Privacy Policy

Effective Date: 14th August 2025

Originally Effective Date: 1st May 2018; Last Updated: 14th August 2025


Introduction

NeedStreet Web Technologies Private Limited (“NeedStreet,” “we,” “our,” “us”) develops and operates the ContinuousCare Platform Services, an online healthcare technology platform for licensed healthcare providers (“Customers”) to manage their services and engage with their patients.

This Privacy Policy explains how NeedStreet collects, uses, stores, and protects personal data processed through the platform. It applies to:

  • Customers (healthcare providers and organizations),
  • Team Users (staff, clinicians, administrators),
  • Patient Users (patients who access a Virtual Practice), and
  • Visitors to our websites.

This Policy is part of our Terms of Use. The platform is designed to comply with GDPR, HIPAA, the DPDP Act, and other applicable frameworks, and is regularly reviewed for compliance with evolving regulatory standards.

Patient Users are required to provide informed consent during on-boarding in Virtual Practice apps/portals before their data is processed. Customers, as healthcare providers, remain responsible for ensuring that patient consent is valid and up to date.

Roles and Responsibilities

  • Customers act as Data Controllers (under GDPR) or Data Fiduciaries (under the DPDP Act).
  • NeedStreet acts as a Data Processor (GDPR/DPDP) or Business Associate (HIPAA) for Customer Data, processing data only under documented Customer instructions.
  • For our own business operations data (billing, telemetry, analytics, website data), NeedStreet acts as an independent Data Controller.

Categories of Data Collected

Customer Data (Confidential)

  • Patient health information entered by providers or patients.
  • Clinical documentation, medical history, uploaded files.
  • Device-integrated data syncs.
  • Data from sources such as Apple Health and Google Health Connect.
  • Communications between patients and providers.
  • Administrative records generated in the Virtual Practice (appointments, invoices, billing records, practice management data).

Customer-Published Content (Non-Confidential)

  • Provider Professional profiles set up by Customers (e.g., provider name, qualifications, specialties, contact details), Practice Location and Organization details.
  • Patient education content published by Customers for display in their portals (e.g., articles, videos, FAQs).
  • This information is published intentionally and is not considered confidential. Customers remain responsible for ensuring accuracy and appropriateness.

Account & User Data

  • Customer registration details, account setup, subscription info.
  • Team User details: name, email, phone, verification records.

Transaction & Billing Data

  • Patient payments to Customers: handled entirely through the Customer’s configured third-party payment gateway. NeedStreet does not process or store payment method details of users in Virtual Practices.
  • Customer payments to NeedStreet: processed via NeedStreet’s payment gateway and subscription management provider. NeedStreet does not store card/payment method data of subscribed Customers on the platform.

Platform Usage Data

  • Logs, API calls, error reports, audit trails.
  • Feature usage metrics.

Communications Data

NeedStreet processes communications related to the operation of Customer Virtual Practices. These include:

  • System notifications: Appointment confirmations, payment confirmations, provider review requests, and similar notifications generated automatically by the platform. System notifications are delivered through external channels such as email, SMS, push notifications, or integrated messaging services. To protect privacy, NeedStreet’s default system templates exclude any PHI (Protected Health Information) or PII (Personally Identifiable Information).
  • Custom Messages: Customers may create custom messages. NeedStreet is not responsible for the inclusion of PHI or PII in such messages, since content is determined entirely by Customers and their staff.

Communication channels:

  • Email: By default, the platform sends email notifications using NeedStreet’s mail infrastructure. Customers may optionally connect their own mail server accounts for outbound messages from their Virtual Practice.
  • SMS: Customers are responsible for configuring their own SMS gateway accounts (e.g., Twilio, ValueFirst). In some cases, Customers in India may choose to use NeedStreet’s default SMS gateway account.
  • Push Notifications: Sent via the platform’s infrastructure.
  • WhatsApp Integration: Customers may integrate their WhatsApp Business account through Twilio into their Virtual Practice. This allows their Virtual Practice to send system notifications via WhatsApp, as well as to send custom notifications and respond to patient messages for patient support.
  • In-app notifications: These are sent through the application interfaces only and not through any external communication channels.

Responsibility: Customers are responsible for ensuring the secure and lawful use of external communication channels they configure, and for the content of any custom messages sent through those channels.

Website & Device Data

  • Cookies and tracking technologies may be used on NeedStreet’s corporate marketing website (e.g., www.continuouscare.io) for analytics and service improvement.
  • Browser type, device type, IP address, and location metadata.
  • Analytics identifiers (e.g., Google Analytics) apply only to NeedStreet’s own corporate website and marketing pages.
  • No third-party analytics tools are embedded in or permitted within the Virtual Practice web or mobile app interfaces used by Customers, Team Users, or Patient Users. Analytics in those environments are limited strictly to internal platform logs required for service performance, security monitoring, and compliance auditing.

Purpose and Legal Basis of Processing

We process personal data for:

  • Service delivery (contractual necessity) – hosting, storage, access, communication.
  • Security & fraud prevention (legitimate interest/legal obligation) – monitoring, logging, incident response.
  • Regulatory compliance (legal obligation) – audits, breach notification, lawful disclosures.
  • Improvement of services (legitimate interest) – aggregated analytics, feature usage trends.
  • Marketing communications (consent) – NeedStreet may send service-related updates and marketing communications only to its own Customers (the healthcare providers/organizations) and their authorized representatives, never to Patient Users or Team Users within Customer Virtual Practices. Such communications are sent only where permitted by law, with clear opt-out options.

We do not use Customer Data for advertising, profiling, or AI model training. NeedStreet collects only the minimum personal data required to deliver services in compliance with the principle of data minimization.

How We Process Data

NeedStreet processes Customer Data only under documented Customer instructions, such as account configurations, permissions, enabled features, and written support requests. We do not use Customer Data for any purpose other than delivering and supporting the ContinuousCare Platform Services.

In delivering communications, the platform generates and transmits system notifications tied to specific events (e.g., appointment confirmations, payment receipts). These notifications are routed through external communication channels (email, SMS, push notifications, or integrated messaging services). NeedStreet ensures that its default templates do not include PHI or PII, but Customers remain responsible for the security and lawful configuration of their chosen channels and for any custom content included in notifications.

NeedStreet uses vetted sub-processors, such as Amazon Web Services for cloud hosting and communications infrastructure providers (e.g., WebRTC relays, SMS/email gateways). We remain responsible for the actions of our sub-processors.

Some subscription plans include AI-powered features, such as AI-assisted clinical documentation. When enabled, these features process Customer Data only in transient sessions to generate outputs. Customer Data processed in AI features is not stored for training and is not retained beyond the session, except for minimal logs required for service quality and security. Customers are solely responsible for reviewing and validating all AI-generated content before using it in clinical workflows or patient records.

Data Storage & Location

  • European Union Customers

    Customer Data for Customers located in the EU is stored exclusively in our EU cloud centre. Data at rest and backup copies remain within the EU and are not transferred outside the region.

  • India Customers

    Customer Data for Customers located in India is stored exclusively in our India cloud centre. Data at rest and backup copies remain within India and are not transferred outside the region.

  • United States and All Other Customers

    Customer Data for Customers in the United States and in all other regions outside the EU and India is stored in our US cloud centre.

    • For healthcare providers in the United States, NeedStreet acts as a HIPAA Business Associate and enters into Business Associate Agreements (BAAs).
    • For Customers outside the US but hosted in the US cloud, HIPAA does not apply, but the same technical and organizational safeguards are applied.

  • Singapore Customers

    Customer Data for Customers located in Singapore is stored exclusively in our Singapore cloud centre. Data at rest and backup copies remain within Singapore and are not transferred outside the region.

