Privacy Policy

Effective Date: 1st April, 2026

1. About This Policy and Its Scope

This Privacy Policy governs the collection, use, storage, sharing, and protection of personal data and sensitive personal data by MfunL (hereinafter referred to as “we,” “us,” “our,” or “the Company”), a healthcare digital marketing agency having its principal place of business at P-534, Raja Basanta Roy Road, 3rd Floor, Near Southern Avenue, Lake Kali Bari, Kolkata – 700029, West Bengal, India.

This Policy applies to:

• All individuals who visit our website at www.mfunl.com from any location
• Individuals and organisations who submit enquiries through our website, social media pages, or any other channel
• Existing and prospective clients who engage us for any of our services
• Patients, prospective patients, and other data subjects whose personal data we process on behalf of our clients in the course of providing lead generation and digital marketing services
• Employees, contractors, and freelancers who interact with client data in the course of service delivery

This Policy applies regardless of whether you are located in India or any other country. Where you access our website or services from outside India, you acknowledge that your data may be processed and stored in India and that Indian data protection laws will govern that processing.

This Policy is published in compliance with:

• The Information Technology Act, 2000 (“IT Act”)
• The Information Technology (Amendment) Act, 2008
• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”)
• The Digital Personal Data Protection Act, 2023 (“DPDP Act”), to the extent its provisions have been notified and are in force
• The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Rules”), to the extent applicable

For users located in the European Union or European Economic Area, we also acknowledge the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and have structured our practices to align with its principles where reasonably practicable, though MfunL is not established in the EU and does not systematically target EU data subjects.

By using our website or engaging our services, you acknowledge that you have read, understood, and agree to the terms of this Policy.

2. Who We Are and Our Role in Data Processing

MfunL is a specialised healthcare digital marketing agency working exclusively with doctors, surgeons, clinics, nursing homes, hospitals, and diagnostic centres. Our services include Healthcare SEO, Google Ads (PPC), Meta Ads, Social Media Marketing, Website Design and Development, Online Reputation Management (ORM), Medical Content Creation, and Patient Conversion Management.

Depending on the context in which we process your data, we act in one of two capacities:

Data Controller: In respect of data collected directly through our website (contact forms, consultation booking, newsletter subscriptions), we determine the purposes and means of processing and are accordingly the data controller.

Data Processor: In respect of patient enquiry data, lead information, and other personal data collected and processed on behalf of our healthcare clients through their campaigns, landing pages, and ad forms, we act as a data processor under instructions from the client, who is the data controller. Our obligations in this capacity are governed by the data processing terms agreed with each client.

This distinction matters because your rights in relation to data processed on behalf of a client (such as your patient enquiry submitted through a doctor’s ad) should primarily be exercised against that client. MfunL will, however, cooperate with and assist clients in responding to such requests.

3. What Personal Data We Collect
4. a) Data You Provide Directly to MfunL

When you contact us, complete our enquiry form, book a free consultation, or enter into a service engagement, we collect:

• Full name, phone number, and email address
• Organisation name (clinic, hospital, diagnostic centre, or practice name) and your designation within it
• Business address, city, and location details
• Website URL and details of existing digital presence
• Marketing objectives, campaign requirements, and advertising budget range
• Description of challenges or problems you wish us to address
• Any other information you voluntarily share in correspondence with us, whether by email, phone, WhatsApp, or in person

1. b) Patient and Lead Data Processed on Behalf of Clients

In the course of running lead generation campaigns (Google Ads, Meta Ads, WhatsApp campaigns, landing pages, and contact forms) on behalf of our healthcare clients, we may collect and process on their behalf:

• Patient names and contact details (phone number, email, WhatsApp number)
• City or locality of the patient
• Nature of the medical enquiry or the specific service the patient is seeking (as voluntarily submitted)
• Appointment preference (date, time, type of consultation)
• Basic health-related information submitted voluntarily through enquiry forms
• Source of the enquiry (which ad, platform, or campaign generated the lead)

This data is collected strictly as a service to our clients and is governed by data processing terms agreed with each client. We do not use, analyse, or share this data for any purpose beyond delivering the client’s campaign and lead management service.

