Privacy Policy
1. Introduction
Manoah Technology Private Limited (“Manoah”, “we”, “us”, or “our”) operates Manoah — a practice management platform designed for psychologists, therapists, and mental health professionals in India. Manoah helps practitioners manage appointments, maintain client records, write clinical session notes, generate GST-compliant invoices, and send automated reminders to their clients.
This Privacy Policy explains how we collect, use, store, share, and protect personal information when you use the Manoah platform, website, and related services (collectively, the “Services”). It also explains your rights under applicable Indian law.
Who this policy applies to:
- Therapists / Practitioners — mental health professionals who register for and use Manoah to manage their practice (“Therapists” or “account holders”)
- Clients — individuals whose information is entered into Manoah by a Therapist (“Clients”)
- Visitors — individuals who browse our website without creating an account
- Prospective Clients — individuals who submit an inquiry via a Therapist’s public profile page on Manoah
The Therapist–Client data relationship: Manoah is a data processor (as understood under the Digital Personal Data Protection Act, 2023 and the IT (SPDI) Rules, 2011). When a Therapist enters their clients’ personal and health information into Manoah, the Therapist is the data fiduciary (controller) for that client data. Manoah processes that data solely on the Therapist’s instructions and does not independently use, share, or monetise client data. Therapists are responsible for obtaining any necessary consents from their own clients and for complying with the Mental Healthcare Act, 2017 and other applicable professional obligations.
By registering for or using Manoah, you confirm that you have read and understood this Privacy Policy.
2. Information We Collect
2.1 Information Provided by Therapists (Account Holders)
When a Therapist creates and uses a Manoah account, we collect:
| Category | Examples |
|---|---|
| Identity and contact | Full name, email address, phone number |
| Professional credentials | Rehabilitation Council of India (RCI) registration number, specialisation, qualifications |
| Business information | GST Identification Number (GSTIN), practice name, practice address |
| Account security | Password (stored as a one-way bcrypt hash — we never store your plaintext password), JWT refresh tokens |
| Practice configuration | Working hours, session types, fees, appointment duration |
| Profile | Profile photo |
| Payment and billing | Billing address, GST details; payment transactions are processed by Razorpay and/or Cashfree Payments — we do not store card numbers or UPI credentials |
| Google Calendar | If you voluntarily connect your Google Calendar, we access your calendar events solely to sync appointments; we do not read unrelated calendar data |
| Device data | FCM (Firebase Cloud Messaging) push notification tokens, operating system, device platform (iOS/Android) |
2.2 Client Data Entered by Therapists
Therapists enter information about their clients to manage their practice. This may include:
| Category | Examples |
|---|---|
| Identity and contact | Client’s name, phone number, email address |
| Emergency contact | Name and contact number of the client’s emergency contact |
| Health and clinical information | Intake forms, presenting concerns, case history, diagnoses, medications |
| Session notes | SOAP notes (Subjective, Objective, Assessment, Plan) and freeform client notes (title, body, tags) — these are clinical records |
| File attachments | Images (JPEG, PNG, WebP, HEIC) and PDF documents attached to session notes or client notes by the Therapist |
| Appointment records | Session dates, duration, attendance, session type |
| Financial records | Invoice amounts, session fees, GST breakdown, payment method, payment status, discount/coupon codes |
| Consent records | Informed consent status and consent form data |
This data is Sensitive Personal Data or Information (SPDI) under the IT (SPDI) Rules, 2011 and constitutes health data under the Digital Personal Data Protection Act, 2023. We treat it with the highest level of care.
Session notes and client notes are encrypted at rest using AES-256 encryption. Only the Therapist who created them can decrypt and read them. File attachments are also encrypted at rest using AES-256-GCM before being stored on Cloudflare R2.
2.3 Automatically Collected Information
When you use the Manoah platform, we automatically collect:
- Log data: IP address, browser type, user-agent string, pages visited, timestamps, HTTP request/response codes
- Audit logs: Records of actions taken within the platform along with IP address and user-agent — used for security and accountability
- Session data: JWT tokens used to authenticate your session
- Cookies and local storage: Session tokens and preference data (see Section 10)
2.4 Inquiry Data from Prospective Clients (Client Portal)
When a prospective client submits an inquiry through a Therapist’s public profile page, we collect:
| Category | Examples |
|---|---|
| Identity and contact | Name, phone number, email address (optional) |
| Communication | Free-text message describing their reason for reaching out (optional) |
Purpose: This data is collected solely to facilitate initial contact between the prospective client and the Therapist. It is shared only with the specific Therapist whose profile the inquiry was submitted through.
Retention: Inquiry records are retained for the lifetime of the Therapist’s account. Therapists may archive or delete inquiries through the platform.
2.5 Information We Do Not Collect
- We do not collect payment card numbers, CVVs, or UPI PINs. All payment processing is handled by Razorpay and/or Cashfree Payments.
- We do not collect biometric data.
- We do not build advertising profiles on users or sell data to advertisers.
- We do not use client health data for any purpose other than delivering the Services to the Therapist.
