Effective Date: 23 May 2026
Last Updated: 23 May 2026
Platform: BondMedic (operated by Reighway Consulting Private Limited)
CIN: U70200MP2025PTC080788
Registered Address: Plot No. A-480, Sector A, Shahpura, 1100 Quarters, Bhopal, Madhya Pradesh, India – 462016
Legal Contact: legal@bondmedic.com
Data Protection Officer: dpo@bondmedic.com
Grievance Officer: grievance@bondmedic.com
Governing Law: Laws of the Republic of India
Jurisdiction: Courts of Bhopal, Madhya Pradesh, India
Scope and overview
This Privacy Policy is issued by Reighway Consulting Private Limited (hereinafter “Company”, “Bondmedic”, “we”, “us”, “our”), a company registered under the Companies Act 2013, having its registered office at Plot No. A480, Sector A, Shahpura, 1100 Quarters, Bhopal, Madhya Pradesh, India, 462016 and the owner and operator of the Bondmedic platform.
This policy describes the manner in which the Company collects, uses, stores, discloses, transfers and protects certain information including personal data of individuals who use our platform to obtain our services (hereinafter “User”, “you”, “your”). Users are encouraged to read this Policy carefully before using the platform or submitting any personal information.
Bondmedic is a healthcare and wellness service platform, operated by the Company through an authorised website (www.Bondmedic.com). The platform enables Users to avail telemedicine and telehealth services through the team of our empanelled UK consultants and empanelled Indian RMPs, under the clinical lead and supervision of an empanelled Indian Registered Medical Practitioner ("RMP").
Presently, the users of Bondmedic can avail advisory review, chronic care management and care coordination services as a part of our telehealth services. These services are delivered by way of telehealth consultation and constitute a health information and educational review service. These services are strictly advisory in nature and do not constitute or substitute a clinical medical consultation, diagnosis, or treatment. The relevance, quality, and accuracy of any advisory opinion rendered through the platform is contingent upon the completeness and accuracy of the information submitted by the User. These services do not replace the independent clinical judgment of the User's treating physician and are not intended for use in emergency medical situations.
For all purposes under applicable laws in India and the UK, including data protection laws, the Company shall act as the Data Fiduciary and Data Controller, as the case may be, in respect of all personal data and sensitive personal data — including health and medical records — collected, stored, processed, or transferred through the Bondmedic platform.
The Company processes sensitive personal and health data only with the user’s free, informed and specific consent and in compliance with the applicable Indian and UK data protection laws for the purposes of facilitating appropriate advisory, secure communication and continuity of care.
This Privacy Policy forms an integral part of our Terms and Conditions and is applicable to all interactions with Bondmedic, whether through our website, mobile application, electronic mail, or any other digital communication channel facilitated by the Company. This policy sets out, in clear and transparent terms, the types of information we collect, the purposes for which we process that data, the legal bases for processing, the measures implemented to protect and store data, the circumstances in which we may share, disclose or transfer data, and the rights available to the user and mechanisms to exercise such rights. This privacy policy is governed by all the applicable laws, rules, regulations and guidelines of India and the UK, as amended from time to time.
1. Key Definitions
For the purposes of this Privacy Policy, the following terms have the meanings set out below. Any term not defined here shall be interpreted in accordance with the applicable laws.
- Advisory Service: Advisory Service shall mean and include health information and advisory review service. A User's medical records and history are reviewed by qualified medical professionals and an informational Advisory Opinion is prepared. This service does not constitute Telemedicine, does not involve clinical diagnosis or treatment, and does not result in a prescription. It is a second advisory opinion and health information service only.
- Empanelled UK Consultants: A qualified UK-based General Medical Council (GMC) registered medical professional, who has been formally engaged by or through the Company to provide peer opinion services to the RMPs on the Platform under applicable contractual and professional obligations.
- Personal Data: Personal data shall mean and include any information relating to an identified or identifiable natural person, including information that, alone or in combination with other information, can identify an individual.
- Registered Medical Practitioner (RMP): As per the definition laid down under the National Medical Commission Registered Medical Practitioner (Professional Conduct) Regulations, 2022, a Registered Medical Practitioner or RMP means a person whose name is either in the State Medical Register or the Indian Medical Register or the National Medical Register unless otherwise specified.
