Privacy Policy
Who this policy covers: If you are a patient who received a WhatsApp message from a clinic powered by RxHQ, this policy explains how your data is handled. If you are a doctor or clinic owner using RxHQ to manage your practice, this policy applies to you as well.
Who We Are and Our Role Under DPDPA 2023
RxHQ is a WhatsApp-native practice management platform for independent clinic doctors in India. It is operated as a sole proprietorship, GST registered in India.
Under the Digital Personal Data Protection Act, 2023 (DPDPA 2023) and the Information Technology Act, 2000:
- The doctor or clinic who has signed up for RxHQ is the Data Fiduciary — they decide the purpose and means of processing patient personal data.
- RxHQ acts as the Data Processor — we process personal data on behalf of the clinic, under their instructions, to deliver our services.
When we collect data from you directly (for example, when you sign up as a doctor), RxHQ acts as the Data Fiduciary for that information.
Data We Collect
Patient data (collected on behalf of clinics)
| Data type | Description | Source |
|---|---|---|
| WhatsApp number | The mobile number you use on WhatsApp; used to send and receive messages | You (patient) |
| Name | Your name as provided during booking or obtained from your WhatsApp profile | You (patient) |
| Appointment details | Date, time, and clinic of booked or cancelled appointments | You (patient) / clinic |
| Chief complaint | A brief description of your reason for visiting — provided voluntarily in conversation | You (patient) |
| Conversation history | Text content of WhatsApp messages exchanged between you and the clinic's AI receptionist | You (patient) |
| Follow-up responses | Your replies to post-visit check-in messages (e.g., how you are feeling after your visit) | You (patient) |
Doctor / clinic data (collected directly)
| Data type | Description |
|---|---|
| Name and mobile number | Used for account creation and communication |
| Clinic name and address | Used to generate clinic profile and microsite |
| WhatsApp Business number | The number connected to the AI receptionist |
| Google Calendar access token | OAuth token used to read and write appointments; stored encrypted |
| Google Business Profile ID | Used to route review requests to the correct Google listing |
| Billing information | Processed by Razorpay; RxHQ does not store card or bank details |
Automatically collected data
When you visit our website (rxhq.in), we may collect standard server logs including IP address, browser type, referring URL, and pages visited. We do not use third-party analytics tracking cookies.
What we do not collect: RxHQ's AI receptionist is strictly prohibited from soliciting or storing clinical data such as diagnoses, prescriptions, treatment plans, lab results, or detailed medical history. If a patient volunteers such information in conversation, it may be stored as part of the conversation record but is never used for any purpose other than the immediate booking interaction.
How We Use Your Data
For patients
- Booking, rescheduling, and cancelling appointments at the clinic you contacted
- Sending appointment reminder messages (24 hours and 1 hour before your appointment)
- Sending post-visit follow-up check-ins to ask how you are feeling
- Requesting a Google review on behalf of the clinic if your follow-up response indicates a positive experience
- Sending recall or health-tip campaigns authorised by your clinic
- Routing AI-generated replies to your questions about the clinic's availability and services
The AI never provides medical advice. RxHQ's AI receptionist is designed exclusively for scheduling and administrative tasks. It will never offer a diagnosis, recommend a treatment, or provide any clinical guidance. All clinical decisions remain with your doctor.
For doctors and clinics
- Creating and managing your RxHQ account
- Delivering the AI receptionist service on your WhatsApp Business number
- Syncing appointment bookings to your Google Calendar
- Generating your clinic microsite at yourname.rxhq.in
- Sending you daily appointment digests and monthly practice reports via WhatsApp
- Processing payments via Razorpay
- Providing customer support
Legal bases for processing
Under DPDPA 2023, we process personal data on the following bases:
- Consent: Patients provide consent to receive WhatsApp messages when they initiate a conversation with a clinic's WhatsApp Business number. Consent may be withdrawn at any time (see Opt-Out and Consent Withdrawal below).
- Legitimate use: Processing necessary to provide the services the clinic has contracted for, including operating the AI receptionist and delivering reminders.
- Legal obligation: Where required to comply with applicable Indian law.
Third-Party Services and Data Sharing
We do not sell your personal data. We share data only with third-party service providers as necessary to deliver our services, and only under appropriate data processing agreements.
| Service | Provider | Purpose | Data shared |
|---|---|---|---|
| AI / LLM processing | Anthropic (USA) | Generating AI receptionist responses | Conversation text for inference only — Anthropic does not retain or train on this data per our API agreement |
| Calendar integration | Google LLC (USA) | Reading and writing appointment slots | Appointment times and patient names, subject to Google's API Terms |
| Review routing | Google LLC (USA) | Directing patients to the correct Google Business Profile review link | No patient data sent to Google; only a link is delivered to the patient |
| Messaging | Meta / WhatsApp (USA) | Delivering and receiving WhatsApp messages | Message content routed via WhatsApp Business API, subject to Meta's Data Policy |
| Payments | Razorpay Software Pvt. Ltd. (India) | Processing patient booking fees | Payment amount and order metadata; card/bank details handled by Razorpay directly |
| Transactional email | Resend (USA) | Sending operational emails to doctors | Doctor email address and email body content |
| Cloud infrastructure | Amazon Web Services (AWS) | Hosting all RxHQ services and data | All data is stored on AWS in the ap-south-1 (Mumbai) region |
We do not share personal data with any other third parties, including advertisers, data brokers, or analytics providers.
