Privacy Policy

1. Who we are

This Privacy Policy explains how Sanocare Tech Innovations Private Limited ("Sanocare," "we," "us," or "our"), a company incorporated under the Companies Act 2013 and bearing CIN U86904DL2025PTC446725, with its registered office at 1666/B2, 3rd Floor, Gali 2, Govindpuri Extension, Kalkaji, New Delhi — 110019, collects, processes, stores, and protects personal data of users of the Sanocare website at sanocare.in, the Sanocare Pulse mobile application, and any related services we offer (collectively, the "Services").

Sanocare is the Data Fiduciary as defined under the Digital Personal Data Protection Act, 2023 ("DPDP Act 2023"). You, as the user of our Services, are the Data Principal.

2. What personal data we collect

We collect the minimum personal data necessary to provide our Services. The categories of data we collect are:

Identity and contact data

• Full name, date of birth, age, gender
• Mobile number and email address
• Photograph (where you upload one to a Pulse profile)
• Residential address, including geocoded GPS coordinates of the address where a visit is requested

Health data

• Chief complaint, symptoms, and case description you provide at booking
• Vitals captured by our medics during a visit (blood pressure, heart rate, oxygen saturation, temperature, blood glucose, weight)
• Diagnoses, prescriptions, and treatment notes issued by our doctors
• Risk classifications (Green / Yellow / Red) assigned to each consultation
• Medical history and conditions you share with us, including family medical history
• Reports of laboratory tests collected and processed through us

Family data

• Personal data of family members you add as profiles on Sanocare Pulse, provided you have the legal right to share that data on their behalf. For children below 18, the consent of a parent or lawful guardian is required, in line with Section 9 of the DPDP Act 2023.

Booking and transaction data

• Records of bookings, visits, consultations, prescriptions, payments, refunds, and cancellations
• Communication history with our care team
• Live case status data (medic dispatch, ETA, arrival timestamps)

Technical data

• Device type, operating system, browser, and IP address
• App version, crash reports, performance telemetry
• Cookies and similar technologies (see Section 9)

We do not collect: biometric data (other than what is voluntarily uploaded as a profile photo), Aadhaar numbers (unless required by law for a specific service), bank account numbers (these are handled by our payment gateway, not by us), or political opinions.

3. How we use your personal data

We process your personal data only for specific, lawful purposes:

1. Service delivery — to schedule, dispatch, deliver, and close your healthcare bookings.
2. Clinical decision-making — to give the attending doctor and medic the information they need to provide safe care.
3. Payments — to process payments and refunds via our payment gateway partner (Razorpay).
4. Communication — to send booking confirmations, dispatch updates, prescription notifications, payment receipts, and case summaries via SMS, email, push notification, or in-app messaging.
5. Record-keeping — to maintain your clinical and transactional record as required by applicable laws including the Telemedicine Practice Guidelines 2020 and Indian Medical Council regulations.
6. Service improvement — to monitor service quality, train our care team, and improve the safety and reliability of our Services. Where this involves any personal data, the data is anonymised before use.
7. Legal compliance — to comply with applicable laws, regulatory orders, court orders, or law-enforcement requests where legally obligated.

4. Lawful basis for processing

Under Section 4 of the DPDP Act 2023, we process your personal data on the following lawful bases:

• Your free, specific, informed, unconditional, and unambiguous consent, given at the point of registration, booking, or feature use, as the primary basis for processing.
• Performance of the contract between you and Sanocare, where processing is necessary to deliver a booked Service.
• Compliance with law, where processing is required to discharge our legal obligations under healthcare and corporate regulations.

You may withdraw your consent at any time by writing to our Grievance Officer (see Section 11). Withdrawal will not affect the lawfulness of processing carried out before withdrawal, and we will continue to retain records we are legally required to keep.

