Disclaimer:
By submitting your contact details, you consent to be contacted by Kartavya Healtheon Pvt. via phone
number for the purpose of responding to your callback request and providing information related to our
services. The information shared by you will be used solely for this purpose and handled in accordance
with our Privacy Policy.
Kartavya Privacy Policy
Scope:
This policy applies to the Patient Program, Patient Awareness Camps, and Patient Access Program administered
by Kartavya Healtheon Pvt.
Purpose:
The purpose of the Policy is to define the privacy policy of the program in relation to sensitive personal information that is obtained from the Patients & doctors pursuant to the Program. The Policy demonstrates our commitment to respecting individuals’ privacy and safeguarding personal data across Kartavya’s operations.
Definitions:
- Patient: A Patient is an individual who voluntarily contacts the Patient Support Program for enrollment
and to avail program services. The contact may be made through:
  - Phone
  - Email
  - Fax
  - In-person interaction
- Doctor: The prescribing or treating physician of the Patient who wishes to enroll in
the Patient Support Program.
- Sensitive Personal Data or Information (SPDI): Sensitive Personal Data or Information means personal
information relating to:
  - Physical health condition
  - Physiological health condition
  - Mental health condition
  - Sexual orientation
  - Medical records and medical history
  - Biometric information
  - Any details relating to the above categories provided to a body corporate for the purpose of
  providing services
  - Any information received under the above categories by a body corporate for processing, whether
  stored or processed under a lawful contract or otherwise
- Exclusion: Information that is:
  - Freely available in the public domain; or
  - Furnished under the Right to Information Act, 2005; or
  - Disclosed under any other law for the time being in force

  shall not be regarded as Sensitive Personal Data or Information for the purposes of applicable rules.
- Administrator: Administrator means Kartavya Healtheon Pvt. Ltd. (Kartavya).
- Children: Individuals who are below the age of 18 and require additional protections due to their age.
- Consent: A freely given, specific, informed, and unambiguous indication of an individual’s wishes
signified by a clear affirmative action. (Where consent is used as a processing ground.)
- Data Fiduciary: The natural or legal person which, alone or jointly with others, determines the
purposes and means of Processing Personal Data.
- Cookies and Similar Technologies: Technologies (e.g., cookies, SDKs, tags) used to store or
access information on a device for functionality, analytics, preferences, or advertising, where
such use may involve Personal Data.
- Data Minimization: Ensuring that Personal Data processed is adequate, relevant, and limited to
what is necessary in relation to the stated purposes.
- Data Protection Officer (DPO): The Cipla role designated to advise on privacy obligations,
monitor adherence to this Policy, and serve as a contact for privacy matters (and, where
applicable, regulators and individuals).
- Data Principal: An identified or identifiable natural person to whom the Personal Data relates.
- Information Security: The preservation of confidentiality, integrity, and availability of
information through appropriate administrative, technical, and physical controls.
- International Data Transfer: Any access to or disclosure of Personal Data to a recipient in
another country (including remote support/access from abroad).
- Legitimate Business Purposes: Purposes necessary for the company's operations that are identified and
documented at design time, compatible with the stated objectives, and balanced against individuals’
rights and interests with proportionate safeguards.
- Personal Data: Any information relating to an identified or identifiable natural person (a Data
Subject).
- Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise
processed.
- Data Processor: A natural or legal person that processes Personal Data on behalf of the Controller.
- Privacy Risk Assessment: Review for new or materially changed Processing to identify alignment with this
Policy and applicable requirements, risks, and recommended controls before go live; includes
documentation for accountability.
- Sub Processor: Any natural or legal person engaged by a Processor to carry out specific Processing
activities on behalf of the Controller and under the Processor’s supervision.
- Data Protection Authority: An independent public authority responsible for monitoring compliance with
data protection law in a given jurisdiction.
- Technical and Organizational Measures (TOMs): Appropriate measures to ensure a level of security
appropriate to risk (e.g., encryption/pseudonymisation; confidentiality, integrity, availability and
resilience; backup/recovery; regular testing and evaluation).
- Vulnerable Individuals: Individuals who require additional protections due to their circumstances (e.g.,
age, disability, health, dependency); protections are proportionate to the context and applicable
Policy:
This Privacy Policy describes the collection, use and disclosure of patient Personal Information.
