Privacy Policy
Version 2026-05-27.v3 · Effective immediately · Last reviewed by the Qlinniq Data Protection Officer.
1. Who we are
Qlinniq is a mental-health intake and care-coordination platform operated by [LEGAL ENTITY NAME — TO FILL] (the “controller”, “we”, “us”), with its principal office at [ADDRESS], Mumbai, Maharashtra, India. This policy describes what information we collect from you, why we collect it, who has access to it, how long we keep it, and the rights you have over it.
Our Data Protection Officer (DPO) is contactable at dpo@qlinniq.com and via the contact card on the DPO page. For matters relating to personal data of EU/EEA residents you may also contact our EU representative listed on the DPO page.
2. Information we collect
- Identity details (ITS ID, name, gender, date of birth, contact details, country, language preference).
- Clinical inputs you provide on the intake forms (presenting concerns, symptom severity, safety screening, PHQ-9 / GAD-7 responses, current medications, attachments you upload).
- Operational records from your care episodes (visits, sessions, follow-up tasks, notification delivery status).
- Audit logs of every action taken on your record by you, our administrators, and our clinicians.
- For minors (under 18 years), the identity of the consenting parent or legal guardian.
The intake form, PHQ-9 / GAD-7, and any clinical content you provide are special category data under GDPR Art. 9 (data concerning health, including mental health) and a sensitive personal data category under the DPDP Act.
3. Why we process your data (purposes & legal basis)
The table below maps each purpose to its lawful basis under GDPR Art. 6 and, where the data is special category, its additional basis under Art. 9. Full detail per processing activity is recorded in our Records of Processing Activities.
| Purpose | Art. 6 basis | Art. 9 basis |
|---|---|---|
| Identity verification + account creation | (b) Contract | n/a |
| Intake screening (PHQ-9, GAD-7, presenting concerns) | (a) Explicit consent | (a) Explicit consent; (h) provision of healthcare |
| Clinical care delivery (visits, sessions, notes) | (b) Contract + (c) Legal obligation (MHCA 2017) | (h) provision of healthcare |
| Appointment reminders & transactional notifications | (b) Contract | (h) where care-related |
| Optional outreach (research, programmes, surveys) | (a) Consent — opt-in | n/a (no special category) |
| Audit logging + security monitoring | (c) Legal obligation + (f) Legitimate interest | (h) where the data being audited is health data |
| Error monitoring (Sentry) | (f) Legitimate interest — system reliability | n/a (PII scrubbed before send) |
4. Who has access to your data
Inside the clinic, access is role-gated and least-privilege. Only the providers assigned to your care, the triage team, and a small number of administrators can read your record. Every read is logged.
Outside the clinic, we share the minimum data necessary with a small set of sub-processors that help us deliver the service (notification delivery, error monitoring, hosting). The full list, with country and transfer safeguards, is published at /legal/subprocessors. We do not sell, rent, or share your data with advertisers.
5. International transfers
Our primary application and database are hosted in AWS ap-south-1 (Mumbai, India) — no patient records leave India for storage. However, to deliver SMS messages, WhatsApp notifications, and transactional emails we use three US-based processors. The table below names each one, the data category they receive, and the transfer safeguard.
| Processor | Purpose | Data sent | Country | Transfer safeguard |
|---|---|---|---|---|
| Twilio, Inc. | SMS reminders & OTPs | Phone number, message text | United States | EU 2021 SCCs Module 2 + TIA |
| Meta / WhatsApp Business API | WhatsApp care notifications | Phone number, message text | US / Ireland (EEA) | EU 2021 SCCs Module 2 + WhatsApp Business DPA |
| Resend, Inc. | Transactional email | Email address, message content | United States | EU 2021 SCCs Module 2 + TIA |
| Sentry (Functional Software) | Error monitoring | Anonymised error payloads only — PII scrubbed before transmission | United States | EU 2021 SCCs Module 2 + contractual scrubbing |
DPDP Act 2023, §16 (cross-border transfers). The Government of India’s approved-country whitelist had not been published as of the date of this policy. In the interim, we rely on your explicit consent (collected at onboarding) as the supplementary lawful basis for these transfers, in addition to the SCCs above.
EU/EEA residents. You may obtain a copy of the Standard Contractual Clauses applicable to any transfer by writing to our DPO at dpo@qlinniq.com.
6. How long we keep your data
Retention periods are set out in the separate Data Retention & Deletion Policy. When you withdraw your account, we anonymise identifying information within 30 days; clinical records are kept for the full statutory retention period (typically 7 years under MHCA 2017) and then hard-deleted.
7. Your rights
You have the following rights regarding personal data we hold about you. Most are self-service from your profile page; for anything that cannot be self-served, write to our DPO.
- Access (Art. 15). Download a complete copy of every record we hold about you from your profile (“Export my data”).
- Rectification (Art. 16). Submit a correction request from your profile; an administrator will review.
- Erasure (Art. 17 — “right to be forgotten”). Withdraw your account. Identifiers are anonymised within 30 days. Clinical records may be retained per applicable mental-health rules; once the retention window elapses they are hard-deleted.
- Restriction (Art. 18). Ask us to pause processing of your data while a dispute is being resolved.
- Portability (Art. 20). Receive your data in a structured, machine-readable format — JSON export and an HL7 FHIR R4 Patient Bundle are both available from your profile.
- Object (Art. 21). Object to processing based on legitimate interest. Marketing objections are honoured immediately.
- Withdraw consent (Art. 7(3)). Where processing is based on consent, you can withdraw at any time without affecting prior lawful processing.
- Lodge a complaint (Art. 77). You may complain to a supervisory authority — in the EU/EEA, particularly the one in your Member State of habitual residence or place of work; in India, the Data Protection Board.
8. Automated decision-making
Qlinniq suggests appropriate providers to the triage team based on your intake profile (age category, preference, language, modality). The final assignment is always made by a human administrator. This is not automated individual decision-making under GDPR Art. 22.
9. Children
For patients under 18 years of age, a parent or legal guardian must provide consent and be present at the time of the appointment. The guardian’s acknowledgement is recorded with the patient record. Where the patient is 12–18, we may also seek the patient’s assent in addition to the guardian’s consent.
10. Security
- HTTPS/TLS for all browser traffic.
- Role-based access control with least-privilege defaults; every clinical-data read is audited.
- Multi-factor authentication enforced for administrative and clinical roles.
- Volume-level encryption at rest on the database; password reset tokens stored as SHA-256 hashes.
- Audit logs scrubbed of IP / user-agent at 6 years and pruned at 7 years.
- Sentry PII scrubbing on the server before any error event leaves the host.
11. Breach response
In the event of a personal-data breach, we notify the Indian CERT-In within 6 hours of discovery (CERT-In Cybersecurity Directions, 2022) and the lead supervisory authority in the EU within 72 hours where EU data subjects are affected (GDPR Art. 33). Affected data subjects are notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Art. 34).
12. Cookies & tracking
See the separate Cookies & Tracking page for the full list of cookies, their purposes, and how to change your preferences.
13. Is providing your data mandatory?
Providing identity and intake information is a contractual requirement; without it we cannot provide care. Providing optional outreach consent is, by definition, optional, and declining has no effect on the care you receive.
14. Changes to this policy
Material changes bump the version above and trigger a re-consent prompt at next login. Minor clarifications are versioned but do not re-prompt.
15. Contact
For any privacy concern, write to the DPO at dpo@qlinniq.com or via the contact card at /legal/dpo. For general support write to privacy@qlinniq.com.