Your Data, Your Rights
Under India's Digital Personal Data Protection (DPDP) Act, 2023, you have significant rights over your personal data. This page explains those rights and how to exercise them on the Zuro Healthcare platform.
Last updated: March 19, 2026
1. Overview
BartLabs Technologies Private Limited, operating as Zuro Healthcare ("Zuro"), acts as a Data Fiduciary under the Digital Personal Data Protection (DPDP) Act, 2023. We are committed to respecting your rights as a Data Principal and ensuring that your personal and health data is processed lawfully, fairly, and transparently. This page provides a plain-language guide to your data protection rights and how to exercise them.
2. Your Rights Under the DPDP Act, 2023
As a user of Zuro, you are a "Data Principal" under the DPDP Act and have the following rights:
2.1 Right to Information
You have the right to know what personal data we collect about you, why we collect it, and how it is used. This information is provided in our Privacy Policy. We provide clear, specific consent notices at each point of data collection.
2.2 Right to Access Your Data
You have the right to obtain a summary of your personal data and information about how it has been processed. On Zuro, you can:
- View all your health records, prescriptions, and medical documents from your patient dashboard at any time
- Download your health records in standard formats (PDF, images)
- View your profile information, appointment history, and medication records
- Request a formal data access report by emailing privacy@zuro.health
2.3 Right to Correction
You have the right to correct inaccurate or incomplete personal data. You can:
- Update your profile information (name, contact details, emergency contacts) directly from your account Settings
- Request corrections to health records by contacting the healthcare provider who created them or by emailing support@zurohealth.com
- Flag any data you believe is inaccurate through the in-app support system
2.4 Right to Erasure (Right to be Forgotten)
You have the right to request deletion of your personal data when it is no longer necessary for the purpose it was collected, or when you withdraw consent. To request erasure:
- Self-Service: Delete your account from Settings. This will initiate removal of your personal data within 30 days.
- Email Request: Send a deletion request to privacy@zuro.health with your registered email and account details
- Exceptions: Certain data may be retained where required by law, including medical records (minimum 3 years under Indian Medical Council regulations), financial records (8 years under tax laws), and audit logs (1 year for security compliance)
2.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. On Zuro:
- You can download your health records and documents directly from your dashboard
- For a comprehensive data export, contact privacy@zuro.health and we will provide your data within 30 days
2.6 Right to Withdraw Consent
You can withdraw your consent for data processing at any time. Please note:
- Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal
- Some features of the Service may become unavailable if consent is withdrawn (e.g., you cannot use prescription scanning without consenting to AI processing)
- You can manage consent for data sharing with specific healthcare providers through your dashboard
- For complete consent withdrawal, contact privacy@zuro.health
2.7 Right to Grievance Redressal
You have the right to raise concerns about how your data is being processed. See Section 6 below for how to file a complaint.
2.8 Right to Nominate
Under the DPDP Act, you may nominate another individual to exercise your data protection rights in the event of your death or incapacity. To register a nominee, contact privacy@zuro.health with the relevant details.
3. How We Protect Your Health Data
We employ multiple layers of security to protect your personal and health information. For complete technical details, visit our Health Data Protection Practices page. Key protections include:
- Encryption: AES-256-GCM encryption for data at rest; TLS 1.2+ for data in transit. Sensitive identifiers (e.g., Aadhaar) receive additional field-level encryption.
- Access Control: Strict role-based access control (RBAC) with 5 distinct roles (patient, doctor, hospital, pharmacist, admin), ensuring you control who sees your data.
- Consent Management: Health records are shared with healthcare providers only with your explicit, granular consent. You can revoke access at any time.
- Audit Trail: All access to your health information is logged. You can request a record of who accessed your data and when.
- Secure Infrastructure: Data stored on Google Cloud Platform (Firebase) with enterprise-grade security certifications (SOC 1/2/3, ISO 27001).
- Session Security: Automatic session timeouts based on your role, with re-authentication required for sensitive operations.
- No Data Selling: We never sell, rent, or trade your personal or health data to any third party.
4. Consent Management
Consent is at the heart of how Zuro processes your data. Here is how consent works on the Platform:
4.1 When We Ask for Consent
- At registration, for processing your personal data to provide the Service
- When you upload health records or prescriptions for storage and processing
- When you use AI-powered features (prescription OCR, Smart Rx) that involve processing your health data through Google Gemini AI
- When you choose to share health records with a healthcare provider or pharmacy
- For non-essential communications such as feature updates and newsletters
4.2 How to Manage Your Consent
- Provider Access: View and manage which healthcare providers have access to your records from your patient dashboard. Revoke access at any time.
- Communication Preferences: Manage email and notification preferences from your account Settings
- Data Processing: To withdraw consent for core data processing, contact privacy@zuro.health. Note that this may require account closure as the Service cannot function without processing certain data.
4.3 Consent Records
We maintain records of all consents given, including what was consented to, when consent was given, and any withdrawals. You may request a copy of your consent records by contacting privacy@zuro.health.
5. How to Request Data Access or Deletion
You can exercise your data protection rights through the following channels:
5.1 Self-Service (Recommended)
- View and Download Data: Access your health records, prescriptions, and documents directly from your patient dashboard
- Update Information: Edit your profile and personal details from account Settings
- Delete Account: Initiate account deletion from Settings, which will remove your personal data within 30 days
- Manage Sharing: View and revoke provider access from your dashboard
5.2 Email Request
For formal data access, correction, portability, or deletion requests, email privacy@zuro.health with:
- Your registered email address
- The specific right you wish to exercise
- Any relevant details to help us identify and process your request
We will verify your identity before processing the request and respond within 30 days.
5.3 In-App Support
You can also raise data protection requests through the Help and Support section within the Platform. Select the "Data Protection" category when creating a support ticket.
6. How to File a Complaint
If you believe your data protection rights have been violated, or if you are dissatisfied with how we handle your personal data, you may:
Step 1: Contact Our Grievance Officer
Grievance Officer
BartLabs Technologies Private Limited
Email: grievance@zurohealth.com
Address: Vadodara, Gujarat, India
We acknowledge all grievances within 24 hours and aim to resolve them within 30 days.
Step 2: Escalate to the Data Protection Board of India
If you are not satisfied with our response or resolution, you have the right to file a complaint with the Data Protection Board of India, as established under the DPDP Act, 2023. The Board has the authority to investigate complaints and impose penalties on Data Fiduciaries who fail to comply with the Act.
7. Data Protection Officer
Our designated point of contact for all data protection matters is:
Data Protection Officer
BartLabs Technologies Private Limited
Email: dpo@zuro.health
Grievance Officer: grievance@zurohealth.com
General Privacy: privacy@zuro.health
Address: Vadodara, Gujarat, India
The Data Protection Officer is responsible for ensuring compliance with the DPDP Act, 2023 and other applicable data protection laws, responding to data subject requests, and liaising with the Data Protection Board of India when required.
8. Your Duties as a Data Principal
Under the DPDP Act, 2023, Data Principals also have certain duties:
- Provide accurate and truthful information when registering and using the Platform
- Do not impersonate another person or provide false identity information
- Do not suppress material information when providing personal data
- Do not register frivolous or false grievances or complaints with the Data Fiduciary or the Data Protection Board
- Comply with all applicable laws when exercising your rights
9. Related Policies
For more details about how we handle your data, please review our related policies:
- Privacy Policy - Complete details on data collection, processing, and sharing
- Health Data Protection Practices - Technical security measures and compliance details
- Terms of Service - Platform usage rules and agreements