Privacy policy

How MediGrow collects, uses, stores, and protects personal data. Drafted to comply with India's Digital Personal Data Protection Act, 2023.

Last reviewed 16 May 2026 · 8 min read · DPDP Act 2023 compliant

This Privacy Policy explains how MediGrow Technologies (“MediGrow,” “we,” “us”) handles personal data collected through www.medigrow.co.in, our discovery calls, our marketing communications, and our service engagements. We are a healthcare technology and growth partner based in Hyderabad, Telangana, India.

We are committed to compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and applicable healthcare advertising regulations.

Scope & applicability

This policy applies to:

  • Visitors to our website — anyone browsing www.medigrow.co.in or any subdomain we operate.
  • Prospective clients — practitioners, hospital owners, or administrators who submit inquiries via our contact form, newsletter signup, lead-magnet downloads, or discovery-call bookings.
  • Active clients — engagements where MediGrow provides marketing, technology, or advisory services, and we process data on the client’s behalf as a data processor.

This policy does not cover:

  • Patient data managed inside a client’s own systems — we operate as a data processor in those cases, and the client’s own privacy notice governs patient relationships.
  • Third-party websites we link to. Their privacy policies apply once you leave our domain.

Data we collect

We collect personal data in the following categories:

Information you give us directly

  • Contact form submissions: name, email, phone, practice name, specialty, locality, and the message body you send us.
  • Newsletter signups: email address.
  • Lead magnet downloads: name, email, practice name (where requested), and the lead magnet you requested.
  • Discovery call bookings: name, email, scheduling timezone, and any context fields you provide via Cal.com.
  • Client onboarding: practice details, billing information, authorized signatory contacts, scope-of-work artifacts. Collected under a signed engagement agreement.

Information collected automatically

  • Usage analytics: page views, referrer URL, IP address, user agent, and timing data, collected via Google Analytics 4 with anonymized IP.
  • Performance and error logs: collected by our hosting provider (Vercel) and our caching/CDN layer.
  • Cookies: see our separate Cookie Policy for the complete inventory.
  • Bot-protection signals: form submissions are screened by Cloudflare Turnstile, which collects browser-fingerprint signals to detect abuse. Signals are not used for identification or marketing.

What we do not collect

We do not collect or process patient health data through this website. Our services do involve patient data inside client systems — that processing is governed by client-specific agreements and is outside the scope of this notice.

How we use your data

We use personal data for the following purposes:

  • Respond to inquiries — when you fill out a form, request a quote, or book a discovery call, we use the data to respond and schedule follow-ups.
  • Deliver requested materials — lead magnets, downloadable playbooks, and newsletter content are sent via Resend (transactional email) and Brevo (newsletter list).
  • Service delivery — for active clients, we use practice details to plan, ship, and report on the engagement.
  • Improve our services — aggregated, non-identifying analytics help us understand which content is useful and where to invest editorial effort.
  • Compliance and security — to detect and prevent fraud, abuse, and unauthorized access to our systems.
  • Legal obligations — to comply with applicable laws, court orders, or regulatory requirements in India.

We do not sell personal data. We do not share inquiry data with unaffiliated marketers. We do not run behavioral retargeting on sensitive healthcare topics (see Cookie Policy).

Who we share data with

We share personal data only with the following categories of recipients, each under appropriate contractual safeguards:

  • HubSpot (CRM and marketing automation) — receives contact form submissions and lead-magnet inquiries. United States-based. Operates under its own DPA terms.
  • Brevo (newsletter and broadcast email) — receives newsletter subscriber emails. European Union-based (France).
  • Resend (transactional email) — sends confirmation emails for inquiries, lead-magnet deliveries, and account notifications. United States-based.
  • Cal.com (scheduling) — receives discovery-call booking details including name, email, and selected time slot. United States-based.
  • Google (Analytics 4, Tag Manager, reCAPTCHA where applicable) — receives usage analytics with IP anonymization enabled. United States-based.
  • Cloudflare (Turnstile bot protection) — receives form submission signals for abuse detection. United States-based with global edge network.
  • Sanity (content management) — stores content created by our editorial team. Does not store inquiry data. United States-based.
  • Vercel (hosting and CDN) — operates our infrastructure and processes request logs. United States-based with global edge.
  • Upstash (rate-limiting Redis) — stores anonymized rate-limit counters per IP. United States-based.
  • Slack (internal notifications) — receives notifications when new inquiries arrive. United States-based.