- Special Category Data / Sensitive Personal Data or Information (SPDI): Any personal data revealing physical or mental health status, medical records, biometric identifiers, genetic data, mental health information, or other categories treated as sensitive under applicable law (including UK GDPR and the SPDI Rules).
- Telehealth: Telehealth shall mean and include the delivery and facilitation of health and health-related services including medical care, provider and patient education, health information services, and self-care via telecommunications and digital communication technologies.
- Telemedicine: Telemedicine shall mean and include the delivery of health-care services, where distance is a critical factor, by all health-care professionals using information and communications technologies for the exchange of valid information for diagnosis, treatment and prevention of disease and injuries, research and evaluation, and the continuing education of health-care workers, with the aim of advancing the health of individuals and communities.
2. Categories of Personal Data Collected
We only collect information that is absolutely necessary for our services. We collect the following categories of data:
- Identification: This includes name, date of birth, contact details, email id, government identifiers (if provided) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Health and clinical data: This includes medical history relating to physical or mental health, diagnostic reports, prescriptions, consultation notes, images and lab results, or any information including the provision of health care services.
- Communication data: This includes video consultations, audio recordings, and chat transcripts generated during the course of your consultation.
- Biometric data: This includes any biometric data where required for authentication under the ABDM system in India or secure login.
- Technical data: This data may include IP address, device identifiers, logs, cookies, domain servers and other information associated with the interaction of the User's browser and the website.
3. Consent
Given the nature of personal and health information we collect and process, we rely on your consent as the primary lawful basis for processing, and the form of consent will differ according to the category of data involved.
a. Implied consent for technical data:
By accessing or using our website, you accept and provide implied consent to the collection and processing of technical and non-sensitive data necessary for the operation of the platform (for example, IP address, device identifiers, cookies and usage logs). We process this technical data based on our legitimate interest in maintaining a secure and functional platform.
b. Explicit consent for personal and special category data:
We will obtain your explicit and informed consent before collecting, processing or transferring any personal data that is sensitive or special category (including health records, medical history, biometric data, and other SPDI). Upon your explicit consent, we may request and collect sensitive personal information—including medical records, diagnostic results, and treatment histories—directly from you or your third-party healthcare providers (such as your local treating physician or specialist) to provide you with a seamless and comprehensive service. Explicit consent is obtained through clear affirmative action by ticking a consent box and signing an electronic consent form, and will be recorded and retained by us in a secure manner.
- You are under no legal obligation to provide consent. If you choose not to provide the explicit consent required for processing special category data, we will be unable to provide any services through our website.
- Withdrawal of consent: You may withdraw your explicit consent at any time by using the withdrawal mechanism available on the website or by contacting our Data Protection Officer. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal; however, withdrawal may limit or prevent our ability to continue providing certain services. At the time you withdraw consent we will explain the practical consequences of withdrawal, including any impact on your ongoing care and any legal or clinical obligations that require us to retain certain records.
- Recording and verification: All consents and withdrawals will be recorded electronically with a timestamp and retained in accordance with our retention policy.
4. Purpose and Use of Personal Data
Primary purpose:
As a part of our contractual obligations, we primarily process your personal sensitive data including medical records and related health information for the following purposes:
(a) Clinical Review and Peer Advisory
Your personal and health data is processed to enable the Company's empanelled Registered Medical Practitioner ("RMP") to undertake a structured review of your medical case. Following such review, the RMP may, where clinically appropriate, seek a peer advisory opinion on your medical condition from the Company's empanelled team of UK consultants. The RMP thereafter consolidates and reviews the peer opinion received and communicates a final advisory opinion to you through a secure, documented, and auditable communication channel.
(b) Continuity of Care
Communication data generated through your interactions with the platform — including consultation records, correspondence, and care coordination notes — is processed and retained to support the continuity of your care, to facilitate appropriate follow-up, and to maintain an accurate record of the advisory services rendered to you.
