We, at AMITA, are committed to ensuring and protecting the personal information and data
privacy of our visitors 1 , user of services 2 and practitioners 3 on our web portal, social media
and other forms of media. AMITA is a software application for service promoted by
PEARLSS 4 Development Private Limited and this Privacy Policy applies to digital, social and
software applications and provided by AMITA, not just limited to this website. This Privacy
Policy is our sincere effort to document and explain to the user, visitor and practitioner on
the manner on how we are, and the reasons for, collecting, defining, protecting, utilising and
disclosing personal information shared by the user, visitor and practitioner during the
process of exploring and/or using our services. It is our utmost endeavour to guarantee
accurate information and services of integrity and quality and hence, we take greatest care
when publishing our data, photographs, graphics, videos and messages.
We have used a simple, clear, concise and easily understandable language. Whenever
necessary, we will have the Privacy Policy in languages other than English. This policy will
be read along with the ‘terms for use of services’ and the ‘practitioner terms for practice’ and
will apply to the services owned and operated by AMITA. The policy does not vouch for the
privacy of other services, such as advertisements or searches run by third party providers on
our web portal or the social media and hence, we bring this to the user’s, visitors and
practitioners’ consideration that they explore the web portal, social media and other forms of
media with their independent judgement assessing the risks involved. We have tried to be as
informed as possible on the needs and the legal considerations while framing this policy.
The purpose of the Privacy and Data Protection Policy is:
i. To maintain maximum level of professionalism assuring high levels of privacy and
safety of the user data
ii. To describe and establish procedures for expressed consent and delimit purpose for
data protection and privacy
iii. To elucidate the safeguards and code of practice in data processing, storage of data,
and user data protection
iv. To lay down the obligations and the considerations taken within the legal
requirements and regulatory compliances
v. To confer the rights of the user to obtain data, correct inaccuracies, erase, update,
port to other fiduciaries and restrict/prevent disclosure of personal data
vi. To inform users on the institutional instruments of AMITA for data protection,
consent, grievance and fiduciary for protecting user interest, misuse of data,
compliance and promoting awareness on safety including intermediaries for social
media.
vii. To institutionalise proper recording procedures ensuring adequate procedures and
process for data protection and privacy.
Legal instruments governing the Privacy Policy
This Privacy Policy is governed under the following Acts and in compliance with:

i. Personal Data Protection Act 2019 (PDPA, 2019)
ii. Information Technology Act, 2000
a. Section 43A of the Information Technology Act, 2000;
b. Regulation 4 of the Information Technology (Reasonable Security Practices
and Procedures and Sensitive Personal Information) Rules, 2011 (the “SPI
Rules”);
c. Regulation 3(1) of the Information Technology (Intermediaries Guidelines)
Rules, 2011.

Consenting to providing personal data
When any user visits the website, social media pages or seeks therapy services, s/he will
leave behind some footprints. When the user seeks services and marks her acceptance on
the consent form, s/he enters into a contractual agreement to receive services as laid down
in the section 14 of the Indian Contract Act, 1872. The user is expected to read the consent
form and ‘tick’ inside the box, to demonstrate that s/he is willing to share personal details
and to ascent to the processing of sensitive personal data for the purposes listed in sub-
section 1, clause 3(36) in PDPA Act 2019 and to draw inferences from the anonymised data.
The users’ consent to the services is based on premise that s/he has read this privacy and
other policy documents provided on the website. Through the acceptance of the consent
form, the user, visitor and practitioner affirm that s/he is exploring or using the platforms
such as website, social media and therapy services out of her/ his free will and has got a
clear and adequate information on the specific privacy considerations with regards to their
use.
We pre-suppose that user, visitor and practitioner has read the privacy policy before
exploring the platform and consent to the terms and conditions of the privacy policy, terms
of use and the practitioner before one decides to become a stakeholder of AMITA. The
policy is binding and hence everyone who is using the website will need to read it. We
assure that the data will be used only for the purposes consented by the user or that is
incidental or connected with the purpose and will be used for purposes that the user will
reasonably expect with regard to the purpose and in the context and circumstances in which
the personal data was collected. We have tried to be as informed as possible on the needs
and the legal considerations while framing this policy.
The user, visitor and practitioner acknowledge that one has read through this document and
abides by the Privacy policy:
i. That the type of data collected contains Personal Information (under the PDPA Sec 2,
3(28) and Sensitive Personal data (Sub-section 1, clause 11(3)) related to the user
and his/her family
ii. That the personal data:
a. is collected under fair, informed and reasonable contexts and circumstances
b. has ensured the users’ and family privacy
c. can be used, as agreed upon in this privacy policy, for purpose of
a. Processing data
b. Retaining data
c. Destroying data
d. Disclosing data

