This Data Processing Addendum ("DPA") forms part of the Terms of Service between Rentesy Softwares Private Limited ("Processor," "Medichat") and the subscribing customer ("Controller"). It governs the processing of personal data by Medichat on behalf of the Controller in connection with the Service.
This DPA applies where the Controller is subject to applicable data protection law, including but not limited to the EU General Data Protection Regulation (GDPR), the UK GDPR, India's Digital Personal Data Protection Act (DPDPA) 2023, the California Consumer Privacy Act (CCPA/CPRA), or HIPAA (as supplemented by a separate BAA where applicable).
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by Medichat on behalf of the Controller in connection with the Service.
- "Processing" has the meaning given in applicable data protection law.
- "Data Subject" means the individual to whom Personal Data relates, including patients, staff, or other individuals whose data the Controller processes via the Service.
- "Sub-Processor" means any third party engaged by Medichat to process Personal Data in connection with the Service.
2. Roles and Responsibilities
2.1 Controller Obligations
The Controller:
- Determines the purposes and means of processing Personal Data submitted through the Service
- Is solely responsible for ensuring it has a lawful basis for processing Personal Data, including obtaining all necessary consents from Data Subjects
- Is responsible for its own compliance with applicable data protection law
- Warrants that instructions given to Medichat comply with applicable law
2.2 Processor Obligations
Medichat as Processor will:
- Process Personal Data only on documented instructions from the Controller (as set forth in the Terms of Service and this DPA)
- Not process Personal Data for any purpose other than providing the Service
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
- Implement the technical and organizational security measures described in our Security page
- Assist the Controller in responding to Data Subject rights requests to the extent technically feasible
- Notify the Controller of any Personal Data breach without undue delay (and in any event within 72 hours of becoming aware)
- Delete or return all Personal Data upon termination of the Service, as directed by the Controller, subject to retention periods required by law
3. Sub-Processing
The Controller authorizes Medichat to engage the sub-processors listed below. Medichat will inform the Controller of intended changes by updating this DPA, providing 14 days' advance notice for material changes. All sub-processors are bound by data protection obligations at least as stringent as those in this DPA.
| Sub-Processor | Processing Activity | Location |
|---|---|---|
| Supabase, Inc. | Database storage, authentication | USA / EU |
| Vercel, Inc. | Application hosting | USA / Global |
| Meta Platforms (WhatsApp Cloud API) | Message delivery | USA |
| AI text generation provider(s) | Draft message generation | USA |
| ElevenLabs, Inc. | Voice synthesis | USA |
| Cloudflare, Inc. | Network security, traffic routing | USA / Global |
4. Data Subject Rights
Medichat will assist the Controller in fulfilling Data Subject rights requests — including access, rectification, erasure, portability, restriction, and objection — to the extent technically feasible. Controllers are responsible for responding directly to Data Subjects.
5. Security Measures
Medichat implements the technical and organizational measures described in our Security page, which are incorporated herein by reference, including encryption at rest and in transit, access controls and least-privilege principles, and incident detection and response procedures.
6. International Data Transfers
Where Personal Data is transferred outside the EEA, UK, or other applicable jurisdiction, Medichat will rely on appropriate transfer mechanisms, including:
- EU Standard Contractual Clauses (SCCs) (European Commission Decision 2021/914)
- UK International Data Transfer Addendum
- Other lawful transfer mechanisms as applicable under the relevant jurisdiction
7. Data Retention and Deletion
Upon termination of the Service or upon written request:
- Medichat will delete or return Personal Data within 90 days
- Anonymized or aggregated data from which individuals cannot be identified may be retained for product analytics
- Backup copies may persist for up to 30 days following deletion requests
8. Audit Rights
The Controller may request written confirmation that Medichat has complied with its obligations under this DPA. Medichat may satisfy audit obligations by providing relevant certifications, security documentation, or third-party audit reports, rather than permitting on-site audits, unless required by a supervisory authority.
9. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability to Data Subjects or supervisory authorities under applicable law.
10. Contact
Data protection inquiries:
Rentesy Softwares Private Limited
5-101/5/1/19 Ganga Avenue, Macha Bollaram, Alwal, Tirumalagiri
Hyderabad – 500010, Telangana, India
Email: hello@medichat.in (Subject: "DPA / Data Protection Inquiry")
Phone: +91 6281-209-374