Privacy Policy.
A clear, plain-language account of what data Dactorly collects, why, who has access to it, how long it stays, and exactly how to remove it.
Who We Are
Dactorly is a WhatsApp-first telemedicine platform operated by Xphora AI Technology Private Limited ("Dactorly", "we", "us", or "our"), a company incorporated in India under CIN U62011UP2025PTC219786, with registered office at Goa Institute of Management, AIC, Pariye, Goa 403505, India. We operate the website dactorly.com and the Dactorly clinic management platform delivered through WhatsApp (collectively, the "Service").
This Privacy Policy explains how we collect, use, disclose, retain and safeguard personal data when doctors, clinics and visitors use the Service. By accessing the Service you agree to the practices described here.
Personal Data We Collect
2.1 Information you provide directly
- Doctor onboarding data — full name, date of birth, gender, contact details (phone, email, WhatsApp number), residential address, medical registration details (degree, registration number, council, system of medicine, specialisation), clinic information, banking details for payment-gateway settlement, KYC document uploads, and digital signature.
- Contact and callback requests — name, email or phone number, and any message you include.
- Testimonials — name, clinic name, rating, and review text submitted voluntarily.
- Newsletter subscriptions — email address only.
- Patient messages — when patients message a clinic running on Dactorly through WhatsApp, message contents pass through Meta Platforms' WhatsApp Business infrastructure and the doctor's clinic dashboard. The doctor is the data controller for that patient data; we act as data processor.
2.2 Information collected automatically
- Device & browser data — IP address, user-agent string, operating system, referring URL and pages visited, captured in standard server logs.
- Approximate geolocation — country derived from your IP address, used solely to display region-appropriate pricing and currency on the website.
- Essential cookies — first-party cookies that store your country preference. No advertising cookies, analytics cookies, or third-party trackers are set by Dactorly.
2.3 Information we do not collect
- We do not run Google Analytics, Facebook Pixel, or any advertising-network tracker.
- We do not collect biometric data, racial or ethnic origin, religious beliefs, or political opinions.
- We do not knowingly collect personal data from anyone under 18 years of age.
How We Use Personal Data
We use personal data only for the following purposes:
- To verify and process doctor onboarding applications.
- To configure your WhatsApp Business account, payment gateway and clinic portal.
- To respond to your contact, callback or support requests.
- To send transactional emails (application confirmations, status updates, security notices).
- To send product updates if you subscribe to our newsletter (you can unsubscribe at any time).
- To improve, maintain, secure and debug the Service.
- To comply with applicable legal, regulatory and tax obligations.
- To enforce our Terms of Service and prevent fraud or abuse.
Legal Basis for Processing
Where the GDPR or DPDPA applies, we rely on the following legal bases:
- Consent — for newsletter subscriptions, optional fields in onboarding forms, and testimonials.
- Contractual necessity — for delivering the Service to onboarded doctors, including setup and ongoing operation of the WhatsApp clinic.
- Legal obligation — for tax records, KYC retention, and lawful disclosures.
- Legitimate interests — for security, fraud prevention, server logs, and improving the Service, balanced against your rights and freedoms.
Data Storage & Security
Your data is stored on the following infrastructure:
- Website & APIs: Vercel Inc., USA — global edge with HTTPS/TLS 1.3 enforced, HSTS preloaded, X-Content-Type-Options, X-Frame-Options, and a strict Permissions-Policy header.
- Doctor onboarding records, callbacks, testimonials, newsletter: Google Sheets via Google Apps Script (Google LLC, USA) — accessed only by authorised Dactorly personnel through Google's identity-based access controls.
- Transactional email: Resend (USA) — sent over TLS, signed with DKIM, and authenticated with SPF and DMARC for the dactorly.com domain.
- Patient messages: Meta Platforms Inc., delivered through WhatsApp Business with end-to-end encryption between patient and clinic.
- Payment processing: Razorpay Software Private Limited (India) — PCI-DSS compliant. We never store full card numbers or CVVs on our infrastructure.
We apply industry-standard administrative, physical and technical safeguards including TLS in transit, encryption at rest with sub-processors, role-based access, audit logging, and a least-privilege policy for production access. Banking details collected during onboarding are forwarded to Razorpay for KYC and are not retained on Dactorly servers after settlement is configured.
Data Retention
- Doctor onboarding data: active partnership + 3 years (regulatory and contractual record-keeping).
- KYC documents and bank details: retained as required under Indian PMLA, Income Tax Act and Razorpay's KYC policy (typically 5 to 8 years after relationship ends).
- Patient data managed through Dactorly on behalf of doctors: retained per the doctor's instructions and applicable medical-record retention law (typically 3 to 10 years depending on jurisdiction).
- Contact and callback requests: indefinite, unless you request deletion.
- Testimonials: retained while published, plus 1 year after removal.
- Newsletter subscriptions: until you unsubscribe.
- Server logs: 90 days, then deleted or anonymised.
