Privacy Policy

1. INTRODUCTION & APPLICABILITY

This Privacy Policy governs the collection, processing, storage, and protection of personal data by Ananya Child Development and Early Intervention Clinic (“Ananya,” “we,” “our,” or “the Centre”), a multi-location early intervention and therapy organisation operating in Hyderabad, Telangana, India, with online therapy services available pan-India and internationally.

Physical Locations:

  • Madhapur Branch
  • Nallagandla Branch
  • Banjara Hills Branch
  • Alkapur Branch

Online Services:

  • Telehealth/online therapy sessions (available across India and internationally)
  • Video consultation services
  • Digital parent training and education programmes

Services Covered:

This policy applies to all services offered by Ananya, including but not limited to:
  • In-person therapeutic interventions (speech therapy, occupational therapy, applied behaviour analysis, special education)
  • Online/telehealth therapy sessions delivered via video consultation platforms
  • Developmental assessments and clinical evaluations (in-person and online)
  • Parent education programmes and training workshops (in-person and online)
  • Mission Talk communication therapy programme
  • Any ancillary services provided at our centres or through digital platforms

Legal Framework:

We comply with the Digital Personal Data Protection Act, 2023 (DPDPA), the Digital Personal Data Protection Rules, 2025 (notified November 2025), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the Telemedicine Practice Guidelines, 2020 (for online therapy services), and other applicable Indian legislation governing data protection and child safety.
Regulatory Evolution: The DPDPA framework is newly operationalized and subject to ongoing regulatory guidance from the Data Protection Board of India. We reserve the right to amend this policy to reflect changes in legal interpretations, regulatory guidance, or compliance requirements. Such amendments will be communicated in accordance with Section 11 (Policy Updates & Notification).

Scope:

This policy applies to all personal data collected from:
  • Parents, legal guardians, and family members ("you" or "parents")
  • Children receiving services ("child" or "client")
  • Employees, interns, contractors, and volunteers
  • Visitors to our physical locations and digital platforms
By engaging our services, accessing our premises, or using our digital platforms, you acknowledge that you have read, understood, and agreed to this Privacy Policy in its entirety.

2. DATA WE COLLECT

We collect personal data necessary for delivering therapeutic services, maintaining safety protocols, and fulfilling legal obligations. All data collection is limited to specified purposes and is processed in accordance with data minimisation principles.

2.1 Child Health and Developmental Data

We collect sensitive health information about children, including:
  • Developmental history and milestone assessments
  • Diagnostic reports, medical records, and clinical evaluations
  • Therapy session notes, progress reports, and treatment plans
  • Behavioural observations and functional assessments
  • Video recordings of therapy sessions (for clinical review, training, and progress monitoring)
  • Standardised assessment results and screening data
  • Prescription medications, dietary restrictions, and allergy information
  • Emergency medical information and physician contact details
Legal basis: Healthcare service delivery exemption under Fourth Schedule, Part A of DPDPA (clinical establishments processing child data for healthcare purposes).
Parental consent: All data collection requires verifiable parental consent as mandated by Section 9 of the DPDPA. Parents must verify their identity through reliable identity details or digital tokens before authorising data processing.
Conflicting parental instructions: In the event that parents provide contradictory instructions regarding data processing, sharing, or deletion (common in separated/divorced families), Ananya will: (1) request written clarification and legal documentation within 7 business days, (2) comply with the most restrictive instruction until clarification is received (i.e., if one parent requests deletion and the other requests retention, we will retain pending clarification), and (3) defer to court orders or custody agreements over individual parental requests. We are not liable for delays in data processing resulting from contradictory parental instructions.

2.2 Parent and Family Data

We collect personal information from parents and guardians, including:
  • Names, contact numbers, email addresses, and residential addresses
  • Identity verification documents (Aadhaar, PAN, passport—collected at registration)
  • Relationship to the child and custody/guardianship status
  • Payment information and transaction records
  • Communication history (emails, WhatsApp messages, phone call logs)
  • Attendance records and session booking data
  • Feedback, complaints, and grievance submissions

2.3 Online Therapy and Telehealth Data

For clients receiving online/telehealth services, we additionally collect:
  • Video consultation platform data (Zoom, Google Meet, or other approved platforms)
  • IP addresses and device information (for security and session quality monitoring)
  • Geographical location (country/state for international clients)
  • Internet connection quality logs (to troubleshoot technical issues)
  • Session recordings (only when explicitly consented to for clinical review or training purposes)
  • Digital consent forms and electronic signatures
Important: Online therapy sessions may be recorded only with advance written consent. Recordings are stored securely and subject to the same retention periods as clinical records (3 years).
International clients: For clients located outside India, we comply with applicable data protection laws in your jurisdiction in addition to Indian law. Cross-border data transfers are governed by Section 4.3 of this policy.

2.4 Third-Party Referral and Collaboration Data

When parents authorise us to collaborate with external professionals, we may collect:
  • Medical reports from paediatricians, neurologists, psychiatrists
  • Educational reports from schools and special educators
  • Psychological assessments from external psychologists
  • Insurance claim documentation (if applicable)
  • Court orders or legal documents related to custody or guardianship
Important: We will only share child data with third parties upon receiving explicit written authorisation from parents.

