Digital Personal Data Protection Act, 2023 (DPDPA)
Effective Date
27-06-26
Last Updated
27-06-26
Version
1.0
1. Introduction
New Horizons Child Development Centre (“NHCDC,” “we,” “our,” “us”) is a child development and therapy organization providing developmental assessment, intervention, and therapy services to children with special needs across multiple centres in Mumbai and online through our E-nable programme.
We are committed to protecting the privacy and personal data of every child, parent, guardian, and family that engages with our services. This Privacy Policy explains how we collect, use, store, share, and protect your personal data in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA).
Given that our services are primarily directed at children (persons under 18 years of age), we treat all personal data with the highest standard of care and apply the enhanced protections mandated by Section 9 of the DPDPA for children’s data.
2. Who This Policy Applies To
This Privacy Policy applies to:
Children enrolled in NHCDC’s services (in-centre and online)
Parents, lawful guardians, and family members of enrolled children
Prospective families who inquire about our services
Visitors to our centres and website
Employees and consultants of NHCDC (employee data is governed by the Internal Data Protection Policy)
3. Personal Data We Collect
3.1 Children’s Data
Identity: Name, date of birth, gender, photograph, patient ID
Family context: Occupation, family medical history (where clinically relevant)
Financial: Payment details, fee receipts, billing records
Communication: Emails, messages, call records with NHCDC staff
3.3 Website / Digital Data
If you visit our website/SM platforms: IP address, browser type, pages visited, cookies (if any)
If you fill an enquiry form: Name, contact details, nature of inquiry
4. Purpose of Data Collection
We collect and process personal data only for the following legitimate purposes:
Purpose
Legal Basis
Clinical assessment, therapy, intervention, and progress monitoring
Verifiable parental consent (DPDPA Section 9)
Preparing clinical reports, ITP, evaluation, and discharge summaries
Verifiable parental consent
Internal clinical review, supervision, and quality assurance
Legitimate clinical interest
Communication with parents regarding appointments, progress, and admin matters
Contractual necessity
Billing, invoicing, and financial record-keeping
Contractual and legal obligation
Staff training (using anonymized data only)
Legitimate organizational interest + separate consent
Compliance with legal obligations (POCSO reporting, court orders, regulatory filings)
Legal obligation
Child safety (CCTV, session recording)
Legitimate interest + parental consent
Research and outcome measurement (anonymized only)
Separate explicit consent
We do NOT: sell your data; use it for marketing, advertising, or targeted content; engage in behavioural tracking of children; share it with third parties for commercial purposes; or use it for any purpose not described in this policy.
5. Consent
Since our services are directed at children, we obtain verifiable consent from the parent or lawful guardian before collecting any personal data of the child, in accordance with Section 9 of the DPDPA, 2023.
Consent is obtained through a signed Parental Consent Form at the time of enrolment. For the E-nable (online) programme, a digital consent form is completed before the first session.
Consent is specific, informed, and freely given. You are not required to consent to data processing that is not necessary for the clinical services you are seeking.
You may withdraw your consent at any time by submitting a written request to our Grievance Officer. Please note that withdrawal of consent may impact our ability to continue providing clinical services.
6. Data Storage & Security
We implement appropriate technical and organizational measures to protect your personal data:
Clinical data is stored on secure, access-controlled systems (Medixcel and authorized organizational platforms).
Physical records are maintained in locked file cabinets with restricted access at each centre.
Role-based access controls ensure that only authorized personnel can access patient data.
All staff are bound by Non-Disclosure Agreements (NDA) and are prohibited from storing patient data on personal devices.
CCTV footage is stored for a maximum of 30 days.
E-nable session recordings are stored on NHCDC’s authorized systems, not on individual therapists’ personal devices.
Data is stored within India. We do not transfer personal data outside India without explicit consent and adequate safeguards.
7. Data Sharing
We do not sell, rent, or trade personal data. Data may be shared only in the following limited circumstances:
Referral to external specialists: Only with explicit written consent of the parent/guardian.
Medical emergencies: With hospitals or emergency services in the vital interest of the child.
Internal clinical supervision: Within NHCDC’s authorized clinical team for quality assurance.
Anonymized research: Only with separate explicit consent, after complete de-identification.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
Clinical records: Until the child turns 25 years of age (7 years after attaining majority).
Financial records: 8 years from the financial year of creation.
CCTV footage: 30 days (unless required for investigation).
Communication records: Duration of active engagement + 2 years.
Online session recordings: Duration of active engagement + 1 year.
