Privacy Policy

Thera Nexa Private Limited

Effective 1st April, 2026

Version 1.0

This Privacy Policy explains how Thera Nexa Private Limited, operating under the brand TheraNexa Connect Therapies or Connect Therapies, collects, uses, stores, shares, protects, and otherwise processes personal data when you use our website, mobile application, patient portal, therapist portal, rehabilitation programs, communication channels, and related services.

For the purposes of this Policy, "Thera Nexa", "Connect Therapies", "we", "our", or "us" means Thera Nexa Private Limited, a company incorporated in India with its registered office at 1207, E Wing, Unique Aurum, Poonam Garden, Mira Road East, Thane, Maharashtra-401107.

By creating an account, submitting information, booking or attending a session, using the platform, or otherwise engaging with our services, you acknowledge this Privacy Policy and, where required by law, consent to the processing described in it.

1

OUR PRIVACY COMMITMENT

We are a rehabilitation platform. That means privacy is not a side issue. It sits inside service delivery, clinical governance, and user trust.

We are committed to:

  • collecting personal data only for clear, specific, and lawful purposes
  • limiting collection to what is reasonably necessary for those purposes
  • protecting personal and health-related data with appropriate safeguards
  • giving users a practical route to access, correct, update, erase, or withdraw consent where applicable
  • keeping records only for as long as reasonably required for care, compliance, operations, and legal obligations
  • being transparent about how data is used, shared, and retained

2

WHO THIS POLICY APPLIES TO

This Policy applies to:

  • patients and clients
  • prospective users who submit enquiries or intake forms
  • caregivers or family members interacting on behalf of a user
  • clinicians and therapists using our controlled systems, to the extent their personal data is processed through those systems
  • visitors to our website or app

3

CATEGORIES OF PERSONAL DATA WE COLLECT

We may collect the following categories of personal data.

A. Identity and contact data

This may include:

  • full name
  • date of birth or age
  • gender, where relevant
  • mobile number
  • email address
  • city, address, or location details
  • emergency contact details wherever provided

B. Health and rehabilitation data

Because we are a rehab platform, we may process health-related and functional information such as:

  • presenting complaint
  • symptoms and pain details
  • relevant medical history
  • surgery history
  • medications, where disclosed
  • diagnosis or suspected diagnosis, where provided
  • therapist assessment findings
  • mobility, function, ADL, communication, or participation information
  • exercise plans
  • progress notes
  • SOAP notes
  • risk flags
  • outcome measures
  • clinician observations and follow-up summaries

C. Account and service-use data

This may include:

  • account registration details
  • appointment history
  • package or subscription use
  • session attendance
  • service preferences
  • communication preferences
  • complaint or support history

D. Technical and usage data

This may include:

  • IP address
  • browser type
  • device type
  • operating system
  • app version
  • log data
  • timestamps
  • crash data
  • feature usage and interaction patterns

E. Communication data

This may include:

  • messages through approved in-app or support channels
  • email communication
  • OTP and verification logs
  • support tickets
  • follow-up responses
  • forms submitted by you or your caregiver

F. Uploaded content

This may include:

  • reports
  • prescriptions
  • discharge summaries
  • photos
  • videos
  • exercise feedback clips
  • completed forms
  • questionnaires

G. Payment and transaction data

This may include:

  • payment status
  • amount paid
  • package purchased
  • refund status
  • transaction reference IDs

We do not store full payment card details unless expressly stated and lawfully permitted to do so. Third-party processors typically handle payment processing.

4

HOW WE COLLECT PERSONAL DATA

We collect personal data in the following ways:

  • directly from you when you register, book, message us, complete forms, upload reports, or attend sessions
  • from your caregiver, guardian, or authorized representative acting on your behalf
  • from clinicians documenting care and progress
  • from your use of the website, app, or platform
  • from third-party service providers supporting payments, communications, hosting, or security
  • from partner clinics or healthcare providers where you have authorized sharing or where sharing is otherwise legally permitted

5

PURPOSES OF PROCESSING

We process personal data only for purposes connected to our services and lawful operations. These purposes may include:

A. Service delivery

  • to assess whether our services are appropriate
  • to book and deliver sessions
  • to create and maintain your account
  • to provide rehabilitation advice, plans, programs, and follow-up
  • to document clinical interactions and progress

