Legal
Privacy Policy
Last updated: pending public launch · Draft scaffold for DPDP Act compliance review
1. Overview
This Privacy Policy describes how Allymed Yoursdoctorly LLP ("PREVOLY", "we", "us") collects, processes, stores, and discloses personal data in connection with the PREVOLY platform. Drafted to align with the Digital Personal Data Protection Act, 2023 (DPDP Act).
2. Data Fiduciary and Grievance Officer
Allymed Yoursdoctorly LLP acts as the Data Fiduciary. A designated Grievance Officer is responsible for receiving and resolving complaints under the DPDP Act. Contact details will be published prior to public launch.
3. Categories of personal data collected
Account identifiers, demographic details, contact details, MRSS assessment inputs, voluntarily submitted lab reports, clinical notes generated by your care team, payment metadata (handled by Razorpay), and technical / device metadata.
4. Purposes of processing
Delivery of clinical services, MRSS scoring, care team coordination, billing, security and fraud prevention, regulatory compliance, and product improvement on de-identified data.
5. Lawful basis and consent
Processing is grounded in your explicit consent, recorded per category (telemedicine, data collection, care team sharing, anonymised research, AI features, marketing). Consent can be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal.
6. Your rights as a Data Principal
You have the right to access, correction, erasure, grievance redressal, and nomination as defined under the DPDP Act. Requests are handled through the in-app data request flow or by writing to the Grievance Officer.
8. Cross-border transfers
Production data is hosted in Microsoft Azure Central India. Cross-border transfers, if any, follow DPDP Act notifications.
9. Data retention
Clinical records are retained for a minimum of the period mandated by Indian medical record-keeping rules. You may request deletion of non-mandatory data at any time.
10. Security safeguards
Encryption at rest in Azure (Central India), encryption in transit, role-based access control with audit logging, principle-of-least-privilege for clinical staff, regular access reviews, and incident response procedures.
11. Data breach notification
In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals as required under the DPDP Act and its rules.
12. Children's data
PREVOLY is intended for adults aged 18 and over. We do not knowingly collect personal data of children.
13. Changes to this policy
Material changes will be notified at least 30 days in advance via email and in-app banner.
14. Contact
Grievance Officer contact details and physical address will be listed here before public launch.