Dermasutra

Privacy Policy

Effective Date: [01/09/2025]
Last Updated: [01/07/2025]

INTRODUCTION

Dermasutra.in (“we,” “us,” “our,” “Platform”) is committed to protecting the privacy of its users and handling personal data with transparency and in compliance with applicable Indian laws, including the Digital Personal Data Protection Act, 2023 (“DPDPA”). This Privacy Notice explains how we collect, use, disclose, and safeguard your information when you use our website, mobile application, or any services offered by Dermasutra.in.

By accessing or using our services, you agree to the collection and use of information in accordance with this Privacy Notice. If you do not agree with our policies and practices, please do not use our services.

  1. DEFINITIONS

For clarity, the following terms used in this Privacy Notice shall have these meanings:

  • “Personal Data” means any information relating to an identified or identifiable natural person as defined under the DPDPA.
  • “Sensitive Personal Data” means health data, biometric data, financial data, and similar categories of Personal Data that we treat with heightened protection (the DPDPA does not separately define this category; we apply it as a Platform-level classification).
  • “Data Principal” means the individual to whom the Personal Data relates.
  • “Data Processor” means any person who processes Personal Data on behalf of Dermasutra.in.
  • “Data Fiduciary” refers to Dermasutra Technologies Private Limited, the entity determining the purpose and means of processing Personal Data.
  • “Services” refers to the website, mobile application, consultations, assessments, and other offerings provided by Dermasutra.in.

  2. SCOPE

This Privacy Notice applies to all personal data collected by Dermasutra.in from users who:

  • Visit or use our website or mobile application.
  • Register for an account or profile on our Platform.
  • Submit information through assessments or consultations.
  • Communicate with us via email, chat, or support tools.
  • Subscribe to our newsletters or promotional communications.
  • Participate in surveys, contests, or other promotional activities.
  • Apply for employment or partnership opportunities.

  3. ROLE OF DERMASUTRA.IN

Under the DPDPA, Dermasutra Technologies Private Limited acts as a Data Fiduciary with respect to the Personal Data collected through the Platform. When facilitating consultations between users and dermatologists, we may also act as a Data Processor for certain aspects of data handling.

  4. DATA WE COLLECT

4.1 Categories of Personal Data

We may collect and process the following categories of personal data:

Identity Data:

  • Full name
  • Date of birth
  • Gender
  • Profile pictures (if uploaded)
  • Government-issued identification (for KYC purposes, if required)

Contact Data:

  • Email address
  • Phone number
  • Physical address (if provided for delivery of prescribed products)
  • Emergency contact information (optional)

Health Data:

  • Skin type and concerns
  • Medical history related to dermatological conditions
  • Allergies and sensitivities
  • Current medications and treatments
  • Lifestyle factors affecting skin health
  • Images of skin conditions (if uploaded)
  • Previous treatments and their outcomes

Consultation Data:

  • Appointment details
  • Chat logs and communication with dermatologists
  • Prescriptions and treatment plans
  • Doctor notes and recommendations
  • Follow-up records

Account Data:

  • Username and password (passwords are never stored in plaintext)
  • Account preferences and settings
  • Notification preferences

Usage Data:

  • Device information (type, model, operating system)
  • IP address
  • Browser type and version
  • Mobile device identifiers
  • Access times and dates
  • Pages viewed and features used
  • Navigation patterns and clickstream data
  • Time spent on pages
  • Referral sources

Transaction Data:

  • Purchase history
  • Payment history
  • Consultation bookings
  • Subscription details (if applicable)
  • Refund information

Note: We do not store complete payment card details or bank account information on our servers. Payment processing is handled by authorized third-party payment processors who are required to comply with payment-industry security standards (PCI DSS); we receive only the transaction status, not your card or bank details.

