Last Updated: 14-01-2026
Purpose
The purpose of this Privacy & Personal Data Protection Policy (“Policy”) is to define the principles, controls, and safeguards adopted by Vasudhaiva Kutumbakamsoftware Solutions Private Limited (hereinafter referred to as “Company” or “MHITR”) for the protection of personal data shared by Our Client (hereinafter referred to as “Client”). This Policy ensures that personal data relating to Client’s employees, clients, residents, consultants, service partners, and other authorized individuals (“Data Principals”) is processed in a lawful, fair, secure, and transparent manner, strictly in accordance with Client’s governance standards and applicable data protection laws, including the Digital Personal Data Protection Act, 2023 (“DPDP Act”).
Scope
This Policy applies to:
• All personal data shared by Client with MHITR
• All MHITR employees, consultants, contractors, and authorized representatives
• All systems, platforms, applications, infrastructure, and processes used by MHITR in providing services to Client.
This Policy forms an integral part of MHITR’s information security, confidentiality, and vendor compliance framework.
ROLES & ACCOUNTABILITY
We use your information to:
• Provide you with personalized mental health resources and support tools
• Operate and improve the App and Services
• Communicate with you about your account or important updates
• Ensure the safety, integrity, and legal compliance of our platform
| Role | Responsibility |
|---|---|
| Client | Data Fiduciary under DPDP Act |
| MHITR Private Limited | Data Processor |
| MHITR Management | Policy enforcement and oversight |
| Authorized Personnel | Secure and compliant data handling |
CATEGORIES OF PERSONAL DATA
MHITR may process the following categories of personal data on a need-to-know and purpose-limited basis:
• Identification data (e.g., name, age, gender)
• Contact information (e.g., address, phone number, email ID)
• Employee, client, resident, or user reference identifiers
• Wellness, lifestyle, or health-related data (only where applicable, permitted, and consented)
• Any other personal data necessary for service delivery as expressly approved by Client
MHITR shall not collect personal data directly from Data Principals unless explicitly authorized by Client.
PRINCIPLES OF DATA PROCESSING
MHITR adheres to the following data protection principles, aligned with Client’s vendor policies:
• Lawfulness & Fairness: Processing only for lawful, authorized, and legitimate purposes
• Purpose Limitation: Use strictly limited to defined service objectives
• Data Minimization: Processing only data that is strictly necessary
• Accuracy: Reasonable measures to ensure data accuracy and relevance
• Storage Limitation: Retention only for approved periods
• Accountability: Demonstrable compliance and audit readiness
LEGAL BASIS FOR PROCESSING
MHITR processes personal data based on:
• Valid consent obtained by Client from Data Principals; and/or
• Legitimate uses permitted under the DPDP Act, 2023
MHITR relies on Client to ensure lawful collection, consent management, and fulfillment of fiduciary obligations.
INFORMATION SECURITY CONTROLS
MHITR implements appropriate technical and organizational security measures aligned with enterprise vendor requirements, including:
• Role-based and least-privilege access controls
• Strong authentication mechanisms
• Secure storage, encryption, and controlled access
• Confidentiality and non-disclosure obligations for personnel
• Periodic internal security reviews and assessments
Personal data is protected against unauthorized access, alteration, disclosure, loss, or destruction.
DATA SHARING & THIRD-PARTY ACCESS
• Personal data shall not be disclosed, sold, licensed, or transferred to any third party without prior written approval from Client.
• Approved sub-processors shall be bound by data protection obligations equivalent to or stronger than this Policy
• Any legally mandated disclosure shall be promptly notified to Client, unless prohibited by law
DATA RETENTION & DISPOSAL
• Personal data shall be retained only for the duration necessary to fulfill service obligations or comply with applicable legal requirements
• Upon completion or termination of services, personal data shall be securely returned, deleted, or anonymized as instructed by Client
• Secure deletion and disposal methods shall be used to prevent unauthorized recovery
DATA PRINCIPAL RIGHTS SUPPORT
MHITR shall reasonably assist Client in fulfilling Data Principal rights under the DPDP Act, including:
• Right to access information regarding processing
• Right to correction or updating of personal data
• Right to erasure of personal data
• Right to withdraw consent
• Right to grievance redressal
All requests shall be routed through Client as the primary interface and handled without undue delay.
PERSONAL DATA BREACH MANAGEMENT
In the event of a personal data breach or suspected breach:
• MHITR shall notify Client without undue delay
• Immediate containment, mitigation, and remediation actions shall be initiated
• MHITR shall fully cooperate with Client for regulatory reporting, investigation, and corrective measures
Breach handling shall align with Client’s incident management and reporting expectations.
CROSS-BORDER DATA TRANSFER
Personal data shall not be transferred outside India unless:
• Explicitly authorized in writing by Client; and
• Such transfer is permitted under applicable Indian law
AUDIT & COMPLIANCE
• MHITR shall maintain audit-ready records of personal data processing activities
• Client or its authorized auditors may review compliance upon reasonable notice
• Any identified non-compliance shall be promptly addressed through corrective actions
TRAINING & AWARENESS
MHITR ensures that relevant personnel:
• Are aware of data protection and confidentiality responsibilities
• Receive periodic training on security and compliance requirements
• Are subject to disciplinary action for violations of this Policy
POLICY REVIEW & UPDATES
This Policy shall be reviewed periodically to reflect:
• Changes in applicable laws or regulations
• Updates to Client’s vendor requirements
• Operational, technological, or security enhancements
Material changes shall be communicated to Client.
GRIEVANCE REDRESSAL
For any data protection concerns or complaints:
Grievance Officer
Vasudhaiva Kutumbakamsoftware Solutions Private Limited
Email: rsvn.sharma@mhitr.in
Address: 17, Obel Villas, Balagere Main Road, Bengaluru, Karnataka, 560087
POLICY ACCEPTANCE
