Privacy Policy

How Saxsons Healthcare Pvt. Ltd. collects, uses, retains and protects personal data on saxsons.com.

Effective: 27 June 2026  ·  Last updated: 27 June 2026

In one paragraph

We collect the minimum personal data needed to respond to your quote and partnership enquiries, send brochures you request, run your Saxsons account, and verify that the requests we receive are from real medical professionals rather than competitors or bots. We do not sell your data, we do not run advertising on this site, and we use a short, fixed list of processors (named below) to send email, geolocate IP addresses, cross-check professional identity, and measure aggregate traffic. You can ask us to access, correct or delete your data at any time by writing to saxsons@saxsons.com.

1. Who we are

This website (saxsons.com) is operated by Saxsons Healthcare Pvt. Ltd., a company registered in India. Where this policy uses "we", "us" or "our", it refers to that legal entity.

WH-88, Mayapuri Industrial Area, Phase-1
New Delhi — 110064, India
Phone: +91 11 4077 6666
Email: saxsons@saxsons.com

For the purposes of India's Digital Personal Data Protection Act, 2023 (DPDP Act), we act as the Data Fiduciary for the personal data collected via this website.

2. What personal data we collect

The data we hold falls into four buckets. The form fields we ask for are listed against each.

2.1  Data you actively give us

  • Quote requests — name, institutional email, mobile number, hospital / institution, designation, role, postal address, and the items + message you submit.
  • Brochure requests — name, institutional email, mobile number, hospital, plus the brochure you asked for.
  • Account registration — the same fields as a quote, plus your chosen password (stored only as a scrypt hash — never in plain text) and your newsletter opt-in choice.
  • Partnership and contact enquiries — whatever you choose to send via the contact form or directly by email.

2.2  Data your browser sends automatically

  • Your IP address and an approximate geolocation derived from it (country, region, city, latitude / longitude, internet service provider).
  • Browser user-agent, the page you visited, and the referring URL (if any).
  • A short, anonymous behaviour fingerprint kept in your browser tab's sessionStorage only — it records whether you scrolled, moved the mouse, focused a form, and how many product pages you viewed. It is cleared when you close the tab.
  • Cloudflare Turnstile may run a transparent browser check to confirm you are not an automated script. This does not show a CAPTCHA in most cases.

2.3  Verification signals (only on submit)

  • The SSL/TLS certificate subject of the email domain you submitted, and the WHOIS / RDAP registration age of that domain.
  • A one-time public-profile lookup (LinkedIn) for the name + employer domain pair, to cross-check that the person and hospital plausibly exist.
  • One or more one-time codes sent to your email and/or mobile number when OTP verification is enabled on a form.
  • For quote requests, an optional geocoding of the address you provided (via Google Maps) so we can flag implausibly distant addresses.

2.4  Cookies & local storage

  • saxsons_sid — an HttpOnly, Secure, SameSite=Lax cookie that identifies your logged-in session. Idle window 30 minutes; absolute lifetime 8 hours from login.
  • _ga, _ga_* — first-party Google Analytics 4 cookies used to measure aggregate traffic (see 4.1). The script is loaded with anonymize_ip=true so Google does not see your full IP.
  • localStorage — your local quote basket items (kept in your browser only; never sent to us until you submit the quote form). We also store a random, anonymous client_id (UUID) so the access log can group page views from the same browser; it contains no PII and can be cleared by deleting your site data.
  • sessionStorage — the anonymous behaviour fingerprint described in 2.2 plus a per-tab session_id (UUID). Both are dropped when the tab closes.

We do not knowingly collect data from children under 18. This site is intended for healthcare professionals, medical institutions and procurement teams.

3. Why we collect it

For each purpose below, the lawful basis under the DPDP Act is shown in italics.

Purpose | Lawful basis
Respond to your quote, brochure or partnership enquiry | Consent (you submitted the form)
Run your Saxsons account — sign-in, sessions, password reset | Consent
Verify that submissions come from real hospital staff (fraud / competitor probing) | Legitimate interests of the operator
Aggregate traffic analytics (GA4) and access logging for security & debugging | Legitimate interests
Send the Saxsons newsletter | Consent (opt-in checkbox at registration)
Comply with tax, AERB / CDSCO records and other legal duties | Legal obligation

4. Who we share data with

We do not sell personal data. We share the minimum needed with the following processors, each bound by their own published terms and (where applicable) Indian or EU data-protection regimes.