(c) Service Enhancement and Quality Improvement
With a view to improving the quality, safety, and effectiveness of the Services, the Company may also process and analyse communication and interaction data collected through the Website in an aggregated or de-identified form, to assess service delivery standards, identify areas for improvement, and inform the strategic development of the platform. No identifiable personal data shall be used for this purpose without a separate, specific legal basis or your explicit consent, as applicable.
- Administrative and operational purpose: We process identification data to create and manage your account, to manage and process all kinds of financial transactions with our Users, to manage further consultations, to share updates and to receive feedback from our Users.
- Legal compliance and security: We process and retain your personal data to meet legal, regulatory and professional obligations. The legal and statutory obligations include any mandatory disclosure made before regulators, courts, or law enforcement when required under applicable laws ensuring compliance with lawful obligations. These include but are not restricted to any access, use, transfer or disclosure made under legal and statutory obligation to protect or defend this policy; to protect the rights and property of our Users; and to detect, prevent, stop or investigate any fraud, abuse or unethical access or misuse of the Users' personal data.
- Quality assurance and improvement: We use your clinical records and consultation notes, kept confidential and anonymised where possible, to monitor and improve quality, support peer review and training, investigate complaints or adverse events, and analyse de-identified data to enhance diagnosis, services and patient outcomes.
- Research, analytics and platform improvement: We may use de-identified or aggregated data for legitimate research, public-health analysis, planning and strategic development of our services, and improvement of platform performance; any use of identifiable health data for research will require your explicit consent or another lawful basis and will be subject to ethical and governance review.
5. Data Storage, Retention and Erasure
- Retention principles: We retain personal data only as long as necessary for the purposes for which it was collected, to meet legal, regulatory or clinical record-keeping obligations, or to resolve disputes.
- Typical retention periods: Clinical records will be retained in accordance with the ABDM framework, applicable Indian laws, rules, and regulations, as well as relevant UK medical record retention requirements. Personal data, medical data and consent records shall be retained for a minimum of 3 years from the date of your last service, while system and security logs shall be retained for a minimum of 1 year.
- Secure deletion and anonymisation: At the end of the retention period, data will be securely deleted, destroyed or irreversibly anonymised. Anonymised data may be used for research or service improvement without further consent, where permitted by law.
6. Cross-border transfers of data and safeguards
In light of the nature of our services, we transfer your personal data to our empanelled UK consultants to provide a peer opinion to our RMP on your medical condition as a part of our primary services, and to authorised third parties for secure storage and processing of your data. This shall be done in compliance with the applicable laws in both jurisdictions, ensuring that apt safeguards and measures apply to the data being transferred. These include but are not restricted to:
- Legal mechanisms: The transfer of data shall be based on approved legally recognized mechanisms including adequacy decision or Standard Contractual Clauses (SCCs). Where SCCs are used, we conduct a Transfer Risk Assessment (TRA) before transfers to ensure sufficient and effective protection of your data.
- Contractual and organizational safeguards: We share your data with our staff as well as third party service providers under strict Data Processing Agreements and SCCs, which include confidentiality, role-based access, flowdown obligations, audit and inspection rights, vendor risk assessment, and provision for a Cyber Incident Response Plan (IRP) and Cyber Risk Insurance. We also ensure periodical internal staff training and regular security testing and audits. We also conduct DPIAs prior to commencing new high-risk processing activities, and these shall be reviewed annually, in compliance with the applicable laws.
- Technical safeguards: We implement appropriate technical measures to protect and ensure secure data transfer, including data encryption (AES-256, TLS 1.2+); role-based access control; Multi-Factor Authentication (MFA); Single Sign-On (SSO); full-disk encryption on all company-managed devices; firewalls, VPN with MFA, DNS filtering, and network segmentation; antivirus, anti-malware, and Endpoint Detection and Response (EDR) solutions; secure storage of cloud credentials and API keys in approved secure vaults; regular data back-up in alignment with Recovery Point Objectives (RPO); SIEM monitoring and breach notification.
- Supplementary measures: Where legal risk is identified, we implement additional technical or contractual measures like explicit risk disclosures, encryption with keys retained in India, anonymisation, restricted access windows, etc.