4.2 Methods of Collection

We collect personal data through various means:

Direct Collection:

  • Information you provide when creating an account
  • Data submitted through forms, questionnaires, and assessments
  • Information shared during consultations with dermatologists
  • Communications with our customer support
  • Feedback and reviews submitted

Automated Collection:

  • Cookies and similar tracking technologies
  • Server logs and analytics tools
  • Mobile device permissions (with your consent)

Third-Party Sources:

  • Social media platforms (if you choose to link your accounts)
  • Third-party authentication services (if you use social login)
  • Payment processors (transaction status, not financial details)

  5. HOW WE USE YOUR DATA

5.1 Primary Purposes

Your data is used to:

Service Provision:

  • Create and manage your account
  • Provide personalized product recommendations based on your skin assessment
  • Facilitate consultations with qualified dermatologists
  • Process payments and manage transactions
  • Send service-related notifications and updates
  • Respond to inquiries and support requests

Platform Improvement:

  • Analyze usage patterns to enhance user experience
  • Identify and fix technical issues
  • Develop new features and services
  • Measure the effectiveness of our content and services
  • Conduct internal research and development

Legal and Security:

  • Verify your identity and prevent fraud
  • Comply with legal obligations and regulatory requirements
  • Enforce our Terms of Service
  • Protect the security and integrity of our Platform
  • Resolve disputes and troubleshoot problems

5.2 Secondary Purposes (With Consent)

With your explicit consent, we may also use your data for:

Marketing and Communications:

  • Send promotional content about our services
  • Provide information about relevant skincare products
  • Share educational content related to dermatology
  • Invite you to participate in surveys or research
  • Notify you about events or webinars

Personalization:

  • Customize your experience based on preferences and behavior
  • Recommend content that may be of interest to you
  • Tailor marketing communications to your interests

Research and Analytics:

  • Conduct market research and trend analysis
  • Generate anonymized and aggregated insights
  • Improve dermatological understanding and treatments

  6. LEGAL BASIS FOR PROCESSING

In accordance with the DPDPA, we rely on the following lawful bases for processing your personal data:

Consent:

  • For collecting and processing health-related information
  • For sending marketing and promotional communications
  • For processing sensitive personal data
  • For using your data for purposes beyond the primary service provision

Contractual Necessity:

  • To fulfill our obligations under our Terms of Service
  • To provide the services you have requested
  • To process payments and transactions

Legal Obligation:

  • To comply with Indian laws and regulations
  • To respond to valid legal processes or government requests
  • To maintain records as required by applicable laws

Legitimate Interests:

  • To improve and develop our services
  • To protect the security of our Platform
  • To prevent fraud and unauthorized access
  • To analyze usage patterns for business planning

Vital Interests:

  • To protect your vital interests or those of another person
  • In emergency situations affecting health or safety

You may withdraw consent at any time by:

  • Using the “unsubscribe” option in our communications
  • Updating your preferences in your account settings
  • Writing to us at [Insert Email]

Please note that withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

  7. DATA SHARING AND DISCLOSURE

7.1 Categories of Recipients

We may share your data with:

Healthcare Providers:

  • Licensed dermatologists for consultation purposes
  • Medical professionals involved in your care (with your consent)

Service Providers:

  • Hosting and cloud service providers
  • Payment processors
  • Analytics and customer support tools
  • Communication and email service providers
  • Identity verification services

Legal and Regulatory Bodies:

  • Government authorities when required by law
  • Law enforcement agencies in response to valid legal requests
  • Regulatory bodies for compliance purposes

Business Partners:

  • With your explicit consent, trusted partners for specific services
  • Third-party product manufacturers for fulfillment purposes

Affiliated Entities:

  • Subsidiaries or parent companies of Dermasutra Technologies Private Limited (if applicable)

7.2 Data Sharing Principles

All data sharing adheres to the following principles:

  • We share only the minimum necessary information required for the specific purpose.
  • We ensure appropriate contractual safeguards are in place with all recipients.
  • We verify that recipients maintain adequate security measures.
  • We do not sell your personal data to third parties for their marketing purposes.
  • We require all recipients to respect the confidentiality of your information.