  • Real-Time Video and Audio (WebRTC)

    Video consultations and other WebRTC-based communications may involve routing of encrypted media streams across relay servers located outside the Customer’s home region. This routing is determined dynamically by the WebRTC protocol for performance optimization and is not controlled by NeedStreet.

    • These transmissions are end-to-end encrypted, not stored, and inaccessible to NeedStreet or third parties.
    • They exist only for the duration of the session.

Data Security

NeedStreet is committed to protecting the confidentiality, integrity, and availability of Customer Data. We implement a comprehensive security program that combines technical safeguards, organizational controls, and independent oversight to reduce risks and meet international compliance standards. Our approach is designed to ensure that healthcare providers can rely on the ContinuousCare platform for secure delivery of patient services.

Key elements of our security program include:

  • Encryption: All Customer Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent industry standards). Real-time communications (WebRTC) are end-to-end encrypted and never stored.
  • Access Controls: Access is restricted through role-based permissions, unique credentials, and support for two-factor authentication. Automated protections include login anomaly detection, failed-login lockouts, and strict administrative access management.
  • Infrastructure: Services are hosted on Amazon Web Services (AWS), which provides globally recognized certifications including ISO 27001, SOC 2, HIPAA, and FedRAMP. This ensures physical and environmental security at the data-centre level.
  • Monitoring & Incident Response: The platform is continuously monitored for abnormal activity. Intrusion detection, logging, and automated alerts support early detection. NeedStreet maintains a documented Breach Management Policy overseen by our Data Protection Officer (dpo@continuouscare.io).
  • Availability & Backups: Redundant, encrypted backups are maintained with disaster recovery and business continuity plans in place. Services are architected for high availability and fault tolerance across multiple AWS availability zones.
  • Testing & Assurance: NeedStreet conducts regular vulnerability scanning, external penetration testing, and secure development practices aligned with OWASP standards. Identified risks are tracked to remediation under formal governance processes.
  • Privacy by Design: Data protection safeguards are embedded into the design and default configuration of our applications and infrastructure, ensuring that privacy and security considerations are addressed from the outset of product development.

Data Retention & Deletion

NeedStreet retains Customer Data only for as long as the Customer maintains an active subscription for their Virtual Practice on the ContinuousCare platform. Once a subscription ends—whether due to cancellation, non-renewal, or termination—Customer Data remains available for secure export for a grace period of 30 days (the “Retention Period”). Prior to and/or during the Retention Period, Customers may request and download their data using available export tools or through NeedStreet support.

After the Retention Period, NeedStreet will permanently delete Customer Data from active systems. Backup copies will be scheduled for deletion within 12 months, unless a longer period is legally required for NeedStreet’s own compliance obligations.

Customers are solely responsible for meeting any medical record retention requirements or other legal obligations applicable in their jurisdiction. NeedStreet has no direct relationship with Patient Users and cannot determine the length of time healthcare records must be retained under local law. Customers are expected to export and securely store any required data before their subscription expires.

If a Customer abandons their account and does not renew their subscription within the Retention Period, NeedStreet has no obligation to maintain, recover, or restore Customer Data. Requests to access or recover data after the Retention Period cannot be accommodated, unless otherwise agreed in a separate written contract (e.g., an enterprise data archival add-on).

Data Portability & Export

NeedStreet provides Customers with reasonable mechanisms to export their Customer Data. Customers may export individual patient data summaries in PDF format directly from the platform. For mass exports, data is generally provided in structured, machine-readable formats such as CSV or Excel.

Data exports are intended primarily for account termination, migration, or compliance purposes. NeedStreet does not support frequent or repeated export requests that are excessive, disruptive to service, or beyond what is necessary for lawful or contractual reasons. Departing Customers are reminded at the time of termination to export their data before the account closes. If a Customer does not complete their export during the account’s active period, NeedStreet will support a one-time secure export of remaining data upon request within the defined retention period. Exports are delivered through secure transfer mechanisms, and once made available, the security, storage, and further safeguarding of exported data becomes the sole responsibility of the Customer.