7. Data Sharing and Disclosure
We do not share or sell your data. We only share personal data with specific categories of recipients under strict contractual safeguards only after your consent:
- Empanelled UK Consultants: Authorised and empanelled consultants providing requested peer-to-peer medical advice to our empanelled RMPs.
- Treating Clinicians: Your local healthcare providers, solely with your consent for continuity of care.
- Subprocessors: Vetted IT, cloud hosting, and secure payment vendors acting under our direct instructions.
- Legal Authorities: Regulators, courts, or law enforcement only when legally compelled or to protect vital human interests.
8. Limitation of Liability and Clinical Responsibility
- The services and advisory opinions provided by our empanelled RMP’s clinicians are strictly advisory in nature and are solely based on medical records provided by the User and collected with the explicit consent of the User. They do not replace a physical examination or a primary diagnosis.
- The advisory opinion provided by our empanelled UK consultants to our empanelled Indian RMPs strictly arises from a professional peer-to-peer discussion. This in no situation establishes a doctor-patient relationship between you and our empanelled UK consultants.
- Any doctor–patient relationship that may exist is strictly between the Registered Medical Practitioner (RMP) and the User, and is limited solely to the advisory services provided through the platform.
- Your local treating clinicians/physicians shall remain solely responsible for any final treatment or diagnosis.
- We are a technology intermediary, facilitating secure communication and improved health advice. We do not practice medicine and hold no responsibility or liability for any clinical outcomes or treatment decisions made by you or your local doctors in accordance with the advisory opinion shared with you.
- Nothing in this section affects your statutory rights under applicable data protection or consumer protection laws.
9. Your Rights
Our Users have the following rights in respect of their personal data, subject to legal limits and necessary safeguards:
- Right of access: You can obtain confirmation of whether we process your data and receive a copy of the personal data we hold.
- Right to rectification: You can request correction of inaccurate or incomplete personal data, or changes to your personal data.
- Right to erasure (right to be forgotten): You can request deletion of personal data where there is no overriding legal or clinical reason to retain it. We will explain any retention obligations that prevent us from processing your request for deletion.
- Right to restrict processing: You may ask us to suspend any processing of your personal data in case of a dispute, until it is resolved.
- Right to data portability: You can receive your personal data in a structured, commonly used, machine-readable format and request transfer to another controller where technically feasible.
- Right to object: You can object to the processing of your data based on legitimate interests; we will stop the processing unless we have compelling lawful grounds.
- Right to withdraw consent: As previously stated, you can withdraw your consent for processing at any time. Any withdrawal does not affect prior lawful processing.
- Right to nomination: You can nominate a person to exercise your data rights in the event of your death or incapacity. You can nominate a person using the mechanism available on the website or by contacting our Data Protection Officer.
- Right to lodge a complaint: You may exercise any of your rights by lodging a complaint with our Grievance Officer, if you believe your rights are breached. You may reach out to our Grievance Officer at grievance@bondmedic.com.
You may request the enforcement of any of the rights set out above by submitting a written request to the Company's Data Protection Officer. The Company shall acknowledge all such requests within 48 hours of receipt and shall endeavour to resolve and respond to the same within 30 days of receipt, or within such shorter period as may be prescribed under applicable law. Where the Company requires additional time or information to process a request, it shall notify you of the same within the initial 48-hour acknowledgement period, along with the reasons for any delay and the expected timeline for resolution.
10. Company’s Rights and Responsibilities
We as a Data Fiduciary have the following rights and responsibilities:
- To process your personal data collected and stored by us for only legitimate purposes consistent with this Policy and applicable laws.
- To collect only the data that is necessary for providing telehealth services as otherwise permitted by law and retain it only for as long as legally or clinically required.
- To ensure strict role-based access to the User personal data and only to the extent necessary for their duties.
- To maintain and store records and logs of all data processing activities.
- To implement appropriate technical and organisational measures to protect data against unauthorised access, alteration, disclosure, or destruction.
- To maintain transparency by providing clear, accessible information to Users about their data, its processing and ensuring User awareness in respect of their rights and safeguards through this Privacy Policy and consent mechanisms.