We use a layered approach for consent for our therapy session to facilitate informed
decisions. There is a consent taken for recording of the therapy sessions too. When the

user or therapist records the session from his/her end, s/he needs to take permission from
the therapist/user. The Consent Manager for the psychotherapy sessions will be the user’s
therapist. Just in case the user wishes to have some additional privacy terms, s/he has a
choice to separately consent for each of the features, such as the purposes of, operations in,
the use of different categories of sensitive personal data relevant to processing and so on
by writing an email to the official contact address ‘admin@amitacare.com’. The user will
receive redressal email from the AMITA informing about the changes made.
Withdrawal of consent
During the process, the user has the right to withdraw the consent with ease for whatsoever
reason and s/he will not be compelled to continue the therapy sessions. The reasons for
withdrawal of consent, when the user has previously consented, need to be clearly
mentioned. The user will need to send an email to the official address
‘admin@amitacare.com’ and s/he will receive an acknowledgment for the same. S/he
should be able to resolve the same within a few days as laid down by the regulations. When
the user withdraws the consent from the processing of any personal data without any valid
reason, there may be legal consequences for the effects of such withdrawal. If for any
purpose or reason for withdrawal of consent is not aligned with the regulations, the user will
have to bear the costs of the legal procedures.
Consent for children
Children are considered as those below the age of 18 years according to the Juvenile
Justice Act, 2015 (Care and Protection of Children). When the user seeks services as an
authorised authority for another person who is a child under the definition of Juvenile
Justice Act 2015 (Care and Protection of Children) or incapacitated to provide consent
under the Indian Contract Act, 1872, the user will be whole and sole responsible for acting on
the best interest on behalf of that person. When children seek services, the parents or the
adult guardian of the child will provide the consent to the services, while, the assent will be
taken from the children. We will make efforts to talk to the child to involve the parents in the
therapeutic process in context where the child is not willing to involve parents. However, the
older children especially adolescent may seek services on their own and making it
mandatory for them to involve parents may be counterproductive to promoting teenagers to
approach services. Hence, we will need to further deliberate with the Internal Ethics
Committee to draw guidelines for ethics, including issues related to tele-psychotherapy and
data protection for teenage children. This is in line with the PDPA 2019, where we as
guardian data fiduciary as providers of providing exclusive counselling services to a child,
we shall not require to obtain the consent of parent or guardian of the child under sub-
section 2 ‘Obligations of Data Fiduciary’ of the PDPA Act.
Nature and categories of Personal details captured
Any service or service improvement starts with knowing the client and the clients’ needs. It
is our sincere effort and desire that the user understands personal data and associate
terminology adequately. The information that we collect will only be to the extent that is
necessary for the processing of such personal data that is required for our therapeutic
services. As we collect the data, we need the user to understand some terms of relevance
covered under the PDPA 2019:
a. Personal data means data about or relating to a natural person who is directly or
indirectly identifiable, having regard to any characteristic, trait, attribute or any other
feature of the identity of such natural person, whether online or offline, or any

