Data And Personal Privacy Policy

We, at AMITA, are committed to ensuring and protecting the personal information and data privacy of our visitors 1, user of services 2 and practitioners 3 on our web portal, social media and other forms of media. AMITA is a software application for service promoted by PEARLSS 4 Development Private Limited and this Privacy Policy applies to digital, social and software applications and provided by AMITA, not just limited to this website. This Privacy Policy is our sincere effort to document and explain to the user, visitor and practitioner on the manner on how we are, and the reasons for, collecting, defining, protecting, utilising and disclosing personal information shared by the user, visitor and practitioner during the process of exploring and/or using our services. It is our utmost endeavour to guarantee accurate information and services of integrity and quality and hence, we take greatest care when publishing our data, photographs, graphics, videos and messages.

We have used a simple, clear, concise and easily understandable language.Whenever necessary, we will have the Privacy Policy in languages other than English. This policy will be read along with the 'terms for use of services' and the 'practitioner terms for practice' and will apply to the services owned and operated by AMITA. The policy does not vouch for the privacy of other services, such as advertisements or searches run by third party providers on our web portal or the social media and hence, we bring this to the user's, visitors and practitioners' consideration that they explore the web portal, social media and other forms of media with their independent judgement assessing the risks involved. We have tried to be as informed as possible on the needs and the legal considerations while framing this policy.

The Purpose of the Privacy and Data Protection Policy

1. To maintain a maximum level of professionalism, assuring high levels of privacy and safety of user data.
2. To describe and establish procedures for expressed consent and delimit the purpose for data protection and privacy.
3. To elucidate the safeguards and code of practice in data processing, storage of data, and user data protection.
4. To lay down the obligations and considerations taken within the legal requirements and regulatory compliances.
5. To confer the rights of the user to obtain data, correct inaccuracies, erase, update, port to other fiduciaries, and restrict/prevent disclosure of personal data.
6. To inform users on the institutional instruments of AMITA for data protection, consent, grievance redressal, and fiduciary responsibilities for protecting user interests, preventing misuse of data, ensuring compliance, and promoting safety awareness including intermediaries for social media.
7. To institutionalise proper recording procedures ensuring adequate procedures and processes for data protection and privacy.

Legal instruments governing the Privacy Policy

This Privacy Policy is governed under the following Acts and in compliance with:

1. Personal Data Protection Act 2019 (PDPA, 2019)
2. Information Technology Act, 2000

1. Section 43A of the Information Technology Act, 2000;
2. Regulation 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules,2011 (the "SPIRules");
3. Regulation 3(1) of the Information Technology (Intermediaries Guidelines)Rules, 2011

Consenting to providing personal data When any user visits the website, social media pages or seeks therapy services, s/he will leave behind some footprints. When the user seeks services and marks her acceptance on the consent form, s/he enters into a contractual agreement to receive services as laid down in the section 14 of the Indian Contract Act, 1872. The user is expected to read the consent form and 'tick' inside the box, to demonstrate that s/he is willing to share personal details and to ascent to the processing of sensitive personal data for the purposes listed in sub-section 1, clause 3(36) in PDPA Act 2019 and to draw inferences from the anonymised data. The users' consent to the services is based on premise that s/he has read this privacy and other policy documents provided on the website. Through the acceptance of the consent form, the user, visitor and practitioner affirm that s/he is exploring or using the platforms such as website, social media and therapy services out of her/his free will and has got a clear and adequate information on the specific privacy considerations with regards to their use

We pre-suppose that user, visitor and practitioner has read the privacy policy before exploring the platform and consent to the terms and conditions of the privacy policy, terms of use and the practitioner before one decides to become a stakeholder of AMITA. The policy is binding and hence everyone who is using the website will need to read it. We assure that the data will be used only for the purposes consented by the user or that is incidental or connected with the purpose and will be used for purposes that the user will reasonably expect with regard to the purpose and in the context and circumstances in which the personal data was collected. We have tried to be as informed as possible on the needs and the legal considerations while framing this policy.

