Oasis Fertility ("Clinic", "we", "our", "us") is committed to protecting the privacy and security of the personal data of its patients and users. This Mobile App Privacy Policy ("Policy") explains how we collect, use, disclose, retain, transfer, and protect personal data when you access or use our mobile application (the "App").

This Policy applies to personal data processed through the App, including data synchronized from our hospital management system, ARTis ("ARTis HMS"), and other clinical and administrative systems. It is intended to complement – and not contradict – the privacy policy applicable to our website, but is tailored to the App environment, mobile SDKs, and device-based data collection.

We comply with applicable Indian laws and regulations relating to data protection, information technology, and healthcare, including:

• The Digital Personal Data Protection Act, 2023 ("DPDP Act");
• The Information Technology Act, 2000 (including section 43A) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules");
• The Assisted Reproductive Technology (Regulation) Act, 2021 and Rules, 2022 ("ART Act/Rules");
• The Telemedicine Practice Guidelines, 2020, where tele-consultation services are offered; and
• Other applicable laws and professional standards relating to medical confidentiality and record-keeping.

This Policy must be read together with the Mobile App Terms & Conditions, the Data Retention & Deletion Policy, and any specific consent forms and medical documentation you sign while availing services at the Clinic.

To promote transparency, we use a layered approach:

• Short notices and prompts within the App (for example, during registration, when enabling tele-consultations, or when requesting device permissions) summarizing the key purposes and the type of data collected; and
• This detailed Policy providing full information on categories of personal data, purposes, lawful bases, retention, sharing, cross-border transfers, and your rights.

We may collect and process the following categories of personal data through the App or via systems integrated with the App.

Personal and Identity Information:

• Name, date of birth/age, gender, marital status;
• Contact information (such as postal address, phone number, email address);
• Government-issued identification or unique identifiers, where required for registration, KYC, or compliance.

Health and Treatment Information (Sensitive Personal Data/SPDI):

• Medical history, current and past diagnoses, treatment plans, clinical notes, lab results, radiology reports, prescriptions, and outcome information related to fertility and other treatments;
• ART case records, including details of procedures, gamete/embryo details, donor-related information (where applicable), and consents required under the ART Act/Rules; such records must be retained for at least 10 years as mandated by law;
• Information you provide through the App about symptoms, cycle tracking, or other clinical inputs, which may become part of your medical record;
• Consents and preferences relating to ART procedures, storage of embryos/gametes, donor anonymity (where applicable), and telemedicine.

Telemedicine and Communication Records:

• Tele-consultation notes, assessments, and prescriptions;
• Text/chat transcripts within tele-consult modules;
• Where maintained in accordance with law and our policies, audio or video recordings of tele-consultations;
• Metadata such as timestamps and duration, along with identity of consulting doctor.

Account and Authentication Data:

• Account username/login ID, hashed passwords, and authentication tokens;
• Security, access, and activity logs associated with your account.

Financial and Payment Information (SPDI):

• When you make payments via the App, we may collect limited financial details such as transaction amount, date/time, payment method, transaction ID, and partial or masked payment instrument details; full card credentials may be handled by payment gateways and not stored by us;
• Payment-related records may be retained to comply with financial and tax regulations and for reconciliation, refunds, and dispute resolution.

Technical and Usage Information:

• Device identifiers (for example, device ID, advertising ID), operating system and version, mobile network information, time zone, language settings;
• IP address, App version, crash logs, performance metrics, and diagnostics;
• In-App behavior and usage analytics (such as screens visited, session durations, clickstream data), collected via SDKs, analytics tools, and similar technologies.

We may collect personal data:

• Directly from you when you register an account, update your profile, submit forms or clinical information via the App, participate in tele-consultations, or communicate with us via in-App channels;
• From Clinic systems and professionals, including ARTis HMS and other clinical or administrative systems where your ART and general clinical records are maintained;
• Automatically through the App: via SDKs, analytics tools, logs, cookies-equivalent technologies, and device permissions (for example, camera for tele-consultation, storage for document upload, notifications for reminders).

We process personal data only for lawful, specific, and limited purposes. The primary purposes include:

Treatment, Care Delivery, and Clinical Operations:

• Providing you with personalized access to your treatment journey (appointments, test results, treatment updates, prescriptions);
• Managing ART procedures and clinical workflows, including ARTis HMS integration, and complying with ART Act/Rules (including mandatory reporting to the National Registry and record retention requirements);
• Ensuring continuity and coordination of care among treating clinicians.