B. Safety and clinical governance

  • to identify red flags, risks, and escalation needs
  • to maintain continuity of care
  • to conduct supervision, audits, incident reviews, and quality assurance
  • to investigate complaints, adverse events, or safeguarding concerns

C. Communication

  • to confirm appointments
  • to send reminders
  • to provide technical and service notices
  • to respond to support requests
  • to share care-related updates

D. Operations and platform improvement

  • to analyze service performance
  • to improve workflows, accessibility, usability, and user experience
  • to detect fraud, misuse, outages, or abuse
  • to troubleshoot technical issues

E. Legal and compliance purposes

  • to comply with applicable law, regulatory obligations, tax, accounting, and dispute handling
  • to establish, exercise, or defend legal claims
  • to respond to lawful requests from regulators, courts, or authorities

F. Research, analytics, and improvement

We may use de-identified or aggregated data to improve programs, service quality, user experience, and internal insights, provided such use does not identify individual users.

6

LEGAL BASIS AND CONSENT

Where required, we rely on your consent to process your personal data, especially where health-related data is involved.

Where consent is the basis of processing:

  • consent will be requested in clear and plain language
  • consent must be free, specific, informed, unconditional, and unambiguous
  • consent must be provided by a clear affirmative action
  • consent will be limited to data reasonably necessary for the stated purpose
  • you may withdraw consent with ease, comparable to how it was given

These standards reflect the DPDP Act, which requires clear notice, affirmative consent, and easy withdrawal.

We may also process personal data where reasonably necessary to:

  • perform the service you requested
  • respond to a request you initiated
  • comply with the law
  • address safety, fraud, security, or platform integrity issues
  • retain records where retention is legally required

If you withdraw consent, we may stop some or all services that depend on that data, but withdrawal will not affect processing already lawfully carried out before withdrawal.

7

CHILDREN AND USERS ACTING THROUGH GUARDIANS

Our services are not intended for children or minors acting independently unless lawfully permitted and managed through a parent, guardian, or authorized representative.

If we provide services to a child, adolescent, or dependent adult through a lawful representative, we may collect and process necessary personal data for service delivery, safety, documentation, and communication.

Our services are not intended for individuals under 18 without appropriate supervision or parental/guardian consent.

8

HOW WE SHARE PERSONAL DATA

We do not sell personal data.

We may share personal data only where reasonably necessary with:

A. Internal teams

  • authorized clinicians
  • operations staff
  • support staff
  • governance and quality personnel
  • finance or admin personnel with need-based access

B. Service providers and vendors

  • hosting and cloud providers
  • video consultation providers
  • secure messaging or OTP providers
  • analytics providers
  • customer support tools
  • payment processors
  • cybersecurity and infrastructure vendors

C. Partner providers

  • partner clinics, hospitals, or professionals involved in your care, where you have consented or where sharing is otherwise legally permitted

D. Legal and regulatory recipients

  • regulators
  • law enforcement
  • courts
  • government authorities
  • insurers or legal advisers, where necessary for lawful claims or compliance

Any sharing is limited to what is reasonably necessary for the relevant purpose.

9

CROSS-BORDER PROCESSING

Because Connect Therapies is designed as an India-first but globally scalable platform, your data may be processed, accessed, or stored in locations outside your home jurisdiction, including through cloud providers, infrastructure vendors, support systems, or partner arrangements.

Where cross-border processing occurs, we will take reasonable contractual, organizational, and technical steps to protect personal data in line with applicable law.

10

ADVERTISING, COMMUNICATION, AND ANALYTICS

We may use communication and analytics tools to understand engagement, improve service awareness, and assess platform performance.

We may send:

  • service-related messages
  • appointment reminders
  • account notices
  • support replies
  • operational updates

We may also send promotional or educational communication where permitted by law and subject to your preferences.

We do not knowingly share identifiable clinical notes, diagnoses, or session content with advertising platforms for ad targeting.

11

DATA RETENTION

We retain personal data only for as long as reasonably necessary for the purpose for which it was collected, including:

  • service delivery
  • clinical continuity
  • record-keeping
  • complaint handling
  • audit and governance
  • tax and accounting
  • legal and regulatory compliance
  • fraud prevention and dispute resolution

Unless a longer period is required by law or justified by the service context:

  • clinical records may be retained for 7 years from the last interaction, or up to 10 years where legally required by healthcare regulations
  • records relating to minors may be retained for a longer lawful period
  • billing and tax records may be retained for statutory accounting periods
  • support records may be retained for 36 months (3 years) or as required by law
  • de-identified analytics may be retained longer where no individual is identifiable

When data is no longer required, we will securely delete, erase, anonymize, or de-identify it as appropriate.