combination of such features with any other information, and shall include any
inference drawn from such data for the purpose of profiling.
b. Sensitive Personal Data or Information of a person means personal information
about that person relating to, passwords; financial information such as bank
accounts, credit and debit card details or other payment instrument details; physical,
physiological and mental health condition; sexual orientation; medical records and
history; biometric information; information received by body corporate under lawful
contract or otherwise; visitor details as provided at the time of registration or
thereafter; and call data records.
c. Genetic data means personal data relating to the inherited or acquired genetic
characteristics of a natural person which give unique information about the
behavioural characteristics, physiology or the health of that natural person and which
result, in particular, from an analysis of a biological sample from the natural person
in question.
d. Health data means the data related to the state of physical or mental health of the
data principal and includes records regarding the past, present or future state of the
health of such data principal, data collected in the course of registration for, or
provision of health services, data associating the data principal to the provision of
specific health services.
Any user registering to our psychotherapy and mental health interventions will be required to
provide all the four categories of information. When the user desires to use our
psychotherapy and mental health services, we will ask for the name, contact details and
basic personal details as identifiers before they register and engage in therapy. This will
help the psychotherapist to be prepared for a session with the user. We take user email ID
to send an email and the user will open the email using the password. In addition, the user
will be asked to enter his/her users’ mobile number and some basic data. This number is
primarily to contact the user in need and will not be used for marketing purposes or to push
messages. The user can opt for ‘do not call registry’, a clause available under the PDPA
2019 by a clear, unambiguous expressed written communication ascertain non-consent to
receive mobile/telephone calls/push emails.
When the user starts the psychotherapy session with the psychotherapist, s/he will once
again explain the consent form. S/he will ask the user about personal and demographic
details, problems, personal and family details. S/he will also collect information on the user
and family mental health condition, sexual orientation, medical records and history, to name
a few. S/he will need to know them so that s/he can diagnose the problem and then plan
and provide an intervention that matches the various dimensions of the problem, personality,
family conditions and cultural realities using the theoretical frameworks for intervention.
The other points where personal information is shared include:
i. The user may also send an email or contact AMITA over phone or email and
share some personal information at that time.
ii. When the user makes payments, the financial information such as bank
accounts, credit and debit card details or other payment instrument details will be
used.
iii. The user may have personal information on public domains and we may decide
to collate free to use data from the public domain. For such information available
on the public domain, we will be using it without going through the process of
consent for disclosing information

iv. Visitors on the website leave a footprint on the web which we may choose to
track and gain understanding on the people who are visiting the website,
selecting the service or exploring the website.

Purposes for collecting data
The data collected will be used, but not exclusive, for the following purposes:
i. To provide the user mental health interventions and psychotherapy and maintain
electronic recording systems that meets the best standards for professional practice
and as consented by user
ii. To institute a well-planned and recorded need-based referral service system for users
of AMITA services
iii. To generate reports on psychological tests, evaluations, certificates and
recommendations to be shared, submitted or provided on behalf of users. It may for
self, workplaces, insurance organisations etc.
iv. For issuance of any certificate, licence or permit for any action, activity or
provisioning under the State or otherwise as requested by user
v. To contact user in need especially in special circumstances, such as incomplete
registration, follow up or grievance management.
vi. To provide analytic perspective to inform the team on the patterns of individual and
group presentation of users and the symptomatology using analysis of anonymised
data
vii. To respond to any medical emergency involving a threat to the life or a severe threat
to user’s health
viii. To undertake any measure to provide medical treatment or health services to the
user or community with psychiatric disorders using anonymised data during an
epidemic, outbreak of disease or any other threat to public health; or
ix. To undertake measures that ensure the safety of, or provide assistance to or services
to, any individual during any disaster or any breakdown of public order.
x. To track and improvise efficiency and efficacy of interventions, appointment booking
systems, ascertain customer satisfaction trends and practitioner practice patterns
xi. For research, analysis and business intelligence using anonymised data published as
research reports, published articles and newsletters.
xii. To meet routine and other legal or regulatory compliance including those arising out
of any order or judgement of any Court or Tribunal in India
xiii. To generate data to advocate with the State on behalf of user needs under any
law/program
xiv. To assist in the billing and accounting processes
xv. For performance improvement or problem solving of information systems, for e.g.,
debugging exercise
xvi. To publish anonymised data on website, social media and annual/monthly reports,
especially client feedback
a. For promoting and publish and studying customer feedback on new and existing
products and services
b. For product and software improvement on design and utility
c. For payment purposes including third party payment gateways and service providers
such as banks, financial institutions etc.
Accuracy of data

