Privacy Policy
Version 2026-05-04.v1 · Effective immediately. Last reviewed by Qlinniq compliance team.
1. Who we are
Qlinniq is a mental-health intake and care-coordination platform operated by the Ashara Mental Health camp administration. This policy describes what information we collect from you, why we collect it, who has access to it, and the rights you have over it under India’s Digital Personal Data Protection Act, 2023 (“DPDP”) and the Information Technology Act, 2000.
2. Information we collect
- Identity details you enter at registration (ITS ID, name, gender, date of birth, contact details).
- Clinical inputs you provide on the intake forms (presenting concerns, symptom severity, safety screening, PHQ-9 / GAD-7 responses).
- Operational records from your care episodes (visits, sessions, follow-up tasks).
- Audit logs of every action taken on your record by you, our administrators, and our clinicians.
3. Purpose of data use
Your protected health information (PHI) will only be shared for the purpose of continuation of care — specifically: enabling the assigned clinician to deliver appropriate mental-health services, supporting handoff between clinicians, scheduling and operational logistics, and complying with legal obligations under the Mental Healthcare Act, 2017.
4. Your rights (DPDP §6 – §11)
- Access. Download a complete copy of every record we hold about you from your profile.
- Correction. Submit a correction request from your profile; an administrator will review.
- Withdrawal. Withdraw your account at any time. Clinical records may be retained per applicable mental-health rules; identifiers are anonymized.
- Granular consent. Treatment consent, data-use consent, and audio-recording consent are managed independently and each can be revoked.
5. Cross-border data transfer
Some application infrastructure used by Qlinniq (notification delivery via Resend / Twilio, error monitoring via Sentry, and the application server itself) currently processes requests outside India. We are actively migrating application hosting and primary data storage to an Indian region in accordance with DPDP cross-border rules and the Ashara recommended architecture; this policy will be updated when the migration completes. Until then, your consent at registration covers limited cross-border processing strictly for the operational purposes above.
6. Security
- HTTPS/TLS for all browser traffic.
- Role-based access control with least-privilege defaults.
- Encryption at rest on the database volumes.
- Audit logs retained for at least 180 days per CERT-In guidance.
- Multi-factor authentication enforced for administrative and clinical roles.
7. Retention
See the separate Data Retention & Deletion Policy.
8. Breach response
In the event of a personal-data breach, the Qlinniq compliance team will notify CERT-In (the Indian Computer Emergency Response Team) within 6 hours of discovery, and affected patients without undue delay, in accordance with the CERT-In Cybersecurity Directions, 2022.
9. Contact
For any concern about this policy, your data, or to exercise a right that is not surfaced in the application, contact the Qlinniq grievance officer at privacy@qlinniq.com.