The user, visitor and practitioner acknowledge that one has read through this document and abides by the Privacy policy:

1. That the type of data collected contains Personal Information (under the PDPA Sec 2, 3(28) and Sensitive Personal data (Sub-section 1, clause 11(3)) related to the user and his/her family)
2. That the personal data:
1. is collected under fair, informed and reasonable contexts and circumstances
2. has ensured the users' and family privacy
3. can be used, as agreed upon in this privacy policy, for purpose of:

1. Processing data
2. Retaining data
3. Destroying data
4. Disclosing data

We use a layered approach for consent for our therapy session to facilitate informed decisions. There is a consent taken for recording of the therapy sessions too. When the user or therapist records the session from his/her end, s/he needs to take permission from the therapist/user. The Consent Manager for the psychotherapy sessions will be the user's therapist. Just in case the user wishes to have some additional privacy terms, s/he has a choice to separately consent for each of the features, such as the purposes of, operations in, the use of different categories of sensitive personal data relevant to processing and so on by writing an email to the official contact address '[email protected]'. The user will receive redressal email from the AMITA informing about the changes made.

Withdrawal of consent

During the process, the user has the right to withdraw the consent with ease for whatsoever reason and s/he will not be compelled to continue the therapy sessions. The reasons for withdrawal of consent, when the user has previously consented, need to be clearly mentioned. The user will need to send an email to the official address ‘[email protected]’ and s/he will receive an acknowledgment for the same. S/he should be able to resolve the same within a few days as laid down by the regulations. When the user withdraws the consent from the processing of any personal data without any valid reason, there may be legal consequences for the effects of such withdrawal. If for any purpose or reason for withdrawal of consent is not aligned with the regulations, the user will have to bear the costs of the legal procedures.

Consent for Children

Children are considered as those below the age of 18 years according to the Juvenile Justice Act, 2015 (Care and Protection of Children). When the user seeks services as an authorised authority for another person who is a child under the definition of Juvenile Justice Act 2015 (Care and Protection of Children) or incapacitated to provide consent under the Indian Contract Act, 1872, the user will be whole and sole responsible for acting on the best interest on behalf of that person.

When children seek services, the parents or the adult guardian of the child will provide the consent to the services, while the assent will be taken from the children. We will make efforts to talk to the child to involve the parents in the therapeutic process in contexts where the child is not willing to involve parents. However, the older children, especially adolescents, may seek services on their own and making it mandatory for them to involve parents may be counterproductive to promoting teenagers to approach services.

Hence, we will need to further deliberate with the Internal Ethics Committee to draw guidelines for ethics, including issues related to tele-psychotherapy and data protection for teenage children. This is in line with the PDPA 2019, where we, as guardian data fiduciary providers of exclusive counselling services to a child, shall not require to obtain the consent of the parent or guardian of the child under sub-section 2 ‘Obligations of Data Fiduciary’ of the PDPA Act.

Nature and Categories of Personal Details Captured

Any service or service improvement starts with knowing the client and their needs. It is our sincere effort and desire that the user understands personal data and associated terminology adequately. The information that we collect will only be to the extent necessary for the processing of such personal data required for our therapeutic services. As we collect the data, we need the user to understand some terms of relevance covered under the PDPA 2019:

1. Personal data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.
2. Sensitive Personal Data or Information of a person means personal information about that person relating to passwords; financial information such as bank accounts, credit and debit card details or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; information received by body corporate under lawful contract or otherwise; visitor details as provided at the time of registration or thereafter; and call data records.
3. Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the behavioural characteristics, physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
4. Health data means the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associating the data principal to the provision of specific health services.

Any user registering for our psychotherapy and mental health interventions will be required to provide all four categories of information. When the user desires to use our psychotherapy and mental health services, we will ask for the name, contact details and basic personal details as identifiers before they register and engage in therapy. This will help the psychotherapist to be prepared for a session with the user.

