Last updated: March 19, 2026
1. Introduction
BartLabs Technologies Private Limited, operating as Zuro Healthcare ("Zuro", "we", "us", or "our"), is committed to protecting your privacy and the security of your personal and health information. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you use our healthcare management platform ("Platform" or "Service").
This policy is published in compliance with the Digital Personal Data Protection (DPDP) Act, 2023, the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
By using Zuro, you consent to the data practices described in this policy. If you do not agree with this policy, please do not access or use our services.
2. Data Fiduciary Information
Under the DPDP Act, 2023, Zuro acts as a "Data Fiduciary" for the personal data processed through the Platform. The Data Fiduciary details are:
BartLabs Technologies Private Limited
(Operating as Zuro Healthcare)
Registered Address: Vadodara, Gujarat, India
Email: privacy@zuro.health
3. Information We Collect
3.1 Personal Information
- Full name, email address, and phone number
- Date of birth, age, and gender
- Profile photographs (optional)
- Residential address
- Emergency contact information
- Government-issued identification numbers (e.g., Aadhaar, Ayushman Bharat Health Account ID) where voluntarily provided and necessary for service delivery; these are stored with field-level encryption
3.2 Account and Role Information
- Account type (patient, doctor, hospital/clinic, pharmacist, admin)
- Professional credentials and verification documents (for healthcare providers), including medical registration number, council name, and qualification certificates
- Clinic or hospital details (name, address, specialties, operating hours, registration number)
- Subscription tier and billing information
3.3 Health Information (Sensitive Personal Data)
- Medical prescriptions and documents uploaded by you or issued by providers through the Platform
- Lab reports, diagnostic results, and imaging reports
- Vaccination records and immunisation history
- Medication history, current medications, and reminders
- Doctor appointments, consultation notes, and visit history
- Emergency health information (blood type, known allergies, chronic conditions)
- AI-extracted prescription data (medicines, dosages, frequency) generated through OCR scanning
3.4 Financial Information
- Payment transaction records (processed via Razorpay; we do not store complete card details)
- Subscription history and invoices
- Billing address
3.5 Support and Feedback Data
- Support tickets and correspondence
- Feature requests and feedback submissions
- Bug reports and issue descriptions
3.6 Technical and Usage Information
- Device information (type, operating system, browser)
- IP address and approximate geolocation
- Usage patterns, session duration, pages visited, and feature interaction analytics
- Cookies and similar tracking technologies
4. Purpose of Data Processing
We process your personal data for the following purposes:
- Service Delivery: To provide, maintain, and improve the healthcare management platform, including storing medical records, processing prescriptions, managing appointments, and sending medication reminders
- AI-Powered Features: To enable prescription OCR scanning (via Google Gemini AI), Smart Rx suggestions, drug interaction checks, and medicine information lookups
- Account Management: To create and manage your account, verify provider credentials, and process subscriptions and payments
- Communication: To send transactional emails (via Resend), appointment reminders, medication alerts, security notifications, and service updates
- Healthcare Coordination: To facilitate the sharing of health records between patients and their authorised healthcare providers, with explicit consent
- Security and Compliance: To detect and prevent fraud, unauthorised access, and other security threats; to comply with legal obligations
- Analytics and Improvement: To analyse anonymised and aggregated usage patterns to improve the Service (no personally identifiable health information is used for this purpose)
- Customer Support: To respond to support tickets, feedback, and enquiries
5. Legal Basis for Processing Under DPDP Act
We process your personal data on the following legal grounds as permitted under the DPDP Act, 2023:
- Consent: Your explicit, informed, and freely given consent obtained at the time of registration and at each point of data collection. You may withdraw consent at any time (see Section 8).
- Legitimate Uses: Processing necessary for the performance of the Service you have requested, such as storing health records, processing prescriptions, and facilitating appointments.
- Legal Obligation: Processing required to comply with applicable Indian laws, including medical record retention requirements, tax laws, and regulatory requirements.
- Medical Emergency: Processing necessary to respond to a medical emergency involving a threat to the life or health of the Data Principal or another individual.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data or health records. We share your information only in the following circumstances:
- With Healthcare Providers (With Consent): When you explicitly choose to share health records with a doctor, hospital, or pharmacy through the Platform's consent management system
- With Pharmacies (With Consent): When you or your prescribing doctor shares a prescription with a pharmacy for dispensing
- With Service Providers (Data Processors): With trusted third-party service providers who process data on our behalf under strict contractual obligations (see Section 11)
- Legal Requirements: When required by law, court order, or government authority, or when disclosure is necessary to protect our rights, safety, or property, or the rights, safety, or property of others
- Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy protections
7. Data Security
We implement industry-standard security measures to protect your health data. For detailed information about our security practices, please refer to our Health Data Protection Practices page. Key measures include:
- Encryption: AES-256-GCM encryption at rest; TLS 1.2+ encryption for all data in transit
- Access Control: Role-based access control (RBAC) with five distinct roles ensuring users can only access data relevant to their role
- Field-Level Encryption: Sensitive identifiers (e.g., Aadhaar numbers) are encrypted at the field level with additional protections
- Secure Storage: Data is stored on Google Cloud Platform (Firebase) with enterprise-grade security certifications
- Session Management: Automatic session expiry with role-based timeout durations
- Audit Logging: All access to health information is logged for accountability
- No Third-Party Selling: We never sell your health data to third parties
8. Your Rights Under the DPDP Act
As a Data Principal under the DPDP Act, 2023, you have the following rights:
- Right to Access: You may request a summary of all personal data we hold about you and the processing activities associated with it
- Right to Correction: You may request correction of inaccurate or incomplete personal data. You can also update most information directly through your account settings.
