Privacy Policy

Your privacy and data security are fundamental to everything we do

Last Updated: January 02, 2026

Our Commitment

At Dirghayu, we are committed to protecting your privacy and ensuring the security of your personal health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. We comply with applicable data protection laws including GDPR (European Union), CCPA (California), and DISHA (India).

1. Information We Collect

1.1 Personal Information

We collect information that you provide directly to us, including:

  • Account Information: Name, email address, phone number, date of birth, and password
  • Health Information: Medical records, health metrics, symptoms, medications, allergies, and family medical history
  • Profile Information: Profile photo, sex (medical), address, emergency contact information
  • Company Information: (For healthcare providers) Company name, branch details, registration numbers, and professional credentials

1.2 Automatically Collected Information

When you use our platform, we automatically collect:

  • Usage Data: Pages visited, features used, time spent on platform, and interaction patterns
  • Device Information: IP address, browser type, operating system, device identifiers, and mobile network information
  • Location Data: General location information (city/state level) when you use location-based features
  • Cookies and Tracking: We use cookies and similar technologies to enhance your experience (see our Cookie Policy)

1.3 Information from Third Parties

We may receive information from:

  • Healthcare providers who share your medical records with your consent
  • Diagnostic centers and laboratories when you authorize test result sharing
  • Pharmacy partners when you use prescription services
  • Family members or authorized representatives who manage accounts on your behalf

2. How We Use Your Information

We use your information solely for the following purposes:

  • Service Delivery: To provide, maintain, and improve our healthcare platform and services
  • Health Management: To help you track health metrics, manage medical records, and coordinate care
  • Communication: To send you important updates, appointment reminders, and health alerts (with your consent)
  • Provider Coordination: To facilitate communication and data sharing between you and your healthcare providers
  • AI-Powered Insights: To generate personalized health recommendations and early warning alerts based on your data
  • Account Management: To authenticate your identity, manage your account, and provide customer support
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes
  • Security: To detect, prevent, and address security issues and fraudulent activity

Important: We do NOT use your information for advertising, marketing to third parties, or selling your data. We are not an ad-driven platform.

3. Data Sharing and Disclosure

We are committed to protecting your privacy. We do NOT sell your personal information. We only share your information in the following limited circumstances:

3.1 With Your Explicit Consent

  • Sharing medical records with healthcare providers you authorize
  • Sharing information with family members or caregivers you designate
  • Participating in health research studies (only with your explicit opt-in consent)

3.2 Service Providers

We may share information with trusted service providers who assist us in operating our platform, subject to strict confidentiality agreements:

  • Cloud hosting providers (data stored in secure, encrypted servers)
  • Email service providers (for sending notifications and alerts)
  • Payment processors (for subscription services, if applicable)
  • Analytics providers (aggregated, anonymized data only)

3.3 Legal Requirements

We may disclose information when required by law, including:

  • In response to valid court orders, subpoenas, or legal processes
  • To comply with healthcare regulations and reporting requirements
  • To protect the rights, property, or safety of Dirghayu, our users, or others
  • In connection with a merger, acquisition, or sale of assets (with advance notice to users)

3.4 Medical Research and Trend Analysis

To advance medical research and improve healthcare outcomes, we may share aggregated, anonymized, and de-identified health data for research purposes. This data sharing is conducted under strict privacy safeguards:

  • No Personally Identifiable Information: All shared data is completely anonymized and de-identified. No names, email addresses, phone numbers, or any other personally identifiable information is included.
  • Aggregated Data Only: Only aggregated statistical data and trends are shared, never individual records.
  • Research Purposes: Data is used solely for medical research, public health studies, and healthcare trend analysis.
  • Medical Professional Consultation: Qualified medical professionals may be engaged in a consulting capacity to analyze trends, identify patterns, and derive insights from the aggregated data. These professionals operate under strict confidentiality agreements and are bound by medical ethics and privacy regulations.
  • Ethical Standards: All research activities comply with applicable medical research ethics guidelines and privacy regulations (DISHA, GDPR, CCPA).
  • No Commercial Use: Research data is not used for commercial purposes, advertising, or marketing.

Your Privacy is Protected

The data shared for research purposes is completely anonymized and cannot be traced back to you. Your individual identity, contact information, and personal details are never included in research datasets.

