How ORA Skin, Hair & Aesthetics collects, uses, protects and respects your personal information — in full compliance with India's Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025.
ORA Skin, Hair & Aesthetics (trading name; hereinafter "ORA", "we", "us", or "our") is a dermatology and aesthetic clinic located at Avalon Court, 3rd Floor, Camelot Layout, Botanical Garden Road, Kondapur, Hyderabad, Telangana — 500084. Our website is accessible at oraskinclinics.com.
As a healthcare provider, we are deeply committed to protecting the privacy, confidentiality and security of all personal information shared with us — including health-related information. We are a Data Fiduciary under India's Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"), and we process your data in accordance with these laws and all applicable regulations.
This Privacy Policy applies to: (a) visitors and users of oraskinclinics.com; (b) individuals who submit enquiries, book appointments, or contact us through our website, WhatsApp, phone or in person; (c) existing and former clients of ORA Skin, Hair & Aesthetics.
This Privacy Policy should be read alongside our Terms & Conditions. Together, these documents form the complete agreement governing your use of ORA's services and website. For any privacy-related concerns, contact us at dm@oraskinclinics.com.
We collect only the data that is necessary for the specific purpose for which it is collected (the principle of data minimisation under DPDP Act, 2023 Section 4). We collect data through our website forms, WhatsApp, phone calls, and during in-person visits.
| Category | Data Collected | How Collected |
|---|---|---|
| Identity Data | Full name, gender (optional) | Appointment booking form, in-person registration |
| Contact Data | Mobile number, email address (optional), city / area of residence | Website form, WhatsApp, phone, in-person |
| Health & Treatment Data | Nature of skin or hair concern selected at enquiry, treatment history at ORA, medical history relevant to treatment, prescription records, consultation notes | Enquiry form (treatment selection), in-clinic consultation, doctor assessments |
| Communication Data | WhatsApp messages, call records (summary only), email correspondence | Direct communication with ORA |
| Usage Data | Pages visited on oraskinclinics.com, browser type, IP address (anonymised), session duration | Google Analytics 4 (anonymised — no personal data collected) |
| Marketing Data | Whether you opted into promotional communications, source of your referral (e.g., Google, Instagram) | Website forms, verbal consent at clinic |
What we do NOT collect: We do not collect Aadhaar number, PAN, financial/bank account details, passwords, or any biometric data through our website or as part of standard clinic procedures. We do not collect information from individuals under 18 years of age without explicit parental consent.
Under the DPDP Act, 2023, we must have a lawful purpose for processing your data. We use your personal data only for the following clearly stated purposes:
We will not use your data for any purpose other than those listed above without notifying you and, where required, seeking your fresh consent.
Under the DPDP Act, 2023, all data processing requires a valid lawful basis. ORA processes your data on the following bases:
We do not sell, rent or trade your personal data to any third party. Ever. Your health information is treated with the same confidentiality as any medical record.
We may share your data in limited circumstances, only as described below:
All health-related information you share with ORA Skin, Hair & Aesthetics — including your skin and hair concerns, treatment preferences, medical history, and consultation notes — is treated as confidential medical information. This is consistent with the ethical obligations of our board-certified dermatologists under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002.
Patient Medical Confidentiality Commitment: ORA's doctors and staff will not disclose your health information, treatment history or consultation details to any person outside your direct care team without your explicit written consent — except as required by law (e.g. court order, notifiable disease report, or public health emergency). This commitment applies during and after your treatment relationship with ORA.
Treatment photographs or results, if taken with your consent, are stored securely and will not be shared publicly, used in marketing, or posted on social media without your separate written consent specifically for that purpose.
If ORA wishes to use your testimonial, review text, or before/after photographs in marketing materials — on the website, social media, advertisements or any other channel — we will:
We retain your personal data only for as long as necessary for the stated purpose. Under the DPDP Act, 2023, personal data must not be retained beyond what is required.
| Data Type | Retention Period | Reason |
|---|---|---|
| Appointment and enquiry records | 3 years from last appointment | Ongoing client relationship management |
| Clinical treatment records, prescriptions, consultation notes | 7 years from last treatment | Medical record-keeping obligations; Indian Medical Council guidelines recommend minimum 3 years; we retain 7 years to comply with consumer and contract law timelines |
| Before/after photographs (with consent) | Duration of consent or 5 years, whichever is earlier | Medical documentation; marketing if consented |
| Marketing communications consent records | Until consent is withdrawn + 1 year | Proof of consent compliance |
| Website analytics data (anonymised) | 26 months (Google Analytics default) | Website improvement; cannot identify individuals |
| WhatsApp and email enquiries | 2 years from last communication | Reference for relationship continuity |
When data reaches the end of its retention period or the purpose of processing is no longer valid, we will securely delete or anonymise it.
Under the DPDP Act, 2023 and DPDP Rules, 2025, you have the following rights as a Data Principal (the individual whose data is being processed). These rights are free to exercise. Contact us at dm@oraskinclinics.com to exercise any of these rights. We will respond within 30 days of receiving your request.
We implement reasonable technical and organisational measures to protect your personal data from unauthorised access, loss, misuse, or disclosure, as required under the DPDP Act, 2023 and DPDP Rules, 2025 (Rule 6 — Reasonable Safeguards).
While we take all reasonable precautions, no data transmission over the internet or electronic storage system can be guaranteed as completely secure. We strongly advise against sharing sensitive medical information via public platforms.
Our website uses the following cookies and tracking technologies:
| Technology | Purpose | Personal Data? |
|---|---|---|
| Google Analytics 4 | Website usage analytics — pages visited, session duration, device type. IP anonymisation is enabled. | No — anonymised only |
| Google Ads Conversion Tag | Tracking whether a user submitted an enquiry form after clicking an ad. Non-health event signals only. | No health data. Anonymised conversion event only. |
| Meta Pixel | Tracking whether a user submitted a form (Lead event). Configured in Limited Data Use mode. No treatment type or health signals transmitted. | No health data. Anonymous Lead event only. |
| Session / Functional Cookies | Essential for website functionality — maintaining your session, form state. | Session-only. Deleted when browser is closed. |
You may disable non-essential cookies by adjusting your browser settings. This may affect some website functionality. We do not use cookies to target healthcare-related advertisements or to infer health conditions. Our advertising cookies transmit only anonymised, non-health signals to comply with Google and Meta healthcare advertising policies.
Our website and services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18 through our website.
Where a minor (below 18 years) is brought to ORA for treatment, we require explicit consent from a parent or legal guardian before collecting any personal or health data relating to that minor. The parent or guardian's data is used to manage the relationship. This is consistent with the DPDP Act, 2023 provisions on children's data, which require verifiable parental or guardian consent.
We review and update this Privacy Policy at least annually, or sooner when there are changes in applicable law (including DPDP Act / Rules updates), changes in our data processing practices, or following a data protection review. All updates are effective immediately upon posting to this page.
The "Last updated" date at the top of this page indicates when this policy was most recently revised. We recommend reviewing this page periodically. Material changes will be communicated via a notice on our website or via direct contact with known clients.
For any privacy-related questions, requests to exercise your rights, or concerns about our data practices, please contact us using the details below. We will respond within 30 days of receiving your request.
This Privacy Policy is governed by the laws of India. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts in Hyderabad, Telangana, India.