We do not collect detailed medical records, clinical diagnoses, treatment histories, prescription data, or pathology results, and we never will, unless a specific written data processing and confidentiality agreement covering such data has been executed.

1. c) Data Collected Automatically Through the Website

When you visit www.mfunl.com, the following data may be collected automatically:

• IP address and approximate geographic location derived from it
• Browser type, version, and language settings
• Device type, operating system, and screen resolution
• Pages visited, time spent on each page, and navigation path through the website
• Referring URL (the website or search result that directed you to us)
• Search terms used on the website
• Cookie identifiers and session data
• Interaction data such as clicks, form submissions, and button interactions

1. d) Data From Third-Party Sources

We may also receive data about you or your organisation from:

• Google and Meta advertising platforms, including ad engagement data, audience insights, and conversion tracking data
• LinkedIn, if you engage with our company profile or sponsored content
• Third-party lead enrichment or business intelligence tools used to better understand prospective clients

We handle all data received from third-party sources in accordance with this Policy and the terms of the relevant platform.

4. Sensitive Personal Data or Information (SPDI)

Under Rule 3 of the SPDI Rules, the following categories of data qualify as Sensitive Personal Data or Information: passwords; financial information (bank account details, credit/debit card numbers); physical and mental health conditions; sexual orientation; medical records and history; biometric data; and any other information received in confidence by a body corporate.

MfunL’s operations bring it into contact with health-related data through the patient enquiry forms and lead generation campaigns run on behalf of clients. Any health-related information voluntarily submitted by a patient through such a form — such as a description of a medical condition or the type of treatment being sought — is treated as Sensitive Personal Data under these Rules.

In relation to such data, we commit to:

• Collecting it only for the specific, lawful purpose of connecting the patient with the relevant healthcare provider
• Not storing it beyond what is necessary for that purpose
• Applying the heightened security standards required under the SPDI Rules
• Not sharing it with any party other than the client on whose behalf it was collected, and such third-party service providers as are strictly necessary for service delivery
• Obtaining prior written consent from patients through the applicable form or landing page before such data is collected, as required under Rule 5 of the SPDI Rules

Where MfunL’s employees or contractors are required to access such data in the course of their work, they are subject to confidentiality obligations covering the same.

5. Legal Basis and Consent for Data Collection and Processing

We process your personal data only where we have a valid legal basis to do so. Depending on the nature of the data and the purpose of processing, the applicable basis will be one or more of the following:

Consent: Where you have voluntarily submitted your information through our contact forms, consultation booking, or campaign opt-in forms, you consent to our processing it for the stated purposes. You may withdraw this consent at any time by writing to us at info@mfunl.com. Withdrawal of consent will not affect the lawfulness of any processing carried out prior to withdrawal but may affect our ability to deliver services.

Performance of Contract: Where processing is necessary to carry out our obligations under a service agreement with you or your organisation, including onboarding, campaign delivery, reporting, and invoicing.

Legal Obligation: Where applicable Indian law requires us to collect, retain, or disclose data, including under tax laws, court orders, or directions from competent authorities.

Legitimate Interests: For activities such as website analytics, service improvement, internal reporting, fraud prevention, and business development, where our legitimate interests in conducting these activities are not overridden by your rights and interests.

Vital Interests: In rare circumstances, where processing is necessary to protect the vital interests of a data subject (this is unlikely to arise in the normal course of MfunL’s business but is acknowledged for completeness).

Under the DPDP Act, 2023, once its consent and notice framework is fully operative, MfunL will issue a notice to data principals clearly describing the personal data being collected and the purpose of processing, and will obtain free, specific, informed, and unambiguous consent before processing personal data. We will update our systems and processes accordingly when the relevant rules are notified.

6. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies. A cookie is a small text file stored on your device when you visit a website. We use the following categories:

Essential / Strictly Necessary Cookies These are required for the website to function and cannot be switched off. They include session cookies, security tokens, and load-balancing cookies. No personally identifiable information is stored in these cookies.

