Privacy Policy

Scope and applicability

This Privacy Policy describes how Chirayu Tech India Pvt Ltd ("Chirayu", "we", "us", or "our") collects, uses, stores, discloses, and protects information when you use any of our services — including the Caremap Hospital Management and Electronic Medical Records platform (caremap.in), Caremap Protect (protect.caremap.in), Tele Arogya (telearogya.com), Health-e Records, and the Healthe-Card.

This policy applies to patients, doctors, healthcare providers, hospital administrators, and any other user accessing our services through a web browser, mobile application, or integrated hospital system. By using our services, you agree to the practices described here.

Key definitions under the SPI Rules

The terms "personal information" and "sensitive personal data or information" used in this policy carry the meanings defined under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("SPI Rules"):

Personal information

Any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available to a body corporate, is capable of identifying that person.

Sensitive personal data or information

Personal information which consists of information relating to: passwords; financial information such as bank account, credit card, debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; and any detail relating to the above as provided to a body corporate for providing a service. Information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 is not regarded as sensitive personal data.

Information we collect

Depending on which Chirayu service you use, we may collect:

Identification and contact details

• Full name, date of birth, gender
• Mobile number and email address
• Residential address and city
• Government-issued identifiers where applicable (for example, ABHA ID for ABDM linkage)
• Healthe-Card number assigned during registration

Medical and clinical information

• Medical history, allergies, comorbidities, and current medications
• Symptoms, diagnoses, and clinical observations recorded by your healthcare provider
• Prescriptions, lab orders, imaging requests, and corresponding reports
• Vital signs captured during a visit
• Treatment plans, procedures performed, surgical records, and discharge summaries
• Photographs taken during examination, where clinically relevant and permitted by the healthcare provider

Consent recordings (Caremap Protect)

• Video recordings of consent sessions including face and voice
• Consent checklist items presented and acknowledged
• Date, time, and the identity of the initiating healthcare provider
• Patient identification confirmed during the recording

Tele consultation data (Tele Arogya)

• Video and audio streams during a live consultation (processed in real time, not stored unless explicitly indicated)
• Chat messages exchanged between the patient and the care provider
• Pre-consultation history captured by assistants on the patient's behalf
• Appointment booking details, including the slot, the care provider, and the language preference

Account, device, and usage information

• Account credentials including hashed password and OTP records
• IP address, device type, operating system, browser version
• Application logs, error reports, and feature usage patterns used for debugging and improvement

Payment information

• Payment instrument details processed through PCI-compliant payment gateways
• Transaction history and invoices
• Wallet balances and recharge history (applicable to Caremap Protect)

How we use information

We use the information we collect only for purposes that support the delivery of healthcare services and the operation of our software:

• Service delivery: creating and maintaining your account, scheduling appointments, recording clinical encounters, generating prescriptions, processing billing, and enabling teleconsultation.
• Consent documentation: creating, storing, and retrieving structured video consent records on behalf of the healthcare provider, and providing patients with access to their own consent history.
• Patient communication: sending appointment reminders, prescription details, lab reports, follow-up notifications, and account-related messages to the mobile number or email address you have registered.
• Patient transfer of records: sharing your medical records with another healthcare provider when you have given consent for such transfer.
• Customer support and debugging: diagnosing technical issues, responding to support tickets, and improving the reliability of our services.
• Compliance: meeting our legal and regulatory obligations under applicable Indian healthcare and data protection laws.
• Aggregated analytics: producing anonymised, aggregated statistics about the use of our services. Aggregated data does not identify any individual user.

We do not use your personal medical information for advertising, and we do not sell your information to any third party.

Sharing and disclosure

We disclose personal information only in the following circumstances:

• To your healthcare provider: the information you enter as part of a clinical encounter is necessarily accessible to the hospital or clinic providing your care.
• To other healthcare providers, on your consent: Chirayu will transfer patient data entered by one healthcare provider to another healthcare provider when you have provided consent. Chirayu is not liable if the necessary consent is not taken from the patient by the healthcare provider.
• To payment processors: to process transactions you have initiated.
• To service providers acting on our behalf: cloud hosting, SMS gateways, email delivery providers, and similar infrastructure partners, all bound by confidentiality and data protection obligations.
• For legal reasons: when required to comply with a court order, statutory notice, or other legal process, or when necessary to protect the rights, property, or safety of Chirayu, our users, or the public.

Consent records (Caremap Protect)

Caremap Protect records structured video consents on behalf of healthcare organisations. These recordings are stored securely and are accessible to:

• The authorised users of the healthcare organisation that initiated the consent (typically the doctor, the receptionist, and the administrator).
• The patient whose consent was recorded, through secure authentication using their registered mobile number.

Consent recordings are treated as part of the medical documentation of the healthcare organisation and are retained as required for medico-legal evidence. Patients may request access to their own consent records at any time. Chirayu does not share consent recordings with any third party except as required by law.

Tele consultation data (Tele Arogya)

Tele Arogya enables live video and audio consultation between patients and care providers. The video and audio streams during a live consultation are processed in real time for the purpose of the consultation. Chat messages exchanged during the consultation, prescription details, and pre-consultation history may be stored as part of the patient's medical record on the care provider's side.

You may request a copy of the records associated with your consultations by contacting your care provider directly.

Storage and security

We follow reasonable security practices and procedures, as required under the SPI Rules and other applicable laws, to protect personal information and sensitive personal data from unauthorised access, alteration, disclosure, or destruction. These include:

• Encryption of data in transit using TLS
• Encryption of data at rest for sensitive information
• Role-based access controls within healthcare organisations
• Authentication via password, OTP, and where applicable multi-factor verification
• Audit logging of access to consent records and clinical data
• Regular security reviews and updates to our infrastructure

While we take these precautions, no method of transmission or electronic storage is completely secure. We cannot guarantee absolute security and recommend that you keep your credentials private and notify us promptly of any suspected unauthorised use.

Retention

We retain personal and clinical information for as long as your account is active, for as long as required to deliver the services you have requested, and for any longer period required by applicable law, regulatory authorities, or our legitimate business purposes (including medico-legal record retention requirements). When information is no longer required and is not under any legal retention obligation, we will delete or anonymise it.

Your rights

You have the following rights regarding your personal information:

• Access: request a copy of the personal information we hold about you.
• Correction: ask us to correct information that is inaccurate or incomplete.
• Withdrawal of consent: withdraw any consent you previously provided. Withdrawal of consent may limit our ability to provide certain services to you.
• Restriction: request that we restrict processing of your information in specific circumstances.
• Grievance: file a complaint with our grievance officer about how your information has been handled.

To exercise any of these rights, write to us at contactus@caremap.in. We will respond within a reasonable time.

Cookies and tracking

Our websites use cookies and similar technologies to keep you signed in, remember your preferences, and analyse how our services are used. You can control cookies through your browser settings. Disabling cookies may affect some features of our services.

Minors

Our services are intended for users aged 18 or above, or the legal age to form a binding contract in the applicable jurisdiction. Minors between the ages of 13 and 18 may use the services only under the supervision of a parent or guardian who has agreed to our Terms and Conditions. Account credentials for any user identified as a minor are provided to the parent or guardian.

Grievance officer

For any concern, query, or grievance regarding the processing of your personal information, you may contact the grievance officer:

Changes to this policy

We may update this Privacy Policy from time to time. Changes become effective on the date they are posted on this page. Your continued use of our services after the changes are posted will signify your acceptance of the updated policy. We encourage you to review this page periodically.