Privacy Policy

1. PREAMBLE & LEGAL AFFIRMATION

This Privacy Policy (“Policy”) is published in accordance with:

▶ Section 43A of the Information Technology Act, 2000;

▶ Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”);

▶ Regulation 3(1) of the Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021;

▶ The Consumer Protection (E-Commerce) Rules, 2020;

▶ Any other applicable Indian laws on data protection;

▶ [Optional – if GDPR-aligned] Articles 5, 6, 13 and 14 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) where applicable.

This Policy governs the access to and use of personal and sensitive personal information by M/s. VHC INTERNATIONAL PRIVATE LIMITED, having its registered office at 81B, Tower A, 2nd Floor, Prince Info Park, 2nd Main Road, Ambattur Industrial Estate, Chennai – 600058, through its wellness technology platform “TRICHELLA”, accessible via www.trichella.com and its associated mobile application (“Platform”).

By accessing or using the Platform, submitting your information, or availing services provided through the Platform (collectively, “Services”), you confirm that you are competent to contract under Indian law, and expressly consent to the collection, processing, transfer, storage, and disclosure of your personal information in accordance with this Policy.

2. DEFINITIONS

For the purposes of this Policy:

▶ “Personal Information” shall mean any information that relates to an identified or identifiable natural person and includes but is not limited to name, contact details, gender, date of birth, location, or online identifiers.

▶ “Sensitive Personal Information” (SPI) shall include, without limitation, health records, biometric data, medical history, and financial information such as bank account or card details.

▶ “Data Subject” means any natural person whose data is collected, stored, or processed by us.

▶ “Processing” means any operation performed on data, whether by automated or manual means, including collection, recording, structuring, storage, adaptation, alteration, retrieval, use, transmission, or erasure.

▶ “Applicable Law” includes all data protection, privacy, and cyber security laws in force in India, and wherever applicable, international norms to which we voluntarily adhere.

3. SCOPE AND APPLICABILITY

This Policy applies to:

▶ All users (past, present, or prospective) who access or use the Platform;

▶ All personal and sensitive personal information submitted to, collected by, or processed by the Company;

▶ All modes of data capture, including forms, calls, chat, payment gateways, AI assistants, customer support, and cookies;

▶ All Company employees, affiliates, consultants, vendors, and service providers having access to user data.

This Policy does not apply to information collected by third-party platforms or services which may be accessed through our Platform via hyperlinks or integrations, or to any aggregated, anonymized, or publicly available data.

4. GROUNDS OF DATA COLLECTION

We collect data under the following lawful bases:

▶ Performance of a contract: Where processing is necessary to deliver wellness, diagnostic, or other services as contracted by the User.

▶ Consent: Where the User voluntarily provides data and consents to processing for defined purposes.

▶ Legitimate interest: Where processing is required for fraud prevention, system security, or analytics, without overriding user rights.

▶ Legal obligation: Where we are mandated by law to maintain records, submit disclosures, or retain transaction history.

Consent, where taken, is specific, informed, and revocable, unless otherwise required by law.

5. CATEGORIES OF DATA COLLECTED

The Company may collect and process the following types of data:

(a) Personal Information

▶ Full name, gender, date of birth

▶ Mobile number, email ID, residential address

▶ Government-issued identification (PAN, Aadhaar, etc.)

▶ Photograph or facial scan (if provided)

(b) Sensitive Personal Information

▶ Scalp condition reports, symptoms, uploaded images

▶ Clinical intake forms, diagnosis inputs

▶ Medical history, allergies, and treatments sought

▶ Payment and billing details (UPI ID, masked card info)

(c) Technical & Behavioral Data

▶ IP address, device ID, browser metadata

▶ Location and time zone data

▶ App usage logs and clickstream behavior

▶ Audio/video calls with consultants (if recorded with consent)

(d) Third-Party Data

▶ Information shared via WhatsApp, Instagram, or social sign-ins

▶ Lead source from ad networks (Google Ads, Meta, etc.)

▶ Referrals or testimonials shared by other clients

Note: Failure to provide mandatory fields (as marked) may result in denial of service or inability to fulfill a transaction.

