Privacy Policy — Kathmandu Cancer Center

1

Who We Are

This Privacy Policy applies to Kathmandu Cancer Center Pvt. Ltd. ("KCC", "we", "us", "our"), a private cancer hospital registered with the Government of Nepal, Ministry of Health and Population. Our registered address is:

Kathmandu Cancer Center
Nala Road, Tathali, Bhaktapur, Nepal
City Clinic: New Baneshwor, Kathmandu
Email: [email protected]
Phone: 01-5091629

This policy covers data collected through our website at kccrc.org, our WhatsApp channels, phone consultations, in-person registration, and any digital service operated by KCC.

Governing law: This policy is governed by the Nepal Individual Privacy Act 2018 (Byaktigat Gupta Ain 2075) and reflects the principles of the EU General Data Protection Regulation (GDPR) for international patients who access our services from within the European Economic Area.

2

What Data We Collect

2.1 Information you provide directly

Name, age, gender, contact details (phone, email, address)
Medical history, symptoms, diagnoses, test reports shared with us
Information submitted via WhatsApp, phone calls, or web contact forms
Feedback, complaints, or survey responses
Payment and insurance information for billing purposes

2.2 Information collected automatically

Browser type, device type, and operating system
Pages visited on kccrc.org, time spent, and navigation paths
IP address (anonymised for analytics)
Referring website (how you found us)

We use Google Analytics for website analytics. Google Analytics collects anonymised usage data. We do not enable Google Analytics' advertising features or demographic tracking. We do not collect sensitive personal data through cookies or tracking.

2.3 Special category data (medical information)

Medical and health information is classified as special category data under Nepal law and GDPR. We collect this only when you voluntarily share it with us for the purpose of receiving or arranging medical care. We apply the highest level of protection to this category of information.

3

How We Use Your Data

We use the information we collect for the following purposes:

To provide, arrange, or coordinate cancer diagnosis and treatment
To communicate with you about appointments, test results, and care plans
To maintain accurate medical records as required by Nepal law
To process payments and insurance claims
To respond to enquiries, complaints, and feedback
To improve the quality and safety of our clinical services
To conduct anonymised medical research and publish findings (no individual patient is identifiable in published research without explicit consent)
To comply with legal obligations under Nepal health regulations
To analyse website usage and improve our online services

We do not use your personal data for marketing to third parties. We do not sell, rent, or trade your information to any external organisation for commercial purposes.

4

Medical Records

All medical records created during your care at KCC are maintained in accordance with the Nepal Medical Records Regulations and the standards of the Nepal Medical Council.

Records are stored securely with access restricted to treating clinical staff
Physical records are stored in locked, access-controlled environments
Digital records use password-protected systems with audit trails
Records are not shared with other healthcare providers without your consent, except in genuine medical emergencies or where required by law
You have the right to request a copy of your medical records at any time (see Section 8 — Your Rights)

If you share medical reports, scans, or test results with KCC via WhatsApp or email, these are treated with the same confidentiality as in-person medical records.

5

Who We Share Your Data With

We do not share your personal or medical information with third parties except in the following specific circumstances:

Clinical referrals: If your care requires referral to another hospital or specialist, we share relevant medical information with your knowledge and consent.
Laboratory and diagnostic services: Test samples and associated information may be sent to accredited diagnostic laboratories under strict confidentiality agreements.
Insurance and government schemes: We share information required to process claims under Nepal health insurance or government subsidy programmes, with your consent.
Legal obligation: We may disclose information if required by a court order, Nepal government authority, or to prevent serious harm.
Medical research: Anonymised, de-identified data may be used in aggregate research. No individual patient is identifiable.
Website analytics: Anonymised usage data is processed by Google Analytics (Google LLC). Google's privacy policy applies to this processing.

We do not transfer personal data outside Nepal except for anonymised analytics data processed by Google Analytics on servers outside Nepal.

6

Cookies & Analytics

Cookies are small text files stored on your device by your browser. KCC uses cookies only for the following purposes:

Analytics cookies (Google Analytics): To understand how visitors find and use our website. We use anonymised IP addresses. We do not use advertising or remarketing cookies.
Functional cookies: To remember your language preference (Nepali or English) between visits.

We do not use tracking cookies, advertising cookies, or cookies that identify you personally. You may disable cookies in your browser settings at any time without affecting your ability to use this website.

7

WhatsApp & Messaging Communications

KCC uses WhatsApp (+977 9818-226237) as a primary communication channel for appointment booking, report review, and patient guidance.

Messages and medical reports you send to KCC on WhatsApp are received by authorised clinical and administrative staff only.
WhatsApp communications are subject to WhatsApp's own privacy policy (Meta Platforms, Inc.). End-to-end encryption applies to individual messages.
KCC does not initiate unsolicited WhatsApp messages.
If you prefer not to use WhatsApp, all services are also available by phone (01-5091629) or email ([email protected]).

8

Your Rights

Under the Nepal Individual Privacy Act 2018 and aligned international standards, you have the following rights regarding your personal data:

Your data rights at KCC

Right of access — request a copy of the personal data we hold about you
Right to rectification — request correction of inaccurate or incomplete data
Right to erasure — request deletion of data we hold, subject to legal retention requirements for medical records
Right to portability — receive your data in a structured, readable format
Right to restrict processing — request we limit how we use your data in specific circumstances
Right to object — object to processing for research or statistical purposes
Right to withdraw consent — withdraw consent at any time where processing is based on consent
Right to complain — lodge a complaint with Nepal's relevant data protection authority

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. Medical record requests may take longer due to clinical verification requirements.

For EU/EEA residents: You also have the right to lodge a complaint with your local Data Protection Authority if you believe your GDPR rights have been violated.

9

Children's Privacy

KCC provides cancer care to patients of all ages, including children. For patients under 18 years of age:

Medical decisions and consent are managed by a parent or legal guardian
Personal and medical data for minors is treated with additional care and restricted access
We do not knowingly collect data from minors via this website independently of their clinical care
If you believe we have inadvertently collected data about a child without appropriate parental consent, please contact us immediately

10

Data Retention

Medical records: Retained for a minimum of 10 years after last clinical contact, as required by Nepal medical regulations. Paediatric records are retained until the patient reaches age 28.
Enquiry and contact data: Retained for 2 years after last contact, then securely deleted.
Website analytics data: Anonymised aggregate data retained for 26 months in Google Analytics (standard retention period).
Financial and billing records: Retained for 7 years as required by Nepal tax regulations.

After retention periods expire, data is securely deleted or anonymised so that individuals cannot be identified.

11

Data Security

We implement appropriate technical and organisational measures to protect your personal and medical information against unauthorised access, disclosure, alteration, or destruction:

Physical records stored in locked, access-controlled facilities
Digital systems protected by passwords, access controls, and audit logging
Staff training on patient confidentiality and data protection obligations
Website served over HTTPS (TLS encryption)
WhatsApp end-to-end encryption for messaging communications

No method of transmission over the internet is 100% secure. If you believe your data has been compromised, please contact us immediately at [email protected].

12

Contact & Complaints

For any privacy-related question, data access request, or complaint, contact our Data Protection Officer:

Data Protection Officer
Kathmandu Cancer Center Pvt. Ltd.
Nala Road, Tathali, Bhaktapur, Nepal
Email: [email protected]
Phone: 01-5091629
Response time: within 30 days

If you are not satisfied with our response, you may escalate your complaint to the National Information Commission of Nepal or, for EU/EEA residents, your local Data Protection Authority.

This policy was last updated in January 2025. We reserve the right to update this policy at any time. Material changes will be notified via a notice on our website homepage.