HealthFirstLabs (India)
Executive Summary: HealthFirst Labs (“we”, “our”) is committed to protecting your privacy. This policy explains how we collect, use, share, and protect the personal and health-related data you provide when you use our website or services. We collect information you enter when booking tests (via our Forminator form) and communicate via email or phone. We process data only with your consent and as needed to provide services (such as scheduling tests, generating reports, processing payments, and improving our services) and to comply with legal requirements.
We follow India’s privacy laws (the IT Act 2000 and the new Digital Personal Data Protection Act, 2023) and industry best practices, especially for sensitive health data. You have rights over your data (access, correction, deletion, portability, withdraw consent), which you can exercise by contacting us at support@healthfirstlabs.in. We keep data only as long as necessary (e.g. booking info ~2 years, medical records ~7 years) and secure it with encryption and access controls. Please read the sections below for details on scope, data types, purposes, sharing, retention, your rights, and contact information.
Scope and Applicability
This Policy applies to all personal data collected or processed by HealthFirst Labs through our website healthfirstlabs.in and related services (online booking, customer support, etc.) in India. It covers anyone who visits our site, books a lab test, or provides information (patients, users, clients, or their guardians). It does not cover websites or services of other companies (e.g. links you click to external sites). By using our site and services, you consent to this policy.
Information We Collect
We collect different types of personal data, including sensitive health information, only as needed to serve you:
- Personal and Identification Data: Name, date of birth, gender, and government-issued ID (e.g. Aadhaar, PAN).
- Contact Data: Email address, phone number, home address. These let us confirm your booking and send reports. We also collect any emergency contact or referring doctor details you provide.
- Health/Medical Data: Symptoms, medical history, test requests and results, and other diagnostic information. This is sensitive personal data under Indian law and we process it only with your explicit consent for medical purposes (booking tests, communicating results, etc.).
- Payment and Billing Data: Transaction details (amount, date, order ID) and basic payment method information. We do not store full credit/debit card or net-banking details – these are handled by secure payment gateways and only a reference ID or last few digits may be logged for record-keeping.
- Technical/Device Data: Information automatically collected when you use our website, such as IP address, browser type, device type, operating system, pages visited and time spent (often via cookies or similar technologies). This helps us improve site performance and user experience.
We collect this data when you fill our online booking form (Forminator ID=97), contact us, or use our site’s features.
Legal Basis for Processing (Indian Law)
Under India’s data protection framework, the primary lawful basis for processing your personal data is your consent, which you give when you book a test or use our services. Consent must be informed, specific and freely given. We obtain explicit consent for sensitive health data (see “How You Consent” below). In addition to consent, we may process your data in these situations:
- Medical Necessity and Performance of Service: Processing is necessary to provide you with health test services (scheduling tests, generating reports, consulting with doctors). In emergencies, we may process data under “medical necessity” without separate consent.
- Legal Compliance: We process data to comply with legal obligations (e.g. tax laws, medical record-keeping laws, subpoenas, or insurance requirements).
- Legitimate Interests: In limited cases, we use data to improve and secure our services (for fraud prevention, analytics, or direct marketing if you have opted in). Such uses are subject to your rights and expectations.
We comply with India’s Information Technology Act (2000) and the Digital Personal Data Protection Act (2023). Under these laws, you have rights over your data, and we follow required security and breach-notification standards.
How We Use Your Data (Purposes of Processing)
We use your information only for specific purposes, as described below:
- Booking and Test Services: To create and confirm your lab test bookings, send reminders, manage sample collection, and deliver your test reports.
- Customer Support: To answer your inquiries or complaints, and to contact you (e.g. by email, SMS, or phone) about your orders or health information.
- Payment Processing: To process your payments securely and issue receipts/invoices (via third-party gateways). We only access limited payment details needed for transaction history.
- Account and Profile Management: If you create an account, we use your information to manage it (login verification, profile updates).
- Service Improvement: To analyse how our website and services are used (for example, via Google Analytics), so we can improve functionality, fix issues, and measure interest in test packages.
- Marketing and Communications: With your consent, we may send you updates, newsletters or offers about HealthFirst Labs and our partners. You can opt out at any time.
- Legal and Safety: To comply with applicable laws or respond to legal requests. For example, health regulations require us to maintain records of tests performed. We may also use data to investigate or prevent fraud and illegal activities.
Each time we collect data (for example, when you submit the booking form), we will explain the purpose and obtain your consent if needed. We only use your data for the purposes stated at collection.
Data Sharing and Disclosure
We do not sell or rent your personal information. We share your data only as necessary to provide services or comply with law, under strict confidentiality:
- Laboratory Partners: We share health and booking details with our partner labs (such as NABL-accredited facilities or Thyrocare labs) that perform the tests. These labs are bound by confidentiality and only use data to conduct tests and return results.
- Healthcare Professionals: If you are referred by a doctor or another lab, we may share relevant information with them for continuity of care.
- Payment Gateways: We provide necessary transaction data to payment processors (e.g. Razorpay, Instamojo) for billing. These providers do not store your full card data on our site.