6. PURPOSE OF COLLECTION AND USAGE OF INFORMATION

Your information may be collected, stored, and used for the following specific, legitimate, and lawful purposes:

▶ Clinical Evaluation: To analyze hair/scalp conditions and recommend appropriate treatments or regimens;

▶ Appointment Scheduling & Follow-ups: To book sessions with in-house or affiliated practitioners and remind users of clinical protocols;

▶ Product Purchases: To enable purchase, delivery, and follow-up on prescribed home-care kits or wellness products;

▶ User Support & Dispute Resolution: To respond to queries, complaints, or service-related issues and ensure proper grievance redressal;

▶ Internal R&D and Algorithmic Improvements: To refine AI diagnostic tools, improve clinical accuracy, and enhance platform features;

▶ Regulatory or Legal Compliance: To fulfil obligations under applicable laws, court orders, or statutory directions;

▶ Marketing & Engagement (only with consent): To send wellness updates, offers, newsletters, or satisfaction surveys via SMS, email, or WhatsApp;

▶ System Diagnostics & Security: To detect, prevent, and address fraud, abuse, or security breaches on the Platform.

Your data shall not be used in a manner incompatible with these purposes without obtaining your fresh consent or legal basis.

7. AUTOMATED PROCESSING, AI, AND PROFILING

The Platform uses AI-powered tools to assist in analysis, recommendations, and personalisation of care.

▶ Any automated profiling (e.g., scalp type detection, product recommendations) is performed under human oversight;

▶ We do not deploy AI tools for final clinical diagnosis without human validation;

▶ Where algorithmic tools are used to generate client reports or care protocols, you may request an explanation or manual review of such outcomes;

▶ AI-based decisions are never used to deny access to essential services, treatments, or benefits.

GDPR Alignment: Pursuant to Article 22 of the GDPR, no user shall be subject to a decision based solely on automated processing which produces legal or similarly significant effects unless you provide explicit consent or such processing is contractually required.

8. MARKETING, OUTREACH, AND PROMOTIONAL COMMUNICATIONS

We may send you marketing and promotional content only:

▶ With your prior opt-in consent;

▶ Based on your preferences or selected categories;

▶ Via permitted channels (SMS, email, push notifications, WhatsApp).

You may opt out of, or withdraw consent to, such communications at any time using:

▶ The “unsubscribe” link in emails;

▶ A designated STOP keyword on SMS/WhatsApp;

▶ By contacting our Data Protection Officer at grievance@trichella.com.

We do not sell or commercially rent your personal information to third parties for marketing purposes.

10. RETENTION AND STORAGE OF DATA

We retain your personal and sensitive personal data:

▶ For as long as necessary to fulfill the purpose of collection;

▶ As per applicable Indian law on clinical records (e.g., 3 years under Clinical Establishments Act guidelines);

▶ For legal, audit, or regulatory purposes even after cessation of service, subject to data minimization.

Post-retention, your data is:

▶ Permanently deleted using secure erasure techniques; or

▶ Anonymised for statistical or research use without re-identification.

Your records shall not be retained indefinitely unless:

▶ You are a recurring subscriber;

▶ A specific legal or tax obligation exists; or

▶ There is an unresolved grievance or dispute.

11. USER RIGHTS AND DATA SUBJECT ENTITLEMENTS

We recognize the rights of all individuals whose personal data is collected, held, or processed on our Platform. Subject to verification of identity and applicable laws, you have the following enforceable rights:

▶ Right to Access: To obtain a copy of your personal information in a readable format;

▶ Right to Rectification: To correct inaccurate or incomplete data;

▶ Right to Erasure (“Right to be Forgotten”): To request deletion of data no longer necessary for the purpose collected;

▶ Right to Restrict Processing: To limit usage of your data under certain conditions (e.g., pending dispute resolution);

▶ Right to Data Portability: To receive your data in a structured, machine-readable format and request its transmission to another service provider;

▶ Right to Withdraw Consent: Any consent given may be withdrawn without affecting past lawful processing;

▶ Right to Object: You may object to direct marketing or automated profiling at any time.

To invoke any of these rights, please email a signed request to grievance@trichella.com with government-issued identity proof. We shall acknowledge within 48 hours and process within 15 business days.

12. COOKIES, PERMISSIONS, AND DEVICE IDENTIFIERS

When you access the Platform, we may use standard technologies, including cookies, local storage, and device identifiers to enhance user experience and improve system performance.