2.5 Premises Security Data

We operate CCTV surveillance at all branch locations for safety, security, and child protection purposes. CCTV footage captures:
  • Common areas, reception zones, corridors
  • Therapy rooms (where installed for child safety monitoring)
  • Entry and exit points
Critical boundary: CCTV footage is not accessible to clients under any circumstances. This boundary protects therapist safety, professional integrity, and confidentiality of other clients. Requests for CCTV footage will be declined, except where legally mandated by court order or law enforcement authorities.
Explicit waiver: By engaging our services, parents expressly waive any right to access, view, copy, or obtain CCTV footage, including during disputes, complaints, or legal proceedings. CCTV footage may only be reviewed internally by authorised personnel for safety investigations, compliance audits, or when compelled by valid legal process (court order, police investigation, or child protection authority directive). This waiver applies even if the parent believes footage contains evidence relevant to their claim.

2.6 Staff and Intern Data

We collect personal data from employees, interns, contractors, and volunteers, including:
  • Employment records, educational certificates, professional credentials
  • Background verification reports and police clearance certificates
  • Performance evaluations, training records, and attendance logs
  • Confidentiality agreements, POCSO training certifications, and code of conduct acknowledgements

3. HOW WE USE YOUR DATA

We process personal data exclusively for the following lawful purposes:

3.1 Service Delivery and Clinical Care

  • Conducting developmental assessments, therapy sessions, and clinical evaluations
  • Creating individualised treatment plans and progress monitoring
  • Coordinating care with parents, educators, and external professionals (with consent)
  • Maintaining accurate clinical records as required by professional standards

3.2 Administrative and Operational Purposes

  • Managing appointments, session scheduling, and billing
  • Processing payments and maintaining financial records
  • Communicating with parents regarding appointments, updates, and emergencies
  • Resolving complaints, grievances, and service quality issues

3.3 Safety, Security, and Compliance

  • Monitoring premises via CCTV for child protection and staff safety
  • Investigating incidents, accidents, or safety concerns
  • Complying with legal obligations, court orders, and regulatory requirements
  • Enforcing our Zero Tolerance Policy and Terms & Conditions

3.4 Training and Quality Improvement

  • Training staff, interns, and students using anonymised case examples
  • Analysing service outcomes and clinical effectiveness
  • Developing evidence-based intervention protocols
Anonymisation standard: For training purposes, we anonymise data by removing all direct identifiers (names, photographs, dates of birth, addresses, parent names) and modifying or aggregating indirect identifiers (diagnosis details, specific incidents, therapist names) to prevent identification. However, we cannot guarantee absolute non-identification, as individuals familiar with the child may be able to infer identity from clinical details. By engaging our services, you acknowledge this limitation.
Important: We will never publish identifiable case studies, video recordings, or clinical details without obtaining separate, explicit written consent from parents.

3.5 Marketing and Communication (with Consent)

  • Sending newsletters, educational resources, and programme updates
  • Inviting families to workshops, webinars, and community events
  • Sharing testimonials and success stories (only with explicit parental permission)
Parents may opt out of marketing communications at any time by contacting us at marketing@asap.org.in.

4. DATA SHARING & THIRD PARTIES

We do not sell, rent, or trade personal data to third parties. However, we may share data under the following circumstances:

4.1 With Parental Authorisation

  • Schools, educators, and special education coordinators (to support Individualised Education Plans)
  • Paediatricians, neurologists, psychiatrists, and other medical professionals
  • Insurance companies (for claim processing, if applicable)

4.2 Legal and Regulatory Obligations

  • Law enforcement agencies, child protection authorities, or courts (when legally mandated)
  • Regulatory bodies conducting audits or investigations
  • Data Protection Board of India (in the event of a breach investigation)

4.3 Service Providers and Processors

  • Payment gateways and financial institutions (for transaction processing)
  • Cloud storage providers (preference for India-based servers; international providers such as Google Drive and AWS used only with appropriate data security standards and contractual safeguards)
  • CRM and communication platforms (WhatsApp Business, email providers)
  • IT support and cybersecurity vendors
Data processing agreements: All third-party service providers are bound by confidentiality agreements and must comply with DPDPA standards.
Cross-border data transfer: In the event that personal data is transferred outside India for processing, such transfers will comply with applicable DPDPA provisions and restrictions. We will ensure that recipient jurisdictions provide adequate data protection standards or implement appropriate contractual safeguards.

5. DATA SECURITY MEASURES

We implement reasonable technical, organisational, and physical safeguards to protect personal data from unauthorised access, disclosure, alteration, or destruction.

