PRIVACY POLICY — InMode India
InMode India is committed to protecting the privacy, confidentiality, integrity, and lawful management of personal data processed through its digital platform. This Privacy Policy is governed by the Digital Personal Data Protection Act, 2023 (“DPDPA 2023”), the Information Technology Act, 2000, and all applicable Indian data-governance standards.
By accessing, browsing, or interacting with our platform, the User voluntarily agrees to the collection, storage, processing, transfer, and protection of personal data as described herein.
DEFINITIONS (As per DPDPA 2023)
For the purpose of this Policy:
“Personal Data” shall have the meaning assigned under Section 2(t) of the DPDPA, referring to any data that identifies an individual.
“Processing” refers to any operation performed on personal data, including collection, storage, use, transfer, or deletion.
“Data Principal” refers to the individual to whom the personal data relates.
“Data Fiduciary” refers to the entity determining the purpose and means of processing—InMode India, in this context.
CATEGORIES OF DATA WE COLLECT
InMode India collects multiple types of data in accordance with Purpose Limitation under Section 4 of DPDPA. Data categories include:
Identification & Contact Data
Full name
Email address
Mobile number
Clinic or workplace information
Professional & Medical Credentials
Collected voluntarily from doctors, clinicians, or medical professionals:
Medical licence numbers
Registration details
Specialization credentials
Training or certification requirements
Technical & Device Data
Automatically captured through digital systems:
IP address
Device type & model
Operating System
Browser information
Session logs
Digital identifiers
Behavioural & Website Usage Data
Page visits
Clickstream
Time spent
Search activity
Navigation patterns
Communication & Support Records
Inquiry forms
Customer service communication
Emails
Feedback & complaint submissions
Security, System & Compliance Logs
Firewall logs
Access attempts
Suspicious activity flags
Server warnings
Error diagnostics
PURPOSE OF PROCESSING (Section 4 — Purpose Limitation)
Data is processed strictly for lawful and legitimate purposes, including:
Responding to enquiries, product questions, or service requests
Providing device, clinical, or training-related support
Verifying professional identity
Improving the user experience through analytics
Ensuring platform safety, detecting fraud, and preventing misuse
Complying with legal obligations, audits, and regulatory directives
Coordinating with the global InMode Group for technical support
No processing is done beyond the scope necessary for fulfilling legitimate business objectives.
LEGAL BASIS (Section 5 & Section 7, DPDPA)
InMode India processes personal data on the following lawful grounds:
Consent-Based Processing — Section 6 & 7(1)
User consent is obtained through:
Website access
Form submissions
Continued engagement
Legitimate Uses — Section 7(2)
Certain processing does NOT require express consent if it is necessary for:
Platform security
Fraud prevention
Legal compliance
Responding to medical-device related obligations
Contractual Necessity
To fulfil services explicitly requested by the User.
Legal & Regulatory Requirements
As mandated under Indian laws.
DATA SHARING (Section 8, DPDPA)
Personal data is shared only with:
Authorized Service Providers
IT & Cloud operators
Cybersecurity vendors
Communication services
Analytics providers
Global InMode Corporate Group
For lawful business coordination, technical analysis, device-related support, and training validation.
Government Authorities
Disclosures may occur under:
Court orders
Law enforcement requests
Statutory compliance obligations
Data is never sold, traded, or commercially exploited.
CROSS-BORDER TRANSFERS (Section 16, DPDPA)
InMode India may transfer certain personal data to servers or entities located outside India.
Such transfers take place only when:
Lawful purpose exists
Adequate contractual and technical safeguards are in place
Data is encrypted during transfer
Foreign recipients meet equivalent security standards
Cross-border transfers may be essential for cloud hosting, IT support, analytics, product validation, and global reporting.
DATA RETENTION (Section 8(7))
Data is retained only for as long as necessary for:
Delivering requested services
Legal and regulatory requirements
Internal audits
Dispute resolution
Security investigations
After such purposes are fulfilled, data is securely:
Deleted
Archived
Or anonymized
Certain logs (e.g., security logs) may be preserved longer as required by law.
SECURITY MEASURES (Section 8(5))
InMode India employs multi-layered security systems, including:
Encryption (in transit and at rest)
Strict access controls (role-based)
Firewalls and intrusion detection
Continuous threat monitoring
Secure cloud storage environments
Regular vulnerability assessments
Security measures comply with DPDPA and global medical-technology standards.
Breaches caused by User-side vulnerabilities (weak passwords, compromised devices, unsafe networks) do not constitute Company liability.
USER RIGHTS (DPDPA Chapter III — Sections 11 to 14)
Users have the following rights:
Right to Access (Section 11)
Obtain details of personal data being processed.
Right to Correction (Section 12)
Rectify inaccurate, incomplete, or outdated information.
Right to Deletion (Section 12)
Request erasure if data is no longer required.
(Note: Legal & compliance retention may override deletion requests.)
Right to Withdraw Consent (Section 6)
May be exercised at any time.
Right to Grievance Redressal (Section 13)
Submit formal complaints which must be addressed within statutory timelines.
Right to Nominate (Section 14)
Appoint another individual to exercise rights on behalf of the User in case of incapacity.
CONSENT WITHDRAWAL (Section 6)
Withdrawal of consent does not affect the legality of past processing.
After withdrawal:
Certain services may become unavailable
Legally required data cannot be deleted
Record retention obligations remain applicable
DATA BREACH MANAGEMENT (Section 8(6))
In case of any breach likely to cause harm, InMode India will:
Notify the User promptly
Notify the Data Protection Board of India
Begin containment, forensic investigation, and remediation
Secure affected systems
Maintain breach records for compliance
USER RESPONSIBILITIES (Section 15, DPDPA)
Users shall:
Provide true and accurate information
Not impersonate or mislead
Maintain device and credential security
Not attempt unauthorized access
Comply with platform terms
Violation of these duties may attract penalties under Indian law.
POLICY MODIFICATIONS (Section 8(8))
InMode India may update this Privacy Policy due to:
Regulatory changes
Internal policy updates
New digital features
Security improvements
Continued use signifies acceptance of updated terms.
GOVERNING LAW & JURISDICTION
This Policy is governed exclusively by Indian Law, including the DPDPA 2023.
All disputes fall under the jurisdiction of Courts in New Delhi.