Privacy Policy — Babynama
Issued by: Gagahealth Private Limited (operator of the Babynama service)
This policy explains how Babynama collects, uses, shares, and protects your personal data, and the data of your child, when you use our service. Babynama is a digital pediatric care service. We connect parents of children aged 0–5 with MD-pediatricians on WhatsApp, our iOS and Android apps, and our website.
We have written this notice in plain language. If anything here is unclear, please email us at privacy@babynama.com and we will explain it.
This policy is issued in compliance with India's Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"). A Hindi version of this policy is published alongside this one.
1. About us (Data Fiduciary identity)
The Data Fiduciary responsible for your personal data is:
- Gagahealth Private Limited
- Corporate Identification Number (CIN): U85190DL2022PTC395325
- Registered office: 2-A/3, Kundan Mansion, Asaf Ali Road, New Delhi — 110002, India
- Brand / service name: Babynama
- Website: https://babynama.com
- General contact: contact@gagahealth.com
We operate fully remotely. There is no physical clinic or call centre. All consultations happen over chat (WhatsApp and in-app) and video.
2. Data Protection Officer (DPO) and Grievance Officer
We have appointed a Data Protection Officer (DPO) who is also our designated Grievance Officer for the purposes of the DPDP Act and the Information Technology Act, 2000.
- Name: Ashish Meena
- Role: Data Protection Officer & Grievance Redressal Officer
- Email: privacy@babynama.com
- Postal address: c/o Gagahealth Private Limited, 2-A/3, Kundan Mansion, Asaf Ali Road, New Delhi — 110002
The DPO is empowered to receive, investigate, and respond to any complaint, question, or request from you about how we handle your personal data — including your child's data. We aim to acknowledge complaints within 48 hours and resolve them within 30 days, as required by the DPDP Act.
3. Personal data we collect
We collect only the data we need to deliver pediatric consultations safely. Categories of personal data we process:
3.1 Parent / account-holder data
- Name, email address, mobile number
- WhatsApp number (if you reach us on WhatsApp)
- Billing address and city
- Payment metadata (transaction ID, amount, payment method — we do NOT store full card numbers or UPI PINs; those stay with our payment partner Razorpay)
- Login credentials (password is stored only as a one-way hash)
3.2 Child data (the child you are seeking care for)
- Child's first name (or nickname), date of birth, sex
- Medical and clinical information you share to enable a consultation: symptoms, photos of skin/stool/rash if relevant, growth measurements (weight, height, head circumference), feeding history, vaccination history, prescriptions, prior medical reports
- Doctor's notes, diagnosis, and prescription generated during a consultation (Electronic Medical Record, "EMR")
3.3 Chat and consultation content
- Text messages, voice notes, images, and documents exchanged with our doctors and support team
- Video consultation metadata (date, time, doctor, duration). By default, we do NOT record video consultations.
3.4 Technical data
- Device type, operating system, app version, IP address, crash logs, basic analytics (which screens you opened, what time)
- This data is collected through Firebase Crashlytics and Firebase Analytics, configured in a privacy-protective mode.
We do NOT collect: Aadhaar number, PAN, voter ID, biometric data, or precise GPS location. We do not need these to provide pediatric care.
4. Why we collect this data and our lawful basis
Under the DPDP Act, every act of processing must have a lawful basis. The bases we rely on:
Purpose 1 — Providing pediatric consultations and maintaining your child's medical record.
Lawful basis: Your consent (given at sign-up and at the start of each consultation, in line with NMC Telemedicine Practice Guidelines, 2020).
Purpose 2 — Billing, subscription management, invoicing, and refunds.
Lawful basis: Performance of the contract you entered into with us; legitimate use under DPDP Act §7 for payment processing.
Purpose 3 — Customer support and grievance redressal.
Lawful basis: Your consent; legitimate use to respond to your request.
Purpose 4 — Safety and quality (clinical audit, doctor performance review, complaint investigation).
Lawful basis: Your consent; our legal obligation as a healthcare service under NMC guidelines.
Purpose 5 — Service improvement and analytics (understanding which features are used).
Lawful basis: Your consent. Analytics are aggregated and do not profile individual children.
Purpose 6 — Marketing and promotional communication (offers, parenting tips, new feature announcements).
Lawful basis: Your separate, opt-in consent. You can withdraw this consent at any time without affecting your service.
Purpose 7 — Compliance with law (e.g., responding to a lawful order from a court or regulator; tax record-keeping; CERT-In incident reporting).
Lawful basis: Legal obligation.
5. Special protection for children's data (DPDP Act §9)
We are a service for children aged 0–5. The DPDP Act gives children's data special protection. We follow these rules strictly:
5.1 Verifiable parental consent. Before we process any data about a child, we obtain verifiable consent from a parent or lawful guardian. We verify this by confirming the parent's identity through a registered mobile number with OTP, and by recording the parent's express acknowledgement at sign-up and at the start of each consultation.