- Service Providers: We may use third-party services (web hosts, email systems, analytics tools, CRM software) to operate our business. These vendors have contractual obligations to keep your data secure and confidential.
- Legal Authorities: If required by law (e.g. court order, tax authorities, police inquiry), we may disclose your information. Sensitive health data is only disclosed under strict legal safeguards.
- Affiliates: If HealthFirst Labs is legally merged or sold, customer data would be transferred to the new entity under the same privacy terms.
We require all third parties to protect your data at least to our standards. They may only use data for the purposes we specify (e.g. processing payments, delivering results).
Data Retention Periods
We retain personal data only as long as needed for the purposes above or as legally required. For example:
- Booking and Transaction Records: We generally keep booking and billing data for about 2 years for customer service and audit purposes.
- Medical Reports: We retain medical test results and related health records for at least 7 years after your last treatment or as required by medical regulations. This aligns with Indian medical record guidelines, which call for multi-year retention of clinical data. After that, data is securely deleted or anonymised.
- Consent Records: Proof of your consent and communications (e.g. emails, signed forms) are kept for at least the duration of our relationship, plus any additional period required by law.
- Support and Marketing Data: We keep marketing preferences or inquiry emails until you request deletion or opt-out, or for a reasonable period (e.g. 1–2 years) if inactive.
At the end of each retention period, we delete or anonymize data so it cannot be linked to you. Exceptions apply if there is an unresolved complaint or legal requirement (e.g. court case, tax audit) that legally compels us to keep data longer.
Data Security Measures
We take data security seriously. We implement multiple safeguards to protect your information:
- Encryption: Our website uses HTTPS (SSL/TLS) to encrypt data in transit. Sensitive data (e.g. database records) is encrypted or hashed at rest where feasible.
- Access Controls: We limit access to personal data within our organization on a “need-to-know” basis. Only authorized staff and service providers can access your data, and they must use strong credentials and secure networks.
- Secure Infrastructure: Our servers and databases are hosted with reputable providers who maintain strong security (firewalls, intrusion detection, regular patches). Payment data is handled only by PCI-compliant payment gateways.
- Regular Audits and Updates: We perform periodic security reviews, vulnerability scans and software updates. Our personnel are trained in data protection and confidentiality.
- Contractual Protections: We require any third-party processor (e.g. hosting, analytics, email) to sign Data Processing Agreements ensuring they meet DPDP Act security standards.
No system is perfectly secure, but we strive to use “reasonable security practices” as required by Indian law.
Your Rights and Choices
You have the following rights regarding your personal data:
- Right to Access and Portability: You may request a copy of the personal data we hold about you in a commonly used digital format.
- Right to Correction: You can ask us to correct or update any inaccurate or incomplete data (e.g. wrong contact details).
- Right to Deletion: You may request deletion of your personal data when it is no longer needed for our purposes, you withdraw consent, or if we are processing it unlawfully.
- Right to Withdraw Consent: If you previously gave consent (for example, for marketing or handling of sensitive health data), you can withdraw it at any time. After withdrawal, we will stop using that data (unless another lawful basis applies) and delete it if appropriate.
- Right to Object to Processing: You may object to our processing of your data for direct marketing or activities based on legitimate interests. We will stop those activities unless we have compelling reasons.
- Right to Restrict Processing: In some cases you can ask us to “freeze” your data (stop processing but not delete) if you contest its accuracy or our use.
- Right to Complain: You can lodge a grievance with us (see “Contact Us” below) or with the Data Protection Board of India if you believe your rights are violated.
To exercise any of these rights, please email support@healthfirstlabs.in with “Privacy Data Request” in the subject. We will respond promptly (within the timeframes required by law, typically 30 days). We may ask for proof of identity to process your request securely. There is no fee for accessing your data.
Cookies and Tracking Technologies
Our website uses cookies and similar technologies to improve your experience and for analytics. For example:
- Necessary Cookies: These help with website functionality (e.g. remembering your language preference, keeping you logged in). They are required for the site to work.
- Analytics Cookies: We use tools like Google Analytics to understand how our site is used (pages visited, device type, etc.). This helps us improve content and performance. The data is aggregated and does not personally identify you.
- Marketing/Tracking Cookies: If you opt in to our newsletters or marketing, we may use cookies or pixels (e.g. Google/Facebook tags) to measure campaign effectiveness.
You can manage cookies through your browser settings (e.g. delete cookies or refuse new ones). However, disabling cookies may affect site features. We do not track personal data through cookies beyond these purposes.
For more details, see our Cookie Policy [link here] or browser privacy settings.
Children’s Data
Our services are intended for adults. We do not knowingly collect data from children under 18. If a minor uses our site or booking form, we require consent from a parent or guardian. If we discover we have inadvertently collected a child’s data without consent, we will promptly delete it. Parents who believe their child has provided us personal data should contact support@healthfirstlabs.in immediately.