Data Storage and Security
Where data is stored
All personal data is stored on Amazon Web Services (AWS) infrastructure located in the ap-south-1 (Mumbai) region, within India. We do not store personal data outside India, except where it transiently passes through third-party APIs (Anthropic, Google, Meta) for processing as described under Third-Party Services and Data Sharing above.
How data is protected
- Data at rest is encrypted using AES-256 encryption via AWS managed keys
- Data in transit is protected by TLS 1.2 or higher on all connections
- Google OAuth tokens are stored encrypted and scoped to minimum necessary permissions (read/write calendar events only)
- Access to production systems is restricted to authorised personnel and protected by multi-factor authentication
- We conduct periodic security reviews and apply security patches promptly
LLM data processing
When the AI receptionist processes a patient message, the conversation text is sent to Anthropic's API for inference. This transmission occurs over TLS. Per our agreement with Anthropic, they do not log, retain, or train on API request data. No patient data persists on Anthropic's systems after the API call completes.
Data Retention
| Data type | Retention period |
|---|---|
| Conversation text (message content) | 90 days from date of conversation, then permanently deleted |
| Appointment metadata (date, time, status) | Until the clinic deletes the record or requests account deletion |
| Patient contact details (name, WA number) | Until the clinic requests deletion or the patient opts out |
| Doctor account data | Until account deletion is requested, plus 30 days for backup recovery |
| Billing records | 7 years as required under applicable Indian tax law |
| Server logs | 30 days, then automatically purged |
When a patient's data is deleted, it is removed from all active systems and flagged for removal from backups within 30 days.
Your Rights Under DPDPA 2023
Under the Digital Personal Data Protection Act, 2023, you have the following rights with respect to your personal data:
Right to access
You may request a summary of personal data we hold about you and the purposes for which it has been used.
Right to correction and erasure
You may request correction of inaccurate data or erasure of data we hold about you, subject to any legal retention obligations.
Right to grievance redressal
You may raise a grievance with us and receive a response within a reasonable time. If unresolved, you may escalate to the Data Protection Board of India once constituted.
Right to nominate
You may nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.
How to exercise your rights
To exercise any of these rights, email us at hello@rxhq.in with the subject line "Data Rights Request". We will acknowledge your request within 72 hours and respond within 30 days.
Note for patients: Because your data is processed on behalf of a clinic (the Data Fiduciary), we may need to coordinate with the clinic to fulfil certain requests. We will inform you if this is necessary.
Opt-Out and Consent Withdrawal
For patients — WhatsApp opt-out
You may opt out of receiving WhatsApp messages from a clinic powered by RxHQ at any time by replying STOP to any message you receive. Once you opt out:
- No further automated messages will be sent to your number by that clinic's RxHQ account
- The opt-out is registered immediately and is permanent unless you explicitly re-engage
- Opting out does not delete data already collected; to request deletion, see Your Rights Under DPDPA 2023 above
For doctors — account closure
Doctors may request account closure and data deletion at any time by emailing hello@rxhq.in. Upon closure, patient data associated with your account will be deleted in accordance with the retention schedule under Data Retention above.
Data Breach Notification
In the event of a personal data breach that is likely to result in harm to individuals, we will:
- Notify the affected clinic (Data Fiduciary) within 72 hours of becoming aware of the breach
- Take immediate steps to contain and investigate the incident
- Notify the Data Protection Board of India as required under DPDPA 2023
- Provide affected individuals with information about the nature of the breach, data involved, and steps taken, within a reasonable time
We maintain an incident response plan and conduct periodic security audits to minimise breach risk.
Children's Data
RxHQ services are intended for use by adults (18 years and above) — both as clinic doctors and as patients booking their own appointments. We do not knowingly collect personal data from persons under 18 years of age.
If a clinic needs to manage appointments for a minor, the accompanying guardian's contact details should be used, and the guardian's consent obtained. If we become aware that personal data of a minor has been collected without appropriate consent, we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or practices. When we make material changes:
- We will update the "Last updated" date at the top of this page
- Registered doctors will receive a WhatsApp notification summarising the key changes
- For significant changes affecting patient rights, we will provide at least 14 days' notice before the changes take effect
Continued use of RxHQ services after the effective date of a revised policy constitutes acceptance of the updated terms.
Contact and Grievance Officer
For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact our Grievance Officer:
Grievance Officer — RxHQ
Email: hello@rxhq.in
Subject line: Privacy / Data Rights Request
We aim to acknowledge all queries within 72 hours and resolve them within 30 days. If your grievance is not resolved to your satisfaction, you may escalate to the Data Protection Board of India.