Privacy & Data Protection Policy

1. Introduction & Purpose

This Privacy & Data Protection Policy ("Policy") establishes the principles, legal basis, governance framework, and operational controls adopted by Selfeey Infotech Private Limited ("Selfeey", "Company", "We", "Us") to safeguard Personal Data and Sensitive / Regulated Data processed across its digital platforms, software solutions, and AI-enabled systems.

This Policy is designed to:

• Protect the fundamental privacy and data protection rights of individuals
• Ensure lawful, fair, transparent, and secure processing of data
• Comply with applicable legal, regulatory, contractual, and industry obligations
• Demonstrate accountability to customers, hospitals, enterprise clients, regulators, and partners

Privacy and data protection are integral to Selfeey's product design, development, and operational practices.

2. Scope & Applicability

This Policy applies to:

• • All Selfeey-owned, developed, licensed, or operated software platforms, products, and AI systems
• • All forms of Personal Data and Sensitive / Regulated Data, whether processed electronically or physically
• • All stages of the data lifecycle, including collection, access, use, disclosure, storage, transfer, archival, anonymization, and deletion
• • All infrastructure environments, including cloud-based, on-premise, hybrid, and third-party systems
• • All employees, directors, contractors, consultants, customers, patients, partners, and vendors

Compliance with this Policy is mandatory and constitutes a condition of access, employment, or contractual engagement with Selfeey.

3. Definitions

4. Core Privacy Principles

5. Lawful Basis for Processing

Personal Data is processed based on one or more lawful grounds, including:

• • Consent of the Data Principal
• • Performance of contractual obligations or service delivery
• • Compliance with legal or regulatory requirements
• • Protection of vital interests, particularly in healthcare contexts
• • Legitimate business interests permitted under applicable law

6. Consent Management

• Consent shall be informed, specific, freely given, and revocable
• Explicit consent shall be obtained for Sensitive and Health Data
• Consent records shall be securely stored and auditable
• Withdrawal of consent shall be honored unless retention is required by law

7. Data Collection & Usage Practices

Depending on the product or service, Selfeey may collect and process:

• • Identity and contact information
• • Patient, clinical, and hospital data (HMIS/HIS)
• • Customer and user account information
• • Recruitment and professional data (RPS/RMS)
• • System usage, audit trails, security, and access logs

Personal Data shall not be used for unlawful profiling, surveillance, or unauthorized automated decision-making.

8. AI, Analytics & Automated Decision Systems

Selfeey adopts responsible AI and analytics practices, including:

• Clearly defined and documented AI use cases
• Governed and protected training datasets
• Controls to prevent bias, data poisoning, and misuse
• Human oversight for automated decisions with legal or significant impact
• Explainable, logged, and auditable AI outputs

9. Data Sharing & Disclosure

Personal Data may be disclosed only to:

• • Authorized Selfeey personnel on a need-to-know basis
• • Customers, hospitals, or enterprises under valid contractual arrangements
• • Government or regulatory authorities when legally required
• • Third-party processors operating under binding Data Processing Agreements (DPAs)

Selfeey does not sell Personal Data.

10. Data Security & Encryption

Selfeey enforces comprehensive security controls, including:

• Encryption of Sensitive Data at rest and in transit
• Secure key, credential, and identity management
• Role-based access controls and continuous monitoring
• Periodic vulnerability assessments and security audits

11. Data Retention, Archival & Deletion

• • Retention schedules align with legal, healthcare, and contractual obligations
• • Secure deletion, anonymization, or pseudonymization methods are applied
• • Backup data is governed by controlled retention and restoration policies

12. Data Principal Rights

Subject to applicable law, individuals may exercise rights including:

• • Access to Personal Data
• • Correction and erasure
• • Withdrawal of consent
• • Grievance redressal
• • Nomination of authorized representatives

Requests shall be addressed within statutory timelines.

13. Data Breach & Incident Management

Selfeey maintains a structured incident response framework covering:

• Immediate detection, containment, and mitigation
• Impact and root cause analysis
• Regulatory, customer, and individual notifications where required
• Incident documentation and corrective actions

14. Third-Party & Vendor Data Protection

• • Privacy and security due diligence prior to onboarding
• • Mandatory contractual data protection clauses
• • Ongoing monitoring of vendor compliance
• • Controlled and audited third-party access

15. Training & Awareness

Mandatory privacy and data protection training is conducted periodically for employees and relevant personnel to ensure awareness and compliance.

16. Governance, Audit & Assurance

• • Periodic internal and external audits
• • Management review of privacy and security posture
• • Continuous improvement and risk mitigation initiatives

17. Policy Review, Amendment & Communication

This Policy is reviewed periodically and updated in response to legal, technological, or organizational changes. Material updates are communicated through appropriate channels.

18. Governing Law & Jurisdiction

This Policy shall be governed by and construed in accordance with the laws of India.

Courts of competent jurisdiction in India shall have exclusive jurisdiction.