We Never:

  • Sell your personal information to advertisers, data brokers, or third parties
  • Use your health data for advertising or marketing purposes
  • Share your information without your explicit consent (except as required by law)

4. Limitations of Liability for Shared Data

When you authorize Dirghayu to share your health information with other users (such as healthcare providers, family members, caregivers, or other authorized individuals), you acknowledge and agree to the following:

Important Disclaimer

Dirghayu is not responsible or liable for how other users handle, use, disclose, or protect your health information once it has been shared with them through our platform.

4.1 Your Responsibility

You are solely responsible for:

  • Authorizing Access: Carefully selecting and authorizing which users have access to your health information
  • Reviewing Permissions: Regularly reviewing and managing access permissions for your data
  • Revoking Access: Promptly revoking access if you no longer wish to share information with a particular user
  • Verifying Recipients: Verifying the identity and credentials of healthcare providers before sharing sensitive information

4.2 Third-Party User Actions

Once you authorize another user to access your health information through Dirghayu, that user becomes responsible for how they handle your data. Dirghayu is not liable for:

  • Unauthorized disclosure of your information by the authorized user
  • Misuse, mishandling, or improper storage of your data by the authorized user
  • Breaches of confidentiality by healthcare providers or other authorized users
  • Data breaches or security incidents occurring on systems controlled by authorized users
  • Non-compliance with privacy laws or regulations by authorized users
  • Any damages, losses, or consequences resulting from the authorized user's actions or omissions

4.3 Our Role

Dirghayu facilitates the secure sharing of information based on your explicit authorization. We provide:

  • Secure transmission of data through our platform
  • Access controls and permission management tools
  • Audit logs of data access and sharing activities
  • Ability to revoke access at any time

However, we cannot control or monitor how authorized users handle your data once they receive it, and we are not responsible for their actions or compliance with applicable laws.

4.4 Healthcare Provider Responsibility

Healthcare providers who access patient data through Dirghayu are independently responsible for:

  • Complying with applicable healthcare privacy laws (HIPAA, DISHA, GDPR, etc.)
  • Maintaining appropriate security measures for data in their possession
  • Obtaining necessary consents for any further use or disclosure of patient information
  • Protecting patient confidentiality and privacy
  • Reporting any breaches or security incidents as required by law

4.5 Limitation of Liability

To the maximum extent permitted by applicable law, Dirghayu, its affiliates, officers, directors, employees, and agents shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly, or any loss of data, use, goodwill, or other intangible losses, resulting from:

  • The actions or omissions of users who have been authorized by you to access your data
  • Unauthorized access, use, or disclosure of your data by authorized users
  • Data breaches or security incidents on systems controlled by authorized users
  • Non-compliance with privacy laws by authorized users

Recommendation

We strongly recommend that you only authorize access to trusted, verified healthcare providers and individuals. Regularly review your access permissions and revoke access for any users you no longer trust or need to share information with.

5. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: All data is encrypted in transit (TLS/SSL) and at rest (AES-256)
  • Access Controls: Strict access controls and authentication mechanisms
  • Regular Audits: Security audits and vulnerability assessments
  • Employee Training: All employees undergo privacy and security training
  • Compliance: We comply with DISHA (India), GDPR (EU), and CCPA (California) security requirements
  • Incident Response: We have procedures in place to respond to security incidents

While we implement robust security measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your information to the best of our ability.

6. Your Rights

You have the following rights regarding your personal information:

  • Access: Request a copy of your personal information
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your account and associated data (subject to legal retention requirements)
  • Portability: Request your data in a machine-readable format
  • Withdrawal of Consent: Withdraw consent for data processing (where applicable)
  • Objection: Object to certain types of data processing

To exercise these rights, please contact us at privacy@dirghayu.ai or use the privacy controls in your account settings.

7. GDPR Rights (European Union)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

7.1 Legal Basis for Processing

We process your personal data based on:

  • Consent: When you provide explicit consent for specific processing activities
  • Contract Performance: To fulfill our contractual obligations to provide healthcare services
  • Legal Obligation: To comply with healthcare regulations and legal requirements
  • Vital Interests: To protect your health and safety or that of others
  • Legitimate Interests: For platform security, fraud prevention, and service improvement (balanced with your rights)

7.2 Your GDPR Rights

  • Right of Access (Article 15): Obtain confirmation of whether we process your data and access to that data
  • Right to Rectification (Article 16): Correct inaccurate or incomplete personal data
  • Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
  • Right to Restriction (Article 18): Request limitation of processing in certain circumstances
  • Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format
  • Right to Object (Article 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time (does not affect processing before withdrawal)
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

7.3 Data Transfers

If we transfer your data outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions by the European Commission.

