Privacy Policy

Last updated: July 2025

CareDirect is committed to protecting your privacy in compliance with applicable data protection laws, including India's Digital Personal Data Protection Act (DPDPA), 2023.

1. Data We Collect

We collect data necessary to provide our healthcare services:

• Account and identity information (name, email, phone number, Aadhaar for verification)
• Health information shared during appointments (medical history, allergies, medications, conditions)
• Location data for home visits (address, PIN code, GPS coordinates during appointment completion)
• Payment and transaction records (processed via Razorpay)
• Communications between patients and providers
• Device information (device type, OS version, push notification tokens)

2. How We Use Your Data

We use your data to:

• Facilitate appointment bookings between patients and healthcare providers
• Verify the identity and credentials of healthcare professionals
• Process payments securely
• Send appointment reminders, notifications, and OTPs
• Improve our platform and user experience
• Comply with legal obligations

3. Data Storage

Your data is stored and processed on servers located in India (Mumbai region, AWS ap-south-1), in compliance with applicable data protection regulations. Sensitive health and personal data is encrypted at rest using AES-256-GCM encryption.

4. Data Security

We implement appropriate security measures to protect your data, including:

• AES-256-GCM encryption for sensitive data at rest (health records, bank details, personal identifiers)
• TLS encryption for all data in transit
• Hashed session tokens and passwords (bcrypt)
• Rate limiting and CSRF protection on all endpoints
• Malware scanning for uploaded files
• Regular security audits and monitoring

5. Data Retention

We retain your data only as long as necessary for the purposes it was collected, or as required by law. When you delete your account, your personal data is permanently removed from our systems.

6. Your Rights

Under the DPDPA 2023, you have the following rights regarding your personal data:

• Access and download a copy of your data
• Correct or update your personal information
• Delete your account and all associated data
• Export your data in a portable format
• Withdraw consent for optional data processing at any time
• Contact us for any privacy-related concerns

7. Data Sharing

We do not sell your personal data. We share data only:

• With your assigned healthcare provider to facilitate care
• With our payment processor (Razorpay) for transaction processing
• With SMS/email service providers for delivering OTPs and notifications
• When required by law or to comply with legal processes
• With your explicit consent for any other purpose

8. Third-Party Services

We use the following third-party services to operate the platform:

• Razorpay — Payment processing (regulated by RBI)
• MSG91 — SMS and email OTP delivery
• AWS (Amazon Web Services) — Cloud infrastructure and file storage
• SurePass — Doctor credential verification and Aadhaar DigiLocker verification
• Sentry — Error monitoring (no personal health data is shared)
• Expo / Firebase Cloud Messaging — Push notifications

Each third-party service processes data in accordance with their own privacy policies and applicable regulations.

9. Children's Data Protection

Users must be 18 years or older to create an account. Patient profiles for minors can only be created and managed by a parent or legal guardian, who provides verifiable parental consent as required under the DPDPA 2023.

10. Consent Withdrawal

You can withdraw consent for optional data processing at any time through your account settings. Withdrawing consent does not affect processing carried out before the withdrawal. Some services may become unavailable if consent for necessary data processing is withdrawn.

11. Data Breach Notification

In the event of a personal data breach that is likely to cause harm to you, we will:

• Notify the Data Protection Board of India as required under Section 8(6) of the DPDP Act 2023
• Inform affected users without unreasonable delay via email, in-app notification, or SMS
• Provide details of the nature of the breach, the data involved, and steps taken to mitigate harm
• Recommend protective actions you can take to safeguard your information

12. Grievance / Data Protection Officer

For privacy and data protection concerns, contact our designated Data Protection Officer:

Data Protection Officer, CareDirect
Email: [email protected]

Complaints will be acknowledged within 48 hours and resolved within 30 days.

13. Right to Complain

If you are not satisfied with our response to your grievance, you have the right to file a complaint with the Data Protection Board of India, as established under the Digital Personal Data Protection Act, 2023. Visit the official website of the Data Protection Board of India for details on how to file a complaint.

14. Changes to This Policy

CareDirect may update this Privacy Policy from time to time. Continued use of the platform after changes are posted constitutes acceptance of the revised policy. We will notify you of material changes via the app or email.

15. Contact Us

For general inquiries about this Privacy Policy, please contact us at [email protected].