Overview
mfine (operated by LifeCell International) is a major player in India’s digital health space. They handle your most private information: medical history, blood group, mental health conditions, and even genetic data.
When a company knows your heart rate and your prescriptions, the stakes are sky-high. Under the DPDP Act, mfine is a Data Fiduciary (the entity that decides why and how your data is processed). You are the Data Principal (the person the data belongs to).
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice 🔴
mfine uses what we call “bundled consent.” They basically say that if you use the app, you have already agreed to everything.
What the policy says: “By accessing the Website or Application… You unconditionally signify Your (i) assent to the Privacy Policy, and (ii) consent to the Utilisation of your Personal Information.”
What the law requires: Consent must be specific and informed. You should be able to say “Yes” to a doctor’s consultation but “No” to your data being used for marketing.
The problem: You can’t pick and choose. It’s a “take it or leave it” deal, which the DPDP Act specifically tries to stop. If consent isn’t freely given, it might not be legally valid.
Section 7 — Certain Legitimate Uses ⚠️
The policy mentions using data for research and “business intelligence.”
What the policy says: “…to sell or otherwise transfer such research, statistical or intelligence data in an aggregated and/or non-personally identifiable form to third parties.”
What the law requires: Section 7 allows data use without explicit consent for “legitimate uses” like medical emergencies or employment.
The problem: mfine is using your data for commercial research. While they say it’s “aggregated” (meaning your name isn’t on it), the DPDP Act has strict rules about using data for purposes other than what you originally signed up for.
Section 8 — Obligations of Data Fiduciary ✅
This is where mfine does better. They acknowledge they are responsible for keeping your health records safe.
What the policy says: “We have adopted reasonable security practices… including role-based access, secure communication, password protection, [and] encryption.”
What the law requires: A Data Fiduciary must implement reasonable security safeguards to prevent data breaches.
The strength: Since they handle medical records, their mention of role-based access (meaning only the right people see your files) is a strong point for DPDP compliance.
Section 9 — Data Retention 🔴
This is a major red flag for any business owner looking at this policy as a template.
What the policy says: “LIFECELL shall store Your Personal Information at least for a period of three years from the last date of use.”
What the law requires: Once the purpose is served (e.g., your consultation is over and the records are shared), the data should be deleted unless a law says otherwise.
The problem: Saying they will keep it for “at least” three years is the opposite of what the DPDP Act wants. The law asks: “Why are you keeping it at all?” Holding onto health data longer than necessary is a high-risk move.
Section 11 — Rights of Data Principal ⚠️
The DPDP Act gives you the “Right to Erasure” and the “Right to Nominate.”
What the policy says: You can email them to “update or correct” your info or “request that We no longer use” it.
The problem:
- It’s too manual. You have to email and wait for “reasonable efforts.”
- There is no mention of a Nominee. Under Section 14 of the DPDP Act, you have the right to name someone to manage your health data if you are unable to. mfine’s policy is silent on this.
Section 12 — Right of Grievance Redressal ⚠️
What the policy says: They provide an email (contactus@lifecell.in) for a grievance officer.
What the law requires: You must have a clear way to complain, and if the company doesn’t fix it, you must be told you can go to the Data Protection Board of India.
The problem: mfine doesn’t mention the Data Protection Board. If you aren’t happy with their internal fix, the policy doesn’t tell you where to go next.
Section 16 — Cross-Border Data Transfer ⚠️
What the policy says: Data may be provided to “third party contractors” who might be outside the scope of the agreement.
The problem: The DPDP Act says the government will list “restricted countries” where data cannot go. mfine’s policy is too vague: it doesn’t specify which countries the data goes to or how it’s protected once it leaves India.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Medical Data Privacy | Critical | Health data leaks carry the highest penalties (up to ₹250 Cr). |
| Consent Validity | High | Bundled consent makes their entire database legally shaky. |
| Data Retention | High | Keeping data for 3 years by default invites regulatory scrutiny. |
| User Rights | Medium | Lack of a “Nomination” feature for health records is a gap. |
Recommendations
- Unbundle your Consent: If you run a platform, give users a checkbox for “Service” and a separate one for “Marketing/Research.”
- Fix Retention Language: Don’t say “we keep it for X years.” Say “we delete your data within 30 days of you closing your account,” unless a specific medical law requires longer.
- Add the Nominee Clause: Especially in healthcare, let users name a person to handle their data in an emergency.
- Update the Grievance Path: Explicitly state that users can escalate issues to the Data Protection Board of India.