Privacy Policy

Last updated: 22 April 2026

1. Who We Are

MedWorksPlus ("we", "us", "our") is a multi-specialty polyclinic and certified diagnostic lab operating in Chennai, Tamil Nadu, India. We are the Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act") for the personal data we collect through this website and our services.

Contact: connect@medworksplus.com
Address: MedWorksPlus Polyclinic, Chennai, Tamil Nadu
Phone: +91 73388 33692

2. Personal Data We Collect

We collect the following categories of personal data:

  • Identity data: Full name, date of birth, gender
  • Contact data: Mobile number, email address, physical address, pin code
  • Health data: Lab test orders, diagnostic reports (PDF), health package selections, medical appointment records
  • Payment data: Transaction IDs processed via Razorpay (we do not store card numbers or bank details)
  • Technical data: Browser type, device information, and cookies (see Section 9)

3. Purpose of Processing

We process your personal data for the following specific purposes:

  • Providing diagnostic lab testing and clinical consultation services
  • Processing home sample collection requests and scheduling phlebotomist visits
  • Delivering lab reports via email
  • Processing payments through our payment partner Razorpay
  • Sending order confirmations and status updates via SMS and email
  • Managing doctor appointment bookings
  • Internal administration and quality assurance

4. Legal Basis for Processing

We process your personal data based on your explicit consent obtained at the time of booking (Section 6, DPDP Act). For existing customers, we may also rely on legitimate uses under Section 7 of the DPDP Act for providing the services you have requested.

You may withdraw your consent at any time by contacting us at connect@medworksplus.com. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal.

5. Third Parties and Data Processors

We share your data with the following Data Processors who act on our behalf:

  • Supabase Pte. Ltd. (Singapore) -- Cloud database hosting for patient records and order data
  • Razorpay Software Pvt. Ltd. (India) -- Payment processing (PCI DSS Level 1 certified)
  • Walkover Web Solutions Pvt. Ltd. (MSG91) (India) -- SMS delivery for OTP and order confirmations
  • Google LLC -- Email delivery via Google Workspace SMTP
  • Vercel Inc. (US) -- Website hosting and serverless computing
  • Partner diagnostic labs -- Sample processing for outsourced tests (when applicable)

Each processor is contractually bound to protect your data and process it only for the purposes specified by us.

6. Cross-Border Data Transfer

Your personal data is stored on servers located in Singapore operated by Supabase Pte. Ltd. Website hosting is provided by Vercel Inc. with serverless functions configured to process requests within the Asia-Pacific region. These transfers are carried out in compliance with Section 16 of the DPDP Act. We monitor government notifications regarding restricted jurisdictions and will update our practices accordingly.

7. Your Rights (Data Principal Rights)

Under the DPDP Act, 2023, you have the following rights:

  • Right to Access: Request a summary of all personal data we hold about you
  • Right to Correction: Request correction of inaccurate or incomplete personal data
  • Right to Erasure: Request deletion of your personal data (subject to legal retention requirements for medical records)
  • Right to Withdraw Consent: Withdraw your consent for data processing at any time
  • Right to Nominate: Nominate a person to exercise your rights in case of death or incapacity

To exercise any of these rights, email us at connect@medworksplus.com with the subject line "Data Principal Rights Request". We will respond within 30 days.

8. Data Retention

  • Medical records and lab reports: Retained for a minimum of 3 years from the date of service, as required by the Clinical Establishments Act and Indian Medical Council Regulations
  • Payment records: Retained for 8 years as required under the Income Tax Act
  • Patient profiles: Retained while your account is active, plus 1 year after last activity
  • Consent records: Retained for 7 years

After the retention period, personal data is anonymised or securely deleted.

9. Cookies and Tracking

Our website uses strictly necessary cookies for session management and cart functionality. We do not use advertising cookies or third-party tracking pixels. You can manage cookie preferences via the cookie banner on your first visit.

10. Children's Data

We provide paediatric services and may process data of individuals under 18. For patients under 18, we require verifiable parental or guardian consent before processing their personal and health data, as required under Section 9 of the DPDP Act. We do not use children's data for marketing or profiling purposes.

11. Security Measures

We implement reasonable security safeguards as required under Section 8(5) of the DPDP Act, including: encrypted data transmission (TLS/SSL), database access controls (row-level security), authenticated access to health reports (time-limited signed URLs), and regular security reviews.

12. Breach Notification

In the event of a personal data breach, we will notify the Data Protection Board of India and affected individuals as required under Section 8(6) of the DPDP Act and Rule 7 of the DPDP Rules, 2025.

13. Grievance Redressal

If you have concerns about how your data is processed, please contact our Grievance Officer:

Email: grievance@medworksplus.com
Address: MedWorksPlus Polyclinic, Chennai, Tamil Nadu

We will acknowledge your complaint within 48 hours and endeavour to resolve it within 30 days. If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India.

14. Changes to This Policy

We may update this privacy policy from time to time. The updated version will be posted on this page with a revised "Last updated" date. We will notify you of significant changes via email or a prominent notice on our website.