Analytics Cookies We use Google Analytics 4 to collect aggregated, anonymised data about how visitors use our website — which pages are visited most, how long visitors stay, where they come from, and what actions they take. This helps us improve the website and our content. You may opt out of Google Analytics tracking by installing the Google Analytics Opt-Out Browser Add-on available at tools.google.com/dlpage/gaoptout.

Advertising and Remarketing Cookies We use Google Ads conversion tracking and the Meta Pixel to:

• Measure whether website visitors take desired actions after clicking on our ads
• Build remarketing audiences to serve relevant ads to people who have previously visited our website
• Track which campaigns are generating enquiries and leads for us

These cookies involve data being shared with Google LLC and Meta Platforms Inc., each of which has its own privacy policy governing that data.

Functional Cookies These remember your preferences (such as language, form inputs, or chat settings) to improve your experience.

Third-Party Embedded Content Our website may embed content from YouTube, Instagram, or LinkedIn. These platforms may set their own cookies when such content is loaded. We do not control those cookies.

You may manage or disable non-essential cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling cookies may affect the functionality of parts of our website.

Where required by law (including for users in the EU or other jurisdictions with explicit cookie consent requirements), we will display a cookie consent banner on first visit and will not activate non-essential cookies until your consent is given.

7. How We Use Your Information

We use the personal data we collect for the following purposes:

• To respond to your enquiries and provide information about our services
• To onboard clients and set up service engagements
• To plan, execute, monitor, report on, and optimise digital marketing campaigns
• To design, develop, and manage websites and digital platforms for clients
• To generate, capture, track, distribute, and report on patient leads on behalf of clients
• To train client teams on lead follow-up, conversion, and appointment management
• To send invoices, receipts, service updates, performance reports, and business communications
• To manage and resolve any complaints, disputes, or legal proceedings
• To comply with applicable legal, regulatory, and tax obligations
• To improve our services, internal processes, and website through analytics and feedback
• To conduct market research and develop new service offerings
• To protect the security and integrity of our systems and client data
• To verify the identity and credentials of prospective clients and partners

We will not use your data for automated decision-making that produces legal or similarly significant effects on you without your knowledge.

We will not use your data for purposes that are incompatible with those listed above without giving you prior notice and, where required, obtaining fresh consent.

8. Data Sharing and Disclosure

We do not sell, rent, barter, or trade your personal data to any third party under any circumstances.

We may share your data only in the following limited and defined circumstances:

Advertising Platforms: Personal data (including custom audiences, pixel data, and conversion events) may be shared with Google LLC and Meta Platforms Inc. for the purpose of running, measuring, and optimising ad campaigns. These companies operate under their own privacy frameworks, including Google’s Privacy Policy (policies.google.com/privacy) and Meta’s Data Policy (facebook.com/privacy/policy).

Analytics and Marketing Technology Tools: Data may be processed by tools such as Google Analytics, Google Tag Manager, Meta Business Suite, WhatsApp Business API providers, CRM platforms (such as Zoho, HubSpot, or similar), and call tracking or IVR systems used for lead management. All such tools are selected with data security in mind.

Authorised Personnel: Access to personal data is restricted to MfunL employees, contractual staff, and freelancers who need it to deliver the relevant services. All such individuals are bound by confidentiality obligations.

Client Healthcare Providers: Patient lead data and enquiry information is shared with the relevant healthcare client on whose behalf it was collected. The client is then responsible for handling the patient interaction in compliance with applicable professional and data protection obligations.

Legal and Regulatory Requirements: We may disclose data where required by Indian law, a court order, a direction from a competent regulatory authority, or where we reasonably believe disclosure is necessary to prevent a crime, protect national security, or protect the vital interests of any person.

Business Transfers: In the event that MfunL undergoes a merger, acquisition, restructuring, or sale of all or a substantial part of its business, personal data held by us may be transferred to the acquiring or successor entity. We will notify affected individuals of any such transfer and ensure that the successor entity is bound by equivalent privacy protections.

Professional Advisors: We may share data with our lawyers, accountants, auditors, and insurers where necessary, subject to professional confidentiality obligations.

9. International Data Transfers

MfunL is based in India and processes data primarily within India. However, in the course of using advertising platforms (Google, Meta), analytics tools, and cloud services, your data may be transferred to and processed in servers located outside India, including in the United States and other countries.

