Questions about your privacy or data?
Email Our TeamMedivaco Healthtech LLP (“Medivaco”, “we”, “us”, or “our”) is a medical tourism facilitation platform registered in India under the Limited Liability Partnership Act, 2008. We operate the website medivaco.com and associated digital platforms that connect international and domestic patients with hospitals, specialists, and healthcare service providers in India.
This Privacy Policy explains how we collect, use, store, protect, and share your personal information — including sensitive health data — when you interact with our platform, make enquiries, or use our facilitation services. It applies to all users regardless of their country of residence.
Plain language summary: We collect your personal and medical information to match you with the right hospital and doctor, coordinate your treatment, and support you through your healthcare journey in India. We do not sell your data. We share it only with healthcare providers directly involved in your care and only as necessary.
By accessing our website, submitting an enquiry, or using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use our services.
This policy complies with applicable data protection laws including: the General Data Protection Regulation (GDPR) (EU/UK); the Information Technology Act 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (India); the Digital Personal Data Protection Act 2023 (India, where applicable); and general international privacy principles applicable to the countries from which our patients originate.
Medivaco Healthtech LLP is a healthcare facilitator and platform operator, not a healthcare provider. We act as an intermediary between patients and Indian hospitals/medical professionals. This distinction is important for understanding how your data flows:
Registered Address: B-75, Sector 63, Noida — 201301, Uttar Pradesh, India
Email: [email protected]
WhatsApp: +91 9911130464
We collect the following categories of personal information:
Important: Medical and health data is classified as “Special Category Data” under GDPR and as “Sensitive Personal Data or Information” under Indian law. It receives heightened protection. We only collect and process your health data with your explicit consent or where necessary to provide you with the medical facilitation services you have requested.
The following types of sensitive data may be processed by Medivaco:
Explicit consent for processing your special category data is obtained at the point of enquiry submission. You may withdraw consent at any time by contacting us, though this may affect our ability to provide facilitation services.
We collect personal data through the following channels:
Our website automatically collects certain technical data when you visit, including your IP address, browser type, referring URL, pages viewed, and time spent on each page. This data is collected through cookies and analytics tools and is used to improve our website and understand user behaviour. It is generally not linked to your identity unless you have also submitted an enquiry.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Case assessment & hospital matching Reviewing your medical history to identify the most appropriate specialist and hospital | Medical records, diagnosis, treatment history | Explicit consent; performance of contract |
| Patient coordination Arranging appointments, sending doctor letters, scheduling consultations | Contact details, travel info, medical data | Performance of contract |
| Cost estimation Providing itemised cost estimates and treatment plans | Diagnosis, proposed treatment, insurance details | Performance of contract |
| Medical visa support Preparing invitation letters and documentation for India Medical Visa applications | Name, passport, diagnosis, hospital details | Performance of contract; explicit consent |
| Travel & accommodation coordination Booking or recommending hotels, arranging airport transfers | Travel dates, contact info, location preferences | Performance of contract |
| Post-treatment follow-up Checking on recovery, facilitating telemedicine follow-ups with treating doctors | Contact details, treatment summary | Legitimate interest; explicit consent |
| Payment processing Processing service fees and facilitating hospital payments | Financial and contact details | Performance of contract; legal obligation |
| Marketing communications Sending health articles, treatment updates, and promotional content | Email address, communication preferences | Consent (opt-in only); you may unsubscribe at any time |
| Legal & regulatory compliance Maintaining records as required by Indian law and responding to lawful requests | All categories as required | Legal obligation |
| Website analytics & improvement Understanding how visitors use our website | Technical/usage data, cookies | Legitimate interest; consent (for non-essential cookies) |
We will never use your medical data for insurance profiling, sell it to pharmaceutical companies, use it for research without separate explicit consent, or process it for any purpose unrelated to your healthcare facilitation.
For users located in the European Economic Area (EEA), United Kingdom, or other jurisdictions that apply GDPR-equivalent standards, we rely on the following legal bases:
For special category health data, our legal basis is explicit consent (Article 9(2)(a)) combined, where applicable, with healthcare purposes (Article 9(2)(h)).
Withdrawing Consent: You have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. To withdraw consent, email us at [email protected]. Please note that withdrawal may mean we can no longer provide facilitation services if we do not have another lawful basis to process your data.
We share your personal data only in the following circumstances and with the following categories of recipients:
Your medical records and personal information are shared with hospitals, doctors, and clinical staff directly involved in your assessment and treatment. This sharing is fundamental to the service — without it, we cannot provide facilitation. We share the minimum necessary data and only with institutions that have agreed to maintain appropriate confidentiality standards consistent with their professional and legal obligations.
Where you require diagnostic tests in India, your identity and relevant clinical information is shared with the laboratory processing your samples.
Your name, contact details, and travel itinerary may be shared with vetted travel agents, hotel partners, and airport transfer services solely for the purpose of coordinating your logistics in India. We do not share your medical information with these partners.
We use third-party platforms that may process your data as processors on our behalf:
All service providers are bound by data processing agreements and are required to process your data only on our instructions and in accordance with applicable law.
We may disclose your data to government authorities, courts, or law enforcement agencies where required by law, court order, or in response to a lawful government request in India or another applicable jurisdiction. We will notify you of such disclosure where permitted by law.
In the event of a merger, acquisition, or sale of all or part of our business, your personal data may be transferred to the acquiring entity, subject to the same protections as described in this policy. We will notify you of any such transfer.
We do not sell, rent, or trade your personal data to any third party for their own commercial purposes, ever.
As a medical tourism platform, international data transfers are inherent to our service. When you are located outside India and seek treatment in India, your data will necessarily be transferred to India and to Indian healthcare institutions.
