- Introduction
This Privacy Policy explains how SurgeonSearch (“Company”, “we”, “us”, “our”) collects, uses, shares and protects personal data of individuals who access or use the Surgeon Search Platform, including Candidates and Recruiters (“you”, “your”).
The Policy is designed to comply with applicable Indian data protection and IT security requirements, including the Digital Personal Data Protection Act, 2023 and relevant rules (“DPDPA”), and the Information Technology Act and rules governing reasonable security practices and sensitive personal data or information.
For the purposes of interpretation,
- surgeons and other healthcare professionals are collectively referred to as “Candidates”, and
- hospitals, clinics and other healthcare recruiters are collectively referred to as “Recruiters”.
This Policy is an electronic record and forms part of the Terms. By using the Platform, you consent to the processing of your personal data in accordance with this Policy.
- Personal Data Collected
Categories of data we may collect include:
- Identification and contact data: name, email, phone number, address, professional registration number, organisation details.
- Professional profile data: photograph, qualifications, specialties, years of experience, skills, languages, location preferences, CV/profile, certifications, references, and availability.
- Recruiter data: organisation name, contact persons (HR), job descriptions, compensation ranges, and role requirements.
- Usage data: log data, device identifiers, IP address, browser/app version, pages viewed, time spent, and interaction logs.
- Communications data: messages exchanged through the Platform between Candidates and Recruiters, and communications with our support team.
Where applicable, we may also process limited health-related information that is part of professional profiles (for example, types of surgeries performed, procedural experience) but do not intend to process detailed patient-level records via the Platform.
We may collect this data:
- directly from you (e.g., registration forms, profile updates);
- automatically via cookies and similar technologies; and
- from third‑party sources where lawful (e.g., professional registries, references) subject to your consent where required.
- Legal Bases and Purposes of Processing
We process personal data for one or more of the following lawful purposes:
- providing, operating and improving the Platform and its features.
- enabling Candidates and Recruiters to discover, evaluate and connect for professional opportunities.
- verifying identity and professional credentials, where applicable.
- facilitating communications, notifications and alerts.
- processing payments for paid services.
- personalising user experience and recommendations.
- ensuring platform security, fraud prevention, and misuse detection.
- complying with legal obligations, regulatory requirements, and law‑enforcement requests; and
- enforcing our Terms and protecting our legal rights.
These purposes reflect standard lawful purpose and necessity tests under the DPDPA framework and related healthcare sector guidance.
Where required by law, we will obtain your consent before collecting or processing your personal data, especially for:
- marketing communications;
- use of certain cookies/analytics; and
- any processing that is not strictly necessary for providing the core Platform services.
- Cookies and Tracking Technologies
The Platform may use cookies, web beacons, and similar technologies to:
- remember your preferences and session.
- improve website performance.
- understand usage patterns and analytics; and
- support security features.
You can manage cookie preferences through your browser settings or app controls. Disabling certain cookies may impact your ability to use some Platform features.
- Sharing and Disclosure of Personal Data
We may share your personal data with:
- Other users: Candidate profile details may be made visible to Recruiters. Recruiter organisation and job details may be visible to Candidates, as required for matching and engagement.
- Service providers: third party vendors who provide hosting, analytics, payment processing, communication, or verification services, under appropriate contractual safeguards.
- Group entities and partners: where necessary for operations, consistent with this Policy.
- Authorities: government, regulatory or law enforcement authorities, courts or tribunals when required by law or to protect our legal rights.
We do not sell your personal data to third parties. Marketing or promotional use by third parties will be subject to your consent where required.
- International Transfers
If personal data is transferred or stored outside India (for example, on cloud infrastructure located abroad), such transfers will be carried out in compliance with applicable data transfer requirements and subject to appropriate contractual, technical and organisational safeguards.
You acknowledge that your data may be processed in jurisdictions whose data protection laws may differ from those applicable in India, but we will continue to protect your data in accordance with this Policy and applicable law.
- Data Retention
We retain personal data for as long as necessary to fulfil the purposes set out in this Policy, including to:
- provide services to you.