We take the user’s email ID to send an email, and the user will open the email using the password. In addition, the user will be asked to enter their mobile number and some basic data. This number is primarily to contact the user in need and will not be used for marketing purposes or to push messages. The user can opt for the ‘do not call registry’, a clause available under the PDPA 2019, by a clear, unambiguous expressed written communication to ascertain non-consent to receive mobile/telephone calls/push emails.

When the user starts the psychotherapy session with the psychotherapist, they will once again explain the consent form. They will ask the user about personal and demographic details, problems, personal and family details. They will also collect information on the user and family mental health condition, sexual orientation, medical records and history, to name a few. This is necessary to diagnose the problem and plan an appropriate intervention that matches the user’s personality, family conditions, and cultural realities using theoretical frameworks for intervention.

Other Points Where Personal Information is Shared

1. The user may also send an email or contact AMITA over phone or email and share some personal information at that time.
2. When the user makes payments, the financial information such as bank accounts, credit and debit card details or other payment instrument details will be used.
3. The user may have personal information on public domains and we may decide to collate free to use data from the public domain. For such information available on the public domain, we will be using it without going through the process of consent for disclosing information.
4. Visitors on the website leave a footprint on the web which we may choose to track and gain understanding on the people who are visiting the website, selecting the service or exploring the website.

Purposes for Collecting Data

1. To provide the user mental health interventions and psychotherapy and maintain electronic recording systems that meets the best standards for professional practice and as consented by user.
2. To institute a well-planned and recorded need-based referral service system for users of AMITA services.
3. To generate reports on psychological tests, evaluations, certificates and recommendations to be shared, submitted or provided on behalf of users. It may be for self, workplaces, insurance organisations, etc.
4. For issuance of any certificate, licence or permit for any action, activity or provisioning under the State or otherwise as requested by user.
5. To contact user in need especially in special circumstances, such as incomplete registration, follow-up or grievance management.
6. To provide analytic perspective to inform the team on the patterns of individual and group presentation of users and the symptomatology using analysis of anonymised data.
7. To respond to any medical emergency involving a threat to the life or a severe threat to user’s health.
8. To undertake any measure to provide medical treatment or health services to the user or community with psychiatric disorders using anonymised data during an epidemic, outbreak of disease or any other threat to public health.
9. To undertake measures that ensure the safety of, or provide assistance to or services to, any individual during any disaster or any breakdown of public order.
10. To track and improvise efficiency and efficacy of interventions, appointment booking systems, ascertain customer satisfaction trends and practitioner practice patterns.
11. For research, analysis and business intelligence using anonymised data published as research reports, published articles and newsletters.
12. To meet routine and other legal or regulatory compliance including those arising out of any order or judgement of any Court or Tribunal in India.
13. To generate data to advocate with the State on behalf of user needs under any law/program.
14. To assist in the billing and accounting processes.
15. For performance improvement or problem solving of information systems, for example, debugging exercise.
16. To publish anonymised data on website, social media and annual/monthly reports, especially client feedback, including:
    • For promoting and publishing and studying customer feedback on new and existing products and services.
    • For product and software improvement on design and utility.
    • For payment purposes including third-party payment gateways and service providers such as banks, financial institutions, etc.

Accuracy of Data

It is the user’s responsibility to provide accurate information on the contact details and background details related to the problem in concern. The capturing of the therapy information is carried out by the therapist in good faith and hence the responsibility is shared between the user and the therapist as the situation may be. The user will have access to review and correct, delete, modify or amend the information that is stored by AMITA. In case the data that is capture or modified is not true, complete or out of date, we will not be held responsible for it. When the data provided by users has legal or regulatory issues due to incomplete and wrong information provided, we may have the sole discretion to make decisions using the reasonable grounds and terminate services. We will also have the discretion not to make the changes suggested by the user and when that happens, we will communicate the same with the user in response to request made.