5.2 No behavioural advertising directed at children. We do NOT run behavioural advertising, targeted advertising, or profiling of children. No child's data is used to serve ads.
5.3 No tracking or monitoring of children. We do not track a child's location, behaviour, or activity beyond what is strictly needed to deliver the consultation and maintain the medical record the parent has asked us to keep.
5.4 No sharing with advertisers or data brokers. Children's data is never sold, rented, or shared with advertising networks, data brokers, or third-party marketers — ever.
5.5 Parental control. The parent who signed up controls the child's record. The parent can view, correct, export, or delete the child's data at any time (see Section 9).
6. How we use your data
We use the personal data we collect for the purposes listed in Section 4 and nothing else. Specifically:
- To match you to an available pediatrician and run your consultation.
- To maintain your child's EMR so the next consultation can build on the previous one.
- To send you appointment reminders, prescription PDFs, and follow-up checklists.
- To process your subscription payment and send invoices.
- To respond when you write to support.
- To improve the app (fix bugs, add features that parents ask for).
- To send you marketing communications, ONLY if you have opted in.
7. Who we share data with
We share your data only with the parties listed below, only for the purposes stated, and only under written contracts (Data Processing Agreements) that bind them to handle your data lawfully and securely.
7.1 Babynama pediatricians and clinical team. The doctor you consult with sees your child's medical history and the messages relevant to the consultation. All our doctors are NMC-registered, are bound by medical confidentiality, and sign confidentiality agreements with us.
7.2 Internal Babynama team. Our operations, customer support, and engineering team members access only the data they need to do their jobs (least-privilege access, logged and audited).
7.3 Infrastructure: Google Cloud Platform (GCP). Our application, database, and EMR are hosted on GCP infrastructure located in India. GCP is a Data Processor for us.
7.4 Google Workspace. We use Google Workspace for internal email, calendar, and document storage. Data Processor.
7.5 Meta WhatsApp Business Cloud API. If you chat with us on WhatsApp, your messages pass through Meta's WhatsApp Business Cloud API. Meta acts as a Data Processor under WhatsApp's Business Data Transfer Addendum.
7.6 Razorpay. Our payment partner for processing subscription payments. Razorpay is a Data Processor for the payment transaction only.
7.7 Firebase (Crashlytics, Analytics, Cloud Messaging). For crash reporting, usage analytics, and push notifications. Configured to minimise personal data exposure.
7.8 Legal and regulatory bodies. We may share data when required by a valid order from a court, the Data Protection Board of India, CERT-In, the National Medical Commission, or another authority entitled to compel disclosure under Indian law.
We do not sell your data. We do not share your data with advertisers.
8. How long we keep your data
We keep your data only as long as we need it. Our retention schedule:
- Child's EMR and medical record — 7 years from the last consultation (in line with healthcare record-keeping norms).
- Parent account and child profile — until you delete your account, then for an additional 3 years to honour any clinical-record obligation; we then permanently delete it.
- Chat transcripts (in-app) — 3 years from the last consultation.
- WhatsApp messages — transient on Meta's servers and purged on delivery; we keep a synced copy in our EMR per the rule above.
- Video consultation recordings — we do NOT record by default. If we ever record (e.g., at your written request), the recording is deleted within 30 days.
- Customer-account profile — deleted on account closure plus 1 year for dispute resolution.
- Payment metadata — 8 years (statutory requirement under Indian tax law).
- Audit and security logs — 90 days hot storage and 1 year cold storage (in line with CERT-In Directions, 2022).
- Marketing-consent records — until you withdraw consent, plus 3 years for compliance evidence.
- Employment records (our staff) — 3 years from termination.
Full retention schedule reference: Babynama internal asset register (REG-01). A copy can be provided on request.
9. Your rights as a Data Principal (DPDP Act §11–§15)
As a Data Principal (the person whose data we process), you have the following rights under the DPDP Act. Where you are acting on behalf of your child, you can exercise these rights on the child's behalf.
9.1 Right to information (§11). You can ask us to confirm what personal data we hold about you (or your child), what we are doing with it, and with whom we have shared it.
9.2 Right to correction (§12). You can ask us to correct, complete, or update any data that is inaccurate or out of date.
9.3 Right to erasure (§12). You can ask us to delete your data (or your child's data), subject to any legal obligation we have to retain it (for example, the 7-year EMR rule or the 8-year tax-record rule). Where we must retain data by law, we will tell you why and for how long.
9.4 Right to grievance redressal (§13). If you are unhappy with our response, you can raise a grievance with our Grievance Officer (Section 2). If still unresolved, you can complain to the Data Protection Board of India.
9.5 Right to nominate (§14). You can nominate another person to exercise these rights on your behalf in the event of your death or incapacity. To do so, please email privacy@babynama.com.