It is the user’s responsibility to provide accurate information on the contact details and
background details related to the problem in concern. The capturing of the therapy
information is carried out by the therapist in good faith and hence the responsibility is
shared between the user and the therapist as the situation may be. The user will have
access to review and correct, delete, modify or amend the information that is stored by
AMITA. In case the data that is capture or modified is not true, complete or out of date, we
will not be held responsible for it. When the data provided by users has legal or regulatory
issues due to incomplete and wrong information provided, we may have the sole discretion
to make decisions using the reasonable grounds and terminate services. We will also have
the discretion not to make the changes suggested by the user and when that happens, we
will communicate the same with the user in response to request made.
Confidentiality and shared confidentiality
The user’s data will be known to his/her psychotherapist. The data may also be overseen by
the admin, IT personnel, supervisory mental health professionals, institutional bodies for
privacy, safety and ethics, and research personnel as need basis to carry out the processes
we have elucidate as part of the purposes. Some part of the information may be accessible
by a few employees, agents or partners and third parties on a need-based basis. When these
confidentiality limits are expanded, we will bind them through robust contractual agreements
that bind them and their employees with strict confidentiality obligations. At times, we hold
case conferences where we may discuss the user case details or conference presentations
and research papers for localised or wider dissemination and learning for the goal of
enhancing skill sets of the therapist or other professionals.
A major responsibility at our end is to get both internal and external persons’ having access
to the user personal data following the regulatory and ethical responsibility towards his/her
personal data. We are committed to this and will build mechanisms for expanding know-
how on rights of the user and the standards and the safety mechanisms.
We, however, wish to draw the limits of our responsibility and inform the user that anything
beyond the scope of this privacy document will not be addressed by us. We will not be held
responsible for the breach of security or for any actions of the third-party arrangements that
are beyond our reasonable control, including but not limited to, acts of government,
computer hacking, unauthorised access to computer data and storage device, computer
crashes, breach of security and encryption, poor quality of Internet service or telephone
service providers of the User etc.
We also wish to inform the user, visitor and practitioner that the legal rights of the processed
personal information and data will rest with AMITA and no user, visitor or practitioner will
hold any right over it.
Preservation of personal data
Under the PDPA 2019, the "official identifier" means any number, code, or other identifier,
assigned to a data principal under a law made by Parliament or any State Legislature which
may be used for the purpose of verifying the identity of a data principal (user). The user’s
personal data will be preserved in a form that distinguishes personal data based on facts
from personal data based on opinions or personal assessments. Every user of
psychotherapy and mental health interventions registering for our services will be provided a
number for identification.

