Global Clinic Docs v1.0

5. Legal, Compliance and Policy Documentation

Not legal advice. This section documents the platform's policy posture and the compliance requirements the product must satisfy. It is written to guide product, operations and engineering. It is not legal advice and does not substitute for review by qualified counsel in each operating jurisdiction. Final policy text must be approved by counsel before publication. Several controls below are Planned: the compliance backbone is specified but not yet built.

Global Clinic is a facilitator, not a medical provider. It coordinates cross-border care; it does not practise medicine, employ the treating clinicians, or make clinical decisions. Clinical responsibility rests with the treating hospital and surgeon. This framing is not merely marketing: it determines liability, advertising rules and consent design, and it must be enforced consistently in product copy, contracts and operations. The public footer already states "Facilitator, not a provider"; every surface must reinforce it.

5.2 Terms and conditions

The Terms of Service govern the relationship between Global Clinic and patients, and a separate Partner Agreement governs the relationship with clinics. The Terms must cover, at minimum:

  • Nature of service. Global Clinic coordinates and facilitates; it does not provide medical treatment and is not liable for clinical outcomes, which are the responsibility of the treating provider.
  • Indicative pricing. All prices shown before a formal quote are estimates, not guarantees. The binding figures are those in an accepted, itemised quote.
  • Escrow and payments. How funds are held, the milestone-release schedule, refund rights (full pre-arrival), currency handling, and the auditable ledger.
  • Cancellation and refunds. The refund schedule by journey stage, disclosed before any payment.
  • Visa facilitation. Global Clinic assists with documentation and the invitation letter but does not guarantee a visa grant; the decision rests with the government authority.
  • Travel. Travel options are indicative and booked through regulated partners; liability for travel disruption sits with the carrier or provider.
  • Limitation of liability and dispute resolution, governing law, and the complaints process.
  • Acceptable use and account responsibilities.

Clinics additionally agree to: accreditation and credentialing obligations, the empanelment standards owned by the Medical Director, milestone confirmation duties for escrow release, the verified-reviews policy (no suppression of genuine negative reviews), and the compliance boundaries in 5.7.

The platform processes sensitive personal data, including health data, identity documents and financial information, across borders. Privacy is built on explicit, purpose-specific consent and a recorded consent history.

Consent requirements:

  • Explicit, informed, purpose-bound consent is captured before processing health records, before sharing records with a specialist or hospital, and before any cross-border transfer.
  • Granular consent: separate consents for clinical review, for sharing with a specific hospital, for travel and visa processing, and for marketing follow-up. Marketing consent is never bundled with service consent.
  • A consent ledger (Planned) records every grant and withdrawal with actor, timestamp, purpose and scope, and is the system of record for audits.
  • Withdrawal is always available and stops the relevant processing prospectively.
  • Attendant and family data is processed only with the relevant person's consent.
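The consent ledger and prospective-withdrawal rule above, as an added illustration in Python (not code from the Global Clinic product); the purpose names, the hospital ids and the "*" catch-all scope are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum

class Purpose(Enum):
    CLINICAL_REVIEW = "clinical_review"
    SHARE_WITH_HOSPITAL = "share_with_hospital"  # scope is the hospital id
    TRAVEL_VISA = "travel_visa"
    MARKETING = "marketing"

@dataclass(frozen=True)
class ConsentEvent:
    actor: str          # who recorded the event (patient or staff id)
    at: datetime        # UTC timestamp of the grant or withdrawal
    purpose: Purpose    # exactly one purpose per event (granular consent)
    scope: str          # e.g. a hospital id, or "*" where no narrower scope applies
    granted: bool       # True = grant, False = withdrawal

def capture(ledger, actor, at, purposes, scope="*"):
    """Append one event per purpose. Marketing consent is never bundled with
    service consent, so a form that ticks marketing alongside anything else is rejected."""
    if Purpose.MARKETING in purposes and len(purposes) > 1:
        raise ValueError("marketing consent must be captured on its own")
    for purpose in purposes:
        ledger.append(ConsentEvent(actor, at, purpose, scope, granted=True))

def withdraw(ledger, actor, at, purpose, scope="*"):
    ledger.append(ConsentEvent(actor, at, purpose, scope, granted=False))  # append-only ledger

def is_permitted(ledger, purpose, scope, at):
    """True if the latest event for (purpose, scope) at or before `at` is a grant.
    Withdrawal is prospective: it blocks later processing, not processing already done."""
    latest = None
    for e in ledger:
        if e.purpose is purpose and e.scope == scope and e.at <= at and (latest is None or e.at >= latest.at):
            latest = e  # later-appended entries win timestamp ties
    return latest is not None and latest.granted

def demo():
    # Constructed scenario: patient p-1 consents to review and to sharing with one hospital,
    # then withdraws the hospital share three hours later.
    ledger = []
    t = lambda h: datetime(2024, 3, 1, h, 0, tzinfo=timezone.utc)
    capture(ledger, "p-1", t(9), [Purpose.CLINICAL_REVIEW])
    capture(ledger, "p-1", t(9), [Purpose.SHARE_WITH_HOSPITAL], scope="hosp-A")
    withdraw(ledger, "p-1", t(12), Purpose.SHARE_WITH_HOSPITAL, scope="hosp-A")
    return {
        "share_A_before": is_permitted(ledger, Purpose.SHARE_WITH_HOSPITAL, "hosp-A", t(10)),
        "share_A_after": is_permitted(ledger, Purpose.SHARE_WITH_HOSPITAL, "hosp-A", t(13)),
        "share_B": is_permitted(ledger, Purpose.SHARE_WITH_HOSPITAL, "hosp-B", t(10)),
        "review": is_permitted(ledger, Purpose.CLINICAL_REVIEW, "*", t(13)),
    }
```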

5.4 Medical disclaimer requirements

Every surface that presents clinical or pricing information must carry the appropriate disclaimer:

  • No medical advice. Content on the platform (treatment descriptions, opinions surfaced from specialists, care plans) is for information and coordination. It is not a substitute for in-person medical advice, diagnosis or treatment by a qualified clinician.
  • Opinions are the specialist's. A medical opinion shown in the product is issued by a credentialed specialist at a partner hospital and recorded by Global Clinic; it is not Global Clinic's clinical judgement.
  • No outcome guarantee. Indicative savings, typical stays and recovery timelines are estimates; individual results vary and are determined by the treating provider.
  • Emergencies. The product is not for medical emergencies; patients in an emergency must contact local emergency services. The 24/7 clinical escalation path is for in-journey complications, not a substitute for emergency care.

5.5 Data retention policies

Retention is purpose-bound and corridor-aware. The defaults below are policy targets to be confirmed with counsel per jurisdiction.

Data category | Default retention | Basis
--- | --- | ---
Identity documents | Duration of the active case plus a defined statutory minimum, then deletion or archival | KYC, fraud, legal hold
Medical records and opinions | Retained per the medical-records retention rules of the treating jurisdiction | Clinical and legal obligation
Financial and escrow ledger | Retained per financial-records and anti-money-laundering rules (typically multi-year) | AML, audit, tax
Consent records | Retained for the life of the relationship plus a statutory minimum after closure | Demonstrable compliance
Messages and case notes | Retained for the life of the case plus a defined period | Continuity, dispute resolution
Marketing data | Retained until consent withdrawal or a defined inactivity period | Consent-based
Audit logs | Retained for a long, fixed window appropriate to the highest applicable regime | Security and compliance

Principles: collect the minimum necessary; retain only as long as the purpose or law requires; delete or irreversibly anonymise on schedule; and honour legal holds that pause deletion. Retention timers and automated deletion are Planned.

5.6 HIPAA, GDPR, DPDP and regional compliance

The platform spans multiple regulatory regimes simultaneously. The data model already carries a per-corridor dataRegime field so that handling can vary by corridor.

  • India DPDP Act (Digital Personal Data Protection). The destination jurisdiction. Requires lawful, consented processing, purpose limitation, data-principal rights (access, correction, erasure), breach notification, and obligations on data fiduciaries. The consent ledger and DSAR workflow are designed against DPDP.
  • GDPR (EU and EEA, EU-adjacent patients). Applies to patients in scope. Requires a lawful basis (explicit consent for health data as a special category), data-subject rights, data-protection-by-design, records of processing, cross-border transfer safeguards, and 72-hour breach notification to the supervisory authority.
  • HIPAA (United States). Relevant to US patients and any US-based partners. Where the platform or a partner acts as a covered entity or business associate, Business Associate Agreements, the Privacy and Security Rules, and breach notification apply. For US diaspora cases, continuity with the home provider, and the records exchanged to support it, must follow HIPAA handling.
  • Gulf and African corridors. Corridor-specific data-protection and health-information rules apply (for example Oman's and Kenya's data-protection regimes). The Country Pack encodes the applicable dataRegime and any data-residency constraint.
  • Cross-border transfer. Health and identity data crossing borders requires a documented lawful transfer mechanism and explicit patient consent. Data-residency controls per corridor are Planned and modelled in Country Packs.

Patient data-subject rights (access, correction, deletion, portability, and withdrawal of consent) are delivered through a DSAR workflow (Planned) with identity verification, a tracked SLA, and an auditable response.

5.7 Anti-corruption and medical-ethics boundaries (hard limits)

India's National Medical Commission (NMC) Code of Medical Ethics is explicit and enforced. The product and the commercial model must respect these boundaries:

  • No referral commission to clinicians. A physician must not give, solicit or receive any gift, commission or bonus for referring or procuring a patient.
  • No fee-splitting or rebating of medical fees, directly or indirectly.
  • No use of agents to procure patients by registered medical practitioners.

How the model stays compliant:

  • The platform's commission is a B2B facilitation fee from the hospital, not a payment to any doctor and not a split of the clinical fee.
  • Affiliate payouts are marketing fees from Global Clinic's own margin to non-clinical partners, milestone-gated on an arrived or admitted patient, never on a raw lead, and never paid to clinicians.
  • Medical-advertising compliance (claims, disclosures) is reviewed so that no content implies guaranteed outcomes or constitutes prohibited solicitation.

5.8 Sanctions, AML and high-risk corridors

  • Sanctions and AML screening (Planned) runs on payments and on enhanced-risk corridors. The data model carries a per-corridor riskTier (standard or enhanced).
  • Enhanced-risk corridors receive additional KYC, source-of-funds checks and manual review before escrow funding.
  • Escrow is a regulated, multi-currency money-movement service and is delivered through a specialist payment and trust-account partner holding the appropriate licences.

5.9 Patient data handling guidelines

Operational guidance for everyone who touches patient data:

  • Minimise. Request only the records a specific step needs. The visa and consultation workflows ask for specific documents, not a blanket dump.
  • Encrypt. Data is encrypted in transit and at rest. Identity and medical documents live in encrypted object storage (Planned) with access logged.
  • Restrict. Access is case-scoped and role-scoped. A coordinator sees only assigned cases; support access requires patient consent and is audited.
  • Never paste sensitive data into unmanaged tools. Records, identity documents and financial details stay inside the platform's managed surfaces.
  • Log every access. Reads and writes of sensitive records are recorded with actor and timestamp.
  • Honour withdrawal and deletion. When consent is withdrawn or a deletion right is exercised, follow the DSAR workflow and the retention rules; apply legal holds where they override deletion.
  • Report incidents immediately. Any suspected exposure follows the breach workflow (Planned) and the regulatory notification timelines in 5.6.

For the technical controls that enforce these guidelines, see Developer Security Documentation and PII handling.