Privacy Policy

Last Updated: [DATE_TO_UPDATE]

[YOUR_REGISTERED_COMPANY_NAME] ("HospiJunction," "we," "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what information we collect, why we collect it, how we use it, and your rights under India's Digital Personal Data Protection Act, 2023 (DPDP Act).

This policy applies to the HospiJunction mobile app and any related services.

1. Who We Are

We are the Data Fiduciary for the personal data you provide to the Service. We can be reached at:

• Email: [privacy@yourdomain.com]
• Address: [Your registered business address]

2. What Data We Collect

2.1 Information You Provide Directly

When you sign up and use the Service, we collect:

• Identity data: Full name, date of birth, gender
• Contact data: Email address, mobile phone number
• Address data: City (for matching to nearby hospitals)
• Family member data: If you book on behalf of a family member, we store their name, age, gender, and relationship to you
• Health-related data: Symptoms or notes you optionally provide when booking
• Account credentials: Encrypted password (we never see your plain-text password)

2.2 Information Generated Through Use

• Booking history: Hospitals, doctors, dates, times, and status of appointments
• Queue activity: Token numbers, check-in times
• Reviews and ratings you submit
• Device data: Device type, OS version, app version, push notification token
• Usage data: Screens visited, features used (used in aggregate for improving the Service)

2.3 Payment Information

Payments are processed through Razorpay. We do NOT see, store, or have access to your card numbers, UPI IDs, or bank details. Razorpay handles all payment data under their PCI-DSS-compliant infrastructure. We only receive a transaction ID and status (success/failure).

2.4 What We Do NOT Collect

• We do NOT collect medical records, prescriptions, or treatment details
• We do NOT track your location in the background
• We do NOT access your contacts, camera, or photos without your explicit action

3. How We Use Your Data

We use your data only for legitimate purposes, including:

We do NOT sell your data to third parties. We do NOT use your data for unrelated advertising.

4. How We Share Your Data

We share your data only when necessary:

4.1 With Hospitals You Book

When you book an appointment, the hospital receives:

• Your name (or your family member's name)
• Phone number
• Age and gender
• Selected appointment date and time
• Symptoms or notes you provided (if any)

This is necessary for the hospital to provide the service. Hospitals are contractually bound to treat your data confidentially.

4.2 With Service Providers (Processors)

We work with trusted vendors who help us operate the Service:

• Supabase (database and authentication) — based in the US, GDPR-compliant
• Razorpay (payment processing) — based in India, PCI-DSS-compliant
• Expo / Google Firebase (push notifications) — for sending notifications to your device
• Vercel / cloud hosting (website) — for our public website

These vendors process your data on our behalf under strict confidentiality agreements.

4.3 With Authorities

We may disclose data if required by law, court order, or to prevent harm — but only the minimum necessary.

4.4 In Business Transfers

If HospiJunction is acquired or merged, your data may transfer to the new entity, who must honor this Privacy Policy.

5. How Long We Keep Your Data

• Account data: Retained while your account is active. Deleted within 90 days of account deletion request.
• Booking history: Retained for up to 7 years to comply with Indian tax and accounting laws.
• Payment transaction records: 7 years (as required by RBI guidelines and tax laws).
• Customer support communications: 3 years.

6. How We Protect Your Data

We implement industry-standard security measures:

• Encryption in transit: TLS 1.2+ for all data sent between your device and our servers
• Encryption at rest: Database-level encryption via Supabase
• Access control: Only authorized personnel can access user data
• Row-Level Security (RLS) policies prevent users from seeing each other's data
• No plaintext passwords: All passwords are hashed using industry-standard algorithms

Despite these measures, no system is 100% secure. We will notify you of any breach affecting your data as required by the DPDP Act.

7. Your Rights Under the DPDP Act

As a Data Principal, you have the following rights:

1. Right to access — Request a copy of personal data we hold about you
2. Right to correction — Update or correct inaccurate information (also doable in-app via Profile)
3. Right to erasure — Request deletion of your account and associated data
4. Right to withdraw consent — For any processing based on consent
5. Right to grievance redressal — File a complaint with our Grievance Officer (see Section 11)
6. Right to nominate — Nominate someone to exercise your rights in case of your death or incapacity

To exercise any of these rights, email us at [privacy@yourdomain.com]. We will respond within 30 days.

8. Children's Privacy

The Service is not designed for users under 18. Parents and guardians may book appointments for their children using the "Family Member" feature. If we learn that a user under 18 has created their own account, we will delete it.

9. Cookies and Tracking

The mobile app does not use cookies. Our website (if applicable) may use essential cookies for functionality. We do not use advertising or tracking cookies.

10. International Data Transfers

Some of our service providers (such as Supabase) are based outside India. When data is transferred internationally, it is done so under appropriate safeguards as required by the DPDP Act.

11. Grievance Officer

In accordance with the DPDP Act and IT Rules:

Grievance Officer: [TO_BE_APPOINTED_NAME] Email: [grievance@yourdomain.com] Address: [Your registered business address] Response time: We will acknowledge complaints within 24 hours and resolve them within 30 days.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via the app or email. The "Last Updated" date at the top reflects the latest version.

13. Contact Us

For privacy questions:

• Email: [privacy@yourdomain.com]
• Address: [Your registered business address]

By using HospiJunction, you acknowledge that you have read and understood this Privacy Policy.