Legal · Privacy

Privacy Policy

Prvaha is operated by Bhuneshvar, a sole proprietorship based in India. We are committed to protecting your privacy and the security of your personal and healthcare-related information.

Last Updated: June 23, 2026

This Privacy Policy is published in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and the rules made thereunder.
1

Our Role: Data Fiduciary vs. Data Processor

Prvaha is a business-to-business platform used by clinics, polyclinics, diagnostic centres, and hospitals ("Healthcare Organizations") to manage their operations.

  • Patient and clinical data entered by a Healthcare Organization: the Healthcare Organization is the Data Fiduciary — it decides why and how the data is processed and is responsible for obtaining patient consent. Prvaha acts only as a Data Processor, processing such data on the Healthcare Organization's documented instructions.
  • Account, billing, website, and marketing data of our direct users and visitors: Prvaha acts as the Data Fiduciary.

If you are a patient and wish to access, correct, or delete your medical records, please contact the Healthcare Organization that treats you; we will support them in fulfilling your request.

2

Information We Collect

Personal Information

  • Name, email address, phone number
  • Date of birth, gender
  • Account credentials

Health & Medical Information

  • Appointment details and clinical notes
  • Medical records and prescriptions
  • Lab investigations, diagnoses, and reports

Usage Data

  • IP address and device information
  • Browser type and pages visited
  • Actions performed within the platform

Cookies & Tracking

We use cookies and similar technologies to enhance user experience and analyze usage. See our Cookie Policy for details.

3

How We Use Your Information

We use the collected data to:

  • Provide and maintain our services
  • Manage appointments and patient records
  • Improve platform performance and user experience
  • Communicate important updates and notifications
  • Ensure security and prevent fraud
  • Comply with legal and regulatory requirements
4

Data Sharing & Disclosure

We do not sell your personal data.

We may share your information with:

  • The Healthcare Organization you belong to or are treated by
  • Authorized staff and administrators within that organization
  • Third-party service providers ("sub-processors", see §5)
  • Legal or regulatory authorities when required by law

All third parties are bound by contractual obligations to maintain confidentiality and data security.

5

Sub-processors

We use trusted third-party service providers to operate the platform. They process data only as needed to provide their service and under appropriate data-protection commitments. Current categories include:

  • Cloud hosting & infrastructure — running the application and databases
  • Payment processing — Razorpay, for subscription billing
  • Email delivery — transactional and notification emails
  • Video consultations — real-time audio/video infrastructure
  • AI assistant — to power in-app assistance features
  • Object storage — for files and documents
  • Monitoring & error tracking — to keep the service reliable and secure

We review our sub-processors and will update this list as it changes.

6

Data Security

We implement industry-standard security measures, including:

  • Encryption of sensitive data in transit and at rest
  • Secure authentication mechanisms
  • Role-based access control and tenant data isolation
  • Audit logging and regular security reviews

However, no system is 100% secure, and we cannot guarantee absolute security.

Breach notification: In the event of a personal data breach, we will notify the affected Healthcare Organization(s), the Data Protection Board of India, and affected individuals where required — without undue delay and in accordance with the DPDP Act, 2023.
7

Data Retention

We retain your information only as long as necessary to:

  • Provide services
  • Comply with legal obligations
  • Resolve disputes

You may request deletion of your data, subject to legal and medical record retention requirements. See our Data Retention & Deletion page for how to submit a request.

8

Your Rights

Under the Digital Personal Data Protection Act, 2023 and other applicable laws, you may have the right to:

  • Access a summary of your personal data and how it is processed
  • Correct, complete, or update inaccurate information
  • Request erasure of your data
  • Withdraw consent at any time
  • Nominate another individual to exercise your rights in the event of death or incapacity
  • Grieve and seek redressal through our Grievance Officer (see §12)

To exercise your rights, contact us using the details in §12. Patients should contact their Healthcare Organization, as it is the Data Fiduciary for clinical records.

9

Children's Privacy

Prvaha is not intended for use by individuals under the age of 18 without verifiable parental or guardian consent. We do not knowingly process children's data for tracking or targeted advertising.

10

Third-Party Services

Our platform may contain links to or integrations with third-party services. Their use of your data is governed by their own privacy policies, and we are not responsible for their practices.

11

Changes to This Policy

We may update this Privacy Policy from time to time. Updates will be posted on this page with a revised "Last Updated" date. Continued use of Prvaha after updates constitutes your acceptance of the revised policy.

12

Grievance Officer & Contact

If you have any questions, concerns, or grievances about this Privacy Policy or how your data is handled, please contact our Grievance Officer. We aim to acknowledge grievances promptly and resolve them within the timelines required by law.

Contact Us

Operator
Bhuneshvar
Phone
+91 7888812282
Address
317, Ahri, Jhajjar, Haryana
13

Compliance

We strive to comply with applicable data protection laws, including:

  • The Digital Personal Data Protection Act, 2023 (DPDP Act)
  • The Information Technology Act, 2000 and the SPDI Rules, 2011
  • The General Data Protection Regulation (GDPR), where applicable