Where such transfers occur, they are governed by the terms of the relevant platform (Google, Meta, etc.), which operate under approved data transfer mechanisms including Standard Contractual Clauses and adequacy frameworks where applicable.

If you are located in the EU or EEA and have concerns about the transfer of your data outside those territories, please contact us at info@mfunl.com and we will provide further information about the specific safeguards in place.

10. Your Rights as a Data Subject

Subject to applicable law, you have the following rights in respect of your personal data held by us:

Right of Access: You may request a copy of the personal data we hold about you and information about how we process it.

Right to Correction: You may request that inaccurate, incomplete, or outdated personal data be corrected or updated.

Right to Deletion (Right to be Forgotten): You may request the deletion of your personal data where it is no longer required for the purposes for which it was collected, or where you have withdrawn consent. We may retain certain data where required by law or for legitimate business purposes such as maintaining financial records.

Right to Withdraw Consent: Where our processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing. Withdrawal may affect our ability to continue delivering services.

Right to Data Portability: You may request that we provide your personal data in a structured, commonly used, and machine-readable format, where technically feasible.

Right to Object: You may object to our processing of your data for direct marketing purposes at any time, and we will cease such processing immediately upon receiving your objection.

Right to Grievance Redressal: You have the right to raise a complaint about our data handling practices with our designated Grievance Officer (see Section 14).

Right Under the DPDP Act: Once the DPDP Act’s provisions are fully operative, you will additionally have the right to nominate a person to exercise your data rights on your behalf in the event of your death or incapacity, and the right to approach the Data Protection Board of India with complaints that remain unresolved after our internal grievance process.

To exercise any of these rights, write to us at info@mfunl.com. We will acknowledge your request within 48 hours and resolve it within 30 days. For complex requests, we may require up to an additional 30 days, in which case we will notify you of the extended timeline and the reason for it.

11. Data Security

We implement technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, and destruction, in compliance with Rule 8 of the SPDI Rules and the relevant schedule thereto. Our security measures include:

• SSL/TLS encryption for all data transmitted through our website and campaign platforms
• Role-based access controls ensuring that only authorised personnel access specific categories of data
• Password-protected systems with regular mandatory password updates
• Two-factor authentication on critical platforms and accounts
• Restricted physical access to office systems containing client and lead data
• Regular internal reviews of data access logs and system security
• Contractual confidentiality obligations on all employees, contractors, and freelancers handling personal data
• Data minimisation practices — we collect only what we need and retain it only as long as necessary

While we take every reasonable precaution, no digital system is completely immune from security incidents. In the event of a data breach that is likely to result in risk to your rights and interests, we will notify you and, where required by law, the relevant regulatory authority, within the timeframe prescribed under applicable law.

You are also responsible for safeguarding any login credentials, access links, or platform account details shared with you or generated in the course of our service engagement.

12. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. Our general retention schedule is as follows:

• Website enquiry and contact data from non-clients: 2 years from the date of last interaction, after which it is securely deleted or anonymised
• Client onboarding and business correspondence data: 7 years from the end of the engagement, to comply with applicable tax, company law, and limitation period requirements
• Executed contracts and service agreements: 10 years from the date of execution or expiry, whichever is later
• Campaign performance data and ad account records: 5 years from the end of the relevant campaign period
• Patient lead data processed on behalf of clients: As agreed with the client in the applicable data processing terms, and deleted or returned upon termination of the engagement
• Website analytics data (Google Analytics): Up to 26 months, as per default Google Analytics retention settings, unless adjusted
• Employee and contractor data: As required under applicable labour and tax laws, typically 8 years from the end of employment or engagement

Where data must be retained beyond these periods for legal, regulatory, or litigation purposes, it will be retained only for as long as that specific requirement persists and will not be used for any other purpose during that extended retention period.

At the end of the applicable retention period, data will be securely deleted or permanently anonymised so that it can no longer be associated with any individual.