Certain subscription plans include access to an API that enables Customers to retrieve their data programmatically whenever they need to. API use is authenticated and controlled by the Customer. Data accessed or exported via API is governed by the same security safeguards as other processing, but once exported, the security, storage, and further use of the data becomes the sole responsibility of the Customer.

Rights of Individuals

  • EU / UK (GDPR): Access, rectification, erasure, restriction, objection, portability, withdraw consent (through Customer as Data Controller).
  • US (HIPAA): Access, amendment, accounting of disclosures (through Customer as Covered Entity).
  • India (DPDP Act): Access, correction, erasure, withdrawal of consent, grievance redressal (through Customer as Data Fiduciary).

Patient Users can securely access their data through the patient portal/mobile patient app of their healthcare provider’s Virtual Practice. Patients may request deletion of their accounts and data directly within the app or portal. The Virtual Practice web and mobile apps comply with App Store compliance requirements for user account deletion requests from patients. It is the responsibility of the Customer to process such requests using the Delete Patient option in the Virtual Practice, to ensure their regulatory compliance.

Children’s Data

  • Minimum age: 18 years
  • Parental/guardian consent must be verified before processing minors’ data.
  • Customers are responsible for obtaining and managing such consent.

Cookies & Tracking

  • Marketing Website (e.g., www.continuouscare.io): Our marketing website uses cookies for analytics and improvement of our web presence. A cookie banner/consent mechanism is provided for EU/UK/India visitors in compliance with applicable laws.
  • Virtual Practice Patient Portals: A cookie consent mechanism is built into the patient portal websites of each Virtual Practice. Only the minimum cookies required for the functioning of the portal are used.
  • Web Applications (Team/Provider Interfaces): Within our Virtual Practice web applications used by Customers and Team Users, only essential functional cookies are set. These are used to:
    • Save user preferences,
    • Preserve session settings,
    • Support secure authentication and re-authentication of frequently used services.

    The only third-party cookies used are AWS load balancer cookies, required for reliable operation of our cloud-based application. These cookies expire after one week.

    The first-party cookies used by the application are strictly for security and authentication:

    • A session cookie that expires at logout/timeout,
    • A persistent cookie with a one-year lifespan for secure re-authentication.

Controls: You may use browser settings to disable cookies when using our services; however, this may result in reduced functionality or certain features not working as intended.

Data Breach Handling

Data breach handling is governed by NeedStreet’s Breach Management Policy. Customers will be notified without undue delay and NeedStreet will assist Customers in identifying affected individuals.

Regulatory notifications: NeedStreet will notify Customers without undue delay of any actual or suspected breach of Customer Data. NeedStreet will provide information necessary to support Customers in meeting their regulatory obligations, including notifications to supervisory authorities, regulators, or affected individuals. Regulatory notifications to authorities remain the sole responsibility of the Customer, as Data Controller / Data Fiduciary / Covered Entity.

Where a breach arises from Customer negligence (e.g., sharing credentials, failure to implement MFA, etc.), Customers remain fully responsible for compliance with applicable breach notification requirements.

Third-Party Links & Services

Customers may integrate third-party services (e.g., payment gateways, SMS/messaging gateways, support chat) into their Virtual Practice. Customers white-labelling the mobile app interfaces of their Virtual Practice will publish these applications in their own app store accounts with Google and Apple. Customers are solely responsible for the setup, maintenance, and life-cycle management of these third-party accounts. NeedStreet is not responsible for external websites, services, or their privacy practices.

Changes to this Policy

For material changes, NeedStreet will provide at least 30 days’ advance notice via email or in-app notifications, including a summary of changes.

Contact & Grievance Redressal

Contact: support@continuouscare.io

Data Protection Officer: dpo@continuouscare.io