DigiNxtHlt Solutions Pvt. Ltd.
PRIVACY NOTICE
Last Updated: 12th April 2026
IMPORTANT NOTICE: This Privacy Notice describes how DigiNxtHlt Solutions Pvt. Ltd. collects, uses, stores, shares, and protects your personal data. By accessing or using our Services, you acknowledge that you have read, understood, and agree to the practices described herein. If you do not agree, please discontinue use of the Services immediately.
DigiNxtHlt Solutions Pvt. Ltd. (hereinafter referred to as “DigiNxtHlt”, “we”, “us”, or “our”) is committed to protecting the privacy, confidentiality, and security of the personal data of its users and customers. This Privacy Notice (“Notice”) sets out the basis on which we collect, use, process, disclose, and protect personal data in connection with our digital mental wellness platform, products, and services (collectively, the “Services”).
This Notice is issued in compliance with the Digital Personal Data Protection Act, 2023 (“DPDPA”), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), and all other applicable laws and regulations in India.
The terms “you”, “your”, or “Data Principal” refer to the individual whose personal data is being collected or processed. DigiNxtHlt is the “Data Fiduciary” as defined under the DPDPA.
1. Definitions
In this Notice, the following terms shall have the meanings set out below:
1. “Consent Manager” shall have the meaning assigned to it under the DPDPA, being a person registered with the Board who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw consent.
2. “Data Fiduciary” shall mean DigiNxtHlt Solutions Pvt. Ltd., being the entity that, alone or in conjunction with others, determines the purpose and means of processing of Personal Data.
3. “Data Principal” shall mean the individual to whom the Personal Data relates.
4. “Data Processor” shall mean any person who processes Personal Data on behalf of a Data Fiduciary, including third-party service providers engaged by DigiNxtHlt.
5. “Personal Data” shall mean any data about an individual who is identifiable by or in relation to such data, as defined under the DPDPA.
6. “Processing” shall mean any operation or set of operations performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
7. “Sensitive Personal Data” shall mean Personal Data revealing health or medical information, mental health status, biometric data, financial information, passwords, genetic data, caste or tribe, religious or political beliefs, or sexual orientation, as prescribed under Applicable Law.
8. “Significant Data Fiduciary” shall have the meaning assigned under the DPDPA and shall apply to DigiNxtHlt to the extent it is so notified by the Central Government.
2. Scope and Applicability
This Notice applies to all Personal Data collected by DigiNxtHlt through:
• Access to or use of the DigiNxtHlt website at www.diginxthlt.com and any associated subdomains;
• Use of the DigiNxtHlt Operating System and digital wellness products, including echoBuddy, echoShine, EchoCare, echoMindNest, and MUSICC Care;
• Participation in clinical studies, research programmes, or wellness assessments facilitated by DigiNxtHlt;
• Engagement with DigiNxtHlt through its corporate or institutional clients (such as Employee Assistance Programmes and Student Assistance Programmes); and
• Any other interaction with DigiNxtHlt through digital or physical channels.
3. Categories of Personal Data Collected
DigiNxtHlt may collect and process the following categories of Personal Data:
Identity and Contact Data:
• Full name, date of birth, gender, and age;
• Email address, mobile number, and postal address;
• Employee identification number or student enrolment number (where applicable).
Health and Wellness Data (Sensitive Personal Data):
• Mental health assessments, wellness scores, and self-reported emotional states;
• Session notes, counselling interaction records, and psychometric responses;
• Participation data from clinical studies or sound therapy programmes;
• Medical history disclosed voluntarily for the purposes of availing the Services.
Usage and Technical Data:
• IP address, device identifiers, browser type, and operating system;
• Login timestamps, session duration, and feature interaction data;
• Cookies and tracking data (refer to Clause 9 – Cookies Policy).
Professional and Institutional Data:
• Employer or institution name, department, and designation (where provided through a corporate or institutional programme);
• Programme enrolment and utilisation data.
Communication Data:
• Correspondence, feedback, grievances, and responses submitted through any communication channel.