5. How long we retain your personal data

We retain personal data only for as long as necessary for the purposes for which it was collected.

| Data | Retention period | |---|---| | Identity and contact data | Duration of active account + 3 years | | Clinical records (visits, vitals, prescriptions, lab reports) | Minimum 7 years from date of last consultation | | Transactional data (payments, refunds, invoices) | 8 years, per Companies Act 2013 and Income Tax Act | | Communication logs | 12 months | | One-time passwords (OTPs) | Stored only as a salted hash, never in plaintext, and deleted within 24 hours of verification or expiry. We use OTPs delivered via WhatsApp or SMS to verify your phone number before you create a booking. | | Technical data (logs, IP addresses, crash reports) | 90 days |

Where you exercise your right to erasure (Section 6), we will delete data not required for legal retention. Clinical records may be irreversibly anonymised but not deleted, where deletion would breach our legal obligations.

6. Your rights as a Data Principal

You have the following rights under the DPDP Act 2023:

1. Right to access — request a copy of the personal data we hold about you.
2. Right to correction and erasure — ask us to correct inaccurate data, complete incomplete data, or erase data that is no longer required (subject to our legal retention obligations).
3. Right to grievance redressal — file a grievance with our Grievance Officer. We will respond within 30 days.
4. Right to nominate — nominate another individual to exercise your rights in the event of your death or incapacity.
5. Right to withdraw consent — withdraw any previously given consent at any time.

To exercise any of these rights, email our Grievance Officer at contact@sanocare.in with the subject line "DPDP — [Right Requested]".

7. Who we share your data with

We share your personal data with a limited set of third parties strictly necessary to deliver the Services. We do not sell your personal data. We do not share your personal data with advertisers or analytics platforms for behavioural advertising.

| Third party | Data shared | Purpose | |---|---|---| | Razorpay Software Private Limited | Payment instrument data, transaction amount, booking ID | Payment processing | | Agora.io / LiveKit | Audio/video call data during in-app consultations | Video consultation delivery | | Twilio Inc. / MSG91 | Mobile number, SMS content | Transactional SMS | | Google LLC (Firebase Cloud Messaging) | Device token | Push notifications | | Laboratory partners | Patient identifiers, test order | Lab processing of samples we collect | | Government authorities | As legally required | Compliance with court orders, law enforcement | | Our clinicians (doctors, medics) | The clinical data necessary to deliver your care | Care delivery |

All third-party processors are contractually bound to process your data only on our documented instructions.

8. Cross-border transfer

Some of our processors (Razorpay, Agora/LiveKit, Google FCM) may process data on servers located outside India. We rely on the safeguards under Section 16 of the DPDP Act 2023 and on contractual data-protection clauses with these processors.

9. Cookies and similar technologies

The Sanocare website uses a minimal set of cookies and similar technologies:

• Strictly necessary cookies — required for the site to function. These do not require consent.
• Functional cookies — remember your preferences. Set only with your consent.
• Analytics cookies — privacy-friendly analytics (Plausible or similar) that do not track individuals across sites. Set only with your consent.

We do not use advertising cookies, social-media tracking pixels, or fingerprinting.

10. Children's data

Sanocare's Services may be used by adults (18+) on their own behalf, or by parents/lawful guardians on behalf of minors. For users below 18, we process personal data only with the verifiable consent of a parent or lawful guardian, as required by Section 9 of the DPDP Act 2023. We do not undertake tracking or behavioural monitoring of minors, and we do not direct any advertising at minors.

11. Grievance Officer

If you have any questions, concerns, or grievances about how we handle your personal data, please contact:

Shashwat Arora, Grievance Officer Sanocare Tech Innovations Private Limited 1666/B2, 3rd Floor, Gali 2, Govindpuri Extension, Kalkaji, New Delhi — 110019 Email: contact@sanocare.in

We will respond to grievances within 30 days as required under the DPDP Act 2023.

12. Security

We protect your personal data with industry-standard measures including encryption in transit (TLS 1.2+), encryption at rest, role-based access control, audit logging of access to clinical records, and regular security reviews. In the unlikely event of a personal data breach, we will notify you and the Data Protection Board of India within the timelines mandated by law.

13. Changes to this Policy

We may update this Policy from time to time. We will notify you of material changes by email, SMS, or in-app notice at least 7 days before they take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.