Appointments, Reminders, and Patient Communications:

• Managing and updating appointments and schedules;
• Communicating with you by phone, SMS, WhatsApp, email, in-App messaging, or notifications regarding appointments, follow-ups, billing, reminders, and other service-related matters;
• With your consent, sending educational or promotional material about our services, events, and offers, subject to your right to opt out of promotional communications.

Payments and Financial Compliance:

Processing payments, handling refunds where applicable, reconciling accounts, and complying with financial, accounting, and taxation obligations.

Telemedicine and Remote Care:

Facilitating tele-consultations, maintaining records as required by the Telemedicine Guidelines, and integrating telemedicine data with your medical record.

App Operations, Security, and Improvement:

• Operating and maintaining the App, ensuring security, preventing fraud or abuse, and troubleshooting issues;
• Conducting analytics, performance monitoring, and user experience optimization (for example, understanding usage patterns and improving App design), using de-identified or aggregated data where feasible.

Legal Compliance, Audits, and Disputes:

• Complying with obligations under ART Act/Rules, DPDP Act, SPDI Rules, and other healthcare, tax, and regulatory laws;
• Responding to lawful requests from courts, regulators, or law enforcement;
• Conducting audits and handling grievances, complaints, and legal disputes.

De-identified and Aggregated Insights:

We may anonymize or aggregate personal data to generate statistics or insights for internal analytics, quality improvement, or bona fide research consistent with ethical guidelines. Once data is irreversibly anonymized, it is no longer personal data; however, underlying identifiable data is retained or deleted according to this Policy and our Data Retention & Deletion Policy.

By submitting your personal data via the App, registering, or using our services, you expressly consent to the collection, storage, processing, disclosure, and transfer of your personal data (including sensitive personal data) in accordance with this Policy, the Mobile App Terms & Conditions, and applicable laws.

For processing of sensitive personal data or information (such as health, financial, biometric, or genetic data), we obtain your explicit consent through:

• Clear in-App consent prompts, checkboxes, or digital consent forms; and/or
• Written or electronic consents taken at the Clinic and reflected in our systems.

We may process certain personal data without consent where permitted or required by law, including:

• To respond to medical emergencies;
• To comply with ART Act/Rules and other statutory obligations (for example, mandatory National Registry reporting and minimum retention periods); or
• Pursuant to lawful orders from courts or regulators.

You may withdraw your consent prospectively at any time by using in-App controls (where available) or by contacting our Grievance Officer. Upon withdrawal, we may no longer be able to provide some or all App features or related services; however, withdrawal does not affect processing already undertaken based on valid consent, and we may continue to retain certain data where required by law (for example, ART records for at least 10 years, financial records for statutory periods).

The App exchanges data with ARTis HMS and other clinical systems to fetch and update your health records, appointments, lab results, and billing data, ensuring a unified view of your treatment journey.

Disclosures to Processors and Third Parties:

We may share personal data with:

• ARTis HMS and similar clinical/administrative processors, under contracts that require confidentiality, security, and limited-purpose processing;
• Cloud hosting, IT infrastructure, and communication providers, to host the App and support notifications and communications;
• Analytics and telemetry providers, for App performance, usage analysis, and crash reporting;
• Payment gateways and financial institutions, to process payments and prevent fraud;
• Regulators and National Registry, where required by the ART Act/Rules and other healthcare laws;
• Courts, tribunals, or law enforcement agencies, when required by due process of law.

We do not sell your personal data. Third parties are given access only on a need-to-know basis and subject to suitable contractual and technical safeguards.

Some of our service providers or cloud/analytics vendors may be located outside India or may store data in servers located outside India. Where personal data is transferred outside India, we ensure that:

• Such transfer is in compliance with SPDI Rules, which require a “same level of protection” as in India; and
• Any applicable conditions or restrictions notified under the DPDP Act are followed, including contractual safeguards, technical protections, and access controls.

We retain personal data only for as long as necessary to fulfil the purposes identified in this Policy or as required by law or internal policy, applying the principles of purpose limitation and storage limitation.