4. Purposes of Processing Personal Data
DigiNxtHlt processes your Personal Data for the following purposes, each of which has a lawful basis as set out below:
a. Provision of Services: To register your account, authenticate your identity, and deliver the mental wellness Services you have subscribed to or availed of.
b. Personalisation: To tailor wellness content, recommendations, and AI-driven support to your individual profile and usage patterns.
c. Clinical Research and Analytics: To conduct anonymised and aggregated analysis for research purposes, including studies on the efficacy of sound therapy and wellness interventions, in collaboration with authorised clinical partners.
d. Communications: To send you service notifications, programme updates, appointment reminders, and, with your consent, marketing communications regarding DigiNxtHlt’s products and services.
e. Compliance and Legal Obligations: To comply with applicable legal and regulatory requirements, including obligations under the DPDPA, SPDI Rules, and directions of any Governmental Authority.
f. Safety and Security: To detect, prevent, and address fraud, security incidents, and technical issues affecting the Services.
g. Improvement of Services: To analyse usage patterns, conduct quality assurance, and improve the functionality, safety, and effectiveness of the DigiNxtHlt Operating System and Services.
h. Institutional Reporting: Where Services are provided pursuant to a corporate or institutional arrangement, to generate de-identified utilisation and programme effectiveness reports for the subscribing employer or institution.
5. Lawful Basis for Processing
DigiNxtHlt processes your Personal Data on one or more of the following lawful bases:
i. Consent: Where you have given your free, specific, informed, and unambiguous consent to the processing of your Personal Data for a specified purpose. You may withdraw your consent at any time in accordance with Clause 10 of this Notice.
j. Contractual Necessity: Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into such a contract.
k. Legal Obligation: Where processing is necessary for compliance with a legal obligation to which DigiNxtHlt is subject.
l. Legitimate Interests: Where processing is necessary for the purposes of the legitimate interests pursued by DigiNxtHlt or a third party, provided that such interests are not overridden by your fundamental rights and freedoms.
m. Vital Interests: Where processing is necessary to protect the vital interests of the Data Principal or another person, including in a mental health emergency.
6. Processing of Sensitive Personal Data
Given the nature of its Services, DigiNxtHlt processes Sensitive Personal Data, including mental health and wellness information. Such processing is carried out with your explicit consent, strictly on a need-to-know basis, and subject to the following safeguards:
n. Sensitive Personal Data shall be processed only by authorised personnel, including licensed mental health professionals, who are bound by confidentiality obligations;
o. Sensitive Personal Data shall not be used for advertising, profiling for commercial purposes, or shared with employers or institutions without your express written consent, except in de-identified and aggregated form;
p. DigiNxtHlt shall implement appropriate technical and organisational security measures to protect Sensitive Personal Data from unauthorised access, disclosure, or loss; and
q. In the event of a mental health emergency where there is a reasonable risk to your life or the life of another, DigiNxtHlt may, to the extent permitted by Applicable Law, disclose relevant information to emergency services or your nominated emergency contact.
7. Sharing and Disclosure of Personal Data
DigiNxtHlt does not sell, rent, or commercially exploit your Personal Data. We may share your Personal Data only in the following circumstances:
r. Data Processors and Service Providers: With third-party vendors, technology partners, and cloud service providers who process data on our behalf under written data processing agreements and are bound by obligations no less protective than those set out in this Notice.
s. Clinical and Research Partners: With authorised clinical institutions and research collaborators (such as hospital partners), solely for the purposes of conducting approved wellness research, using anonymised or de-identified data wherever possible.
t. Corporate and Institutional Clients: With your employer or subscribing institution, in aggregated and de-identified form only, for the purpose of programme reporting. Individual Personal Data shall not be disclosed to your employer without your explicit consent.
u. Legal and Regulatory Disclosure: With Governmental Authorities, law enforcement agencies, courts, or regulatory bodies where disclosure is required by Applicable Law, court order, or lawful directive.
v. Business Transfers: In connection with any merger, acquisition, reorganisation, or sale of all or substantially all of DigiNxtHlt’s assets, subject to appropriate confidentiality obligations.
w. With Your Consent: In any other circumstances where you have given your explicit prior consent to such sharing.
8. Data Retention
DigiNxtHlt retains your Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by Applicable Law, whichever is longer. The following retention principles apply:
x. Account and identity data shall be retained for the duration of your use of the Services and for a period of [three (3) years] thereafter, unless you request earlier erasure;
y. Health and wellness data shall be retained for the period required under applicable health data regulations and clinical research standards;
z. Data processed pursuant to a corporate or institutional programme shall be retained in accordance with the terms of the agreement with the subscribing institution; and
aa. Data required to be retained for legal, audit, or compliance purposes shall be stored for the period mandated by Applicable Law.