Data processing
There are some terms that may be of important to know before the user understands the
privacy considerations in data processing and analysis
i. "Profiling" means any form of processing of personal data that analyses or predicts
aspects concerning the behaviour, attributes or interests of a data principal (user);
ii. “Processing" in relation to personal data, according to the Personal Data
Protection Act 2019, means an operation or set of operations performed on personal
data, and may include operations such as collection, recording, organisation,
structuring, storage, adaptation, alteration, retrieval, use, alignment or combination,
indexing, disclosure by transmission, dissemination or otherwise making available,
restriction, erasure or destruction. The "data processor" means any person, including
the State, a company, any juristic entity or any individual, who processes personal
data on behalf of a data fiduciary (AMITA).
iii. "Significant harm" means harm that has an aggravated effect having regard to the
nature of the personal data being processed, the impact, continuity, persistence or
irreversibility of the harm. Some of the harm mentioned by the Personal Data
Protection Act 2019 include, bodily or mental injury; loss of reputation or humiliation;
loss of employment; any discriminatory treatment; any denial or withdrawal of a
service, benefit or good resulting from an evaluative decision about the data principal
(user); any restriction placed or suffered directly or indirectly on speech, movement
or any other action arising out of a fear of being observed or under surveillance; any
observation or surveillance that is not reasonably expected by the data principal.
These terms have applicability in our operations and data management systems. Our effort
is to minimise and reduce the consequences of significant harms if any. The user needs to
understand how we might process the data. As the processing of personal data may be for
research, archiving and statistical purposes, the PDPA 2019 recognises that the compliance
with the provisions of this Act shall disproportionately divert resources from such purpose.
For archiving, anonymising data may not serve the purposes of processing and hence de-
identification in accordance with the code of practice specified under Code of Practice (Sub
-section 9, Clause 50) and the processing can be achieved if the personal data is in de-
identified form. Any personal data that is not being sensitive personal data may be
processed for "reasonable purposes" that may include but not exhaustive, whistle blowing;
network and information security; processing of publicly available personal data; and the
operation of search engines.
The personal data will not be used to take any decision specific to or action directed to the
user or other users. The personal data will not be processed in a manner that puts user to a
risk of significant harm to self or others. The PDPA 2019 exempts research, archiving, or
statistical purposes from the application of any of the provisions of the Act and the specified
regulations.
We shall take necessary steps to ensure that the personal data processed is complete,
accurate, not misleading and updated; having regard to the purpose for which it is
processed. If any data information or data processing involves cross-border transfer of the
personal data, it will be carried out as per the legal instruments of the government and in
such situations, the user will be informed on the same through an email on the registered
email ID.

Our online services are not intentionally targeted to children but there is possibility that
children may explore our web portal and reach out for services. When we process personal
data of children, it will be assured that the rights of the child are protected and every action
is in the best interest of the child. In situations where the child needs services but for
whatever reasons the parental permissions are difficult to ascertain, we will be considering
seeking support from our Internal Ethics Committee to make decisions on provisioning on
the necessary support to continue the services to the child who most need them. This is in
line with the PDPA 2019, where we as guardian data fiduciary as providers of providing
exclusive counselling services to a child, we shall not require to obtain the consent of parent
or guardian of the child under sub-section 2 ‘Obligations of Data Fiduciary’ (AMITA) of the
PDPA Act.
Before processing of any personal data of a child, we will verify his/her/ age and obtain the
consent of his parent or guardian, in such manner as may be specified by regulations. The
PDPA 2019 suggests the following considerations for verification of the age of the child; the
volume of personal data processed; the proportion of such personal data likely to be that of
child; possibility of harm to child arising out of processing of personal data; and such other
factors as may be prescribed. We shall make all efforts to ensure that we do not profile,
track or behaviourally monitor of, or targeted advertising directly at children, especially those
that can cause significant harm to the child (Sub-section 4, clause 16(5) of the PDPA 2019).
Period of retaining personal data
The personal data considered for the process will not be retained beyond the period
necessary to satisfy the purpose for which it is collected unless and until it is necessary to
comply with any obligation under any law for the time being in force. When the data is
disclosed for the purpose of processing, it shall be deleted at the end of the processing by
ourselves and/or by the process intermediaries. In certain circumstances, the personal data
in our possession may be required to be retained for a longer period for the purpose of
processing. We will undertake periodic review to determine whether it is necessary to retain
the personal data in our possession. In such circumstances, we will review the purpose for
which we collected and that we need to retain the data and come to a realistic determination
on the time period for which we need to retain the data. Once this purpose is met, we are
expected to securely delete user information when user data is no longer need for the
purpose; this is a little difficult to follow with therapy linked data as we do not know when
the user may reach to use the services once again. When personal data is deleted, it shall be
done as specified by regulations under the Act. When there is a change of terms for
retaining or on the security of the data, we will keep the user updated through intimation on
the website. The user will be informed in case the processing is not for the said purpose the
user has agreed under the consent ascertained.
Rights of the user
The PDPA 2019 provides rights for the user and this includes right to obtain from the data
fiduciary (AMITA)
i. confirmation whether the data fiduciary (AMITA) is processing or has processed
personal data of the data principal (user);
ii. the personal data of the data principal (user) being processed or that has been
processed by the data fiduciary (AMITA), or any summary thereof;