Confidentiality and Shared Confidentiality

The user’s data will be known to his/her psychotherapist. The data may also be overseen by the admin, IT personnel, supervisory mental health professionals, institutional bodies for privacy, safety and ethics, and research personnel as need basis to carry out the processes we have elucidate as part of the purposes. Some part of the information may be accessible by a few employees, agents or partners and third parties on a need-based basis. When these confidentiality limits are expanded, we will bind them through robust contractual agreements that bind them and their employees with strict confidentiality obligations. At times, we hold case conferences where we may discuss the user case details or conference presentations and research papers for localised or wider dissemination and learning for the goal of enhancing skill sets of the therapist or other professionals.

A major responsibility at our end is to get both internal and external persons’ having access to the user personal data following the regulatory and ethical responsibility towards his/her personal data. We are committed to this and will build mechanisms for expanding know-how on rights of the user and the standards and the safety mechanisms. We, however, wish to draw the limits of our responsibility and inform the user that anything beyond the scope of this privacy document will not be addressed by us. We will not be held responsible for the breach of security or for any actions of the third-party arrangements that are beyond our reasonable control, including but not limited to, acts of government, computer hacking, unauthorised access to computer data and storage device, computer crashes, breach of security and encryption, poor quality of Internet service or telephone service providers of the User etc.

We also wish to inform the user, visitor and practitioner that the legal rights of the processed personal information and data will rest with AMITA and no user, visitor or practitioner will hold any right over it.

Preservation of Personal Data

Under the PDPA 2019, the "official identifier" means any number, code, or other identifier, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal (user). The user’s personal data will be preserved in a form that distinguishes personal data based on facts from personal data based on opinions or personal assessments. Every user of psychotherapy and mental health interventions registering for our services will be provided a number for identification.

Data Processing

There are some terms that may be of important to know before the user understands the privacy considerations in data processing and analysis

1. "Profiling" means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal (user);
2. "Processing" in relation to personal data, according to the Personal Data Protection Act 2019, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction. The data processor means any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary (AMITA).
3. "Significant harm" means harm that has an aggravated effect having regard to the nature of the personal data being processed, the impact, continuity, persistence or irreversibility of the harm. Some of the harm mentioned by the Personal Data Protection Act 2019 include, bodily or mental injury; loss of reputation or humiliation;loss of employment; any discriminatory treatment; any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal (user); any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or under surveillance; anyobservation or surveillance that is not reasonably expected by the data principal.

These terms have applicability in our operations and data management systems. Our effort is to minimise and reduce the consequences of significant harms if any. The user needs to understand how we might process the data. As the processing of personal data may be for research, archiving and statistical purposes, the PDPA 2019 recognises that the compliance with the provisions of this Act shall disproportionately divert resources from such purpose.

For archiving, anonymising data may not serve the purposes of processing and hence de-identification in accordance with the code of practice specified under Code of Practice (Sub-section 9, Clause 50) and the processing can be achieved if the personal data is in de-identified form. Any personal data that is not being sensitive personal data may be processed for "reasonable purposes" that may include but not exhaustive, whistle blowing; network and information security; processing of publicly available personal data; and the operation of search engines.

The personal data will not be used to take any decision specific to or action directed to the user or other users. The personal data will not be processed in a manner that puts user to a risk of significant harm to self or others. The PDPA 2019 exempts research, archiving, or statistical purposes from the application of any of the provisions of the Act and the specified regulations.

We shall take necessary steps to ensure that the personal data processed is complete, accurate, not misleading and updated; having regard to the purpose for which it is processed. If any data information or data processing involves cross-border transfer of the personal data, it will be carried out as per the legal instruments of the government and in such situations, the user will be informed on the same through an email on the registered email ID.

Our online services are not intentionally targeted to children but there is possibility that children may explore our web portal and reach out for services. When we process personal data of children, it will be assured that the rights of the child are protected and every action is in the best interest of the child. In situations where the child needs services but for whatever reasons the parental permissions are difficult to ascertain, we will be considering seeking support from our Internal Ethics Committee to make decisions on provisioning on the necessary support to continue the services to the child who most need them. This is in line with the PDPA 2019, where we as guardian data fiduciary as providers of providing exclusive counselling services to a child, we shall not require to obtain the consent of parent or guardian of the child under sub-section 2 ‘Obligations of Data Fiduciary’ (AMITA) of the PDPA Act.