Upon expiry of the applicable retention period, Personal Data shall be securely deleted, anonymised, or disposed of in accordance with our data destruction procedures.
9. Cookies and Tracking Technologies
DigiNxtHlt’s website and digital platforms use cookies and similar tracking technologies to enhance user experience and collect usage data. The categories of cookies used are as follows:
bb. Strictly Necessary Cookies: Required for the operation of the website and the delivery of the Services. These cannot be disabled.
cc. Performance and Analytics Cookies: Used to collect information about how users interact with the website, in order to improve its functionality. Data collected is aggregated and anonymised.
dd. Functional Cookies: Used to remember your preferences and personalise your experience.
ee. Targeting and Marketing Cookies: Used to deliver relevant communications and measure the effectiveness of our programmes. These are only deployed with your prior consent.
10. Your Rights as a Data Principal
Subject to the provisions of the DPDPA and other Applicable Law, you have the following rights in respect of your Personal Data:
ff. Right to Access: You have the right to obtain confirmation of whether DigiNxtHlt processes your Personal Data and to access a summary of such data and the purposes for which it is processed.
gg. Right to Correction and Erasure: You have the right to request correction of inaccurate or incomplete Personal Data, and to request erasure of Personal Data where it is no longer necessary for the purposes for which it was collected, subject to any overriding legal obligations.
hh. Right to Grievance Redressal: You have the right to have your grievances addressed by DigiNxtHlt in an expeditious and effective manner, in accordance with Clause 13 of this Notice.
ii. Right to Nominate: You have the right to nominate another individual who shall, in the event of your death or incapacity, exercise your rights in respect of your Personal Data.
jj. Right to Withdraw Consent: You may withdraw your consent to the processing of your Personal Data at any time. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal. Withdrawal of consent may result in DigiNxtHlt being unable to provide the Services or certain features thereof.
To exercise any of the above rights, please contact our Grievance Officer using the details set out in Clause 13 of this Notice.
11. Data Security
DigiNxtHlt implements appropriate and reasonable technical and organisational security measures to protect your Personal Data against unauthorised access, disclosure, alteration, loss, or destruction. These measures include, without limitation:
kk. End-to-end encryption of data in transit and encryption of data at rest;
ll. Role-based access controls and multi-factor authentication for personnel with access to Personal Data;
mm. Regular security assessments, vulnerability testing, and penetration testing;
nn. Contractual data protection obligations imposed on all Data Processors and third-party service providers;
oo. Incident response procedures for detecting, reporting, and mitigating Personal Data breaches.
In the event of a Personal Data breach that is likely to result in a risk to your rights, DigiNxtHlt shall notify you and the relevant regulatory authority in accordance with the timelines prescribed under Applicable Law.
12. Cross-Border Transfer of Personal Data
DigiNxtHlt primarily processes and stores your Personal Data within India. To the extent that any Personal Data is transferred to or processed in a jurisdiction outside India (including through the use of cloud infrastructure or third-party service providers), DigiNxtHlt shall ensure that such transfer is carried out in compliance with the provisions of the DPDPA and only to jurisdictions notified as permissible by the Central Government, or pursuant to such contractual safeguards as are required by Applicable Law.
13. Children’s Privacy
The Services are not directed at children below the age of eighteen (18) years. DigiNxtHlt does not knowingly collect Personal Data from children. If you believe that a child below the age of eighteen (18) has provided Personal Data to DigiNxtHlt, please contact our Grievance Officer immediately so that we may take appropriate steps to delete such data.
Where Services are provided under institutional programmes that may include individuals between the ages of eighteen (18) and twenty-five (25), processing of such individuals’ Personal Data shall comply with all requirements applicable to such age groups under Applicable Law.
14. Amendments to this Notice
DigiNxtHlt reserves the right to amend, update, or modify this Notice at any time. Where any amendment is material, DigiNxtHlt shall notify you by placing a prominent notice on its website, through the Services, or by email. Your continued use of the Services following notification of any amendment shall constitute your acceptance of the revised Notice. You are advised to review this Notice periodically.