India is not currently designated as a country with “adequate” data protection by the European Commission. Accordingly, for transfers from the EEA or UK to India, we rely on the following safeguards:
Where we use technology services based in other countries (e.g., USA-based Formspree, Google services), such transfers are governed by the data processing agreements with those providers, which incorporate appropriate safeguards such as SCCs.
You have the right to request information about the specific safeguards in place for any international transfer of your data. Contact us at [email protected] for details.
We retain your personal data only for as long as necessary for the purposes described in this policy, subject to legal obligations. Our retention periods are:
| Data Category | Retention Period | Reason |
|---|---|---|
| Enquiry data (non-converted) | 12 months | To allow re-engagement; deleted if no conversion |
| Patient coordination records | 7 years from end of service | Medical record-keeping standards; legal liability period |
| Medical documents & reports | 7 years from treatment date | Indian medical record requirements; international standards |
| Financial & payment records | 8 years | Indian Income Tax Act; GST compliance requirements |
| Communication records (email, WhatsApp) | 3 years | Dispute resolution; service quality monitoring |
| Marketing consent records | Until withdrawal + 3 years | Proof of consent for regulatory purposes |
| Website analytics data | 26 months (Google Analytics default) | Website improvement; anonymised after this period |
| Employment applications | 12 months if unsuccessful | Potential future opportunities; legal period |
After the applicable retention period, your data is securely deleted or anonymised so that it can no longer be attributed to you. You may request earlier deletion subject to our legal obligations (see Section 11).
Depending on your country of residence, you may have the following rights regarding your personal data. We respect these rights for all users regardless of jurisdiction:
Request a copy of all personal data we hold about you (Subject Access Request). We respond within 30 days at no charge.
Request correction of inaccurate or incomplete personal data we hold about you.
Request deletion of your personal data, subject to legal retention obligations. Also known as the “right to be forgotten”.
Request that we restrict processing of your data in certain circumstances, e.g., while disputing accuracy.
Receive your personal data in a structured, machine-readable format to transfer to another provider. Applies where processing is based on consent or contract.
Object to processing based on legitimate interests or for direct marketing purposes. We will stop unless we can demonstrate compelling legitimate grounds.
We do not make automated decisions that produce legal or similarly significant effects on you. All case assessments involve human review.
Withdraw consent at any time without affecting the lawfulness of prior processing. Contact us directly to withdraw.
Submit a written request to [email protected] with subject line “Data Rights Request”. We will verify your identity before processing. Response within 30 days (extendable to 60 days for complex requests, with notice to you).
EEA/UK residents have the right to lodge a complaint with their local Data Protection Authority. UK residents may contact the Information Commissioner’s Office (ICO). EEA residents should contact the supervisory authority in their EU member state. Indian residents may contact the Data Protection Board of India once established under the DPDPA 2023.
Our website uses cookies and similar tracking technologies. A cookie is a small text file placed on your device that helps us recognise you and remember your preferences.
| Cookie Type | Purpose | Duration | Consent Required? |
|---|---|---|---|
| Strictly Necessary | Essential for website functionality (navigation, form submission, security) | Session / up to 1 year | No (functional necessity) |
| Analytics | Google Analytics — understanding how users interact with our website; page views, session duration, traffic sources | Up to 26 months | Yes (opt-in) |
| Marketing / Targeting | Facebook Pixel, Google Ads conversion tracking — measuring ad effectiveness, retargeting visitors | Up to 90 days | Yes (opt-in) |
| Preference | Remembering your language, notification preferences, and form data | Up to 12 months | No (functional) |
You can control and manage cookies through your browser settings. Most browsers allow you to block or delete cookies. Note that disabling certain cookies may affect website functionality. You can also opt out of Google Analytics tracking at tools.google.com/dlpage/gaoptout.
Medivaco’s services may be used on behalf of children (minors under 18 years of age) where a parent or legal guardian is seeking medical treatment for their child in India. In such cases:
If you believe we have inadvertently collected data from a child without appropriate parental consent, please contact us immediately at [email protected].
We take the security of your personal and medical data seriously. We implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. Our security measures include:
Data breach notification: In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and within 72 hours of becoming aware of the breach, as required by GDPR. We will also notify the relevant supervisory authority where legally required.
No data transmission over the internet or electronic storage system is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. Sensitive medical documents should not be sent via unsecured channels.
Our website may contain links to third-party websites, including partner hospitals, travel booking platforms, and informational resources. These websites are independent of Medivaco and have their own privacy policies. We are not responsible for the privacy practices or content of linked third-party sites.
We encourage you to review the privacy policy of any website you visit. The presence of a link on our site does not constitute an endorsement of the privacy practices of that site.
When you click through to a partner hospital’s website or patient portal, you are subject to that institution’s privacy policy for any data you provide directly to them.
As a company registered in India, we comply with the following applicable Indian legislation:
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
We encourage you to review this policy periodically. Your continued use of our services after changes are posted constitutes your acceptance of the updated policy, subject to applicable consent requirements for material changes.
Previous versions of this policy are available on request by emailing [email protected].
For all data privacy queries, rights requests, complaints, or concerns, please contact us:
Medivaco Healthtech LLP
B-75, Sector 63, Noida — 201301, Uttar Pradesh, India
Privacy enquiries: [email protected]
Subject line: “Privacy Enquiry” or “Data Rights Request”
Response time: Within 30 calendar days
We are committed to working with you to resolve any concerns about how we handle your personal data. If you are not satisfied with our response, you have the right to escalate to your national data protection authority (see Section 11).