3. How We Use Your Information
3.1 Therapist Account Data
| Purpose | Details |
|---|---|
| Providing the Services | Creating and managing your account, authentication, access control |
| Practice management | Enabling scheduling, client records, invoicing, session notes, availability management |
| Notifications | Sending transactional emails and push notifications |
| Billing and compliance | Processing subscription payments; generating invoices with GST details; retaining records as required under the GST Act |
| Google Calendar sync | Two-way synchronisation of appointments with your Google Calendar if you opt in |
| Security and fraud prevention | Monitoring for unauthorised access, maintaining audit logs, rate limiting |
| Platform improvement | Aggregated, anonymised analytics to understand feature usage — no individual profiling |
| Legal compliance | Responding to lawful requests from courts and government authorities |
| Customer support | Responding to your queries and resolving technical issues |
3.2 Client Data (Entered by Therapists)
Client data is used only to provide the specific features the Therapist uses:
| Purpose | Details |
|---|---|
| Appointment management | Scheduling, calendar views, reminder notifications |
| Clinical records | Storing and displaying session notes, intake forms, and case history to the Therapist |
| Invoicing | Generating GST-compliant invoices linked to sessions |
| Reminders | Sending appointment reminders to the client via WhatsApp or email, on behalf of the Therapist |
| Emergency contact | Stored for the Therapist’s reference in clinical emergencies |
We do not use client data for any purpose beyond delivering the Services to the Therapist who entered that data.
4. Legal Basis for Processing (DPDPA 2023)
Under the Digital Personal Data Protection Act, 2023 (“DPDPA”), we process personal data on the following grounds:
| Legal Basis | How We Rely on It |
|---|---|
| Consent | Therapists consent to this Privacy Policy when they register. For client data, the Therapist (as data fiduciary) is responsible for obtaining the client’s consent. |
| Contractual necessity | Processing Therapist account data is necessary to perform the contract for Services. |
| Legitimate use / legal obligation | Maintaining audit logs for security; retaining invoice data as required by the GST Act; responding to lawful government or court orders. |
| Legitimate interests | Detecting and preventing fraud, security threats, and abuse of the platform. |
5. Data Sharing and Third-Party Processors
We do not sell, rent, or trade your personal data or your clients’ data to any third party for commercial or marketing purposes.
We share data with third-party service providers (“sub-processors”) solely to operate and deliver the Services. These providers are contractually bound to process data only on our instructions and to maintain appropriate security standards.
5.1 Sub-Processor List
| Sub-Processor | Purpose | Data Categories | Location |
|---|---|---|---|
| Oracle Cloud Infrastructure | Application hosting and PostgreSQL database hosting | All platform data including client records, session notes, invoices | India region |
| Cloudflare | Website hosting and file/PDF storage (R2) | Invoice PDFs, encrypted file attachments | Global / regional |
| Firebase / Google FCM | Push notification delivery | FCM device tokens, notification payloads | United States |
| Authkey | WhatsApp appointment reminders sent to clients | Client phone numbers, appointment details | India |
| Resend | Transactional email delivery | Email address, notification content | United States |
| Razorpay | Payment link generation and payment processing | Therapist billing details, payment transaction data | India |
| Cashfree Payments | Payment link generation and payment processing | Therapist billing details, payment transaction data | India |
| Google Calendar API | Two-way appointment sync (opt-in only) | Appointment titles, dates, times, attendee details | United States |
5.2 Cross-Border Data Transfers
Some sub-processors listed above are located outside India (Google, Cloudflare, Resend). Where personal data is transferred outside India, we ensure such transfers comply with the DPDPA 2023. We rely on contractual safeguards with sub-processors to maintain equivalent data protection standards.
5.3 Disclosure to Authorities
We may disclose personal data to courts, law enforcement agencies, or government authorities when:
- Required to do so by a valid court order, subpoena, or applicable Indian law
- Necessary to protect the safety, rights, or property of Manoah, its users, or the public
- Required under the Mental Healthcare Act, 2017 (e.g., where there is a risk to life)
We will notify the relevant Therapist of such a request where permitted by law.
5.4 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to the successor entity. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
6. Data Storage and Security
6.1 Security Measures
| Control | Details |
|---|---|
| Encryption in transit | All data transmitted between your device and our servers uses TLS 1.2 or higher (HTTPS) |
| Encryption at rest | Session notes, client notes, and file attachments are encrypted at rest using AES-256-GCM encryption |
| Password hashing | Therapist passwords are hashed using bcrypt — plaintext passwords are never stored |
| Authentication | JWT-based authentication with short-lived access tokens and refresh token rotation |
| Audit logging | All data mutations are logged with timestamps, IP addresses, and user-agent strings |
| Rate limiting | API endpoints are rate-limited (60 requests/minute) to prevent brute-force and abuse |
| HTTP security headers | Strict HTTP security headers (CSP, HSTS, X-Frame-Options, etc.) |
| Access control | Role-based access; Therapists can only access their own practice data |
6.2 Reasonable Security Practices
We maintain Reasonable Security Practices and Procedures as required under Rule 8 of the IT (SPDI) Rules, 2011. In the event of a data security breach involving sensitive personal data, we will notify affected users and, where required, the relevant government authority within the timelines prescribed under applicable law.
