This Privacy Policy describes how Sapphire Roots Hair Transplant Clinic (referred to as "Sapphire Roots", "we", "us", or "our") collects, uses, stores, shares, and protects personal and sensitive personal data of individuals who visit our website (https://www.sapphireroots.com), interact with our clinic, or use our services.
We are committed to handling your data in compliance with the Digital Personal Data Protection Act 2023 (DPDP Act) of India and applicable medical confidentiality requirements under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations.
Consultation enquiries: Hair loss concerns, age, gender, treatment interest, preferred consultation date
Medical history: Health conditions, medications, allergies, previous treatments (when you become a patient)
Photographs: Pre-procedure, post-procedure, and follow-up photographs taken with your consent for medical documentation
Payment information: Transaction details for services rendered (we do NOT store full card numbers — payments are processed through PCI-compliant gateways)
Communications: Messages, emails, or WhatsApp conversations with our team
2.2 Information Collected Automatically
Website analytics: Pages visited, time spent, device type, browser, approximate location (via IP address)
Cookies: Session cookies for functionality, analytics cookies (if you accept) — see Section 6
Form submission metadata: Timestamp, source URL, IP address for fraud prevention
Sensitive Personal Data: Medical history, treatment records, and photographs constitute "sensitive personal data" under Indian law. We collect these only with your explicit consent and process them with heightened safeguards.
3. How We Use Your Information
We use your information for the following purposes:
Communication: Responding to your enquiries, sending appointment reminders, sharing pre/post-operative instructions, requesting feedback
Operations: Scheduling appointments, billing, maintaining patient records as required by law
Quality improvement: Analysing aggregated, anonymised data to improve our services
Marketing (with consent): Sharing relevant clinic updates, health tips, or treatment information — you can opt out at any time
Legal compliance: Meeting record-keeping requirements under medical and tax laws
4. Information Sharing & Disclosure
We do not sell, rent, or trade your personal information. We share information only in these limited circumstances:
Treatment team: Authorised clinic staff (technicians, nurses, coordinators) involved in your care
Diagnostic labs: When tests are ordered, results are shared between the lab and us
Service providers: Hosting (Hostinger), email delivery, SMS gateways, payment processors — bound by confidentiality and data protection agreements
Legal requirements: If required by court order, government regulation, or to protect rights, property, or safety
Business continuity: If Sapphire Roots merges or transfers operations, your data may transfer to the successor — you will be notified
We will never share your medical photographs, health information, or before-after images publicly without your specific, written consent for that purpose.
5. Medical Records & Confidentiality
Medical records are maintained under strict confidentiality obligations imposed on medical practitioners by the Indian Medical Council and applicable state regulations.
Access is restricted to authorised treatment team members
Records are retained for a minimum of 3 years from the last consultation, in line with medical record-keeping requirements (longer for surgical cases)
Photographs used internally for treatment planning are stored securely and never shared without written patient consent for marketing purposes
You may request a copy of your medical records at any time
6. Cookies & Tracking Technologies
Our website uses the following cookies and similar technologies:
Essential cookies: Session management, CSRF security, form functionality (cannot be disabled)
Analytics cookies: Google Analytics and Microsoft Clarity to understand website usage (anonymised; can be disabled in browser)
Marketing cookies: Meta Pixel for advertising effectiveness measurement (only if you consent)
You can manage cookies through your browser settings. Disabling certain cookies may affect website functionality.
7. Your Rights Under Indian Law
Under the Digital Personal Data Protection Act 2023, you have the following rights:
Right to information: Know what data we have about you and how it is processed
Right to access: Request a copy of your personal data
Right to correction: Request corrections to inaccurate or incomplete data
Right to erasure: Request deletion of your data (subject to legal record-keeping obligations for medical records)
Right to grievance redressal: File a complaint with our Data Protection Officer or with the Data Protection Board of India
Right to nominate: Nominate someone to exercise your rights in case of incapacity or death
Right to withdraw consent: Withdraw consent for marketing communications at any time
To exercise any of these rights, contact us using the details in Section 11.
8. Data Security & Retention
Encryption: All data transmission uses HTTPS/TLS encryption
Access controls: Role-based access — staff only see data necessary for their role
Backups: Regular encrypted backups for disaster recovery
Retention: Medical records retained per legal requirements (minimum 3 years from last consultation, longer for surgical cases). Marketing data deleted upon consent withdrawal.
Breach notification: In case of a data breach affecting your information, we will notify you and the Data Protection Board as required by law
⚠ While we implement strong security measures, no system is 100% secure. If you suspect unauthorised access to your information, contact us immediately.
9. Minors
Our services are intended for adults (18 years and above). For patients under 18, we require parental or legal guardian consent before any consultation, treatment, or data collection. We do not knowingly collect data from minors without verified parental consent.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. The "Last updated" date at the top indicates when changes were made. For material changes, we will notify you via email or a prominent notice on the website.
11. Contact Us
For any privacy-related questions, requests, or complaints, please contact our Data Protection Officer: