Back
ZIVOLABS
Legal

Privacy policy

Effective: 26 May 2026 · Last updated: 26 May 2026

This privacy policy explains how ZIVOLABS Healthcare Private Limited(“ZIVOLABS”, “we”, “our”, “us”) collects, uses, stores, shares, and protects information about you when you use our platform — including the website, the patient app, the doctor portal, and any related services (collectively, the “Platform”).

We act as the Data Fiduciaryunder the Digital Personal Data Protection Act, 2023 (“DPDP Act”) for personal data we collect from you. For health information processed in the course of providing clinical care, we also follow the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Telemedicine Practice Guidelines, 2020.

1. What data we collect

1.1 Information you give us

  • Identity & contact: full name, date of birth, gender, email, phone, billing and shipping addresses.
  • Health & clinical: height, weight, BMI, medical history, current medications, allergies, lifestyle answers, symptoms, side-effect logs, weekly check-in data, and any photographs or documents you upload.
  • Government identifiers: only where the law requires (e.g. doctor NMC registration numbers, pharmacy drug-licence numbers).
  • Payment: we do not store your full card or bank details. Razorpay (PCI-DSS Level 1 certified) processes payments on our behalf and returns only a redacted reference token to us.
  • Communication: messages you send to our support team, doctor notes, and consultation transcripts (where you consent to recording).

1.2 Information we collect automatically

  • Device & log data: IP address, browser type, operating system, time-zone, referring URL, and pages visited — used for security and to debug issues.
  • Cookies & similar: session cookies for sign-in, and strictly necessary cookies for cart and checkout. We do not use third-party advertising cookies.

1.3 Information from third parties

  • Pharmacy & courier partners: dispatch confirmations, tracking events, and delivery confirmations.
  • Payment gateway: success/failure status, refund references.

2. Why we process your data

We process your data only for these purposes:

  • Treatment & care: matching you to a doctor, conducting consultations, generating prescriptions, dispatching medication, and following up on outcomes.
  • Billing & subscription management: charging for consults and refills, issuing invoices, processing refunds.
  • Safety & clinical compliance: recording adverse events, ensuring controlled-substance protocols are followed, audit logs for telemedicine.
  • Service operation & security: authenticating sign-ins, preventing fraud, debugging, and meeting our legal obligations.
  • Communication: appointment reminders, dispatch notifications, refill alerts, and (with your separate consent) product updates.
  • Anonymised analytics & research: only where you have specifically opted in, and only after removing direct identifiers.

3. Legal basis for processing

Under the DPDP Act, we rely on the following grounds:

  • Consent — for marketing communication, research participation, and recording of consultations.
  • Certain Legitimate Uses — for performance of the medical service you signed up for, fulfilment of a public-interest function (telemedicine safety), and compliance with law.

You may withdraw your consent at any time from your in-app privacy settings. Withdrawal does not affect the lawfulness of processing done before withdrawal, and some processing necessary for ongoing safety (e.g. retaining your medical record while you are under our care) will continue under a non-consent basis.

4. Who we share data with

We share the minimum data necessary, only with these categories of recipients:

  • The treating doctor assigned to you (always).
  • The pharmacy dispatching your medication — they receive your name, shipping address, drug, dose, and the doctor's prescription.
  • Courier partners — name, address, phone for the delivery.
  • Razorpay — for payment processing.
  • Service providers we use to run the platform: Clerk (authentication), Supabase (database hosting in Mumbai/Singapore region), Vercel (web hosting), Resend (transactional email), and a TURN/STUN provider for video calls. Each is bound by a written data-processing agreement.
  • Regulators, courts, and law-enforcement — only when legally compelled.

We do not sell your personal data. We do not share identifiable data with advertisers.

5. Cross-border transfers

Our database is hosted in India where available. Some of our service providers (Clerk, Vercel, Resend) process limited data outside India. In each case, the provider is contractually bound to apply protections equivalent to the DPDP Act. The Central Government has not, as of the effective date of this policy, notified a list of restricted countries; we will update this section if it does.

6. How long we keep your data

  • Medical records: a minimum of 3 years from the date of the consultation, as required by Clause 3.7.1 of the Telemedicine Practice Guidelines, 2020. We retain prescriptions for the lifetime of the prescription plus the regulatory minimum.
  • Billing & tax records: 8 years, as required under the Income-Tax Act and GST law.
  • Support communications: 2 years from last contact.
  • Marketing consent records: until withdrawn, plus 1 year for audit.

When the retention period ends, we securely delete or anonymise the data. You may ask us to erase your account at any time (see Section 8), and we will do so subject to the retention obligations above.

7. Security

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Access to production data is restricted to named engineering and clinical-ops personnel, logged, and reviewed monthly.
  • Video consultations use end-to-end encrypted peer-to-peer WebRTC — the video and audio stream does not pass through our servers.
  • We run automated daily backups and conduct annual restore drills.
  • We will notify the Data Protection Board of India and affected users of any reportable personal-data breach within the timelines required by the DPDP Act and its rules.

8. Your rights under the DPDP Act

You have the right to:

  • Access — get a copy of the personal data we hold about you. You can self-serve this from your privacy page.
  • Correction & update — fix anything that is inaccurate or incomplete. You can edit most fields from your profile.
  • Erasure — delete your account and personal data, subject to the retention obligations described above.
  • Grievance redressal — raise a complaint with our Grievance Officer (Section 11). If we don't resolve it in 30 days, you may approach the Data Protection Board of India.
  • Withdraw consent — for any processing based on consent.
  • Nominate — appoint someone to exercise your rights if you become incapacitated or in the event of your death.

9. Children

ZIVOLABS is intended for adults aged 18 and over. We do not knowingly collect data from anyone under 18. If we learn that we have collected data from a minor, we will delete it.

10. Changes to this policy

We may update this policy when our practices, services, or applicable law change. The “Last updated” date at the top tells you when it was last revised. If we make material changes, we will notify you by email or through the app at least 7 days before the change takes effect.

11. Contact — Grievance Officer

Under Section 8(9) of the DPDP Act, our designated Grievance Officer is:

  • Name: Harsh Kumar
  • Email: grievance@zivolabs.org
  • Postal address: ZIVOLABS Healthcare Private Limited, Bengaluru, Karnataka, India
  • Response time: we acknowledge within 48 hours and resolve within 30 days.

For general support questions, write to support@zivolabs.org.