Data Retention & Deletion Policy
  • PURPOSE AND SCOPE

    This Policy sets out how Oasis Fertility ("we", "our", "us") retains and deletes personal data collected and processed through the mobile application (the "App"). It applies to all categories of data, including clinical (ART) and non-clinical data, and to all processors acting on our behalf, including ARTis HMS, cloud hosting, communication, and analytics providers.

  • RETENTION PRINCIPLES
    • Legal and clinical requirements prevail: Where law prescribes a minimum retention period, we comply with it (e.g., ART case records – 10 years).
    • Storage limitation: Where no statutory retention applies, we retain data only as long as necessary to fulfil the stated purposes, after which it will be securely deleted or irreversibly anonymized.
    • Proportionality: Retention duration is proportionate to the sensitivity of the data (e.g., health records are retained longer than usage logs).
    • Deletion triggers: Purpose completion, account closure, or expiry of statutory timelines initiate review for deletion/anonymization.
    • Security: Data retained (including archived/backed-up copies) is protected by reasonable security practices.
  • CATEGORY-WISE RETENTION SCHEDULE
    | Data Category | Examples | Retention Trigger & Duration | Authority / Notes |
    |---|---|---|---|
    | ART case-related clinical records | Case files, consent forms, lab results, imaging plates, microscopic pictures, recommendations | Minimum 10 years from date of completion of ART procedures | ART Rules, 2022 |
    | Registry & statutory submissions | Monthly ART procedure data submitted to the National Registry | Retained as part of statutory clinical records | ART Act/Rules – reporting obligations |
    | Telemedicine interaction records (if applicable) | Consultation notes, chat/video/audio records | Retained as part of medical record consistent with clinical/legal standards | Telemedicine Guidelines; medical record norms |
    | Health / treatment records (general) | ARTis reports, test results not covered above | Typically 7 years after last patient visit/treatment completion, unless longer period mandated | Medical record-keeping standards |
    | Identity & contact data | Profile, registration data, contact details | Active accounts + 1 year after closure (for audits, grievance, or defense of claims), then deletion/anonymization | DPDP Act – storage limitation |
    | Appointment history & usage logs | Appointment confirmations, service usage | 3 years after last appointment | Operational necessity |
    | Account credentials | Hashed passwords, tokens | For life of account; purged upon closure, subject to limited security log retention | Security practices |
    | Billing & payment records (SPDI) | Transaction identifiers, masked details | 7 years (or longer if required under tax/financial laws) | Tax & financial regulations |
    | App telemetry & analytics | Crash logs, performance metrics, device IDs | Retained for diagnostics/security for 1–2 years, then deleted/anonymized | DPDP storage limitation principle |
    | EHR archival formats (if used) | Long-term archival formats (PDF/A-2, etc.) | Retained in line with clinical retention timelines (e.g., 10 years for ART) | MoHFW EHR Standards |
  • DELETION AND ANONYMIZATION
    • Upon expiry of retention timelines (and in the absence of legal holds), we delete or irreversibly anonymize data across active systems and reasonably accessible backups in a secure manner.
    • Where clinical data must be archived, we may convert it into compliant archival formats before deletion of active records.
    • If deletion is operationally infeasible (e.g., in disaster recovery backups), data will remain secure and access-restricted until overwritten in normal backup cycles.
  • DELETION UPON REQUEST
    • You may request erasure of your personal data ("right to be forgotten") via in-App settings or by contacting our Grievance Officer/DPO. Requests will be honoured when the original purpose is fulfilled and no legal or regulatory obligation requires retention (e.g., ART case records must be kept for 10 years).
    • We aim to respond to valid deletion requests within 30 days, unless a longer period is mandated by law.
  • EXCEPTIONS
    • Certain data may need to be retained beyond the standard periods for reasons including continuity of care, audits, dispute resolution, fraud prevention, or regulatory reporting.
    • Backup or archival copies may persist temporarily after deletion, but remain secure, access-restricted, and subject to overwrite policies.
  • DATA MINIMIZATION
    • We collect and retain only the minimum personal data necessary for treatment, operational, and regulatory purposes.
    • Sensitive personal data is processed only with explicit consent and safeguarded with enhanced controls.
  • PROCESSORS AND CROSS-BORDER STORAGE
    • Third-party processors (e.g., ARTis HMS, cloud/analytics vendors) act only on our instructions and must implement contractual safeguards, including deletion/return of data upon termination.
    • If data is transferred outside India, we ensure a "same level of protection" in line with SPDI Rules and DPDP Act requirements.
  • DOCUMENTATION AND AUDIT

    We maintain internal retention schedules, deletion logs, and legal hold records to demonstrate compliance. Reviews are conducted periodically to align with evolving legal requirements.

  • POLICY REVIEW AND UPDATES

    This Policy will be reviewed and updated periodically. Material changes will be communicated via the App, and the "Effective Date" will be revised accordingly.

  • GRIEVANCE OFFICER / DPO CONTACT

    Grievance Officer: Mr. Shashi Ranjan

    Email: [email protected]

    Phone: 1800-3001-1000

    Postal Address: As notified on our website and clinic premises.