  8. DATA RETENTION

8.1 Retention Periods

We retain personal data only for as long as:

  • Required to fulfill the purposes outlined in this Privacy Notice
  • Necessary to provide our services and maintain your account
  • Mandated by applicable laws or regulatory standards
  • Needed to resolve disputes or enforce our agreements

8.2 Specific Retention Periods

Account Information:

  • Active accounts: For the duration of your relationship with us
  • Inactive accounts: Up to 24 months after last activity

Health Data:

  • Medical records: Minimum of 3 years as per medical record retention requirements
  • Consultation data: For the duration of your account plus 3 years

Transaction Data:

  • 8 years for tax and accounting purposes

Communication Records:

  • Customer service interactions: 2 years
  • Marketing preferences: Until you opt out

8.3 Data Deletion

After the applicable retention period expires, your personal data will be:

  • Securely deleted using industry-standard methods
  • Anonymized or aggregated in a manner that prevents identification
  • Archived with restricted access if required for legitimate business or legal purposes

  9. DATA SECURITY

9.1 Security Measures

We implement comprehensive technical and organizational measures to protect your data, including:

Technical Safeguards:

  • Encryption in transit (TLS/HTTPS) for all traffic between your device and our servers
  • Data encryption at rest for sensitive information
  • Firewalls and intrusion detection systems
  • Regular security audits and vulnerability assessments
  • Multi-factor authentication for system access

Organizational Controls:

  • Staff training on data protection and security
  • Role-based access controls and least privilege principles
  • Background checks for employees handling sensitive data
  • Formal incident response procedures
  • Regular security awareness programs

Physical Security:

  • Secure cloud-based servers located in India or compliant jurisdictions
  • Access controls to data processing facilities
  • Monitoring and surveillance of physical premises
  • Disaster recovery and business continuity plans

9.2 Data Breach Notification

In the event of a personal data breach affecting your data:

  • We will notify the Data Protection Board of India without undue delay
  • We will inform affected users in accordance with DPDPA requirements
  • We will provide information on the nature of the breach and steps taken
  • We will implement remedial measures to prevent recurrence

Despite our efforts, no method of transmission over the Internet or electronic storage is 100% secure. Users are advised to:

  • Maintain strong, unique passwords
  • Log out after each session, especially on shared devices
  • Keep device operating systems and applications updated
  • Exercise caution when sharing sensitive information

  10. YOUR RIGHTS UNDER DPDPA

As a Data Principal under the DPDPA, you have the following rights:

10.1 Right to Information

You have the right to be informed about the collection and use of your personal data in a clear, transparent manner.

10.2 Right to Access

You can request confirmation of whether we process your personal data and obtain a copy of the data we hold about you.

10.3 Right to Correction

You may request the correction of inaccurate or incomplete personal data we maintain about you.

10.4 Right to Erasure

You can request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.

10.5 Right to Restriction of Processing

You may request that we limit the processing of your data under certain circumstances.

10.6 Right to Data Portability

You can request a copy of your personal data in a structured, commonly used, and machine-readable format.

10.7 Right to Withdraw Consent

You may withdraw your consent at any time where we rely on consent to process your personal data.

10.8 Right to Be Informed of Data Breaches

You have the right to be notified of personal data breaches affecting your data, in the form and manner prescribed under the DPDPA.

10.9 Right to Lodge a Complaint

You can file a complaint with the Data Protection Board of India if you believe your rights have been violated.

To exercise any of these rights, please submit a verifiable request to: [Insert Email Address]

We will respond to all legitimate requests within 30 days. In some cases, we may need additional information to verify your identity before processing your request.

  11. CHILDREN’S PRIVACY

We do not knowingly collect or solicit personal data from individuals under 18 years of age without verified parental consent. Our services are not directed to minors, and we do not intentionally gather personal information from children.

If a minor uses our services, we require:

  • Parental or guardian consent for data collection
  • Limited data collection, only what is strictly necessary
  • Enhanced privacy protections for minors’ data

If you believe a minor has submitted personal data without proper consent, please contact us immediately at [Insert Email]. We will take steps to delete such information from our records.

