Privacy Policy

At Holy Cross Hospital, we are committed to safeguarding your personal data. This Privacy Policy outlines how we collect, use, disclose, and safeguard your information across all our online platforms, including our hospital website, online patient portal, and electronic payment systems.

This Policy complies with the Information Technology Act, 2000 and the Digital Personal Data Protection (DPDP) Act, 2023, and incorporates global best practices in healthcare data privacy.

1. Introduction
This Privacy Policy governs how Holy Cross Hospital (hereafter referred to as “we,” “our,” or “the Hospital”) handles your data when you:
• Visit our website
• Book appointments online
• Make payments digitally (via UPI, IMPS, NEFT, POS, Internet Banking, etc.)
• Access our online patient portal
• Interact with us through email, WhatsApp, or online chat support

By using any of these services, you consent to the terms of this Privacy Policy.

2. Categories of Personal Data Collected
At Holy Cross Hospital, we collect various types of personal information to provide you with safe, effective, and personalized healthcare services. This information may be gathered directly from you—such as when you fill out forms or interact with our digital services—or indirectly, through automated technologies like cookies.

A. Personal Identification Data
This includes the basic details that help us identify and communicate with you:
• Your full name, gender, date of birth, and residential address
• Your mobile number and email address for appointment updates and communication
• Aadhaar number or other government-issued ID, when required for verification
• Emergency contact information, so we can reach someone close to you in critical situations

B. Medical and Health Information
These are health-related records that support diagnosis, treatment, and follow-up care:
• Your Unique Health ID (UHID)
• Details of your medical history, current or past diagnoses, and treatment plans
• Test reports, prescription records, and consultation notes from doctors
• Admission and discharge summaries, as well as your overall clinical progress

C. Financial and Payment Data
To process payments and maintain transparency, we may collect:
• Your UPI ID, bank account details, and masked credit/debit card numbers
• Transaction IDs, payment timestamps, and associated invoice records
• Details related to your billing history, including any refunds processed

D. Digital Interaction Data
To enhance your experience and ensure secure access, we also capture:
• Your IP address, approximate geolocation, and device/browser specifications
• The date and time of your visit and interactions on our website
• Technical identifiers like cookies and data from web analytics tools

E. Media and Profile Data
In the interest of transparency and trust, our website displays:
• Photographs and professional credentials of our doctors and staff
These are shared to help patients make informed choices when selecting specialists.

3. Method of Data Collection
At Holy Cross Hospital, we collect your personal and health-related data through a variety of secure and convenient channels—both online and offline. These methods ensure that your information is captured accurately and efficiently to support your care journey:

i. Website Registration and Appointment Forms
When you book an appointment or register as a patient through our website, the information you enter—such as your name, contact details, and medical concerns—is securely collected and stored. This helps us schedule your appointments and prepare for your visit.

ii. Payment Gateway Integrations
If you make payments online using UPI apps, POS terminals, or through internet banking, the relevant transaction details are captured through our partnered, secure payment gateways. This ensures smooth financial processing and documentation for your medical bills.

iii. Cookies and Tracking Technologies
To enhance your browsing experience, we use cookies and tracking pixels on our website. These tools help us understand how visitors interact with our site, so we can make improvements and tailor the content to your needs.

iv. Digital Communications
Your interactions with us via email, chatbots, WhatsApp messages, or calls to our helpline may also lead to the collection of personal data—particularly when you inquire about services, request appointments, or share health concerns.

v. Offline to Online Data Entry
Information you provide physically—such as through registration forms filled at the hospital reception—is manually entered into our digital health record systems by authorized staff. This allows us to maintain a complete and centralized patient history.

4. Purpose of Data Processing
At Holy Cross Hospital, we handle your personal data with utmost care and responsibility. Every piece of information we collect is used strictly for defined, lawful, and beneficial purposes to support your healthcare journey and enhance your overall experience with us.