4.1  Google Analytics 4

Aggregate traffic measurement (page views, devices, broad geo). Loaded with anonymize_ip=true; Google does not receive your full IP. No remarketing, no advertising integration. Google privacy policy →

4.2  Resend (transactional email)

Sends the quote / brochure / OTP / account emails between you and our sales team. Your email address and message body pass through Resend's infrastructure. Resend privacy policy →

4.3  Cloudflare Turnstile

Transparent anti-bot check on forms. Cloudflare receives the page URL and minimal browser signals required to score the request. Cloudflare privacy policy →

4.4  ip-api.com (IP geolocation)

Resolves your IP address into country / region / city / ISP for the access log and the anti-fraud score. IP-only payloads, no other identifiers. ip-api legal →

4.5  Google Maps Geocoding API

Used only when you submit a quote, to geocode the postal address you typed and flag implausibly distant submissions. Google privacy policy →

4.6  Proxycurl (LinkedIn cross-check)

On quote / registration submit, resolves your name + employer-domain pair to a public LinkedIn profile to cross-check that the requester plausibly exists. Public-profile data only. Proxycurl privacy policy →

4.7  MSG91 (SMS OTP)

Delivers the SMS one-time code when mobile OTP is enabled. Your mobile number and the code body are passed to MSG91 (a DLT-registered Indian SMS gateway). MSG91 privacy policy →

Some of these processors are based outside India. Where personal data is transferred internationally, we rely on the processor's published contractual safeguards and, where applicable, the Central Government's notified list of permitted destinations under section 16 of the DPDP Act.

5. How long we keep data

Data category | Retention
Quote / brochure / contact emails in the sales inbox | As long as the commercial relationship is live, plus 7 years for tax / audit purposes
Account record (registered users) | Until you ask us to delete it, or 24 months of inactivity
Login sessions | Idle 30 min; hard cap 8 hr from login; auto-pruned hourly
First-party page-view log (IP + geolocation + path) | 180 days, then auto-deleted
Google Analytics 4 (Google-side) | Per Google's default property settings (currently 14 months for event data)
One-time codes (OTP) | 10 minutes (then expired and discarded)
Web server access logs (nginx) | 14 days rolling, on the application server only

6. Your rights under the DPDP Act

You can exercise any of the rights below by emailing saxsons@saxsons.com with the subject line "DPDP Request — <your right>". We will acknowledge within 7 days and respond on substance within 30 days.

  • Right to access — receive a summary of the personal data we hold about you and how it is used.
  • Right to correction — have inaccurate or incomplete data corrected or completed.
  • Right to erasure — have your account and the personal data we hold about you deleted, subject to any legal-retention obligations (e.g. tax records).
  • Right to withdraw consent — for any processing based on consent. Withdrawal does not affect the lawfulness of past processing.
  • Right to grievance redressal — raise a complaint with us first; if unresolved, you may approach the Data Protection Board of India.
  • Right to nominate — nominate another person to exercise these rights in the event of your death or incapacity.

7. Newsletter & marketing

The newsletter is strictly opt-in. The checkbox is unchecked-by-default for non-account submissions and explicitly shown at registration. Every newsletter email contains a one-click unsubscribe link. We do not sell or rent your email address to third parties, and we do not use your details for behavioural advertising.

8. Security

  • The site is served exclusively over HTTPS with TLS 1.2+.
  • Passwords are stored only as scrypt hashes (with per-user salt) — never in plain text.
  • Account session cookies are HttpOnly, Secure, SameSite=Lax, with a 30-minute idle window and an 8-hour absolute lifetime.
  • Admin approve / reject / set-password links are short-lived HMAC-signed tokens, scoped to a single action.
  • Per-IP rate-limits and Cloudflare Turnstile defend the public form endpoints against scripted abuse.
  • Local SQLite databases hold user records and the access log; backups are taken offline and access is restricted to authorised staff.

No system can be 100% secure. If we ever become aware of a personal-data breach that is likely to result in harm to you, we will notify you and the Data Protection Board of India per section 8(6) of the DPDP Act.

9. Grievance Officer

In line with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the DPDP Act, you can contact our Grievance Officer for any privacy concern:

Grievance Officer — Saxsons Healthcare Pvt. Ltd.
WH-88, Mayapuri Industrial Area, Phase-1, New Delhi — 110064, India
Email: saxsons@saxsons.com
Phone: +91 11 4077 6666

10. Changes to this policy

We may update this policy as our processing changes or as the regulatory landscape evolves. The "Last updated" date at the top reflects the current version. Material changes will be highlighted on this page for at least 30 days, and registered users will be notified by email.