13. Healthcare Data, Regulatory Compliance, and Telemedicine

Given that MfunL operates exclusively in the healthcare sector, the following additional data handling principles apply:

Medical Advertising Compliance: All campaign content and marketing materials produced by MfunL are intended to comply with the Drugs and Magic Remedies (Objectionable Advertisements) Act, 1954, the NMC (National Medical Commission) Regulations on medical advertising, and the advertising policies of Google and Meta as they apply to healthcare and pharmaceutical content. The ultimate responsibility for the accuracy and legality of medical claims rests with the client.

Telemedicine: Where our clients offer telemedicine services, patient data collected through MfunL’s lead generation campaigns may involve patients seeking online consultations. MfunL’s role is limited to generating the initial enquiry lead. The actual telemedicine consultation and associated clinical data are governed entirely by the client’s own data handling practices and the Telemedicine Practice Guidelines issued by the Board of Governors of the Medical Council of India (2020), as updated by the NMC. MfunL does not participate in or have access to telemedicine consultation data.

Children’s Data: MfunL’s marketing campaigns on behalf of healthcare clients are directed at adult patients or the parents and guardians of minor patients. We do not knowingly collect personal data directly from children under the age of 18. Where a parent or guardian submits an enquiry on behalf of a minor child, only the parent or guardian’s contact details are processed by MfunL. If we become aware that data of a minor has been collected without appropriate consent, we will delete it promptly.

Google Healthcare Advertising Policies: MfunL manages Google Ads campaigns for healthcare clients and is aware of Google’s sensitive healthcare category restrictions, including restrictions on targeting based on health conditions, restrictions on certain pharmaceutical advertising, and requirements for certification in regulated healthcare ad categories. All campaigns are managed in compliance with these policies to the extent within MfunL’s control as an agency.

Meta Healthcare Advertising Policies: Similarly, MfunL manages Meta (Facebook and Instagram) campaigns in compliance with Meta’s policies on health and wellness advertising, including restrictions on targeting based on health-related interests and the use of sensitive health data in custom audiences.

14. Grievance Officer

In accordance with Rule 5(9) of the SPDI Rules, Section 23 of the Information Technology Act, 2000, and in anticipation of the Consent Manager and grievance framework under the DPDP Act, 2023, MfunL has designated a Grievance Officer to receive and resolve complaints and grievances regarding the collection, use, or processing of personal data.

Grievance Officer: Mr. Kuntal Chatterjee Designation: Chief Executive Officer, MfunL Address: P-534, Raja Basanta Roy Road, 3rd Floor, Near Southern Avenue, Lake Kali Bari, Kolkata – 700029, West Bengal, India Email: info@mfunl.com Phone: +91 8336920676

Complaints or grievances may be submitted in writing by email or post. We will acknowledge receipt within 24 hours and resolve or respond substantively within 30 days of receipt of the complaint.

If you are not satisfied with the resolution provided by our Grievance Officer, you may, upon the full operationalisation of the DPDP Act, approach the Data Protection Board of India as established under Section 18 of that Act.

15. Third-Party Links and Embedded Content

Our website may contain links to external websites, social media profiles, YouTube videos, news articles, and other third-party resources. This Policy does not apply to those external platforms. Each third-party website or platform has its own privacy policy and data handling practices. We encourage you to review those policies before submitting any personal data to a third-party site. MfunL is not responsible for the privacy practices, content, data handling, or security of any external website or platform.

16. Changes to This Policy

We review and update this Privacy Policy periodically to reflect changes in our data handling practices, applicable law, or regulatory guidance. Material changes will be reflected on this page with an updated “Last Updated” date at the top. Where material changes affect existing clients or data subjects, we will endeavour to provide direct notice by email. Continued use of our website or services following any update constitutes your acceptance of the revised Policy. We encourage you to check this page periodically.

17. Contact for Privacy Matters

For any questions, requests, or concerns regarding this Privacy Policy or our data handling practices, please contact:

MfunL Healthcare Digital Marketing P-534, Raja Basanta Roy Road, 3rd Floor, Near Southern Avenue, Lake Kali Bari, Kolkata – 700029, West Bengal, India Phone: +91 8336920676 / +91 9674605724 Email: info@mfunl.com Website: www.mfunl.com