7.4 Data Protection Officer

For GDPR-related inquiries, you can contact our Data Protection Officer at dpo@dirghayu.ai.

8. CCPA Rights (California)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

8.1 Right to Know

You have the right to know:

  • What categories of personal information we collect
  • What categories of sources we collect information from
  • Our business or commercial purpose for collecting information
  • What categories of third parties we share information with
  • The specific pieces of personal information we have about you

8.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing transactions, security).

8.3 Right to Opt-Out

You have the right to opt out of the sale of your personal information. We do not sell personal information. If this changes in the future, we will provide a clear "Do Not Sell My Personal Information" link and honor your opt-out requests.

8.4 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights. We will not deny services, charge different prices, or provide different quality of service based on your privacy choices.

8.5 Authorized Agents

You may designate an authorized agent to make requests on your behalf. We will require verification of your identity and the agent's authorization.

8.6 How to Exercise CCPA Rights

California residents can exercise their rights by:

  • Emailing us at privacy@dirghayu.ai
  • Using the privacy controls in your account settings
  • Calling our toll-free number: (if applicable)

We will respond to verified requests within 45 days (or 90 days if extended).

9. DISHA Compliance (India)

As a healthcare platform operating in India, we comply with the Digital Information Security in Healthcare Act (DISHA) and related regulations:

9.1 Health Data Protection

  • Consent-Based Processing: We process health data only with your explicit, informed consent
  • Purpose Limitation: Health data is used only for the purposes for which consent was given
  • Data Minimization: We collect only the health data necessary for providing services
  • Storage Limitation: Health data is retained only as long as necessary or required by law

9.2 Security Measures

We implement DISHA-mandated security measures:

  • Encryption of health data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security audits and assessments
  • Incident response and breach notification procedures
  • Employee training on data protection

9.3 Data Localization

In compliance with DISHA and related regulations, we store health data on servers located in India. Any cross-border transfers are done only with appropriate safeguards and your explicit consent.

9.4 Breach Notification

In the event of a data breach affecting your health information, we will:

  • Notify you within 72 hours of becoming aware of the breach
  • Report to relevant regulatory authorities as required by DISHA
  • Provide details about the nature of the breach and steps taken to address it
  • Offer guidance on steps you can take to protect yourself

9.5 Your DISHA Rights

  • Right to Access: Access your health data and receive copies
  • Right to Correction: Request correction of inaccurate health data
  • Right to Erasure: Request deletion of health data (subject to legal retention requirements)
  • Right to Data Portability: Receive your health data in a structured format
  • Right to Withdraw Consent: Withdraw consent for processing health data
  • Right to Grievance Redressal: File complaints with the relevant regulatory authority

10. Data Retention

We retain your personal information only for as long as necessary to:

  • Provide our services to you
  • Comply with legal obligations (e.g., healthcare record retention requirements)
  • Resolve disputes and enforce agreements
  • Maintain security and prevent fraud

Health Records: In compliance with healthcare regulations, we may retain health records for extended periods as required by law (typically 5-10 years, depending on jurisdiction).

Account Deletion: When you request account deletion, we will delete or anonymize your data within 30 days, except where retention is required by law.

11. Children's Privacy

Our platform is not intended for children under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children without parental consent.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. We will delete such information upon verification.

For children's accounts managed by parents or guardians, we process data based on parental consent and in accordance with applicable laws.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated policy on our website with a new "Last Updated" date
  • Sending an email notification to your registered email address
  • Displaying a prominent notice on our platform

Your continued use of our platform after changes become effective constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:

Privacy Contact Information

  • Email: privacy@dirghayu.ai
  • Data Protection Officer (GDPR): dpo@dirghayu.ai
  • Address: (To be updated with actual business address)
  • Phone: (To be updated with contact number)

Response Times

We aim to respond to privacy inquiries within 30 days. For urgent matters or data breach notifications, we will respond as quickly as possible, typically within 72 hours.

Your privacy is our priority. We are committed to protecting your personal information and being transparent about how we use it.