iii. a brief summary of processing activities undertaken by the data fiduciary (AMITA)
with respect to the personal data of the data principal (user), including any
information provided in the notice under section 7 in relation to such processing.
In addition, the user has specifically the following rights, subject to such conditions and
specified by the regulations:
i. Access to personal data: The user has the right to ask us a copy of the personal data
that was provided by him/her. The user also has the right to ask and review the
nature of the data we possess and how we intend to use it. In an eventuality we
refuse to respond, the user has the right to ask us the reason on why we have
refused to share the data and get a reply on the reasons for refusal.
ii. Correction of incomplete and misleading data or updation: The user has the right to
ask for the correction amendment or updation of the incomplete/errored/out of date
data.
iii. Deletion of data: The user has the right to request for deletion of data on certain
grounds. The reasons may include, the data is no longer serving the purposes of the
consent provided, infringements on the right of the user or has other legal
requirements that mandate the deletion of the data. The user may have to bear the
costs in any legalities emerge as part of the process. We may decide to inform the
persons associated with providing the data on the changes made in case the
changes are asked by persons’ other than the user.
iv. Object or restrict data processing: The user has the right to object or restrict the
processing of the user’s personal data in parts or as a whole
v. Consent: The user has the right to withdraw consent at any time during the course of
the engagement with valid reasons through communication over an email and
receive a response to that effect; including the reasons why the request could be
entertained. The consent for using processed data can be applicable to whole data
or parts of the data.
vi. Disclosure of data: The user has the right to restrict or prevent the continuing
disclosure of personal data and that may be enforced only on an order of the
Adjudicating Officer made on an application filed by user on the grounds that the
right or interest in preventing or restricting the continued disclosure of personal data
overrides the right to freedom of speech and expression and the right to information
of any other citizen, where such disclosure:
a. has served the purpose for which it was collected or is no longer necessary for the
purpose;
b. was made with the consent of the data principal under section 11 and such consent
has since been withdrawn; or
c. was made contrary to the provisions of this Act or any other law for the time being in
force.
vii. Identities of data fiduciaries: The user shall have the right to access in one place the
identities of the data fiduciaries with whom personal data have been shared together
with the categories of personal data shared with them, in such manner as may be
specified by regulations.
viii. Deceased user: The legal representative of the user has the right to request AMITA
to delete the data of the deceased person through a request over an email followed
by a postal letter, providing the legal documents to prove his/her as the legal
representative and the death certificate.