▶ Cookies may store session tokens, UI preferences, or language settings;

▶ Device Permissions: You may be prompted to allow access to:

○ Camera (for scalp images);
○ Gallery (to upload health documents);
○ Location (to suggest nearest clinics);
○ Microphone (for in-app audio consultations);

▶ Analytics Tools: We may use Google Analytics, Meta Pixel, or similar tools solely for internal analysis. You may disable cookies or revoke device permissions through your browser or OS settings, but this may limit platform functionality.

We do not use third-party advertising trackers or hidden scripts that record user activity beyond the scope of service.

13. DATA SECURITY MEASURES

We employ industry-standard technical, operational, and administrative safeguards to protect your personal data against loss, misuse, unauthorized access, disclosure, alteration, and destruction.

These include:

▶ End-to-end encryption of health data;

▶ Multi-factor authentication (MFA) for admin access;

▶ Firewalled storage systems and periodic penetration testing;

▶ Role-based access protocols with audit trails;

▶ Regular employee training on confidentiality and security norms.

In case of any suspected or actual data breach, you will be notified within 72 hours, along with details of compromised data, remedial steps taken, and your available legal remedies.

We periodically update our security framework in accordance with ISO 27001, NIST, and applicable Indian cyber security directives.

14. CHILDREN’S PRIVACY

The Platform is not intended for use by individuals under the age of 18 years, unless:

▶ The treatment relates to a minor and is expressly consented to by a parent or legal guardian;

▶ A formal declaration is obtained, and the identity of the guardian is verified.

We do not knowingly solicit or collect data from minors without guardian verification. If you believe that a child’s information has been processed in violation of this clause, please write to grievance@trichella.com, and we will delete such records upon verification.

15. DATA PROTECTION OFFICER (DPO) & REDRESSAL MECHANISM

In compliance with Indian and international privacy frameworks, we have appointed a Data Protection Officer (DPO) to ensure:

▶ Continuous monitoring of compliance with data laws;

▶ Grievance redressal for users within specified timelines;

▶ Coordination with law enforcement and regulators.

Grievance Officer & DPO:

Mr. Kumar
VHC International Pvt Ltd Door No 191/ 4 5 17 18 1st Floor, Indlabele Village, Attibele, Bengaluru Urban, Karnataka - 562107, India
📩 Email: kumar@trichella.com
📞 Tel: +91 9944525656
🕒 Hours: Mon–Sat, 10:00 AM to 6:00 PM IST

Complaints will be acknowledged within 48 hours and resolved within 15 business days, as per Rule 5(9) of the SPDI Rules and Rule 3(2) of the Intermediaries Guidelines, 2021.

16. POLICY UPDATES AND MODIFICATIONS

We reserve the unilateral right to modify, amend, or update this Privacy Policy, in full or part, at any time, without prior individual notice, unless legally mandated. Any changes shall be published prominently on the Platform, and the "Effective Date" at the top of this Policy shall be updated accordingly.

You are advised to review this Privacy Policy periodically. Your continued use of the Platform or Services post any such updates shall be deemed to constitute your binding acceptance of the revised Policy. If you do not agree with the modifications, you are advised to discontinue use and raise an objection, if any, within seven (7) days of publication of the change. We may, at our discretion, notify users by email or in-app notification where feasible.

17. JURISDICTION, GOVERNING LAW, AND DISPUTE RESOLUTION

This Privacy Policy shall be governed by and construed in accordance with the laws of India, including but not limited to the Information Technology Act, 2000, the Indian Contract Act, 1872, and any allied Rules and regulations in force.

▶ Any dispute, controversy, or claim arising out of or relating to this Policy shall be exclusively subject to the jurisdiction of competent courts at Chennai, Tamil Nadu, to the exclusion of all other courts or forums;

▶ All disputes shall be subject to prior resolution by the Company’s internal Grievance Officer within a maximum of 15 working days;

▶ In case of failure of such resolution, Parties may refer the matter to arbitration under the Arbitration and Conciliation Act, 1996, with a sole arbitrator appointed by the Company. The seat and venue of arbitration shall be Chennai.

18. INTERPRETATION, SEVERABILITY, AND TRANSLATIONS

Interpretation: All headings are for ease of reference only and shall not affect the construction or interpretation of the underlying clauses;

Severability: If any provision of this Privacy Policy is held to be invalid, unlawful, or unenforceable under applicable law, such provision shall be severed, and the remainder shall continue in full force and effect;

Language and Translation: This Policy is published in English. Where translations exist, the English version shall prevail in the event of any inconsistency or interpretative conflict.