A. Healthcare Delivery
Our primary goal is to deliver quality healthcare. Your data helps us:
• Schedule and confirm appointments efficiently, ensuring you receive timely care
• Assist doctors in diagnosis, treatment planning, prescription generation, and medical follow-ups
• Maintain accurate medical records for future reference, continuity of care, or referrals to specialists

B. Payment Processing
We use your financial data to support smooth and secure transactions:
• Process payments through certified payment gateways like UPI, POS, or internet banking
• Generate official receipts, track transactions, and handle refunds when necessary
• Ensure our financial systems align with accounting and audit requirements

C. Operational and Administrative Use
To enhance efficiency and ensure patient convenience, we also use your data for:
• Sending appointment confirmations, reminders, and relevant notifications
• Communicating about any delays, cancellations, or rescheduled consultations
• Analyzing internal processes to improve the hospital's workflow and patient service

D. Regulatory and Legal Compliance
As a responsible healthcare provider, we are obligated to:
• Meet legal and regulatory requirements under healthcare and income tax laws
• Cooperate with government authorities when information is legally requested during audits or investigations

E. Website and User Experience
To make your online interaction seamless and secure, we process your data to:
• Analyze user behavior on the website, helping us enhance design, layout, and accessibility
• Prevent unauthorized access, data misuse, or fraudulent activities on our digital platforms

5. Legal Basis for Processing – In Compliance with the IT Act and DPDP Act
At Holy Cross Hospital, we uphold your right to data privacy by ensuring that all personal information is processed strictly in accordance with the Information Technology (IT) Act, 2000 and the Digital Personal Data Protection (DPDP) Act, 2023. These laws guide how we lawfully collect, use, and protect your data.

Your personal and medical data is processed only under clear and legally valid grounds, which include:

1. Your Explicit Consent
We seek your explicit consent before collecting or processing any personal data—whether during website registration, appointment booking, or online payments. This consent serves as a foundation for us to engage with you responsibly and transparently.

2. Fulfillment of Contractual Obligations
When you book an appointment or undergo treatment at our hospital, a contractual relationship is established. We process your data to fulfill our end of this contract—ensuring proper care, accurate billing, and follow-up services.

3. Legal and Regulatory Compliance
We are required by law to retain and, when necessary, disclose certain personal and financial data. This includes compliance with mandatory medical reporting, public health surveillance, and income tax or insurance regulations. All such processing is done strictly as permitted under the applicable laws.

4. Legitimate Interests
In some cases, we process data to protect our legitimate interests—such as maintaining operational continuity, safeguarding patient safety, and ensuring secure, uninterrupted access to our services. This is done with appropriate safeguards in place to protect your rights and freedoms.

6. Data Sharing and Disclosures
At Holy Cross Hospital, we value your trust and treat your personal information with the highest level of confidentiality. We want to assure you that we do not sell, rent, or trade your personal data under any circumstances.
However, in the interest of providing you with quality care, operational support, and legal compliance, there may be specific instances where your data is shared securely and responsibly. These situations include:

A. Internal Medical Personnel
Your medical and personal information may be accessed by our authorized hospital staff, including:
• Doctors, for diagnosis and treatment
• Nurses and clinical assistants, to provide you with care and manage your treatment
• Administrative and support staff, to assist with scheduling, billing, and recordkeeping
Access is granted strictly on a need-to-know basis, ensuring your privacy at every step.

B. External Third Parties
In some cases, we engage third-party service providers to support our operations. We may share your data with:
• Payment gateway partners such as Razorpay, Paytm, Google Pay, and others, for secure financial transactions
• IT service providers, who manage website hosting, system security, data backups, and technical maintenance
• Laboratories or diagnostic centers, in case of medical referrals for tests, scans, or imaging services
All such partners are carefully vetted and bound by legal agreements that require them to maintain strict confidentiality and data protection standards, in line with this Privacy Policy and applicable laws.

C. Government and Regulatory Authorities
We may be legally required to disclose your data to government authorities or regulators, including:
• Law enforcement agencies, under criminal procedure laws (CrPC)
• Health departments or regulatory bodies under medical council or public health guidelines
• Tax authorities, in compliance with financial regulations
Such disclosures are made only when mandated by law, and we ensure that the scope of information shared is limited to what is strictly necessary.

In every scenario of data sharing, we take steps to ensure that your rights, dignity, and privacy are fully respected, and that your data remains protected against unauthorized use or disclosure.