12

USER RIGHTS

Subject to applicable law, you may have the right to:

  • request access to your personal data
  • request correction, completion, or updating of inaccurate or incomplete data
  • request erasure or deletion where retention is not legally required
  • withdraw consent where consent is the basis of processing
  • request account closure
  • raise a grievance or complaint

You may submit rights requests by contacting:

Privacy / Data Requests: ct.support@theranexa.co.in

Grievance Officer: ct.support@theranexa.co.in

We may request reasonable verification before acting on a request.

We may deny or limit a request where:

  • the request is unlawful or unfounded
  • we cannot verify identity or authority
  • retention is required by law
  • the request would adversely affect another person's lawful rights
  • the data is necessary for an ongoing complaint, investigation, claim, or safety matter

13

GRIEVANCE REDRESSAL

If you have a complaint, concern, or request regarding personal data, privacy, consent, or this Policy, you may contact our designated grievance contact.

Grievance Officer

Name: Sudarshan Rathod

Designation: Grievance Officer / Director

Company: Thera Nexa Private Limited

Email: ct.support@theranexa.co.in

Address: 1207, E Wing, Unique Aurum, Poonam Garden, Mira Road East, Thane, Maharashtra-401107

We aim to:

  • acknowledge complaints within 72 hours
  • review and respond within 30 days, subject to complexity and applicable law

14

DATA SECURITY

We use reasonable administrative, technical, physical, and organizational safeguards to protect personal data, including measures such as:

  • role-based access controls
  • restricted access for authorized personnel only
  • secure authentication controls
  • encryption in transit, where supported
  • vendor due diligence
  • logging and monitoring
  • secure backup and recovery processes
  • device and account security practices
  • internal confidentiality controls

No digital system is completely secure. We cannot guarantee absolute security, but we take reasonable steps to reduce risk and improve controls over time.

15

INCIDENTS AND BREACH RESPONSE

If we become aware of a personal data breach or security incident affecting personal data, we will assess the incident, take containment and remediation steps, and provide notifications where required by applicable law or contractual obligations.

We may also require our vendors and processors to notify us promptly of relevant incidents affecting Connect Therapies data.

16

THIRD-PARTY PLATFORMS AND INFRASTRUCTURE

Our services may rely on third-party systems and technology platforms for hosting, video delivery, analytics, communication, support, scheduling, and payment processing.

These providers act as infrastructure or support services. They do not independently decide your rehabilitation plan merely because they process or transmit data on our behalf.

17

SESSION RECORDINGS, PHOTOS, AND VIDEO CONTENT

Sessions are not recorded by default unless:

  • recording is clearly disclosed, and
  • the necessary consent is obtained

If you upload a photo, video, or document, or explicitly consent to one being captured or stored, we may process it for:

  • clinical review
  • progress tracking
  • documentation
  • support
  • quality review
  • complaint handling
  • legal compliance

You should not upload content that is unlawful, deceptive, abusive, or infringes the rights of others.

18

WITHDRAWAL OF CONSENT

Where consent is the basis of processing, you may withdraw consent at any time by:

  • using the withdrawal option in the app or website, where available
  • contacting support
  • contacting the grievance or privacy email address

We will act on a valid withdrawal request within a reasonable time, unless continued processing is required or authorized by law.

19

UPDATES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in:

  • law
  • regulation
  • platform features
  • clinical operations
  • vendor arrangements
  • privacy practices

Where changes are material, we will take reasonable steps to notify users through the website, app, email, or another appropriate channel.

Continued use after the updated version takes effect means you acknowledge the revised Policy.

20

CONTACT DETAILS

Thera Nexa Private Limited

1207, E Wing, Unique Aurum, Poonam Garden, Mira Road East, Thane, Maharashtra-401107

Support: ct.support@theranexa.co.in

Privacy: ct.support@theranexa.co.in

Grievance: ct.support@theranexa.co.in

Questions about this Privacy Policy? Contact us at ct.support@theranexa.co.in