Last updated: [DATE]

Privacy Policy

⚠️ Draft for legal review. This template aligns with India's Digital Personal Data Protection Act, 2023 (DPDP Act). It is not a substitute for advice from a qualified Indian lawyer. Have it reviewed before publishing, and replace every [BRACKETED] placeholder.

This Privacy Policy explains how [LEGAL ENTITY NAME] ("Nirog", "we", "us") collects, uses, discloses, and protects your information when you use our website and home blood-sample collection services in Mumbai, India.

1. Data we collect

Identity & contact: name, mobile number, email, collection address, pincode.
Health data: the tests you book and the resulting reports. Health data is treated as sensitive and handled with heightened care.
Payment data: processed by our payment partner (Razorpay). We do not store your card or UPI credentials on our servers.
Technical data: IP address, device/browser type, and security logs.

2. How we use your data

To schedule and fulfil home sample collection and deliver your reports.
To verify your identity via OTP and secure your account.
To process payments and issue invoices.
To comply with legal, accreditation (NABL), and medical record-keeping obligations.

3. Consent & your rights (DPDP Act)

We process your personal data based on the consent you provide at the time of booking. Under the DPDP Act you have the right to access, correct, update, and erase your personal data, to withdraw consent, and to grievance redressal. To exercise these rights, contact our Data Protection / Grievance Officer below.

4. Data sharing

We share data only with: (a) NABL-accredited partner laboratories that process your samples; (b) our payment processor; (c) SMS/WhatsApp providers to send confirmations; and (d) authorities where required by law. We never sell your data.

5. Security

We protect your data with encryption in transit (HTTPS), hashed one-time passwords, access controls, rate limiting, and security logging. No method of transmission is perfectly secure, but we apply reasonable safeguards as required by law.

6. Data retention

We retain medical records for the period required by applicable Indian medical record-keeping rules, and other personal data only as long as necessary for the purposes above.

7. Grievance Officer

As required by the DPDP Act and IT Rules:
Name: [GRIEVANCE OFFICER NAME]
Email: grievance@nirog.health
Address: [REGISTERED ADDRESS]

8. Changes

We may update this policy. Material changes will be posted here with a revised "Last updated" date.