- Information Collection: We may collect and hold information relating to the patient that has been
provided to us (such as on the Program Consent form, Feedback form, Camp attendance form, Email, Voice)
or that we may have obtained from another source (such as the patient's prescribing / treating doctor's
prescription or report). This information may include, amongst other things, name, address, telephone
numbers, medical information (such as the medicine name, dosage, disease indication, disease state, Rx),
lifestyle information and any other information collected in relation to the patient's use of our
services ("information").
- Sensitive Personal Information: The personal information given to us is presumed to be true, complete
and accurate in all respects, and the patient may or may not agree to notify us immediately of any
changes to it. Personal information held by Patient Programs, Patient Support Program, patient awareness
camps may include name, date of birth, current and previous addresses, telephone/mobile phone number,
email address, income.
Information usage:
Patient personal information may be used by Kartavya for a number of purposes connected with the patient
programs and functions, which includes:
- Verify patient identity
- Assist the patient to subscribe to Patient Programs Patient Support services/programs
- Provide the required services
- Dealing with requests, enquiries or complaints and other patient care related activities; and all other
general administrative purposes;
- Carrying out market and product analysis
- Contacting the patient (including by post, email, fax, short text message (SMS), or telephone) about our
services which we think may be of interest to the patient (unless the patient asks us in writing not to
be contacted)
- Registering patient details and allocating or offering patients value-added services, discounts or
other benefits and fulfilling any requests or requirements patients may have in respect of our
services/programs;
- Carrying out any activity in connection with Pharmacovigilance norms and adverse event reporting;
- Carrying out activities connected with the running of our program such as personnel training, quality
control, network monitoring, testing and maintenance of computer and other systems and in connection
with the transfer of data in respect of which patient data is used.
- Provide free medicine to patients who are eligible under patient access program as per terms &
conditions of the program and the complete terms of the program signed by them.
- Kartavya, however, assures that it will not disclose patient personal information to any other
companies, its sponsors (clients) or persons, marketing agents, or affiliates in a way which could lead
to invasion of the patient’s privacy. However, Patient programs may tie up with agencies such as
diagnostic centers, hospitals, and treating doctors from time to time and provide patient-identifiable
data to such agencies for providing services or offers that may be beneficial to the patient as part of
the program services only.
Sharing / disclosing Patient personal information:
In order to deliver the services patients require, the Patient Support program may disclose patient personal
information to departments within the organization (i.e. Kartavya). The personal information is disclosed to
these departments only in relation to the Patient Programs program providing its services to its patients.
These organizations carry out:
- Customer services
- Mailing operations
- Fulfillment services
- Information technology service
- Supply chain / Medicine Delivery services
- MIS
Kartavya takes reasonable steps to ensure that these departments are bound by confidentiality and privacy
obligations in relation to the protection of patient personal information. In addition, the Patient program
may disclose patient personal information to:
- Authorized treating doctors of the patient
- Financial Institutions who provide loans (EMI) for treatment and medicine purchase to patients
- Government, regulatory authorities and other organizations, as required or authorized by law
- Kartavya program may also disclose patient personal information, acting in good faith, if it believes such
action is necessary to conform to a legal requirement or comply with the legal process, protect and
defend the rights or property of Patient.
Limiting Use, Disclosure, and Retention
Kartavya shall process Personal Data only for specified, clear, and lawful purposes, and shall not further
process such Personal Data in a manner that is inconsistent with those purposes, except where such
processing is permitted under the Digital Personal Data Protection Act, 2023 (“DPDP Act”).
Personal Data shall be retained only for as long as is necessary to fulfil the purposes for which it is
processed or to comply with legal, regulatory, or contractual obligations. Upon expiry of the applicable
retention period or achievement of the stated purpose, Personal Data shall be securely deleted, anonymised,
or otherwise rendered inaccessible, unless retention is required under applicable law.
Disclosure of Personal Data shall be limited to what is necessary for the stated purpose and shall be carried
out only where a valid lawful ground under the DPDP Act applies.
Data Principal Rights Management
In accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), Data Principals whose
Personal Data is processed by Kartavya, acting as a Data Fiduciary, are entitled to exercise the following
rights, subject to applicable conditions, limitations, and exemptions under law:
- Right to access information about personal data
- Right to correction & erasure of personal data
- Right of grievance redressal
- Right to nominate
Breach Notification
Kartavya shall handle Personal Data Breaches in accordance with the Digital Personal Data Protection Act,
2023 (“DPDP Act”), and shall take appropriate measures to ensure the timely identification, assessment,
containment, mitigation, and remediation of such breaches.
A Personal Data Breach means any breach of security that leads to the accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or access to, Personal Data.