Before processing of any personal data of a child, we will verify his/her/ age and obtain the consent of his parent or guardian, in such manner as may be specified by regulations. The PDPA 2019 suggests the following considerations for verification of the age of the child; the volume of personal data processed; the proportion of such personal data likely to be that of child; possibility of harm to child arising out of processing of personal data; and such other factors as may be prescribed. We shall make all efforts to ensure that we do not profile, track or behaviourally monitor of, or targeted advertising directly at children, especially those that can cause significant harm to the child (Sub-section 4, clause 16(5) of the PDPA 2019).

Period of retaining personal data

The personal data considered for the process will not be retained beyond the period necessary to satisfy the purpose for which it is collected unless and until it is necessary to comply with any obligation under any law for the time being in force. When the data is disclosed for the purpose of processing, it shall be deleted at the end of the processing by ourselves and/or by the process intermediaries. In certain circumstances, the personal data in our possession may be required to be retained for a longer period for the purpose of processing. We will undertake periodic review to determine whether it is necessary to retain the personal data in our possession. In such circumstances, we will review the purpose for which we collected and that we need to retain the data and come to a realistic determination on the time period for which we need to retain the data. Once this purpose is met, we are expected to securely delete user information when user data is no longer need for the purpose; this is a little difficult to follow with therapy linked data as we do not know when the user may reach to use the services once again. When personal data is deleted, it shall be done as specified by regulations under the Act. When there is a change of terms for retaining or on the security of the data, we will keep the user updated through intimation on the website. The user will be informed in case the processing is not for the said purpose the user has agreed under the consent ascertained.

Rights of the user

The PDPA 2019 provides rights for the user and this includes right to obtain from the data fiduciary (AMITA)

1. confirmation whether the data fiduciary (AMITA) is processing or has processed personal data of the data principal (user);
2. the personal data of the data principal (user) being processed or that has been processed by the data fiduciary (AMITA), or any summary thereof;
3. a brief summary of processing activities undertaken by the data fiduciary (AMITA) with respect to the personal data of the data principal (user), including any information provided in the notice under section 7 in relation to such processing.

In addition, the user has specifically the following rights, subject to such conditions and specified by the regulations:

1. Access to personal data: The user has the right to ask us a copy of the personal data that was provided by him/her. The user also has the right to ask and review the nature of the data we possess and how we intend to use it. In an eventuality we refuse to respond, the user has the right to ask us the reason on why we have refused to share the data and get a reply on the reasons for refusal.
2. Correction of incomplete and misleading data or updation: The user has the right to ask for the correction amendment or updation of the incomplete/errored/out of date data.
3. Deletion of data: The user has the right to request for deletion of data on certain grounds. The reasons may include, the data is no longer serving the purposes of the consent provided, infringements on the right of the user or has other legal requirements that mandate the deletion of the data. The user may have to bear the costs in any legalities emerge as part of the process. We may decide to inform the persons associated with providing the data on the changes made in case the changes are asked by persons’ other than the user.
4. Object or restrict data processing: The user has the right to object or restrict the processing of the user’s personal data in parts or as a whole
5. Consent: The user has the right to withdraw consent at any time during the course of the engagement with valid reasons through communication over an email and receive a response to that effect; including the reasons why the request could be entertained. The consent for using processed data can be applicable to whole data or parts of the data.
6. Disclosure of data: The user has the right to restrict or prevent the continuing disclosure of personal data and that may be enforced only on an order of the Adjudicating Officer made on an application filed by user on the grounds that the right or interest in preventing or restricting the continued disclosure of personal data overrides the right to freedom of speech and expression and the right to information of any other citizen, where such disclosure:
1. has served the purpose for which it was collected or is no longer necessary for the purpose;
2. was made with the consent of the data principal under section 11 and such consent has since been withdrawn; or
3. was made contrary to the provisions of this Act or any other law for the time being in force.
7. Identities of data fiduciaries: The user shall have the right to access in one place the identities of the data fiduciaries with whom personal data have been shared together with the categories of personal data shared with them, in such manner as may be specified by regulations.
8. Deceased user: The legal representative of the user has the right to request AMITA to delete the data of the deceased person through a request over an email followed by a postal letter, providing the legal documents to prove his/her as the legal representative and the death certificate.