We may also share data with our legal counsel, accountants, and auditors under strict confidentiality, and with law enforcement when legally compelled to do so. We will resist over-broad requests and notify the affected individual where law permits.

Retention periods

We retain personal data only as long as necessary:

  • Contact form inquiries — 24 months from the last interaction. We retain inquiry context to maintain continuity if you reach out again.
  • Newsletter subscribers — until you unsubscribe. Unsubscribed addresses are retained for 12 months in a suppression list to prevent re-subscription against your will.
  • Lead magnet downloads — 24 months from download.
  • Discovery call records — 12 months after the call (or longer if the inquiry converts to a client engagement).
  • Client engagement records — for the duration of the engagement plus 7 years thereafter for tax, accounting, and dispute-resolution purposes.
  • Analytics data — Google Analytics 4 retention is configured to 14 months.
  • Backups — operational backups are retained for 30 days. Data marked for deletion is removed from backups on the next rotation cycle.

Your rights

Under the Digital Personal Data Protection Act, 2023, you have the following rights regarding your personal data:

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right of correction — you can request correction of inaccurate or incomplete data.
  • Right of erasure — you can request deletion of your data (subject to legal retention requirements).
  • Right to withdraw consent — for processing based on consent (e.g., newsletter), you can withdraw at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Right of grievance redressal — you can raise concerns with our data protection lead. If unresolved, you may approach the Data Protection Board of India.
  • Right of nomination — you can nominate another person to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, email hello@medigrow.co.in with the subject line “DPDP rights request.” We will verify your identity and respond within the timeline specified under the DPDP Act (currently 30 days).

Security measures

We implement reasonable security practices and procedures appropriate to the nature of data processed:

  • Encryption in transit — all website traffic uses TLS 1.2 or higher. Internal API calls between our systems and processor partners (HubSpot, Brevo, Resend, etc.) are encrypted.
  • Encryption at rest — personal data stored in HubSpot, Sanity, and other processor systems is encrypted at rest by those providers.
  • Access controls — production system access is restricted to authorized team members on the principle of least privilege. Two-factor authentication is required.
  • Rate limiting — public forms and API endpoints are rate-limited to prevent abuse.
  • Bot protection — Cloudflare Turnstile screens submissions to prevent automated abuse.
  • Logging and monitoring — system access and security events are logged for incident detection.
  • Vendor due diligence — we review the security posture of every processor before engaging them and on an ongoing basis.

If a personal data breach occurs that is likely to result in significant harm, we will notify affected individuals and the Data Protection Board of India within the timelines required by law.

International transfers

Some of our processors are located outside India (primarily the United States and the European Union). When personal data is transferred outside India, we rely on one or more of the following safeguards:

  • Standard Contractual Clauses or equivalent in our data processing agreements with each vendor.
  • Vendor compliance with internationally recognized security and privacy frameworks (ISO 27001, SOC 2 Type II, GDPR alignment).
  • Restriction of transfers to jurisdictions notified by the Government of India under DPDP Act § 16, where applicable.

We will update this section as the Indian government issues additional country notifications under the DPDP Act.

Children's data

We do not knowingly collect personal data from children under 18 years of age. Our services are directed at healthcare practitioners, hospital administrators, and other adult professional audiences.

If you believe we have inadvertently collected data from a child, contact us at hello@medigrow.co.in and we will delete it promptly.

For client engagements that involve content addressing pediatric healthcare, all data subjects in our processing context are professional adults (parents, guardians, practitioners) — never the children themselves.

Policy changes

We may update this policy from time to time. Material changes (changes to the categories of data we collect, changes to our processor list, or expansion of processing purposes) will be communicated by:

  • Updating the “Last reviewed” date at the top of this page.
  • Posting a notice on our home page or in a banner for at least 30 days.
  • Where you have provided email contact, sending direct notice for material changes.

The current version of this policy is always the version available at this URL.

Contact the data protection lead

For questions about this policy or to exercise your rights, contact:

Data Protection Lead, MediGrow Technologies
Email: hello@medigrow.co.in
Postal address: 1-4-2/4, 5/114, 4th Floor, Road No 4, Sri Nageshwar Nagar Colony, Kishanbag, Maruthi Nagar, Kothapet, Hyderabad, Telangana 500102, India.

We aim to respond within 4 business hours for general inquiries, and within the statutory timelines under the DPDP Act for formal rights requests.

This policy is provided in English. Translations may be made available; the English text controls in the event of a discrepancy.
