Privacy Policy

1. Introduction

The National Healthcare Supply Chain Council (“NHSCC,” “we,” “us,” or “our”) operates the NHSCC Learning Management System accessible at lms.nhscc.in (“Platform”). NHSCC is a not-for-profit organization dedicated to strengthening India’s healthcare supply chain ecosystem through education and professional development.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our Platform, create an account, enroll in courses, or interact with our services. By using the Platform, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Personal Information

When you register, enroll in courses, or contact us, we may collect:

Full name, email address, phone number, and postal address
Professional details: job title, organization name, department, and industry
Account credentials: username and encrypted password
Profile information: photo, bio, and professional certifications
Educational records: course enrollments, progress, quiz scores, and certificates earned

2.2 Payment Information

When you purchase courses, we collect billing details including name, billing address, and payment method. Payment card details are processed directly by our PCI-DSS compliant payment processors (Razorpay/Stripe) and are never stored on our servers.

2.3 Usage Data

We automatically collect technical information including IP address, browser type and version, operating system, device identifiers, pages visited, time spent on pages, referring URLs, and click patterns.

2.4 Cookies and Tracking Technologies

We use cookies, web beacons, and similar technologies to enhance your experience, analyze usage patterns, and deliver personalized content. See our Cookie Policy for detailed information.

3. How We Use Your Information

We use the information we collect for the following purposes:

Service Delivery: To create and manage your account, process enrollments, deliver course content, track progress, issue certificates, and provide customer support.
Communication: To send enrollment confirmations, course updates, certificate notifications, platform announcements, and promotional materials (with your consent).
Analytics & Improvement: To analyze usage patterns, improve course content and platform features, conduct research, and generate anonymized aggregate reports.
Compliance & Reporting: To generate compliance reports for organizations enrolling employees, maintain audit trails for certificate verification, and meet legal obligations.
Security: To detect, prevent, and address fraud, unauthorized access, and other security threats to the Platform.
Legal Obligations: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

4. Legal Basis for Processing

We process your personal data under the following legal bases as applicable under Indian law and the Digital Personal Data Protection Act, 2023:

Consent: Where you have given clear consent for us to process your data for specific purposes.
Contractual Necessity: Processing necessary to fulfill our contractual obligations when you enroll in courses or use our services.
Legitimate Interests: Processing necessary for our legitimate interests such as improving the Platform, fraud prevention, and direct marketing, provided these do not override your fundamental rights.
Legal Obligations: Processing necessary to comply with legal requirements including tax regulations, record-keeping obligations, and regulatory compliance.

5. Data Sharing & Third Parties

We do not sell your personal information. We may share your data with the following categories of third parties:

Payment Processors: Razorpay, Stripe, or similar PCI-DSS compliant processors for secure payment handling.
Cloud Infrastructure: Hosting providers for platform operation and data storage.
Analytics Services: Google Analytics and similar tools for anonymized usage analysis.
Instructors: Limited learner progress data shared with course instructors for educational purposes.
Organizations: If enrolled through a corporate or organizational account, relevant progress and completion data may be shared with your organization’s administrators.
Legal Authorities: When required by law, court order, or governmental regulation.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy. Specifically:

Account data is retained for the duration of your active account plus 3 years after account closure.
Course completion records and certificates are retained indefinitely for verification purposes.
Payment records are retained for 7 years as required by Indian tax and financial regulations.
Usage analytics data is anonymized after 24 months.

You may request deletion of your personal data at any time by contacting us. We will process such requests within 30 days, subject to legal retention requirements.

7. Your Rights

Under the Digital Personal Data Protection Act, 2023 and applicable laws, you have the following rights:

Right to Access: Request a copy of the personal data we hold about you.
Right to Rectification: Request correction of inaccurate or incomplete personal data.
Right to Erasure: Request deletion of your personal data, subject to legal retention requirements.
Right to Data Portability: Request your data in a structured, machine-readable format.
Right to Restrict Processing: Request that we limit how we process your data in certain circumstances.
Right to Object: Object to processing based on legitimate interests or direct marketing.
Right to Withdraw Consent: Withdraw previously given consent at any time without affecting the lawfulness of prior processing.
Right to Grievance Redressal: Lodge a complaint with the Data Protection Board of India.

To exercise any of these rights, contact us at lms@nhscc.in. We will respond within 30 days.

8. Data Security

We implement industry-standard security measures to protect your personal information:

TLS/SSL encryption for all data in transit between your browser and our servers.
AES-256 encryption for sensitive data at rest.
Role-based access controls limiting data access to authorized personnel only.
Regular security audits, vulnerability assessments, and penetration testing.
Secure password hashing using bcrypt with appropriate salt rounds.
Automated backup systems with encrypted offsite storage.
Incident response procedures for prompt handling of security breaches.

While we employ robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

9. Children’s Privacy

The NHSCC LMS is designed for professional and adult learners. We do not knowingly collect personal information from individuals under the age of 18. If you are under 18, you may only use the Platform with the involvement and consent of a parent or legal guardian. If we learn that we have collected personal data from a child without proper consent, we will take steps to delete that information promptly.

10. International Data Transfers

Your personal data is primarily stored and processed on servers located in India. In certain cases, data may be processed by third-party service providers located outside India. When such transfers occur, we ensure appropriate safeguards are in place, including contractual clauses that require the receiving party to maintain the same level of data protection.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on this page with a revised “Last Updated” date. For significant changes, we may also notify you via email or a prominent notice on the Platform. Your continued use of the Platform after changes constitutes acceptance of the updated policy.