Cross-Border Data Transfers
We operate primarily in India, but some of our service providers (e.g. cloud hosting, email servers, payment gateways) may be located outside India (for example, in the US, EU, or other countries). By using our services, you agree that your data may be processed or stored outside India. We ensure such international transfers comply with Indian law (DPDP Act), which currently permits transfers subject to government guidelines. If required, we will use standard contractual clauses or other approved mechanisms to safeguard your data abroad.
Data Breach Notification
Although we strive to protect your data, data breaches can occur. In the unlikely event of a security breach affecting your personal data, we will act swiftly:
- We will assess and contain the breach immediately, secure the systems and prevent further unauthorized access.
- If the breach poses a significant risk to your rights or interests, we will notify you via email or phone without undue delay.
- We will also notify the Data Protection Board of India within the timeframes required (generally without delay, and a full follow-up report within 72 hours) as per the Digital Personal Data Protection Act.
- Our notification will describe what happened, what information was involved, and what measures we took to address the breach.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time (for example, if laws change or we introduce new services). The current version will always be posted on our website with a “Last updated” date. If the changes are significant, we will also notify you (e.g. via email or a banner). Please review the policy periodically. Your continued use of our services after changes means you accept the revised policy.
Contact and Grievance
For any questions, requests, or concerns about privacy, you can contact our Privacy Officer / Grievance Officer at:
Support Email: support@healthfirstlabs.in
Address: HealthFirst Labs, 123 Lab Street, Mumbai, Maharashtra, India
We endeavour to respond to all requests within 30 days. If your complaint is not addressed to your satisfaction, you may lodge a grievance with the Data Protection Board of India (an independent regulator under the DPDP Act) using the prescribed procedure. (The Board’s contact information is available on its website.)
HealthFirst Labs is dedicated to maintaining your trust. We do not give legal advice in this policy. For detailed legal guidance, please consult a qualified attorney.
Forminator Integration Notes
To ensure compliance when collecting bookings via Forminator :
- Consent Checkbox: Add a mandatory checkbox field labeled “I agree to the HealthFirst Labs Privacy Policy”. Link the text “Privacy Policy” to https://healthfirstlabs.in/privacy-policy.html. This obtains explicit consent for processing.
- Save Timestamp and IP: Use Forminator’s built-in features to record submission time and user IP. In Forminator Pro, add two hidden fields: one mapped to Date and one to IP Address. This automatically stores the date/time of submission and the submitter’s IP in the form entry.
- Store Entries Securely: Enable Forminator’s data storage so all form submissions (with field values, timestamp, and IP) are saved in the WP admin area. Limit access to this data to authorized staff.
- Email Notification: Configure Forminator to send a copy of submissions to support@healthfirstlabs.in. This provides a backup record and timestamps.
- Data Deletion Options: To comply with deletion requests, ensure you can export and remove form entries when a user asks to delete their data.
- Logs and Audit Trail: Enable WordPress logging or Forminator logs to track who accesses or exports form data (for audit purposes).
By implementing these, each booking record will have proof of consent, date/time, and IP address, meeting the DPDP Act’s consent and record-keeping requirements.
Compliance Checklist (Technical & Organisational)
- Legal & Policy Framework: Maintain this Privacy Policy, Terms of Use, and, if needed, a Data Protection Policy (DPP). Keep records of data inventory (what you collect and why).
- Consent & Notices: Use clear opt-in consent forms (as above) and provide accessible notices on data use. Ensure privacy notices cover all DPDP-required points (data collected, purpose, retention, sharing, rights).
- Data Minimisation: Only collect data necessary for the stated purpose (e.g. avoid unnecessary fields). Review forms and databases to delete obsolete data.
- Access Controls: Implement strong authentication (unique logins for admins) and role-based access. Regularly review who has access to sensitive data. Limit access to service providers and employees as needed.
- Encryption & Security: Use SSL/TLS for the website and secure servers. Encrypt data at rest when possible. Keep software and plugins up-to-date.
- Backup & Disaster Recovery: Regularly back up data securely (with off-site copy). Test backups periodically. Have a plan to restore services in case of system failure.
- Vendor Management: Establish written agreements (Data Processing Agreements) with labs, payment gateways, hosting, and analytics providers to ensure they follow DPDP-grade security. Audit them periodically.
- Incident Response: Develop a breach-response plan. Train staff on how to identify and report incidents. Ensure procedures to notify affected individuals and authorities quickly as required.
- User Rights Process: Set up procedures and points of contact to handle data requests (access, correction, deletion) within required timeframes. Monitor compliance.
- Employee Training: Train all staff on data protection best practices and confidentiality. Conduct periodic reviews. Emphasise the sensitivity of health data.
- Governance: Consider appointing a Data Protection Officer or designate a privacy lead (especially if handling large volumes of sensitive data). Keep documentation of policies, data flows, and compliance audits.
- Cookie Consent: Implement a cookie banner or settings so users can consent to non-essential cookies (like analytics or marketing tags).
- Regular Audit: Periodically audit practices against this checklist. Stay updated on DPDP rules, IT Act amendments, and medical data guidelines.
By following the above policy and implementing these measures, HealthFirst Labs aims to meet high data protection standards and comply with Indian law, while maintaining transparency and trust with our users.