- To decline or suspend services where essential consent is withdrawn or where providing services would conflict with legal or clinical obligations.
- To retain your personal data in accordance with the legal and statutory requirements.
- To take effective steps to ensure compliance with applicable laws and prompt cooperation with the law enforcement agencies.
- To appoint a Data Protection Officer, conduct regular audits and perform periodical data protection impact assessments to effectively maintain accountability.
11. Security measures and Data breaches
- We secure your information using a defense-in-depth security system. This includes multi-layered encryption (both in transit and at rest), secure key management, firewalls, intrusion detection, and strict role-based access controls. Our security system is continuously validated through regular internal and third-party audits, security testing, and mandatory staff training, to ensure your data remains protected against evolving threats, unauthorized access, or disclosure.
- We have a rapid incident response plan to deal with a data breach. In the unlikely event of a data breach, we will immediately contain it and investigate the incident, assess risk to individuals, and take remedial action. Where required by law we will notify you and the relevant supervisory authorities, namely Indian Computer Emergency Response Team (CERT-In) and The Data Protection Board of India (DPBI), within legally required timeframes, detailing the steps taken to protect you and your data.
12. Automated decision making
- We may, from time to time, adopt changing technology trends to enhance our services and your experience. These may include any technology including automated decision support systems for clinical advice or business development.
- We ensure and confirm that such tools are solely used to assist our medical professionals in the review process. The tools do not and shall not form the sole ground of any advisory opinion issued to you. Every advisory opinion delivered through the platform is only delivered after the clinical review by our empanelled Indian RMP. All assisted insights are subject to a mandatory human-in-the-loop review by a qualified medical professional before being communicated to the user.
- We may utilise automated decision support systems for the purposes of profiling and analysing our aggregated, pseudonymised data purely to monitor service quality and for service improvement. Any profiling that produces legal or similarly significant effects will only be carried out with explicit prior consent and appropriate safeguards.
13. Children and vulnerable persons
- We expect the use of our website by adults aged 18 years and older. The Indian RMP shall appropriately verify the identity and age of the user before initiating consultation. Where a User is identified as a minor or where there is reasonable cause to suspect that a User may be under the age of 18, access to the platform shall be restricted pending completion of the consent verification process.
- In case of minors or vulnerable persons, the Company shall process the health data only upon the receipt of verifiable, explicit and informed consent of a parent or legal guardian as the case may be. The parent or legal guardian providing consent shall be clearly identified in the User's records and shall be the designated point of contact for all communications relating to the minor or vulnerable person's data.
- Where the Company becomes aware that personal data has been collected from, or processed in relation to, a minor without verifiable parental or legal guardian consent, the Company shall promptly delete or render inaccessible all such data, notify the relevant parent or guardian where reasonably practicable, and document the steps taken in its internal compliance records.
- We comply with enhanced security protocols applicable to the personal data of vulnerable individuals in accordance with the applicable laws.
14. Changes to this Policy
We may update this Policy from time to time to reflect legal, technical or business changes. Any material change to the privacy policy shall be notified on the Bondmedic Platform. Continued use following re-consent to the changes or modifications in the Privacy Policy shall constitute formal acceptance of the revised Policy.
15. Governing Law and Dispute Resolution
- This Privacy Policy is governed by all the applicable laws, rules, regulations and guidelines applicable in India (including but not limited to IT Act, 2000; SPDI Rules, 2011; DPDP Act 2023 & Rules 2025; Telemedicine Practice Guidelines 2020) and the laws, rules and regulations of the United Kingdom (UK GDPR, Data Protection Act 2018) along with any future applicable regulations.
- Any dispute will first be handled through our internal grievance redressal process. The Grievance Officer shall acknowledge your complaint within 48 hours and endeavour to resolve it within 30 days of receipt. If the dispute is unresolved, it will fall under the jurisdiction of competent courts in India.
16. Contact Us
To ensure compliance with the protection of your data, or to communicate a change of information or withdrawal of consent, you can reach our Data Protection Officer at dpo@bondmedic.com.
For redressal of any queries regarding your data or exercising your rights, you can contact our Grievance Officer at grievance@bondmedic.com.