Where a Personal Data Breach occurs, Kartavya shall, as soon as practicable, notify:
- the Data Protection Board of India
- the affected Data Principals
Such notification shall include, to the extent practicable, information relating to the nature of the
Personal Data Breach, the categories of Personal Data affected, the approximate number of affected Data
Principals, the likely consequences or potential harm arising from the breach, and the measures taken or
proposed to mitigate such harm, in accordance with Section 8(6) of the Digital Personal Data Protection Act,
2023.
Where all required information cannot be provided at the same time, such information may be provided in
phases without undue delay, in accordance with the DPDP Act and applicable rules.
Kartavya Limited shall maintain appropriate records of all Personal Data Breaches, including the facts
relating to the breach, its effects, and the remedial actions taken, in order to demonstrate compliance with
its obligations as a Data Fiduciary under the DPDP Act.
Information Security:
- Patient Programs program requires its employees/contractors/service providers to perform their duties
in a manner that is consistent with legal responsibilities in relation to privacy. Client also reviews
on a regular and ongoing basis the information security practices to ascertain how ongoing
responsibilities can be achieved and maintained. Kartavya reiterates Patient programs' commitment to
respect patient privacy at all times on a priority basis by ensuring that this information does not fall
into the hands of any outside agency other than the organization (i.e. Kartavya) or its departments.
- Employees/contractors/service providers of Kartavya will take reasonable steps to ensure that the
personal information collected, used or disclosed in relation to its program is accurate, complete,
up-to-date and stored in a secure environment protected from unauthorized access, intrusion or breach,
modification or disclosure. In case of any concerns the privacy officer can be contacted at
privacyofficer@kartavyahealtheon.com
- All access to patient data will have stringent password controls and Audit trails / logs with highest
physical security for data storage and secured transmission within the Kartavya Patient programs
information network.
Internet use/ Email:
Kartavya will make every effort to maintain the security of its internet connections; however, for reasons
outside of our control, security risks may still arise. Any personal information transmitted to us or from
any online websites, services or emails will therefore be at the patient’s own risk; however, we will use
our best efforts to ensure that any such information remains secure and accurate within our Information
Security framework. We cannot protect any information that patients make available to the general public,
for example on message boards or in chat rooms. Please note that when patients are accessing a non-Patient
Programs Program website, they should always read that website's privacy policy or terms and conditions,
especially if they are considering providing it with their personal information. Patients are also
responsible for maintaining the secrecy of their passwords and/or any account information.
We may use cookies and other interactive techniques such as web beacons to collect non-personal information
about how patients interact with our website, and web-related products and services, to:
- understand what patients like and use about our website;
- understand what patients do not like and do not use on our website;
- provide a more enjoyable, customized service and experience, and
- help us develop and deliver better products and services tailored to our patients’ interests and needs.
- We may use a persistent cookie to record details such as a unique user identity and general registration
details on the patient’s PC. This helps us recognize patients on subsequent visits to this website so that
patients don't have to re-enter their registration details each time they visit us and allows us to
carry out the activities mentioned above.
- Most browser technology (such as Internet Explorer, Netscape etc.) allows choosing whether to accept
cookies or not: patients can either refuse all cookies or can set their browser to alert them each time
that a website tries to set a cookie.
Changes to Privacy Policy
The Administrator reserves the right to amend or discontinue this document at any time with prior consent of
Clients / Our clients. Patient programs are committed to protecting patient privacy; however, if any query
arises about the handling or protection of patient personal information or about the Patient Programs
program privacy statement, please write to: privacyofficer@kartavyahealtheon.com
Disclaimer
The information contained on this website is provided by Kartavya for general informational purposes and is
intended to support awareness and understanding of our services. We make reasonable efforts to ensure that
the information published on this website is accurate, current, and reliable, and we regularly review and
update the content to maintain its relevance and correctness.
While we strive to present information that is complete and dependable, certain content may evolve over time
due to changes in medical, regulatory, or operational practices. Kartavya does not exclude its
responsibility to act with due care and diligence and undertakes to correct any material inaccuracies
brought to its notice in a timely manner.
The website and its contents are not intended to substitute professional medical advice, diagnosis, or
treatment. Users are encouraged to seek appropriate professional guidance where required. Any use of the
information on this website should be in conjunction with such professional advice and in accordance with
applicable laws and regulations.
Kartavya shall not be liable for any loss or damage arising solely from the use of this website where such
use is beyond the reasonable control or intended purpose of the information provided.