7. Data Security Practices
At Holy Cross Hospital, protecting your personal and medical information is not just a legal requirement—it is a core part of our commitment to patient care and digital responsibility. We have implemented robust technical, organizational, and administrative safeguards to ensure your data remains confidential, secure, and protected against misuse.
Our security framework includes:

1. SSL Encryption
All data exchanged between you and our digital platforms is protected using Secure Sockets Layer (SSL) technology. This ensures that sensitive information—such as appointment details and payment transactions—is encrypted during transmission, making it unreadable to unauthorized parties.

2. Firewalls and Intrusion Detection Systems
Our systems are shielded by advanced firewalls and intrusion detection mechanisms that monitor network traffic in real time. These tools help us detect, prevent, and block any unauthorized attempts to access hospital data.

3. Access Controls
We operate on a strict access control policy. Only authorized personnel—such as your treating physician or support staff—are granted access to your personal or medical information. Even within the hospital, access is granted only on a need-to-know basis, with proper authentication.

4. Audit Logs and Monitoring
Every data transaction within our systems is logged and continuously monitored. This allows us to track how, when, and by whom patient data is accessed, ensuring transparency and accountability in all digital operations.

5. Data Breach Notifications
Despite all precautions, in the rare event of a data breach, we are committed to promptly notifying affected individuals. In line with the Digital Personal Data Protection (DPDP) Act, 2023, we will take swift action to mitigate the impact, investigate the cause, and report the breach to relevant authorities, if required.

Through these layered security practices, Holy Cross Hospital ensures that your personal health information is handled with utmost care, integrity, and compliance with national data protection laws.

8. Your Rights under the Digital Personal Data Protection (DPDP) Act
As a valued patient and user of our digital services, you are recognized as a Data Principal under the Digital Personal Data Protection Act, 2023. This law empowers you with specific rights regarding how your personal and health-related data is used and protected.
At Holy Cross Hospital, we fully respect and uphold these rights. Here’s what you’re entitled to:

1. Right to Access
You have the right to view the personal and medical data that we maintain about you. Whether it’s your contact information, health history, or payment records, you can request a copy of the data we hold.

2. Right to Correction
If any of your personal information is inaccurate, incomplete, or outdated, you can request us to make the necessary corrections. Ensuring the accuracy of your data is essential for providing effective medical care.

3. Right to Deletion
You may request the erasure of your personal data from our systems, provided it is no longer required for legal, regulatory, or treatment-related purposes. We will honor such requests wherever legally permissible.

4. Right to Restrict Processing
In specific cases—such as ongoing disputes or during the verification of data—you may limit or pause the processing of your information, except where processing is essential for medical or legal purposes.

5. Right to Data Portability
You can request your data in a structured, commonly used, and machine-readable format, allowing you to transfer it to another healthcare provider or digital service of your choice.

6. Right to Withdraw Consent
If you've given us consent for non-essential uses of your data (e.g., feedback surveys or optional services), you have the right to withdraw that consent at any time, and we will stop using your data for those specific purposes.

To exercise any of these rights or to seek assistance regarding your data privacy, please contact our Data Protection Officer at:

📧 inquiry@holycrosskottiyam.org

We are committed to responding to your requests promptly and in accordance with the timeframes specified under the DPDP Act.

9. Cookies and Web Tracking
To make your interaction with our website smoother, faster, and more personalized, Holy Cross Hospital uses cookies and tracking technologies. These tools help us understand how visitors use our site, improve its performance, and offer features that enhance your experience.

What Are Cookies?
Cookies are small text files stored on your device when you visit our website. They do not harm your system or access any personal data stored on your device. Instead, they help our website remember your preferences and actions for a better, customized experience.
Types of Cookies We Use:

1. Strictly Necessary Cookies
These are essential for the website to function properly. They:
• Allow you to log in securely
• Help maintain active sessions while using the online patient portal
• Enable important security features

2. Performance Cookies
These cookies collect anonymous information about how visitors use our website. They help us:
• Understand which pages are most visited
• Monitor website traffic patterns
• Identify and fix any technical issues to optimize performance

3. Functionality Cookies
These cookies remember the choices you make—like language preferences or layout settings—so that you don’t have to reset them each time you visit. They’re designed to make your visit more comfortable and user-friendly.
Managing Your Preferences
You have full control over how cookies are used. You can:
• Adjust your cookie settings through your web browser
• Choose to disable some or all cookies, although doing so may affect the functionality of certain parts of our website

We use cookies responsibly and in full compliance with privacy regulations to provide you with a safe, secure, and tailored online experience.