When we are processing the personal data through automated means, the user has the right to

1. receive the following personal data in a structured, commonly used and machine-readable format
1. the personal data provided to the data fiduciary;
2. the data which has been generated in the course of provision of services or use of goods by the data fiduciary (AMITA); or
3. the data which forms part of any profile on the data principal (user), or which the data fiduciary (AMITA or other associates) has otherwise obtained; and
2. have the personal data referred to in clause (i) transferred to any other data fiduciary in the format referred to in that clause

The provisions of this above-mentioned clause shall not apply where:

1. processing is necessary for functions of the State or in compliance of law or order of a court under section 12 of the Act;
2. compliance with the request in sub-section (1) of the Act would reveal a trade secret of any data fiduciary or would not be technically feasible

The user has the right to requesting for his/her information on the above-mentioned clauses and shall receive clear and concise easily comprehensible information from us. The user will hold regard to the purposes for which personal data is being processed. We are there to help the user understand the information written on one’s health record. If the user desires to avail any of these rights, s/he may send a communication to the following email ID: ‘[email protected]’. Just in case we do not agree with such correction, completion, updation or erasure having regard to the purposes of processing, we shall provide the user with adequate justification in writing for rejecting the application. One of the reasons that we will not oblige and comply with the request is where such compliance shall harm the rights of any other service user.

In case the user is not satisfied with the justification provided by us, we will take reasonable steps to indicate, alongside the relevant personal data, that the same has been disputed by the user. Where we have corrected, completed, updated or erased any personal data we shall also take necessary steps to notify all relevant entities or individuals to whom such personal data may have been disclosed regarding the relevant correction, completion, updation or erasure, particularly where such action may have an impact on user rights and interests or on decisions made on the user.

We acknowledge the receipt of requests made on the rights of the individual. This response can be expected within a short period and in alignment specified by regulations. We will charge a fee if the request is not related to one’s rights as may be specified under the regulations of the Act. In case we refuse the user’s request and s/he are not satisfied with it,s/he have the right to file a complaint with the Authority under the Act and/or take legal remedies against the refusal within a period and manner as specified by the regulations.The user can avail these services free of charge without fear of any intimidation. These rights may not be absolute and may have limitations and exceptions and we will provide reasons as a response email mentioning the same. We will carry out certain verifications to ensure that the person availing the rights is the user or the legal representative of the user. Disclosure of personal data

We may be disclosing personal data in such situations

1. Enforcing any legal right or claim, seeking any relief, defending any charge, opposing any claim, or obtaining any legal advice from an advocate in any impending legal proceeding;
2. processing of personal data by any court or tribunal in India is necessary for the exercise of any judicial function
3. personal data is processed by a natural person for any personal or domestic purpose, except where such processing involves disclosure to the public, or is undertaken in connection with any professional or commercial activity; or
4. processing of personal data is necessary for or relevant to a journalistic purpose, by any person and is in compliance with any code of ethics issued by the Press Council of India, or by any media self-regulatory organisation.