6.3 Limitations
No system is completely secure. While we take data security seriously and continuously improve our practices, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Therapist account data | Retained for the duration of the active subscription plus 90 days after account closure, then deleted or anonymised |
| Client records and session notes | Retained as long as the Therapist’s account is active; deleted within 90 days of account closure |
| Invoice and financial records | Retained for a minimum of 8 years from the date of the invoice, as required under the GST Act |
| Audit logs | Retained for 12 months, then deleted |
| Google Calendar tokens | Deleted immediately when the Therapist disconnects Google Calendar |
| FCM device tokens | Deleted when the Therapist logs out or revokes notification permissions |
| Backup data | Encrypted backups are retained for up to 30 days, then purged |
Account closure: Therapists may close their account at any time by contacting contact@manoah.care. Before closure, Therapists may export their data in a portable format. After the 90-day grace period, data is permanently deleted and cannot be recovered.
8. Your Rights
8.1 Rights of Therapists (Account Holders)
Under the DPDPA 2023 and the IT (SPDI) Rules, 2011, Therapists have the following rights:
| Right | What It Means |
|---|---|
| Right to access | You may request a summary of the personal data we hold about you |
| Right to correction | You may request correction of inaccurate or incomplete personal data |
| Right to erasure | You may request deletion of your personal data, subject to legal retention requirements |
| Right to grievance redressal | You may raise a complaint with our Grievance Officer (see Section 12) |
| Right to withdraw consent | Where processing is based on consent, you may withdraw it at any time |
| Right to data portability | You may request an export of your data in a commonly used format |
| Right to nominate | You may nominate another individual to exercise your rights in the event of your death or incapacity |
To exercise any of these rights, contact us at contact@manoah.care. We will respond within 30 days of receiving a verifiable request.
8.2 Rights of Clients (of Therapists)
Clients whose data has been entered into Manoah by a Therapist should direct data access, correction, or deletion requests to their Therapist directly, as the Therapist is the data fiduciary for that data. Where a Client contacts us directly, we will forward the request to the relevant Therapist.
8.3 Complaints to the Data Protection Board
If you are not satisfied with our response, you may lodge a complaint with the Data Protection Board of India once it is constituted under the DPDPA 2023, or approach other available legal forums.
9. Children’s Privacy
Manoah is designed for use by licensed mental health professionals and is not directed at children under the age of 18.
- Therapists must not use Manoah to create accounts for minors.
- Where a Therapist sees minors as clients, they must ensure they have obtained verifiable parental or guardian consent before entering the minor’s data into the platform.
- If we become aware that we have inadvertently collected personal data of a child under 18 without appropriate consent, we will delete that data promptly.
10. Cookies and Tracking
10.1 What We Use
| Type | Purpose |
|---|---|
| Session cookies | Store your authentication state; expire when you close your browser or log out |
| Local storage | Store your JWT access token and user preferences |
| Security cookies | CSRF protection tokens |
10.2 What We Do Not Use
- We do not use advertising, tracking, or analytics cookies from third-party advertising networks.
- We do not use cross-site tracking.
- We do not share cookie data with advertisers.
10.3 Third-Party Scripts
Our platform may load scripts from:
- Firebase (Google) — for push notification support
- Razorpay — for payment link checkout flows
- Cashfree Payments — for payment link checkout flows
These services have their own privacy policies and may set their own cookies: Google Privacy Policy | Razorpay Privacy Policy | Cashfree Privacy Policy
10.4 Browser Controls
You can control or delete cookies through your browser settings. Note that disabling essential cookies may prevent you from logging in or using the platform.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Last Updated” date at the top of this policy
- Send an email notification to registered Therapists
- Display a notice within the Manoah platform
Your continued use of the Services after the effective date of the revised policy constitutes your acceptance of the changes. We will maintain an archive of previous versions of this policy, which you may request by emailing contact@manoah.care.
12. Grievance Officer and Contact
Grievance Officer
In accordance with Rule 5(9) of the IT (SPDI) Rules, 2011 and the Digital Personal Data Protection Act, 2023, we have designated a Grievance Officer:
Name: Santosh Kumar Jha
Designation: Grievance Officer, Manoah Technology Private Limited
Email: contact@manoah.care
Address: New Delhi, Delhi, India
Response time: We will acknowledge your complaint within 48 hours and resolve it within 30 days of receipt.
General Privacy Contact
For all other privacy-related queries, data requests, or concerns:
Email: contact@manoah.care
Subject line format: [Privacy Request] <Your Name> — <Brief Description>
For account and technical support: contact@manoah.care
Registered Office
Manoah Technology Private Limited
New Delhi, Delhi, India
Appendix: Applicable Laws
This Privacy Policy is governed by and construed in accordance with the laws of India. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the courts at New Delhi, India.
Key regulations referenced in this policy:
- Information Technology Act, 2000
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
- Digital Personal Data Protection Act, 2023
- Mental Healthcare Act, 2017
- Goods and Services Tax (GST) Act, 2017
- Indian Contract Act, 1872