When we are processing the personal data through automated means, the user has the right
to
i. receive the following personal data in a structured, commonly used and machine-
readable format
a. the personal data provided to the data fiduciary;
b. the data which has been generated in the course of provision of services or use of
goods by the data fiduciary (AMITA); or
c. the data which forms part of any profile on the data principal (user), or which the data
fiduciary (AMITA or other associates) has otherwise obtained; and
ii. have the personal data referred to in clause (i) transferred to any other data fiduciary
in the format referred to in that clause.
The provisions of this above-mentioned clause shall not apply where:
i. processing is necessary for functions of the State or in compliance of law or order of
a court under section 12 of the Act;
ii. compliance with the request in sub-section (1) of the Act would reveal a trade secret
of any data fiduciary or would not be technically feasible.
The user has the right to requesting for his/her information on the above-mentioned clauses
and shall receive clear and concise easily comprehensible information from us. The user
will hold regard to the purposes for which personal data is being processed. We are there to
help the user understand the information written on one’s health record. If the user desires
to avail any of these rights, s/he may send a communication to the following email ID:
‘admin@amitacare.com’. Just in case we do not agree with such correction, completion,
updation or erasure having regard to the purposes of processing, we shall provide the user
with adequate justification in writing for rejecting the application. One of the reasons that we
will not oblige and comply with the request is where such compliance shall harm the rights
of any other service user.
In case the user is not satisfied with the justification provided by us, we will take reasonable
steps to indicate, alongside the relevant personal data, that the same has been disputed by
the user. Where we have corrected, completed, updated or erased any personal data we
shall also take necessary steps to notify all relevant entities or individuals to whom such
personal data may have been disclosed regarding the relevant correction, completion,
updation or erasure, particularly where such action may have an impact on user rights and
interests or on decisions made on the user.
We acknowledge the receipt of requests made on the rights of the individual. This response
can be expected within a short period and in alignment specified by regulations. We will
charge a fee if the request is not related to one’s rights as may be specified under the
regulations of the Act. In case we refuse the user’s request and s/he are not satisfied with it,
s/he have the right to file a complaint with the Authority under the Act and/or take legal
remedies against the refusal within a period and manner as specified by the regulations.
The user can avail these services free of charge without fear of any intimidation. These
rights may not be absolute and may have limitations and exceptions and we will provide
reasons as a response email mentioning the same. We will carry out certain verifications to
ensure that the person availing the rights is the user or the legal representative of the user.
Disclosure of personal data

We may be disclosing personal data in such situations
i. Enforcing any legal right or claim, seeking any relief, defending any charge, opposing
any claim, or obtaining any legal advice from an advocate in any impending legal
proceeding;
ii. processing of personal data by any court or tribunal in India is necessary for the
exercise of any judicial function;
iii. personal data is processed by a natural person for any personal or domestic
purpose, except where such processing involves disclosure to the public, or is
undertaken in connection with any professional or commercial activity; or
iv. processing of personal data is necessary for or relevant to a journalistic purpose, by
any person and is in compliance with any code of ethics issued by the Press Council
of India, or by any media self-regulatory organisation.
Technology used for processing
Technology that is currently used is for the website, for the payment gateway and for data
storage. We are yet to decide on the technology for processing of personal data. Whenever
we will be doing so, we will update it here from time to time in such manner as may be
specified by regulations. We will ensure that it is based on internationally accepted
standards and security requirements. We wish to assure the user is that we are committed
to setting the best international standards and safety policies, rules and technical measures
to protect the user’s confidentiality, privacy and safety. We will make all that is possible in
our control to protect unauthorised entry, modification and unlawful destruction or
accidental loss. We implement reasonable security practices and procedures and document
the same considering the managerial, technical, operational and physical control measures
in line with the requirements of the mental health services that we manage. In spite of our
best efforts, there is a high likelihood of data loss or theft due to unauthorised access to the
user’s electronic devices through which the user accesses services. At the user level, it is of
paramount importance that they protect themselves from unauthorised access to their
accounts by securing their passwords of their computers and mobile phones. The user will
log off from the website once the session is completed. We shall not be held liable for such
loss, whatsoever, caused by the user technological issues.
Our access and security on passwords of the personal data platform will be governed and
will be available with a limited group of administrative staff members. We will protect the
user from any unauthorised access to their information including password, mobile numbers
and phone numbers, such as unauthorised use of his/her account and password.
Breach of any data processed
We will take all possible measures to ensure that the risks to breach of data is minimal or
absent. In situation where there is an unexpected breach of data, we will inform the
authority by notice and carry out actions as informed and/or as laid in the regulations when
such breach is likely to cause harm to the user or to others. Our sincere effort is to ensure
that such circumstances do not arise. In situation where it is not possible for us to provide
the required information, we will reach out to the user and request them to provide the
required information to the Authority without undue delay. In consultation with the Authority,
we will report to the user on the breach of personal data and direct her/his to take
appropriate remedial actions as soon as possible and post the details of the personal data
breach on our website.