After the retention period, data is securely destroyed — physical records are shredded and digital records are permanently deleted.
9. Your Rights
Under the DPDPA, 2023, you have the following rights:
Right to Access: Request a summary of your child’s personal data and how it is processed.
Right to Correction: Request correction of inaccurate or incomplete data.
Right to Erasure: Request deletion of data, subject to legal retention obligations.
Right to Withdraw Consent: Withdraw consent at any time (does not affect prior lawful processing).
Right to Grievance Redressal: File a complaint with our Grievance Officer or the Data Protection Board of India.
Right to Nominate: Nominate a person to exercise your rights in case of your death or incapacity.
10. Special Provisions for Children’s Data
In accordance with Section 9 of the DPDPA, 2023:
We process children’s data only with verifiable parental consent.
We do not engage in tracking, behavioural monitoring, or targeted advertising directed at children.
We do not process children’s data in any manner that is likely to cause detrimental effect to the well-being of the child.
We apply the highest standard of data protection to all children’s data.
11. Data Breach Notification
In the event of a personal data breach that is likely to cause harm to any data principal, NHCDC shall:
Notify the Data Protection Board of India within 72 hours of becoming aware of the breach.
Notify affected parents/guardians without unreasonable delay.
Take immediate steps to contain the breach and mitigate its impact.
Document the breach, its effects, and the remedial actions taken.
12. Grievance Officer
For any questions, concerns, or requests regarding your personal data or this Privacy Policy:
Field
Details
Name
Kern Rebello
Designation
Quality Manager
Email
info@enablemychild.org
Address
New Horizons Child Development Centre, Goregaon East, Mumbai
Response Timeline
Within 7 working days of receiving your request
13. Updates to This Policy
This Privacy Policy may be updated from time to time to reflect changes in law, our services, or data processing practices. Any material changes will be communicated to you via email or notice at our centres. The latest version shall always be available at our website and at the reception of each centre.
1. Introduction
New Horizons Child Development Centre (“NHCDC,” “we,” “our,” “us”) is a child development and therapy organization providing developmental assessment, intervention, and therapy services to children with special needs across multiple centres in Mumbai and online through our E-nable programme.
We are committed to protecting the privacy and personal data of every child, parent, guardian, and family that engages with our services. This Privacy Policy explains how we collect, use, store, share, and protect your personal data in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA).
Given that our services are primarily directed at children (persons under 18 years of age), we treat all personal data with the highest standard of care and apply the enhanced protections mandated by Section 9 of the DPDPA for children’s data.
2. Who This Policy Applies To
This Privacy Policy applies to:
3. Personal Data We Collect
3.1 Children’s Data
3.2 Parent / Guardian Data
3.3 Website / Digital Data
4. Purpose of Data Collection
We collect and process personal data only for the following legitimate purposes:
We do NOT: sell your data; use it for marketing, advertising, or targeted content; engage in behavioural tracking of children; share it with third parties for commercial purposes; or use it for any purpose not described in this policy.
5. Consent
Since our services are directed at children, we obtain verifiable consent from the parent or lawful guardian before collecting any personal data of the child, in accordance with Section 9 of the DPDPA, 2023.
Consent is obtained through a signed Parental Consent Form at the time of enrolment. For the E-nable (online) programme, a digital consent form is completed before the first session.
Consent is specific, informed, and freely given. You are not required to consent to data processing that is not necessary for the clinical services you are seeking.
You may withdraw your consent at any time by submitting a written request to our Grievance Officer. Please note that withdrawal of consent may impact our ability to continue providing clinical services.
6. Data Storage & Security
We implement appropriate technical and organizational measures to protect your personal data:
7. Data Sharing
We do not sell, rent, or trade personal data. Data may be shared only in the following limited circumstances:
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
After the retention period, data is securely destroyed — physical records are shredded and digital records are permanently deleted.
9. Your Rights
Under the DPDPA, 2023, you have the following rights:
10. Special Provisions for Children’s Data
In accordance with Section 9 of the DPDPA, 2023:
11. Data Breach Notification
In the event of a personal data breach that is likely to cause harm to any data principal, NHCDC shall:
12. Grievance Officer
For any questions, concerns, or requests regarding your personal data or this Privacy Policy:
13. Updates to This Policy
This Privacy Policy may be updated from time to time to reflect changes in law, our services, or data processing practices. Any material changes will be communicated to you via email or notice at our centres. The latest version shall always be available at our website and at the reception of each centre.