Vendor Privacy Policy
How Carelix collects, uses, and protects personal and business data of vendors who supply care staff through the Platform.
1 Introduction
Carelix Healthcare Pvt. Ltd. ("Carelix", "we", "us") is committed to protecting the privacy of Vendors registered on our Platform. This Privacy Policy explains what data we collect from Vendors, why, how we use and protect it, and what rights the Vendor has under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and other applicable Indian laws.
2 Data We Collect From Vendors
2.1 Business / Entity Data
- Entity name (company, LLP, or proprietorship name)
- Entity type and registration details (CIN, LLP registration number, etc.)
- GSTIN (if registered)
- Registered business address
- Service categories offered and coverage area
2.2 Authorised Representative Data
- Full name of authorised contact person
- Age and gender
- Mobile number
- Aadhaar card (image or PDF)
- PAN card (image or PDF)
2.3 Financial Data
- Bank account name, account number, and IFSC code
- UPI ID (optional)
- Cancelled cheque or bank document
- Invoice records and payment history
2.4 Compliance Data
- Business registration certificate
- GSTIN certificate (if applicable)
- Labour law registration documents (if requested)
- Insurance certificates (if requested)
2.5 Platform Usage Data
- Login activity and timestamps
- Assignment history (received, completed, cancelled)
- Client ratings aggregated for the Vendor
- App and device information
3 Why We Collect Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Business KYC & verification | Entity details, Aadhaar, PAN, reg. certificate | Consent + Legal obligation |
| Creating & displaying Vendor profile | Entity name, service categories, area, rating | Contractual necessity |
| Allocating Assignments to the Vendor | Service categories, availability, location | Contractual necessity |
| Processing payments & settlements | Bank details, Assignment & invoice records | Contractual necessity |
| TDS deduction & GST compliance | PAN, GSTIN, invoice data | Legal obligation |
| Sending Leegality agreement for e-signing | Contact name, mobile, email | Contractual necessity |
| Performance monitoring & ratings | Assignment records, Client feedback | Legitimate interest |
| Fraud prevention & compliance checks | All KYC and usage data | Legitimate interest + Legal obligation |
| Dispute resolution & audit | All relevant Agreement and payment data | Legitimate interest |
| Platform improvement | Usage data (anonymised where possible) | Legitimate interest |
4 What We Share With Clients
When a Vendor's Staff is allocated to a Client Assignment, Carelix shares the following about the Vendor / Staff with the Client:
- Vendor entity name.
- Staff member's name, role, and qualifications.
- Staff member's Platform rating.
We do NOT share the Vendor's bank details, Aadhaar number, PAN number, GSTIN, or internal business documents with Clients.
5 Who Else We Share Your Data With
Payment processors
To settle Service Fees to the Vendor's bank account. Only necessary financial data is shared.
Leegality
Contact name, mobile, and email of the authorised representative are shared to facilitate e-signing of the Vendor Service Agreement.
Government and regulatory authorities
Tax authorities (for TDS compliance), courts, and regulators when required by law or court order.
Technology service providers
Cloud hosting, SMS/OTP providers, and analytics tools โ all bound by confidentiality obligations and given only minimum necessary data.
We do not sell Vendor data to any third party.
6 Data Retention
| Data Category | Retention Period |
|---|---|
| KYC documents (Aadhaar, PAN, business registration) | 7 years from account termination |
| Bank account and financial records | 7 years from last transaction |
| Assignment and invoice records | 7 years (Income Tax Act requirement) |
| Signed Vendor Service Agreement (Leegality) | 10 years from signing date |
| Profile data (entity name, service categories, ratings) | Deleted within 90 days of account deactivation |
| Login and platform usage logs | 2 years from log creation date |
| Compliance documents (insurance, labour licences) | 5 years from document date |
7 Data Security
We protect Vendor data through:
- Encrypted storage of KYC documents and bank details.
- OTP-based authentication for Platform access.
- Access controls ensuring only authorised Carelix staff can view sensitive Vendor data.
- Secure HTTPS connections for all data in transit.
- Regular internal audits of data access.
In the event of a data breach likely to affect the Vendor's rights, Carelix will notify the Vendor as required by applicable law.
8 Vendor's Own Data Protection Obligations
As a Vendor supplying Staff who access Client homes and personal information, the Vendor must:
- Ensure its Staff do not collect, store, photograph, or share Client personal or medical information.
- Comply with the DPDP Act, 2023, with respect to any Client or Staff personal data accessed through the Platform.
- Maintain confidentiality of Client information after Assignment completion.
- Report any data breach involving Client data to Carelix immediately.
9 Your Rights Under the DPDP Act 2023
As a data principal (or representing one), the Vendor has the right to:
Access
Request a summary of what data Carelix holds about the Vendor.
Correction
Request correction of inaccurate business or contact data.
Erasure
Request deletion of Vendor data, subject to legal retention requirements (Section 6).
Grievance Redressal
Raise a complaint about data handling. Carelix will respond within 30 days.
To exercise these rights, write to: grievance@carelixhealthcare.com
10 Changes to This Privacy Policy
Carelix may update this Privacy Policy periodically. Changes will be communicated via email to the Vendor's registered contact at least 15 days before taking effect. Continued use of the Platform after the effective date constitutes acceptance.
11 Grievance Officer
In accordance with the Information Technology Act, 2000, and the DPDP Act, 2023:
Name: Komal Gulati
Designation: Grievance Redressal Officer
Email: grievance@carelixhealthcare.com
Address: Carelix Healthcare Pvt. Ltd., Sohna Road, 141 JMD Galleria, Gurugram, Sector 48, Haryana โ 122001
Response time: Within 30 days of receipt of complaint.