If and when the user is aware or has suspicion of any unauthorized use of the account, they
are mandated to inform AMITA as soon as possible through email and a phone call to
facilitate immediate action from our side and prevent any harm or loss faced by the user.
The contact point for sharing the information and receive support is through the email:
‘admin@amitacare.com’.
Maintenance of records
We will maintain accurate and up-to-date online and/or offline records in such form and
manner as may be specified by regulations, namely:
i. important operations in the data life-cycle including collection, transfers, and erasure
of personal data to demonstrate compliance as required under section 10 of the Act;
ii. periodic review of security safeguards under section 24 of the Act;
iii. data protection impact assessments under section 27 of the Act; and
iv. any other aspect of processing as may be specified by regulations.
Transfer of personal data outside India
In concurrence with the PDPA 2019, we may transfer anonymised sensitive personal data for
analysis outside India, but we will continue to store the sensitive personal data at our end.
When the ‘critical personal data’ that is notified by the central government is involved such
data will only be processed in India.
Cookies
Cookies are minuscule parts of information that are stored on user computer’s hard drive by
companies that enable one to identify the user when the s/he visits the site. These cookies
do not collect individual identification data but provide valuable statistical insights about the
site and the online behaviours and patterns of users, such as, date and time of visits, pages
viewed, the IP address including network location and computer internet address and
website visited. We also use ‘persistent cookies’ that identify user as unique, tailoring the
content to match the user’s preferred interest areas. AMITA uses the temporary cookies
stored by the user’s and service providers browser to develop an understanding of the
technical administration of the website, for research and development and for user
administration. We may do this by ourselves or use third party agencies to place or
recognise cookies of the user’s browser.
By using them, we can improve the user experience and personalise online interactions; for
e.g., knowing the aggregate number of people who visited the website, content that is
popular, we can add more information on the theme. The user has a choice to disable the
use of cookies using his/her browser settings; this may limit the use of some of the
features.
Some other clauses of relevance
i. If we have information about abuse or risk of sexual abuse to a child, we are legally
bound under the POCSO Act to report to the proper authorities.
ii. If we are aware of risk to harm user’s or other people’s life, we will make all efforts to
take action to ensure user’s safety or the safety of others
iii. If we have orders from the Court to release personal and sensitive information, we
will be bound by the law to do so.

iv. If we have to defend ourselves in the court against a complaint filed against AMITA
or any professional working with AMITA on matters related to the users or otherwise,
we will consult with our legal experts to decide on what data needs to be disclosed.
If the limits of privacy and confidentially are likely to be breached beyond the
acceptable limits, we will be informing the user on the same.
Grievance management on Privacy matters
"Personal data breach means any unauthorised or accidental disclosure, acquisition,
sharing, use, alteration, destruction of or loss of access to, personal data that compromises
the confidentiality, integrity or availability of personal data to a data”.  In case of any
personal data breach, we encourage the user to reach out to us to raise their grievance and
support us in assuring highest privacy. In a context where some of the clause/s is not
acceptable to the user or they have a question related to it and/or the user may decide not to
use the service, we request the user to reach out to the Data Protection Officer appointed by
AMITA under the Personal Data Protection Act 2019 and seek clarification on the same. The
user may send in an email to ‘admin@amitacare.com’ and make a telephone call over the
contact number provided on the website.
Revisions to Privacy policy
We may from time to time, at our discretion, reserve the right to change, modify and/or
delete some terms of the privacy policy. We are likely to make changes as and when
needed, and as a good practice, we will review the policy in total. The users are advised to
check on it regularly and we aware on the edits made on it.
Contact details for matters related to privacy
The contact details of the data fiduciary and the data protection officer are as follows:
Dr. Anita Rego, Director, Project AMITA, PEARLSS 4 Development