Technology used for processing

Technology that is currently used is for the website, for the payment gateway and for data storage. We are yet to decide on the technology for processing of personal data. Whenever we will be doing so, we will update it here from time to time in such manner as may be specified by regulations. We will ensure that it is based on internationally accepted standards and security requirements. We wish to assure the user is that we are committed to setting the best international standards and safety policies, rules and technical measures to protect the user’s confidentiality, privacy and safety. We will make all that is possible in our control to protect unauthorised entry, modification and unlawful destruction or accidental loss. We implement reasonable security practices and procedures and document the same considering the managerial, technical, operational and physical control measures in line with the requirements of the mental health services that we manage. In spite of our best efforts, there is a high likelihood of data loss or theft due to unauthorised access to the user’s electronic devices through which the user accesses services. At the user level, it is of paramount importance that they protect themselves from unauthorised access to their accounts by securing their passwords of their computers and mobile phones. The user will log off from the website once the session is completed. We shall not be held liable for such loss, whatsoever, caused by the user technological issues.

Our access and security on passwords of the personal data platform will be governed and will be available with a limited group of administrative staff members. We will protect the user from any unauthorised access to their information including password, mobile numbers and phone numbers, such as unauthorised use of his/her account and password.

Maintenance of records

We will maintain accurate and up-to-date online and/or offline records in such form and manner as may be specified by regulations, namely:

1. periodic review of security safeguards under section 24 of the Act
2. data protection impact assessments under section 27 of the Act; and
3. any other aspect of processing as may be specified by regulations.

Transfer of personal data outside India

In concurrence with the PDPA 2019, we may transfer anonymised sensitive personal data for analysis outside India, but we will continue to store the sensitive personal data at our end. When the ‘critical personal data’ that is notified by the central government is involved such data will only be processed in India.

cookies

Cookies are minuscule parts of information that are stored on user computer’s hard drive by companies that enable one to identify the user when the s/he visits the site. These cookies do not collect individual identification data but provide valuable statistical insights about the site and the online behaviours and patterns of users, such as, date and time of visits, pages viewed, the IP address including network location and computer internet address and website visited. We also use ‘persistent cookies’ that identify user as unique, tailoring the content to match the user’s preferred interest areas. AMITA uses the temporary cookies stored by the user’s and service providers browser to develop an understanding of the technical administration of the website, for research and development and for user administration. We may do this by ourselves or use third party agencies to place or recognise cookies of the user’s browser.

By using them, we can improve the user experience and personalise online interactions; for e.g., knowing the aggregate number of people who visited the website, content that is popular, we can add more information on the theme. The user has a choice to disable the use of cookies using his/her browser settings; this may limit the use of some of the features.

Some other clauses of relevance

1. If we have information about abuse or risk of sexual abuse to a child, we are legally bound under the POCSO Act to report to the proper authorities.
2. If we are aware of risk to harm user’s or other people’s life, we will make all efforts to take action to ensure user’s safety or the safety of others
3. If we have orders from the Court to release personal and sensitive information, we will be bound by the law to do so.
4. If we have to defend ourselves in the court against a complaint filed against AMITA or any professional working with AMITA on matters related to the users or otherwise, we will consult with our legal experts to decide on what data needs to be disclosed. If the limits of privacy and confidentially are likely to be breached beyond the acceptable limits, we will be informing the user on the same.

Grievance management on Privacy matters

"Personal data breach means any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to, personal data that compromises the confidentiality, integrity or availability of personal data to a data”. In case of any personal data breach, we encourage the user to reach out to us to raise their grievance and support us in assuring highest privacy. In a context where some of the clause/s is not acceptable to the user or they have a question related to it and/or the user may decide not to use the service, we request the user to reach out to the Data Protection Officer appointed by AMITA under the Personal Data Protection Act 2019 and seek clarification on the same. The user may send in an email to ‘[email protected]’ and make a telephone call over the contact number provided on the website.

Revisions to Privacy policy

We may from time to time, at our discretion, reserve the right to change, modify and/or delete some terms of the privacy policy. We are likely to make changes as and when needed, and as a good practice, we will review the policy in total. The users are advised to check on it regularly and we aware on the edits made on it.

Contact details for matters related to privacy

The contact details of the data fiduciary and the data protection officer are as follows:

Dr. Anita Rego, Director, Project AMITA, PEARLSS 4 Development