Privacy Policy

How Garg Hospital collects, uses, and protects your personal and health information.

Effective Date: 1 January 2025
DPDP Act 2023 Compliant

Garg Hospital, Gandhinagar Golghar, Gorakhpur, Uttar Pradesh – 273001 ("Hospital", "we", "us") is committed to protecting the privacy and confidentiality of personal information provided by patients, visitors, and users of our website ("you"). This Privacy Policy explains what information we collect, why we collect it, how we use it, and your rights under the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable healthcare regulations in India.

1. Information We Collect

We collect the following categories of information when you interact with our website or services:

1.1 Information You Provide
  • Appointment Booking: Full name, mobile number, email address (optional), preferred date and time, department, and any health-related notes you choose to share.
  • Contact / Enquiry Form: Name, email address, phone number (optional), subject, and your message.

1.2 Information Collected Automatically
  • IP Address: Recorded with each form submission for security, fraud prevention, and abuse detection.
  • Browser / Device: Standard web server logs may capture your browser type, operating system, and referring URL for technical diagnostics only.

1.3 Sensitive Personal Data

Any health-related information you voluntarily share in message fields (e.g., symptoms, medical conditions) constitutes Sensitive Personal Data under the DPDP Act, 2023. We process such data solely to respond to your enquiry or facilitate appointment scheduling. We will never use it for commercial profiling.

2. Purpose of Collection and Use

We use your information only for the following specific purposes:

  • To schedule, confirm, and follow up on appointment bookings.
  • To respond to your enquiries and provide information about our medical services.
  • To ensure the security of our website and prevent misuse (spam, abuse, CSRF).
  • To comply with legal obligations under Indian healthcare regulations and the DPDP Act, 2023.
  • To improve hospital services based on aggregated, anonymised feedback (no individual profiling).

We will NEVER:
  • Sell your personal data to any third party.
  • Use your information for unsolicited marketing or spam.
  • Share your data with insurance companies without your explicit consent.

3. Consent

By submitting any form on this website, you provide your free, specific, informed, and unambiguous consent as required under Section 6 of the DPDP Act, 2023 for us to process your personal data for the stated purpose.

You may withdraw your consent at any time by contacting us at garghospital2010@gmail.com. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal, and will not affect your ability to receive in-person medical care at our hospital.

4. Data Sharing and Disclosure

We do not sell or rent your personal data. We may share it only in the following limited circumstances:

  • Internal Hospital Staff: Doctors, nurses, and administrative staff who need the information to fulfill your appointment or enquiry.
  • Government Health Authorities: As required for Ayushman Bharat PM-JAY (National Health Authority) claim processing, disease surveillance under the Epidemic Diseases Act, or other statutory obligations.
  • Legal Requirements: When disclosure is required by law, court order, or competent government authority.
  • Emergency Safety: To prevent serious risk to life or public health, to the extent permitted under the DPDP Act.

All third parties with whom we share data are required to maintain the same level of data protection as this Policy.

5. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

  • HTTPS encryption for all data transmission (when deployed on a live server).
  • Parameterised database queries (PDO prepared statements) to prevent SQL injection.
  • CSRF token protection on all form submissions.
  • Google reCAPTCHA v2 to prevent automated abuse.
  • Session-based rate limiting on all public form endpoints.
  • Server-side input sanitisation before storage.
  • HTTP security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy).

While we take all reasonable precautions, no transmission over the internet is 100% secure. In the unlikely event of a data breach that poses risk to your rights, we will notify you as required under the DPDP Act, 2023.

6. Data Retention
  • Appointment records are retained for the period required by the Clinical Establishments (Registration and Regulation) Act, 2010 and applicable state regulations — generally a minimum of 3 years.
  • Contact / enquiry messages are retained for 1 year and then securely deleted.
  • Security logs (IP address, submission time) are retained for 90 days for fraud prevention and then deleted.

We will delete or anonymise your personal data when it is no longer needed for the purpose it was collected, unless we are required by law to retain it longer.

7. Your Rights under the DPDP Act, 2023

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:

  • Right to Access: Know what personal data we hold about you and how it is being used.
  • Right to Correction: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your data (subject to legal retention requirements).
  • Right to Grievance Redressal: Raise a complaint with our Data Protection Officer.
  • Right to Nominate: Nominate another individual to exercise rights on your behalf in case of incapacity.
  • Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing.

To exercise any of these rights, contact our Data Protection Officer (see Section 9). We will respond within 30 days of receiving a verifiable request.

8. Cookies and Session Data

Our website uses session cookies only — small, temporary data files stored in your browser — for the following strictly necessary purposes:

  • Maintaining your session across pages.
  • Storing CSRF security tokens to protect form submissions.
  • Enforcing rate limits to prevent abuse.

We do not use tracking cookies, advertising cookies, or third-party analytics that profile your browsing behaviour. Session cookies are automatically deleted when you close your browser.

Google reCAPTCHA (used on our forms) may set its own cookies as part of bot-prevention. Please review Google's Privacy Policy for details.

9. Data Protection Officer & Grievance Redressal

If you have any questions, concerns, or grievances about this Privacy Policy or the processing of your personal data, please contact our designated Data Protection Officer:

Escalation

If you are not satisfied with our response, you may lodge a complaint with the Data Protection Board of India once constituted under the DPDP Act, 2023, or approach competent civil courts in Gorakhpur, Uttar Pradesh.

10. Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will update the Effective Date at the top of this page. Continued use of our website after such changes constitutes your acceptance of the updated Policy. We encourage you to review this page periodically.