Our Data Retention & Deletion Policy provides detailed retention periods. In summary:

• ART case records are retained for a minimum of 10 years from completion of the ART cycle, as mandated by the ART Act/Rules;
• General health/treatment records are typically retained for up to 7 years from the last interaction, unless longer retention is mandated;
• Identity and contact information is retained while your App account is active and for at least one (1) year thereafter for audits and grievance handling;
• Appointment and interaction logs are generally retained for at least three (3) years from the last date of use of the App or for such period as required by law;
• Billing and payment records are retained for at least seven (7) years (or longer if required) to comply with financial and tax obligations;
• App telemetry and analytics data are generally retained for 1–2 years for diagnostics and security, then anonymized or deleted.
• Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymized. Where immediate deletion from backup media is not feasible, data remains access-restricted and is overwritten as part of regular backup cycles.
• You may request deletion of your personal data (subject to legal exceptions) as described in Section 10. However, we may not be able to delete data that we are legally required to retain (for example, ART records).

We implement reasonable security practices and procedures as required under section 43A of the Information Technology Act and SPDI Rules, as well as the DPDP Act, including:

• “Need-to-know” access controls and role-based access for personnel;
• Strong password requirements, authentication tokens, and session management;
• Encryption of data in transit and, where appropriate, at rest;
• Secure coding practices and periodic security testing;
• Physical and network security controls; and
• Vendor due diligence and contractual safeguards with processors.
• We maintain an incident response process and will notify affected individuals and/or authorities of personal data breaches in accordance with applicable law. However, no method of electronic transmission or storage is fully secure, and we cannot guarantee absolute security. We are not responsible for unintended disclosure that occurs despite reasonable safeguards and is not attributable to our negligence.

Subject to applicable law, you have the following rights in relation to your personal data:

• Right to Access: to obtain confirmation whether we process your personal data and to access such data;
• Right to Correction: to request correction or updating of inaccurate or incomplete personal data;
• Right to Erasure: to request deletion of personal data when it is no longer necessary for the stated purposes and no legal obligation requires further retention (for example, ART records cannot be erased before statutory retention periods expire);
• Right to Withdraw Consent: to withdraw consent prospectively for processing that is based on consent; this may impact service delivery via the App;
• Right to Grievance Redressal: to raise complaints regarding processing of your personal data and seek resolution within prescribed timelines;
• Right to Nominate: to nominate another individual (“Nominated Person”) who may, in the event of your death or incapacity, exercise your data principal rights in accordance with the DPDP Act, where such functionality or process is enabled by the Clinic.

You may exercise these rights through in-App features (where available) or by contacting our Grievance Officer using the contact details in Section 13. We may need to verify your identity (or that of your Nominated Person) before acting on a request.

The App may use SDKs and similar technologies to:

• Measure App usage and performance;
• Detect and rectify crashes or errors; and
• Deliver push notifications and in-App messages.
• The App may request permissions such as:
  • Camera and microphone (for tele-consultations or uploading documents);
  • Storage (for uploading or downloading reports);
  • Notifications (for alerts and reminders).

Permission prompts will explain the purpose of these requests. You may manage permissions via device settings; however, disabling certain permissions may limit or prevent some App features from functioning properly.

The App may link to or embed content from third-party websites and services. We do not control, and are not responsible for, the privacy practices, security, or content of such third parties. Inclusion of any link does not imply endorsement by the Clinic.

We are not responsible for cookies or tracking technologies used by third-party websites. When you follow a link from the App to a third-party site, their terms and policies apply, not this Policy.

In accordance with applicable law, the Clinic has designated a Grievance Officer to address complaints and queries relating to this Policy and the processing of personal data. You may contact:

Grievance Officer:

• Name: Mr. Shashi Ranjan
• Designation: Chief Customer Officer
• Email: [email protected]
• Phone: 1800-3001-1000
• Postal Address: As notified on our website and clinic premises.

If a Data Protection Officer (DPO) is separately appointed under the DPDP Act, the DPO’s contact details may be published on the website and will also serve as a valid contact for data protection queries.

We may modify this Policy from time to time to reflect changes in legal requirements, technology, or our practices. When we do so, we will:

• Update the “Effective Date” at the top of this Policy; and
• Where changes are material, provide a notice through the App (for example, via an in-App notification or banner) and, where appropriate, seek renewed consent for material changes that affect how we process your sensitive personal data.

Your continued use of the App after the effective date of any revised Policy will constitute your acknowledgment of the changes. If you do not agree with the changes, you should discontinue use of the App and may contact us regarding your data rights.