20+ trackers on a health website. Most not in the policy. Visit recording active on medical pages.

Executive summary

We visited a healthcare platform where people book doctor appointments and look up medical information. Over 20 trackers loaded — including visit recording, identity matching, and more than a dozen advertising networks. Most were not mentioned in the privacy policy. Visit recording was active on pages where people look up health information.

Evidence snapshot

What trackers we found

Microsoft Clarity recorded screen behavior on medical pages. LiveRamp — a tool that figures out who you are — can connect your browsing to your real name and email. Criteo, Meta Pixel, Google Ads, Taboola, Outbrain, and more than a dozen other advertising trackers loaded during the session. Most were not named anywhere in the privacy policy.

What the privacy policy says

The policy says using the app means you "agree to provide medical and financial data, and consent to its collection and sharing." It allows sharing with group companies worldwide, including foreign entities. It says data helps "develop machine learning algorithms and target you with ads." It also says the company is "not liable for data loss unless it is a direct consequence of their negligence."

What the product flow showed

On pages where users look up symptoms, browse doctors, or book appointments, visit recording and identity matching trackers were active. What doctor you are looking at, what condition you are researching — all of this was visible to advertising trackers the policy does not name.

Why this matters

Health data is among the most personal. When a healthcare website records your screen and figures out who you are while running ad trackers it never told you about — on pages where you look up medical conditions — that is a serious problem. The policy says consent is implied by using the app. Under DPDP, health data requires much more than that. Evidence exists. Company name withheld.