- Right to Erasure: You may request deletion of your personal data. Upon a valid erasure request, we will delete your data within 30 days, except where retention is required by law (e.g., medical record retention requirements, tax records).
- Right to Data Portability: You may export your health records from your dashboard in a structured, commonly used format at any time
- Right to Withdraw Consent: You may withdraw your consent for data processing at any time. Withdrawal of consent will not affect the lawfulness of processing carried out prior to the withdrawal. Note that withdrawing consent may limit your ability to use certain features of the Service.
- Right to Grievance Redressal: You may raise a grievance with our Grievance Officer (see Section 15) or file a complaint with the Data Protection Board of India
- Right to Nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity, as provided under the DPDP Act
To exercise any of these rights, contact us at privacy@zuro.health with your request and account details. We will respond within 30 days.
9. Data Retention
We retain your personal and health information according to the following schedule:
- Active Account Data: Retained for as long as your account remains active and is needed to provide the Service
- Post-Deletion: Upon account deletion, personal data is erased within 30 days, subject to legal retention requirements
- Medical Records: Health records created by healthcare providers may be retained for the minimum period required by applicable medical record retention laws (3 years under the Indian Medical Council regulations, or longer as required by state-specific laws)
- Financial Records: Transaction and billing records are retained for a minimum of 8 years as required under Indian tax and accounting laws
- Audit Logs: Security and access logs are retained for a minimum of 1 year for compliance and incident investigation purposes
- Anonymised Data: Aggregated and anonymised data (from which no individual can be identified) may be retained indefinitely for analytics and service improvement
10. Children's Data Protection
Zuro does not knowingly collect personal data from children under the age of 18 without verifiable parental or guardian consent, in compliance with the DPDP Act, 2023.
- Parents or legal guardians may create accounts and manage health records on behalf of their minor children
- We do not engage in tracking, behavioural monitoring, or targeted advertising directed at children
- If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete such data promptly
- Healthcare providers using the Platform to manage paediatric patients must ensure appropriate parental consent is obtained as required by law
11. Third-Party Services (Data Processors)
We engage the following third-party service providers who process data on our behalf. Each provider is bound by contractual obligations to maintain the confidentiality and security of your data:
- Google Cloud Platform / Firebase: Cloud infrastructure, data storage, authentication, and hosting. Data is stored in Google Cloud data centres with enterprise-grade security certifications.
- Razorpay: Payment processing (PCI-DSS compliant). Only transaction data is shared; no health information is transmitted to Razorpay.
- Google Gemini AI: Prescription OCR scanning and Smart Rx features. Prescription images are processed for data extraction; processed data is returned to the Platform and is not retained by Google for AI training purposes under our data processing agreement.
- Resend: Transactional email delivery (account verification, password resets, appointment reminders). Only the minimum necessary information (email address and message content) is shared.
- Vercel: Application hosting and deployment. No health data is stored on Vercel servers; it serves as a delivery network for the web application.
12. Cross-Border Data Transfers
Some of our third-party service providers may process data outside India. In such cases:
- We ensure that data transfers comply with the DPDP Act, 2023 and are only made to jurisdictions not restricted by the Central Government
- Appropriate contractual safeguards (Data Processing Agreements) are in place with all such providers
- We endeavour to use data centres located in India or within jurisdictions that provide an adequate level of data protection
- Google Cloud Platform provides options for data residency in India, which we utilise where available
13. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the Data Protection Board of India as required under the DPDP Act, 2023, without unreasonable delay
- Notify affected Data Principals (users) of the breach, the nature of data compromised, and the remedial measures taken, in the manner and within the timeframe prescribed by the Data Protection Board
- Take immediate steps to contain the breach, investigate the cause, and implement measures to prevent recurrence
- Maintain a record of all data breaches and the actions taken in response
14. Cookies and Tracking Technologies
We use cookies and similar technologies to:
- Essential Cookies: Maintain your authenticated session and ensure the Platform functions correctly. These cannot be disabled.
- Analytics Cookies: Understand how users interact with the Platform to improve the user experience. We use anonymised analytics only.
- Preference Cookies: Remember your settings, language preferences, and display choices.
We do not use advertising or tracking cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the Platform.
15. Grievance Officer
In accordance with the DPDP Act, 2023 and the Information Technology Act, 2000, we have appointed a Grievance Officer to address your concerns regarding data processing:
Grievance Officer
BartLabs Technologies Private Limited
Email: grievance@zurohealth.com
Address: Vadodara, Gujarat, India
Response time: We acknowledge grievances within 24 hours and aim to resolve them within 30 days of receipt.
If you are not satisfied with our resolution, you may file a complaint with the Data Protection Board of India as established under the DPDP Act, 2023.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes, we will provide at least 15 days' prior notice via email or in-app notification. Continued use of Zuro after the effective date of the revised policy constitutes your acceptance of the changes. The "Last updated" date at the top of this page indicates when the policy was last revised.
17. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
BartLabs Technologies Private Limited
(Operating as Zuro Healthcare)
Privacy Enquiries: privacy@zuro.health
General Support: support@zurohealth.com
Grievance Officer: grievance@zurohealth.com
Address: Vadodara, Gujarat, India