OpenAccess

Data Protection & Security Policy

Last updated: August 2025

1. Purpose

This policy outlines how OpenAccess safeguards personal and health-related information in compliance with GDPR, HIPAA, and India’s DPDP Act.

2. Data Governance

  • Data Controller: ThinkRoman Ventures LLP (via OpenAccess)
  • DPO Contact: admin@thinkroman.com
  • Processing Principles: Lawful, Fair, Transparent, Purpose-limited, Minimization, Accuracy, Storage-limited, Integrity, Confidentiality

3. Security Measures

  • End-to-end encryption of sensitive health data
  • Zero-trust access controls and multi-factor authentication
  • Segregated environments for development and production
  • 24×7 monitoring and intrusion detection
  • Regular penetration testing and audits

4. Data Retention & Disposal

  • Account & session data: retained while the account is active and for 24 months after closure
  • Health assessments: retained 5 years (unless deletion is requested earlier)
  • Audit logs: retained for as long as compliance requires (6 years under HIPAA)
  • Secure destruction: cryptographic erasure (destruction of the encryption keys) or physical destruction of storage media

5. Incident Response

  • Notification to the competent supervisory authority within 72 hours of becoming aware of a personal data breach (GDPR Art. 33), and to other regulators where required
  • Notification to affected users without undue delay where the breach is likely to result in a high risk to them (GDPR Art. 34), and within the timelines HIPAA or the DPDP Act require for the data concerned
  • Root cause analysis and remediation plan

6. Subprocessors

Vetted vendors for hosting, analytics, telehealth, and communications. Updated list available at /legal/subprocessors.

7. User Responsibilities

  • Maintain strong passwords and keep credentials confidential
  • Do not share account access with unauthorized users

8. Regulatory Alignment

  • GDPR/UK GDPR: data subject rights, Standard Contractual Clauses (SCCs) for international transfers
  • HIPAA: PHI handling in U.S. telehealth modules
  • India DPDP Act: explicit consent, storage within India where required
  • CCPA/CPRA: “Do Not Sell/Share” covered in cookie & advertising preferences

9. Contact

For privacy or security concerns, email admin@thinkroman.com.