SecondDoctorOpinion.com ("we", "us", "our") is committed to protecting the privacy and security of your personal and health information. This policy explains how we collect, use, store, and share your information in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act, India) and applicable medical confidentiality standards.
1. Information We Collect
Account Information
- Name, email, mobile number, password (hashed using bcrypt)
- For doctors: medical qualifications, Medical Council registration number, years of experience, hospital affiliation
Medical Information
- Symptoms, current diagnosis, medical history, medications, allergies
- Medical records you upload: PDF reports, scans (JPG, PNG, DICOM), lab reports
- Specialty preference and tier selected
Payment Information
- We do not store your card or UPI credentials.
- All card payments are processed by Stripe (PCI-DSS compliant). We only retain transaction reference IDs and amount paid.
2. How We Use Your Information
- To match your case with an appropriate specialist by specialty
- To enable the assigned specialist to review your records and provide an opinion
- To send case status updates and the final opinion report
- To process payments and issue receipts
- To generate AI-assisted preliminary analyses (using Anthropic Claude Sonnet 4.5) which are then verified by a human specialist
- To improve platform safety, prevent fraud, and comply with legal obligations
3. Who Has Access to Your Information
- The specialist assigned to your case
- Authorized administrative staff for case routing and customer support
- Our infrastructure providers (Stripe for payments, Anthropic for AI inference, object storage for medical files) under appropriate data processing agreements
- We will never share your records with your primary doctor unless you explicitly request it.
- We do not sell your data to third parties for advertising or any other purpose.
4. Data Security
- All data transmitted to and from our servers is encrypted using HTTPS/TLS.
- Passwords are stored only as bcrypt hashes — never in plain text.
- Medical files are stored in encrypted object storage with role-based access controls.
- Authentication uses short-lived JWT access tokens held in httpOnly cookies, which page scripts cannot read, to prevent XSS-based token theft.
- Access to your records is logged for audit purposes.
5. Your Rights (DPDP Act)
- Right to access: Request a copy of the personal data we hold about you
- Right to correction: Update inaccurate information
- Right to erasure: Request deletion of your account and associated data (subject to legal retention requirements)
- Right to grievance redressal: Submit a complaint via our Grievance Redressal page
- Right to nominate: Nominate another individual to exercise your rights in case of incapacity
Email privacy@seconddoctoropinion.com to exercise any of these rights. We will respond within 7 business days.
6. Data Retention
We retain your medical records for at least 7 years from the date of consultation to comply with Indian medical record retention standards. After this period, you may request deletion. Payment records are retained as required by applicable financial regulations.
7. Cookies
We use only essential cookies required for authentication (httpOnly access and refresh tokens). We do not use third-party advertising cookies or analytics that track you across other websites.
8. Children
Our service is intended for users 18 years and older. For consultations involving minors, the case must be submitted by a parent or legal guardian on the minor's behalf, with full legal responsibility assumed by the guardian.
9. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email and a notice on this page at least 7 days before they take effect.
Questions about this page? Email support@seconddoctoropinion.com or WhatsApp +91 88408 04798.