10. Data Retention Policy
At Holy Cross Hospital, we retain your personal and medical data only for as long as it is necessary, useful, and legally required. This ensures that your health records are available when needed while also respecting your right to data privacy.
How Long Do We Keep Your Data?
We keep your personal and health-related information:
• For the duration of your treatment and for any follow-up services you may require
• As required by medical and legal guidelines, such as the Indian Medical Council norms, which mandate that medical records must be preserved for a minimum of 3 years
This period allows us to:
• Maintain accurate medical histories for continuity of care
• Respond to medical queries or referrals
• Meet our obligations under healthcare and tax regulations
What Happens After the Retention Period?
Once your data is no longer needed for medical, legal, or operational purposes, we take appropriate action to safely dispose of it. This means:
• Secure deletion of digital records from our systems
• Anonymization of data for use in statistical or research purposes without identifying you in any way
We follow strict protocols to ensure that this process is irreversible and compliant with applicable data protection laws.

Our goal is to balance effective care and compliance with respect for your privacy, ensuring that your data is only kept as long as it genuinely serves a purpose.

11. Children’s Privacy
At Holy Cross Hospital, we place great importance on protecting the privacy and safety of children and minors who may access our healthcare services.
Age Requirement for Online Services
Our website and online platforms are not intended for use by individuals under the age of 18 unless they are doing so under the direct supervision of a parent or legal guardian.
Parental Consent is Mandatory
If a child under 18 needs to register online, book appointments, or share medical information through our digital channels, it is essential that a parent or legal guardian provides explicit consent. This consent is necessary for:
• Collecting any personal or medical data related to the minor
• Communicating treatment-related updates
• Ensuring the lawful and ethical use of the child's information
We do not knowingly collect or process data from minors without such verified consent. If we discover that data has been collected without appropriate authorization, we will take immediate steps to securely delete the information.

By enforcing this policy, we aim to provide safe, respectful, and legally compliant digital healthcare access for patients of all ages, with a special focus on protecting our younger users.

12. Third-Party Services and Websites
To provide you with a seamless and efficient experience, the Holy Cross Hospital website may include links to third-party websites and services, such as:
• Online payment gateways (e.g., Razorpay, Paytm, Google Pay)
• Diagnostic partners or external lab portals
• Health insurance verification or government health portals
Your Responsibility When Leaving Our Website
While these external links are provided for your convenience, it’s important to understand that:
• These third-party websites operate independently and are governed by their own privacy policies and data protection practices
• Holy Cross Hospital is not responsible for the content, accuracy, or data handling methods of these external websites
Read Their Privacy Policies First
Before interacting with any external website linked from ours—whether you're making a payment, submitting a lab request, or entering personal information—we strongly encourage you to review their privacy policy. This will help you understand:
• What information they collect
• How they use and store your data
• Whether and how they share your data with others

Your privacy and trust are important to us, and we want you to be fully informed when navigating beyond our website.

13. Updates to the Privacy Policy
At Holy Cross Hospital, we are committed to staying current with legal, technological, and operational developments that impact data privacy. As such, this Privacy Policy may be updated from time to time to reflect:
• Changes in applicable laws or regulations
• Technological advancements in our digital platforms or security systems
• Modifications in how we collect, use, or protect your data
Transparency in Updates
Whenever we make changes to this policy, the revised version will be published on our official website, clearly stating the updated effective date at the top of the page. We encourage all users to review the policy periodically to stay informed about how we safeguard your personal information.

By continuing to use our services after such updates are made, you agree to the revised terms. Your privacy remains our priority, and we are dedicated to keeping you informed every step of the way.

14. Contact Us
For inquiries, complaints, or data-related concerns, please contact:

Holy Cross Hospital, Kottiyam
📧 inquiry@holycrosskottiyam.org
📞 0474 - 3504808