Your Rights
Exercise any of these by emailing support@dactorly.com. We respond within 48 hours and complete requests within 30 days.
9.1 India — DPDPA 2023
- Right to access a summary of personal data we process about you.
- Right to correction of inaccurate data and erasure of data no longer needed.
- Right to grievance redressal through our designated Grievance Officer.
- Right to nominate another person to exercise your rights in case of incapacity or death.
9.2 EU & UK — GDPR
- Right of access, rectification and erasure (Articles 15–17).
- Right to restrict or object to processing (Articles 18 and 21).
- Right to data portability in a structured, machine-readable format (Article 20).
- Right to withdraw consent at any time (Article 7(3)).
- Right to lodge a complaint with your supervisory authority.
9.3 USA — HIPAA & State laws (CCPA, VCDPA…)
- HIPAA: for US healthcare providers, we maintain HIPAA-aligned safeguards and will sign a Business Associate Agreement (BAA) on request before processing Protected Health Information.
- California (CCPA / CPRA): right to know, delete, correct and limit use of sensitive personal information; right to opt out of sale or sharing — Dactorly does not sell or share personal information for cross-context behavioural advertising.
- Other states (Virginia, Colorado, Connecticut, Utah, Texas…): equivalent access, correction, deletion and opt-out rights.
9.4 Other jurisdictions
If you reside elsewhere, similar rights apply under your local data-protection law. Contact us and we will assist regardless of jurisdiction.
International Data Transfers
Personal data may be processed in countries outside your residence, including India and the United States, through our sub-processors. We rely on the following safeguards:
- EU Standard Contractual Clauses (SCCs) for transfers from the EU/UK.
- UK International Data Transfer Addendum where required.
- Adequacy decisions where they exist for the destination country.
- Contractual confidentiality and security obligations on every sub-processor.
Automated Decision-Making and AI
Dactorly does not make decisions producing legal or similarly significant effects on you using solely automated processing. Specifically:
- We do not use AI to issue medical diagnoses or final treatment decisions.
- We may use AI to assist doctors with documentation drafts, message templates, appointment triage suggestions and language translation. The doctor reviews and is responsible for every clinical output before it reaches the patient.
- We do not use your personal data to train third-party foundation models, and our AI sub-processors are configured for zero data retention or are bound by contractual confidentiality.
Patient Data & Doctor-Controller Relationship
When a patient interacts with a clinic running on Dactorly, the doctor or clinic is the data controller for that patient's information, including health data. Dactorly acts as a data processor on the doctor's behalf under a written data-processing agreement that mirrors GDPR Article 28, the DPDPA Data Processor obligations and HIPAA BAA terms where applicable.
Doctors are responsible for obtaining lawful basis (typically explicit patient consent) before using Dactorly to consult with a patient, deliver prescriptions or collect payments.
Sub-processors
Companies that process personal data on our behalf.
- Vercel Inc.: Website & serverless API hosting (USA · Global edge)
- Google LLC — Sheets, Apps Script: Onboarding and form-data storage (USA)
- Google LLC — Fonts: Web font delivery. Fonts are self-hosted by Next.js, so your IP is not sent to Google for font requests. (USA)
- Resend, Inc.: Transactional email delivery (USA)
- Razorpay Software Pvt. Ltd.: Payment gateway and KYC for doctor settlement (India)
- Meta Platforms, Inc. — WhatsApp Business: Patient–clinic messaging infrastructure (Ireland / USA)
We may add or replace sub-processors. Material changes will be reflected on this page with a new "Last reviewed" date and, where required, advance notice to onboarded doctors.
Children's Privacy
The Service is intended for licensed medical practitioners and healthcare professionals aged 18 or older. We do not knowingly collect personal data from anyone under 18. If you believe we have collected such data, contact us and we will delete it promptly.
Security Incidents & Breach Notification
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by GDPR or DPDPA, and notify affected individuals without undue delay. For HIPAA-covered data, we follow HIPAA Breach Notification Rule timelines.
Changes to This Policy
We may update this Privacy Policy from time to time. The "Last reviewed" date at the top reflects the most recent revision. Material changes will be communicated via email or a prominent notice on the website at least 30 days before they take effect for onboarded doctors. Continued use of the Service after changes constitutes acceptance.
Contact & Grievance Officer
For privacy questions, data access or deletion requests, or complaints:
- Email: support@dactorly.com
- Phone: +91 73583 30377
- Postal address: Xphora AI Technology Private Limited, Goa Institute of Management, AIC, Pariye, Goa 403505, India
- Grievance Officer (DPDPA, India): Aakashdeep Srivastava — support@dactorly.com
- EU/UK Representative: not currently appointed; EU/UK users may contact us directly at the email above.
We acknowledge requests within 48 hours and resolve them within 30 days, or as required by applicable law. Where a request is denied, we will explain the legal basis and your right to escalate to a supervisory authority.
Frequently Asked Questions
These answers summarise the policy above and are written to be quoted by humans, search engines and AI assistants. The full sections govern in case of any conflict.