  12. COOKIES & TRACKING TECHNOLOGIES

12.1 What We Use

We use cookies and similar tracking technologies to:

  • Improve user experience and site functionality
  • Remember your preferences and settings
  • Analyze usage patterns and traffic
  • Enable certain features of the Platform
  • Personalize content and recommendations
  • Monitor the effectiveness of our marketing campaigns

12.2 Types of Cookies

Essential Cookies:

  • Required for basic site functionality
  • Cannot be disabled as they are necessary for the Platform to work properly

Functional Cookies:

  • Remember your preferences and settings
  • Enable enhanced features and personalization

Analytical/Performance Cookies:

  • Collect anonymous information about how visitors use our Platform
  • Help us improve site performance and user experience

Targeting/Advertising Cookies:

  • Track your browsing habits to display relevant advertising
  • Used only with your explicit consent

12.3 Cookie Management

You can manage cookie preferences through:

  • Our cookie consent banner
  • Your browser settings to refuse or delete cookies
  • Opt-out mechanisms for specific analytics services

  13. INTERNATIONAL DATA TRANSFERS

13.1 Data Localization

In accordance with the DPDPA, we maintain primary storage and processing of personal data within India. Our primary data centers are located in [Insert Location in India].

13.2 Cross-Border Transfers

In limited circumstances, we may transfer your personal data to countries outside India. Such transfers occur only when:

  • Necessary for the provision of our services
  • Required for technical or operational reasons
  • The recipient country ensures an adequate level of protection
  • Appropriate safeguards are in place as required by the DPDPA

13.3 Transfer Safeguards

For international transfers, we implement safeguards such as:

  • Standard contractual clauses approved by Indian authorities
  • Binding corporate rules for intra-group transfers
  • Explicit consent for specific transfers
  • Necessary transfers for important reasons of public interest

You can request information about specific transfers by contacting our Data Protection Officer.

  14. MARKETING COMMUNICATIONS

14.1 Opt-In Consent

We send marketing communications only with your explicit consent. When you register or use our services, you may choose to receive:

  • Newsletters about skincare and dermatological health
  • Product recommendations based on your profile
  • Promotional offers for consultations or services
  • Educational content and webinar invitations

14.2 Opt-Out Options

You can opt out of marketing communications at any time through:

  • The “unsubscribe” link in any marketing email
  • Your account preferences settings
  • Contacting our customer support team
  • Sending a request to [Insert Email]

After you opt out, we may still send non-promotional communications related to your account or ongoing services.

  15. CHANGES TO THIS PRIVACY NOTICE

We may update this Privacy Notice periodically to reflect changes in our practices or legal requirements. When we make material changes:

  • We will update the “Last Updated” date at the top of this Privacy Notice
  • We will post a prominent notice on our Platform or send a direct notification
  • For significant changes, we may seek renewed consent where required by law

The most current version will always be available on our website. We encourage you to review this Privacy Notice regularly. Continued use of our services after any changes constitutes acceptance of the revised Privacy Notice.

  16. THIRD-PARTY LINKS AND SERVICES

Our Platform may contain links to third-party websites, plugins, or applications that are not operated by us. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party services and are not responsible for their privacy statements or practices.

We recommend reviewing the privacy policies of any third-party sites you visit or services you use. This Privacy Notice applies only to information collected through our Platform.

  17. DATA PROTECTION OFFICER

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions regarding this Privacy Notice. For inquiries about our privacy practices, exercising your rights, or making a complaint, contact our DPO at:

Data Protection Officer
[Insert Name]
Email: [Insert Email]
Phone: [Insert Number]
Address: [Insert Full Office Address]

  18. GRIEVANCE REDRESSAL

18.1 Internal Complaint Process

For complaints, queries, or data access requests, please contact our Grievance Officer:

Grievance Officer
[Insert Name]
Email: [Insert Email]
Phone: [Insert Number]
Address: [Insert Full Office Address]

Our grievance redressal process includes:

  1. Acknowledgment of your complaint within 24 hours
  2. Investigation of the issue by our dedicated team
  3. Resolution and response within 15 days
  4. Escalation options if you are not satisfied with the resolution

18.2 External Redressal

If you are not satisfied with our response, you have the right to:

  • File a complaint with the Data Protection Board of India
  • Seek judicial remedies through appropriate legal channels

  19. ADDITIONAL INFORMATION FOR SPECIFIC USER CATEGORIES

19.1 Healthcare Professionals

If you are a dermatologist or healthcare professional using our Platform:

  • We collect additional verification data including medical registration numbers and credentials
  • Your professional profile information may be visible to users seeking consultations
  • You have specific obligations regarding patient confidentiality that complement this Privacy Notice

19.2 Business Customers

For corporate or institutional users:

  • Additional terms may apply as specified in separate business agreements
  • Aggregated and anonymized data may be used for business intelligence purposes
  • Custom data retention policies may be implemented based on contractual requirements

  20. CONSENT DECLARATION

By using our services, you acknowledge that you have read and understood this Privacy Notice and agree to the collection, use, and disclosure of your information as described. For sensitive personal data, we will obtain explicit consent through clear affirmative actions such as:

  • Checking specific consent boxes
  • Confirming consent through double opt-in procedures
  • Explicit authorization during account creation or service activation

Contact Us
Dermasutra Technologies Private Limited 

[Insert Complete Registered Address]
Email: [Insert Contact Email]
Phone: [Insert Contact Number]
Website: www.dermasutra.in

We value your privacy. This Privacy Policy outlines how we collect, use, and protect your personal information.

1. Information We Collect
We collect the following types of information:

a. Personal Information
When you sign up or use our platform, we may collect:

  • Full name
  • Email address
  • Date of birth (optional)
  • Gender (optional)
  • Skin type and skin concerns
  • Responses to our skincare quiz

b. Device & Usage Data
We may automatically collect data such as:

  • IP address
  • Browser type and version
  • Device type and OS
  • Pages visited and time spent
  • Clickstream and interaction data

c. Cookies & Tracking Technologies
We use cookies and similar technologies to improve user experience, analyze site performance, and personalize recommendations.

2. How We Use Your Information
We use your information to:

  • Deliver personalized skincare routines and product suggestions
  • Provide dermatologically informed recommendations
  • Improve and optimize our services
  • Communicate with you (e.g., service updates, promotions, support)
  • Monitor usage trends and diagnose technical issues
  • Comply with legal obligations

3. How We Share Your Information
We do not sell your personal data.
However, we may share data with:

  • Trusted third-party service providers who support business functions (e.g., cloud hosting, analytics, email services)
  • Dermatological experts or medical advisors (in anonymized or aggregated form only)
  • Legal authorities, if required by law or to protect our rights or users’ safety

All third-party partners are contractually obligated to maintain the confidentiality and security of your data.

4. Data Storage & Security
We use industry-standard security measures to protect your information, including:

  • Encryption in transit (TLS/SSL) between your device and our servers
  • Secure storage on trusted cloud infrastructure
  • Access controls and internal data policies

Despite our best efforts, no method of transmission over the Internet is 100% secure. We recommend using strong, unique passwords and being cautious with sensitive data.

5. Your Rights and Choices
You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or outdated information
  • Delete your data (subject to legal or contractual obligations)
  • Withdraw consent at any time for processing your data
  • Request data portability

To exercise any of these rights, please contact us at core.dermasutra@gmail.com

6. Children’s Privacy
Our platform is not intended for users under the age of 13. We do not knowingly collect personal information from children. If we become aware that a child has submitted personal data, we will delete it promptly.

7. Third-Party Links
Our website or app may contain links to external sites. We are not responsible for the content, security, or privacy practices of those sites. We encourage you to review their privacy policies before interacting.

8. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in law, technology, or our services. When we do, we’ll notify you via email or an in-app alert.

9. Contact Us
If you have any questions or concerns about this Privacy Policy, or if you wish to update or delete your information, please contact us at core.dermasutra@gmail.com