9.6 Right to withdraw consent (§6(4)). You can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing done before withdrawal. If you withdraw consent for service delivery, we will stop the service; if you withdraw only marketing consent, the service continues unaffected.
10. How to exercise your rights
You can exercise any of the rights above by:
- Emailing us at privacy@babynama.com, OR
- Using the "Privacy and Data" section in the Babynama app (Settings → Privacy and Data → Submit Request), OR
- Writing to: The Data Protection Officer, Gagahealth Private Limited, 2-A/3, Kundan Mansion, Asaf Ali Road, New Delhi — 110002.
Response timeline. We will acknowledge your request within 48 hours and respond substantively within 30 days, as required by the DPDP Act and Rules.
There is no fee for exercising your rights. We may ask you to verify your identity (typically through an OTP to your registered mobile number) before we act on a request, to protect your data from being released to someone else.
11. Cross-border data transfers
Your data is primarily stored on infrastructure located in India.
Two categories of data may cross India's borders:
11.1 WhatsApp messages. If you contact us on WhatsApp, the messages pass through Meta's WhatsApp Business Cloud API. Meta's infrastructure is global; some processing may occur outside India. This transfer is covered by Meta's WhatsApp Business Data Transfer Addendum and standard contractual safeguards.
11.2 Customer support and engineering tooling. Some of our internal tools (e.g., Google Workspace email, certain Google Cloud support functions) may involve data being viewed by Google personnel located outside India under their global support model, subject to Google's contractual safeguards.
We do not transfer data to any country that the Government of India has restricted under the DPDP Act. We will update this section if our transfer footprint changes.
12. Security measures
We follow industry-standard security practices. Highlights:
- TLS 1.2 or higher for all data in transit.
- AES-256 encryption at rest for our database, EMR, and backups.
- Multi-factor authentication (MFA) enforced for all our staff and administrative accounts; doctor authentication uses a one-time password (OTP) per consultation session on the Babynama Doctors App.
- Role-based access control (RBAC): staff only see the data they need for their role.
- All access to patient data is logged and reviewed.
- Passwords are stored as one-way hashes (bcrypt / Argon2id), never in plain text.
- We run periodic vulnerability assessments and penetration tests (VAPT) by independent specialists.
- We operate an Information Security Management System aligned with ISO/IEC 27001:2022.
Despite these measures, no system on the internet is 100% secure. If a security incident affects your data, we will act under Section 13 below.
13. Data breach notification
If a personal data breach occurs that is likely to harm you or your child:
- We will notify the Data Protection Board of India within 72 hours of becoming aware of the breach, as required by DPDP Rule 7.
- We will report to the Indian Computer Emergency Response Team (CERT-In) within 6 hours where the incident falls within CERT-In Directions, 2022 (covering cyber security incidents).
- We will notify you directly — by in-app message, email, or SMS — about the nature of the breach, the data affected, what we are doing about it, and what you should do.
Routine, low-risk incidents that do not affect personal data are handled internally and may not result in a direct notification to you.
14. Children's data — in summary
Because our entire service is built around children's healthcare, we repeat the key promises:
- We process a child's personal data only with verifiable parental consent.
- We do NOT serve advertising of any kind to children.
- We do NOT profile, behaviourally advertise to, track, or monitor children beyond what is needed for the consultation.
- We do NOT sell or share children's data with marketers or data brokers.
- A parent can view, correct, export, or delete a child's record at any time.
If you believe a child's data has been collected without proper parental consent, please write to privacy@babynama.com and we will investigate within 48 hours.
15. Updates to this policy
We may update this policy from time to time as our service evolves or as the law changes. When we make a material change, we will:
- Post a notice on this page and in the Babynama app.
- For material changes that affect your rights, email you directly.
Older versions of this policy are available on request from privacy@babynama.com.
Significant Data Fiduciary status. Under DPDP Act §10 and DPDP Rule 8, the Central Government may designate certain Data Fiduciaries as "Significant Data Fiduciaries" based on volume and sensitivity of data processed. Gagahealth is currently reassessing its status against the published criteria; this assessment is scheduled for completion in Q3 2026. If our status changes, we will update this policy and add the additional disclosures the Rules require (independent Data Auditor, Data Protection Impact Assessment summary, and an India-resident DPO confirmation).
16. Contact us / grievance redressal
For any question, request, or complaint about your data or this policy, please contact:
- Data Protection Officer & Grievance Redressal Officer
- Name: Ashish Meena
- Email: privacy@babynama.com
- Postal address: Gagahealth Private Limited, 2-A/3, Kundan Mansion, Asaf Ali Road, New Delhi — 110002, India
For general questions about the Babynama service: contact@gagahealth.com
If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India established under the DPDP Act, 2023.
A Hindi (Devanagari) version of this Privacy Policy is published alongside this version. In case of any inconsistency between the two, the English version prevails for legal purposes, but we will work in good faith to honour the spirit of both.
End of Privacy Policy.