Privacy Policy
Effective date: 1 April 2025 · Last updated: 1 April 2025
1. Who We Are
Arogya Prana ("we", "us", "our") operates the Arogya Prana platform accessible at arogyaprana.com (the "Platform"). We connect verified healthcare professionals — doctors and hospitals — with patients and the general public in India.
For the purposes of the DPDP Act, 2023, we act as the Data Fiduciary for personal data processed through the Platform.
2. Information We Collect
2.1 Information you provide directly
- Identity information: full name, date of birth, gender
- Contact information: email address, phone number, postal address
- Professional credentials: medical registration number, medical council name, specialty, degrees and qualifications
- Profile information: biography, consultation fees, clinic/hospital details, profile photograph
- Payment information: billing name, billing address (payment card details are handled exclusively by our payment processor and never stored by us)
- Communications: messages you send us via contact forms, email, or support channels
- User-generated content: health articles, reviews, and comments submitted through the Platform
2.2 Information collected automatically
- Log data: IP address, browser type and version, pages visited, time and date of visits, referring URL
- Device information: device type, operating system, unique device identifiers
- Usage data: features used, search queries, interaction patterns on the Platform
- Cookies and similar tracking technologies (see Section 8)
2.3 Sensitive Personal Data or Information (SPDI)
Healthcare professionals may voluntarily share information that qualifies as SPDI under the IT Rules, 2011, including medical registration details and health-related information. Such data is collected only to the extent necessary for verifying credentials and displaying your professional profile. We collect this data with your explicit consent.
3. How We Use Your Information
- Creating and managing your account and professional profile on the Platform
- Verifying healthcare professional credentials before granting public visibility
- Displaying your public profile, articles, and affiliated entities to visitors
- Processing subscription plan payments and issuing invoices with applicable GST
- Sending transactional communications: account confirmations, billing receipts, security alerts
- Sending service notifications and platform updates (you may opt out of non-essential communications)
- Moderating content submitted to the Platform (health articles, patient reviews)
- Preventing fraud, spam, and abuse, and enforcing our Terms & Conditions
- Complying with legal obligations under Indian law
- Analytics to improve the Platform (in aggregated and anonymised form where possible)
4. Legal Basis for Processing (DPDP Act, 2023)
Under the Digital Personal Data Protection Act, 2023, we process your personal data on the following lawful bases:
- Consent: where you have given us explicit, informed, and free consent (e.g., for displaying SPDI on your public profile, for marketing communications)
- Contractual necessity: to fulfil our obligations to you under our Terms & Conditions (e.g., creating your account, processing your subscription)
- Legitimate interests: for fraud prevention, platform security, and aggregate analytics, provided these interests are not overridden by your rights
- Legal obligation: where processing is required to comply with Indian law or orders from competent authorities
Where we rely on your consent, you may withdraw it at any time. Withdrawal will not affect the lawfulness of processing carried out before withdrawal.
5. Data Sharing and Third Parties
We do not sell your personal data. We share it only as described below:
5.1 Service providers
- Clerk (authentication and user identity management) — your sign-in credentials, session tokens
- Cloudflare R2 (media storage) — profile photographs and gallery images
- Payment processor (billing and subscriptions) — billing name, billing address; card data is not shared with us
- Infrastructure providers (hosting and database) — encrypted data at rest
All service providers are contractually bound to process your data only for the purposes specified and to maintain appropriate security standards.
5.2 Legal disclosures
We may disclose your personal data to government authorities, courts, or law enforcement agencies when required by Indian law, a court order, or a lawful request from a competent authority.
5.3 Business transfers
If we undergo a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. You will be notified by email and/or a prominent notice on the Platform before your data is transferred and becomes subject to a different privacy policy.
6. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law.
- Active account data: retained for the duration of your account and for 3 years after account closure, for legal and audit purposes
- Payment and billing records: retained for 8 years as required under Indian tax law (GST compliance)
- Content you have published (articles, reviews): may be retained in archival form after account closure if legally required or if removal would harm other users' rights
- Audit logs: retained for 3 years
You may request deletion of your account and personal data at any time (see Section 7). Certain data may be retained after deletion where required by law.
7. Your Rights Under the DPDP Act, 2023
As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:
- Right to access: obtain confirmation of whether we process your personal data and access a summary of that data
- Right to correction and erasure: correct inaccurate or incomplete data and request erasure of data that is no longer necessary or where consent has been withdrawn
- Right to grievance redressal: raise a complaint with our Grievance Officer (see Section 12)
- Right to nominate: nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity
To exercise these rights, contact us at support@arogyaprana.com or reach our Grievance Officer (Section 12). We will respond within 30 days of receiving your request.
8. Cookies and Tracking
We use cookies and similar technologies to operate and improve the Platform. Specifically:
- Essential cookies: required for authentication, session management, and security — these cannot be disabled
- Functional cookies: remember your preferences and settings
- Analytics cookies: help us understand how visitors use the Platform in aggregate; where possible, data is anonymised
You can control non-essential cookies through your browser settings. Disabling essential cookies will prevent you from using authenticated features of the Platform.
9. Security
We implement reasonable security practices and procedures as mandated by the IT (SPDI) Rules, 2011, including:
- Encryption of data in transit (TLS) and at rest
- Access controls limiting data access to authorised personnel only
- Regular security reviews and vulnerability assessments
- Audit logging of data access and modifications
No method of transmission over the internet is 100% secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at support@arogyaprana.com.
10. Children's Privacy
The Platform is intended for use by healthcare professionals (doctors and hospitals) and adults seeking healthcare information. We do not knowingly collect personal data from children below the age of 18 years. If you believe a minor has provided us with personal data, please contact our Grievance Officer and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by:
- Posting a notice on the Platform at least 15 days before the changes take effect
- Sending an email notification to your registered email address
Continued use of the Platform after the effective date of revised terms constitutes your acceptance of the updated Policy.
12. Grievance Officer
In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, the details of the Grievance Officer are provided below. If you have any grievances regarding the processing of your personal data or a breach of this Privacy Policy, you may contact:
Grievance Officer: Arogya Prana Privacy Team
Email: support@arogyaprana.com
We will acknowledge your grievance within 48 hours and resolve it within 30 days of receipt, as required by applicable law.
13. Contact Us
For general privacy questions, data access requests, or to withdraw consent, please contact: