Who We Are

This Privacy Policy applies to the following entity, which is the data fiduciary (controller) for your personal data:

This policy governs all personal data collected through our websites (cosmeticsurgerynagpur.com and mayflowerclinic.in), our WhatsApp Business line, our contact forms, and any in-person clinical interaction.

We are committed to protecting your privacy in accordance with India's Digital Personal Data Protection (DPDP) Act, 2023, the Information Technology (Reasonable Security Practices) Rules, 2011, and applicable healthcare data protection standards.

Information We Collect

We collect information in the following ways:

Information you provide directly

• Name, phone number, and email address when you submit an enquiry or contact form
• Medical history, current medications, allergies, and surgical goals when you attend a consultation
• Photographs taken for clinical documentation purposes (pre- and post-procedure), collected only with your explicit written consent
• Payment details used for billing — processed securely and not stored on our servers
• Messages and communication sent to us via WhatsApp, email, or phone

Information collected automatically

• Browser type, device type, operating system, and IP address when you visit our website
• Pages viewed, time spent on pages, and navigation patterns (via Google Analytics — see Section 6)
• Referring website or search query that brought you to our site

Information we do NOT collect

• Payment card numbers or bank account details (payments are processed via third-party processors)
• Government identification numbers (Aadhaar, PAN) unless specifically required for insurance claims
• Social media credentials or passwords

How We Use Your Information

Your information is used solely for the following purposes. We will not use it for any purpose not listed here without obtaining your consent first.

• To provide medical care — maintaining your clinical records, tracking treatment history, and coordinating follow-up care
• To respond to enquiries — calling, messaging, or emailing you in response to a contact form or WhatsApp message
• To confirm and manage appointments — sending reminders and post-procedure follow-up instructions
• To process payments — issuing invoices and receipts for procedures
• To improve our website — understanding which pages are most useful to patients using anonymised analytics data
• To comply with legal obligations — maintaining records as required under applicable medical and tax regulations in India

Data Sharing & Disclosure

Mayflower Clinic does not sell, rent, or trade your personal information. Disclosure occurs only in the following limited circumstances:

Service providers (data processors)

We may share minimal data with trusted vendors who help us operate our services:

• Google LLC — website analytics (Google Analytics 4), email (Gmail/Workspace), and maps (Google Maps embed). Data is processed under Google's privacy terms.
• Meta Platforms Inc. — if you contact us via Facebook Messenger or interact with our Facebook page, Meta's data policies also apply.
• WhatsApp Business — messages sent to our WhatsApp number are processed by Meta under their Business Data Processing terms.
• Payment gateways — if applicable, your payment is processed by a PCI-DSS compliant provider. We do not receive or store full card details.

All service providers are contractually obligated to use your data only as directed by us and to maintain appropriate security standards.

Legal disclosure

We may disclose your information if required by a court order, regulatory authority, or applicable Indian law, or where necessary to protect the safety of a patient or third party.

Medical referrals

With your explicit consent, relevant medical history may be shared with a specialist or hospital in the context of your treatment or referral.

Data Security

We implement reasonable technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

• SSL/TLS encryption for all data transmitted through our website (HTTPS)
• Access controls ensuring that clinical records are accessible only to authorised clinic staff directly involved in your care
• Password protection and limited-access storage for digital records
• Physical security measures for paper-based clinical records held at the clinic premises

Cookies & Tracking Technologies

Our website uses cookies — small text files placed on your device — to improve your browsing experience and understand site usage.

Types of cookies we use

• Essential cookies — Required for the website to function (e.g. form session tokens). Cannot be disabled.
• Analytics cookies — Google Analytics 4 cookies that track page views and visitor behaviour in anonymised, aggregated form. These help us understand which content is useful.
• Preference cookies — Store settings such as language or region preferences if applicable.

Managing cookies

You can control or disable cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our contact forms. Most modern browsers allow you to:

• View and delete cookies currently stored by websites
• Block cookies from specific sites or all sites
• Receive a notification before a cookie is placed

For guidance specific to your browser, visit the browser's official help documentation. To opt out of Google Analytics tracking specifically, you may install the Google Analytics Opt-out Browser Add-on.

Your Rights as a Data Principal

Under India's Digital Personal Data Protection Act, 2023, you have the following rights with respect to your personal data held by us:

• Right to Access — You may request a summary of the personal data we hold about you and the purposes for which it is being processed.
• Right to Correction — You may request that we correct inaccurate or incomplete data about you.
• Right to Erasure — You may request deletion of your personal data, subject to legal obligations that require us to retain certain clinical records (see Section 11).
• Right to Withdraw Consent — Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Right to Grievance Redressal — You may raise a grievance with us and we will respond within a reasonable timeframe.
• Right to Nominate — You may nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.

To exercise any of these rights, contact us using the details in Section 13. We will respond within 30 days.

Children's Privacy

Our services are intended for adults aged 18 and above, consistent with surgical consent requirements under Indian law.

We do not knowingly collect personal data from individuals under the age of 18 without the verified consent of a parent or legal guardian. If a minor requires surgical consultation, consent forms must be completed and signed by the parent or legal guardian, who also takes responsibility for any data submitted on the minor's behalf.

If you believe we have inadvertently collected data relating to a minor without appropriate parental consent, please notify us at contact@mayflowerclinic.in and we will take prompt corrective action.

Third-Party Links

Our website contains links to external platforms including our YouTube channel, Facebook page, Instagram profile, and Google Maps. These are independent services with their own privacy policies.

Clicking any external link takes you off our site and into a platform governed by that provider's own terms and conditions. We are not responsible for the privacy practices of any third-party site and encourage you to review their policies before sharing any personal information with them.

Third-party platforms we link to or embed content from include:

• YouTube (Google LLC) — patient education videos
• Facebook / Instagram (Meta Platforms Inc.) — social media profiles
• Google Maps — clinic location embed
• Trustindex / Google Reviews — patient review widget

Sensitive Health Data

Medical and health-related information is classified as sensitive personal data under Indian law. We treat it with the highest level of care and apply the following additional safeguards:

• Health information is collected only when directly necessary for your care and is never used for marketing purposes
• Clinical photographs are taken only with your explicit written informed consent, which you may withdraw at any time
• Clinical photographs are used only for the purpose stated at the time of consent (e.g. surgical planning, progress tracking, or — with separate explicit consent — educational or website use)
• Your health records are accessible only to Dr. Pawan Shahane and directly involved clinical staff
• Sensitive health data is never shared with insurance providers, pharmaceutical companies, or research institutions without your specific written consent

Data Retention

We retain your data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law.

• Clinical records — retained for a minimum of 8 years from the date of last treatment, as recommended under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002
• Enquiry and contact form data — retained for 12 months from the date of submission if no appointment follows, then securely deleted
• Website analytics data — anonymised and retained for 26 months in Google Analytics (standard GA4 default)
• Payment records — retained for 7 years as required by Indian tax and accounting regulations

After the applicable retention period, data is securely deleted or anonymised so it can no longer be linked to you as an individual.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page
• Post a notice on our website homepage for a period of 30 days following the change
• Where required by law, notify affected individuals directly

We encourage you to review this page periodically. Continued use of our website or services after a change is posted constitutes acceptance of the updated policy.

Contact Us — Grievances & Data Requests

For any questions about this Privacy Policy, to exercise your data rights, or to submit a grievance, please contact us through any of the following channels. We will respond within 30 days.

If you are unsatisfied with our response, you may escalate your grievance to the Data Protection Board of India once it is operational under the DPDP Act, 2023.