private Limited ("WhatsUpClinic", "we", "us", or "our"), a company incorporated under the laws of India (CIN: U62011UP2025PTC219786), operates the website whatsupclinic.vercel.app and the WhatsUpClinic telemedicine platform (collectively, the "Service").
This Privacy Policy explains how we collect, use, disclose and safeguard your information when you use our Service. Please read it carefully. By accessing the Service you agree to the practices described here.
1. Information We Collect
1.1 Information You Provide
- Doctor Onboarding Data — full name, date of birth, gender, contact details (phone, email, WhatsApp), residential address, medical registration details (degree, registration number, council, system of medicine), clinic information, banking details (for payment settlement), and professional credentials.
- Contact & Callback Requests — name, email or phone number, and any message you include.
- Testimonials — name, clinic name, rating, and your review text.
- Newsletter Subscriptions — email address only.
1.2 Information Collected Automatically
- Device & Browser Data — IP address, browser type, operating system, referring URL and pages visited, collected via standard web server logs.
- Geolocation — approximate country-level location derived from your IP address, used solely to display region-appropriate pricing and currency.
2. How We Use Your Information
- To process and verify doctor onboarding applications.
- To configure your WhatsApp Business clinic, payment gateway and clinic portal.
- To respond to your contact or callback requests.
- To send transactional emails (application confirmations, status updates).
- To send product updates and healthcare insights if you subscribe to our newsletter (you can unsubscribe at any time).
- To improve, maintain and secure the Service.
- To comply with legal obligations.
3. Data Storage & Security
Onboarding and contact data is stored in Google Sheets via an encrypted webhook and processed through Vercel serverless infrastructure. Email notifications are sent via Resend.
We implement industry-standard measures including HTTPS/TLS encryption in transit, access controls, and Strict-Transport-Security headers. Banking details collected during onboarding are used solely for payment gateway setup and are not stored on our servers after initial processing.
4. Data Sharing & Disclosure
We do not sell your personal data. We may share information with:
- Service Providers — Google (Sheets, Apps Script), Vercel (hosting), Resend (email delivery), and payment gateway partners, strictly for operating the Service.
- Legal Requirements — when required by law, regulation, legal process, or governmental request.
- Business Transfers — in connection with a merger, acquisition, or sale of assets, with prior notice to you.
5. Your Rights
5.1 Under India's DPDPA (2023)
You have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request erasure of your data (subject to legal retention requirements).
- Nominate another person to exercise your rights.
- Lodge a grievance with our Data Protection Officer or the Data Protection Board of India.
5.2 Under GDPR (EU/UK Users)
If you are in the EU or UK, you additionally have the right to data portability, the right to restrict processing, and the right to object to processing. Our lawful bases for processing are (a) consent (onboarding forms, newsletter), (b) legitimate interest (analytics, security), and (c) contractual necessity (service delivery).
5.3 Under HIPAA (US Healthcare Providers)
For US-based healthcare providers, we maintain administrative, physical and technical safeguards consistent with the HIPAA Security Rule. Protected Health Information (PHI) transmitted through the platform is encrypted in transit and at rest. We will enter into a Business Associate Agreement (BAA) where required.
6. Cookies & Tracking
Our website does not use third-party tracking cookies or advertising pixels. We use essential cookies only for site functionality (e.g., country selection preference). No personal data is shared with ad networks.
7. Data Retention
We retain onboarding data for the duration of the doctor's active partnership plus 3 years for regulatory compliance. Contact requests and testimonials are retained indefinitely unless you request deletion. Newsletter subscriptions are retained until you unsubscribe.
8. Children's Privacy
The Service is intended for licensed medical practitioners and healthcare professionals. We do not knowingly collect information from anyone under 18 years of age.
9. International Transfers
Your data may be processed in countries outside your country of residence (including the United States and India) through our service providers. We ensure appropriate safeguards are in place, including Standard Contractual Clauses where applicable.
10. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect changes. Continued use of the Service after changes constitutes acceptance.
11. Contact & Grievance Officer
For privacy-related questions, data access/deletion requests, or complaints:
- Email: aakashdeep@whatsupclinic.com
- Phone: +91 73583 30377
- Address: Xphora AI Technology Pvt. Ltd., Goa Institute of Management, AIC, Pariye, Goa 403505, India
We will acknowledge your request within 48 hours and resolve it within 30 days, or as required by applicable law.