DPDP Act 2023 & SPDI Compliant

Privacy Policy

Version 3.1Compliance: India & Global Standards

Your privacy and the security of patient data are our highest priorities. This Privacy Policy details our practices in compliance with the Digital Personal Data Protection (DPDP) Act 2023 (India) and local SPDI guidelines.

1. Data Segregation (The "Snapshot" Pattern)

To comply simultaneously with dynamic user profile updates and strict static accounting audits, we employ the "Snapshot" Data Pattern.

Transparent Auditing: All transactional data (including Invoice details, legal clinic names, and Tax/GSTIN numbers) are snapshotted and mathematically frozen at the exact moment of payment execution. This satisfies statutory tax audits and cannot be altered retrospectively, even if the user later updates their active organizational profile.

We distinctly separate current "Live" identity data (which you can edit at any time) from historical "Snapshot" billing data (which remains immutable).

2. Data Collected

We classify collected data into two distinct silos with varying levels of encryption and access control:

Identity & Authentications

  • Primary contact details: Email address and Name.
  • Network footprint: IP addresses and session timestamps.
  • Device signatures: Hardware persistent device IDs (e.g., matching Samsung/Apple high-entropy Client Hints like SM-S928B) used strictly for security monitoring and fraud prevention.

Clinical Data

  • Patient demographic records.
  • EMR (Electronic Medical Record) notes and diagnostic files.
  • Digital prescriptions and clinic branch setups.

Security Assurance (The "Personal Vault" Model): We employ Zero-Knowledge (Frontend Encryption) for clinical data. This means patient data is encrypted before it leaves your browser, acting as a personal vault. This encrypted data is securely stored and managed in our MongoDB databases (hosted via Amazon Web Services/AWS or Google Cloud), rather than our app servers. Neither Aztreya as a company, nor any of its staff, can access or decrypt your patients' clinical data.

3. Third-Party Sub-processors

To provide high-availability services, we partner with specialized, certified infrastructure providers. We remain transparent about where your data is processed:

  • Google Cloud & Amazon Web Services (AWS): Secure cloud hosting, application deployment, and database storage infrastructure. Location constraint: India Regions exclusively.
  • Razorpay: PCI-DSS compliant, RBI-certified payment processor handling all financial tokenization.
  • AWS SES: High-deliverability dispatchers for transactional emails and systemic notifications.
  • WhatsApp Business API: Secure delivery of transactional WhatsApp messages and alerts.
  • SendGrid / Msg91: Reliable delivery providers for SMS communications and OTPs.

4. Retention Periods

While we support modern privacy rights, certain data is subject to overriding statutory laws.

In adherence to Indian corporate and tax laws, historical legal invoices and financial transaction logs will be retained securely for a period of 7 years. This retention applies unconditionally, even if a user subsequently requests account deletion invoking the "Right to be Forgotten" mandates under GDPR or the DPDP Act 2023.