- comply with legal, regulatory, accounting or reporting requirements; and
- resolve disputes and enforce our rights.
When personal data is no longer required, we will delete or de‑identify it in accordance with our internal retention schedules, subject to any legal obligations requiring longer retention.
- Data Security
We implement reasonable technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration or destruction, including:
- access controls and authentication.
- encryption in transit (such as HTTPS/TLS) and, where appropriate, encryption at rest.
- logging and monitoring of system access; and
- periodic security reviews and updates.
Payment Card Security (PCI DSS Compliance): We comply with the Payment Card Industry Data Security Standard (PCI DSS) for payment processing. We do not store complete credit card numbers, CVV codes, or magnetic stripe data. Payment processing is handled by PCI DSS-compliant third-party processors using encryption and tokenization.
CERT-In Compliance (India): We comply with CERT-In directives, including:
- Reporting cybersecurity incidents to CERT-In within six hours of noticing such incidents.
- Maintaining system logs for at least 180 days.
- Implementing security best practices and coordinating with CERT-In on incident response.
Limitations of Security: While we employ industry-standard security measures, no system is completely secure. Data transmission over the internet and electronic storage carry inherent risks. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for any activity under your account. For your own protection, do not include sensitive personal data (e.g., passwords, credit card numbers, health information) in emails to us or our staff unless encrypted or transmitted through secure channels.
Security Incident Response: In the event of a data breach affecting personal data:
- We will investigate promptly and take steps to contain and mitigate the breach;
- We will notify affected individuals and relevant authorities, including the Data Protection Board of India, as required by law;
- We will give notice to affected individuals and the Data Protection Board without undue delay.
We will cooperate with regulatory investigations and take corrective actions to prevent recurrence.
- Your Rights
Subject to applicable law, you may have the following rights in relation to your personal data:
- Right to access: to obtain a summary of your personal data that we process.
- Right to correction: to request correction or updating of inaccurate or incomplete data.
- Right to deletion: to request deletion of your personal data when it is no longer necessary for the stated purposes or when consent is withdrawn, subject to legal exceptions.
- Right to grievance redressal and review: to raise complaints and, where applicable, seek review by the relevant Data Protection Board or authority.
To exercise these rights, you may contact us using the details contained in this Policy. We may need to verify your identity before acting on your request and may refuse or limit requests where permitted by law (for example, to comply with legal obligations, protect the rights of others, or for internal records).
We will make reasonable efforts to respond within timelines prescribed under applicable law or, where not prescribed, within a reasonable period.
- Children’s Data
The Platform is not intended for use by individuals under 18 years of age.
We do not knowingly collect personal data from children. If you believe that a child has provided personal data through the Platform, please contact us so that we can take appropriate steps, including deletion where required.
- Updates to This Policy
We may amend this Privacy Policy from time to time to reflect changes in legal requirements, technology, or our data‑handling practices.
Material changes will be notified via the Platform or other reasonable means. Your continued use of the Platform after such changes become effective will signify your acceptance of the updated Policy.
- Grievance Officer and Contact Details
For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: surgeonsearch25@gmail.com
- Phone: +91-9444702299
- Address: s2, Triple C Majesty, 48/6, Muthukumarappa Street, Saligramam, Chennai – 600093
Data Protection Officer (DPO): We have appointed a Data Protection Officer to oversee compliance with data protection laws and address your privacy concerns.
- Email: mithun@growbledigital.com
- Address: 24, Field Marshal Cariappa Road, Shanthala Nagar, Ashok Nagar, Bengaluru, Karnataka – 560025
Grievance Officer: We have appointed a Grievance Officer in accordance with DPDPA requirements to address complaints and grievances related to personal data processing.
- Grievance Officer Name: Sudharsan P V
- Email: sudharsan_pv91@yahoo.co.in
- Address: 25/6, 5th Main Road, Chamrajpet, Bengaluru – 560018
- The Grievance Officer will acknowledge your complaint within 24 hours and resolve it within 30 days (or such other timeframe as specified under DPDPA rules).
Regulatory Authorities: You have the right to lodge a complaint with the relevant data protection authority in your jurisdiction:
India: Data Protection Board of India