5.1 Technical Safeguards

  • Encrypted storage for sensitive health data
  • Password-protected systems with role-based access controls
  • Regular software updates and security patches
  • Firewall protection and intrusion detection systems

5.2 Organisational Safeguards

  • Mandatory confidentiality agreements for all staff, interns, and contractors
  • POCSO Act training and child protection protocols
  • Data access limited to authorised personnel on a "need-to-know" basis
  • Annual data security audits and staff training

5.3 Physical Safeguards

  • Locked file cabinets for physical records
  • Restricted access to therapy rooms and clinical areas
  • CCTV surveillance for premises security
  • Visitor logs and controlled entry systems
Breach Notification: In the event of a personal data breach, we will notify the Data Protection Board of India immediately and affected parents within 72 hours, as required by DPDPA Rules 2025.

6. YOUR RIGHTS (DATA PRINCIPAL RIGHTS)

Under the DPDPA, you have the following rights:

6.1 Right to Access

You may request a summary of the personal data we hold about your child and family.

6.2 Right to Correction

You may request correction of inaccurate or incomplete data.

6.3 Right to Deletion

You may request deletion of personal data, subject to our legal and professional obligations to retain clinical records.
Important Limitation: We may retain data where necessary for:
  • Compliance with legal obligations (e.g., record-keeping requirements under healthcare regulations, tax laws, income tax audits)
  • Defence against legal claims or disputes (including claims filed after service termination)
  • Enforcement of outstanding payment obligations or debt recovery
  • Compliance with court orders, regulatory investigations, or law enforcement requests

6.4 Right to Withdraw Consent

You may withdraw consent for data processing at any time. However, withdrawal of consent may result in our inability to continue providing services.

6.5 Right to Grievance Redressal

You may lodge a complaint with our Data Protection Officer (see Section 10) or with the Data Protection Board of India.
Timeframe: We will respond to data rights requests within a reasonable time (typically within 30 days).

7. CHILDREN'S DATA PROTECTION (UNDER-18 SPECIFIC)

Definition of Child: Under the DPDPA, a “child” is any individual under 18 years of age.

7.1 Verifiable Parental Consent

Before processing any child’s personal data, we obtain verifiable parental consent through:
  • Signed consent forms during onboarding
  • Identity verification via Aadhaar, passport, or other government-issued ID
  • Digital consent mechanisms (where applicable)

7.2 Prohibition on Harmful Processing

We do not engage in any processing that could cause detrimental effects on a child’s wellbeing, including:
  • Behavioural tracking for advertising purposes
  • Targeted advertising directed at children
  • Data sharing for commercial profiling

7.3 Custody and Guardianship Considerations

In cases of separated or divorced parents:
  • We require legal documentation specifying custodial rights and decision-making authority
  • Both parents must provide consent unless a court order specifies otherwise
  • We will not share child data with non-custodial parents without explicit authorisation from the custodial parent or court order
Important disclaimer: Parents are responsible for informing Ananya of any custody arrangements, court orders, or restrictions on data sharing. We will make reasonable efforts to comply with documented custody arrangements but are not responsible for verifying the accuracy of information provided by parents or for any disputes between parents regarding data access. In the absence of a court order, we will presume that the enrolling parent has sole authority to provide consent. If custody status changes, parents must immediately notify Ananya in writing with supporting legal documentation.

8. COOKIE & WEBSITE TRACKING POLICY

Our website may use cookies and similar tracking technologies for:
  • Session management and user authentication
  • Analytics to improve user experience (Google Analytics, anonymised)
  • Security and fraud prevention
Cookie Preferences: You may disable cookies through your browser settings. However, this may affect the functionality of our digital platforms.
Third-Party Tracking: We do not permit third-party advertising or tracking cookies on our platforms.

9. DATA RETENTION & DELETION SCHEDULE

We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy or as required by law.
Data type Retention period Rationale
Clinical records, therapy notes 3 years from last service date Professional standards, legal requirements, statute of limitations for claims
Financial records, payment data 7 years from transaction date Tax compliance, audit requirements
CCTV footage 72 hours from recording (extended indefinitely when required for active investigations, legal proceedings, or safety incident reviews) Security purposes, storage limitations, evidence preservation
Email and communication logs 3 years from last communication Dispute resolution, service quality
Staff/intern records 5 years from termination of employment Employment law compliance
Deletion Process: Upon expiry of retention periods, data will be securely deleted or anonymised.

10. GRIEVANCE REDRESSAL & CONTACT

For any questions, complaints, or requests regarding this Privacy Policy or your data rights, please contact:
Data Protection Officer
Ananya Child Development and Early Intervention Clinic
55-A, Hitech Chambers, Jubilee Enclave, Hitec City,
Madhapur, Hyderabad, Telangana – 500081
Email: info@asap.org.in
Phone: +91 9000272504
We will acknowledge your grievance within 7 working days and provide a substantive response within 30 days.

11. POLICY UPDATES & NOTIFICATION

We reserve the right to amend this Privacy Policy at any time to reflect changes in legal requirements, industry standards, or business practices.
Notification: We will notify you of material changes by:
  • Posting the updated policy on our website and digital platforms
  • Sending email notifications to registered users
Effective date of changes: Amendments will take effect immediately upon publication, unless otherwise specified.

12. EFFECTIVE DATE

This Privacy Policy is effective as of 1 December 2025.
By engaging our services, you acknowledge reading, understanding, and agreeing to this Privacy Policy in its entirety.