AyuLink Health Technologies Pvt. Ltd. ("AyuLink", "we", "us", or "our") is committed to protecting the privacy of every user of the AyuLink digital health records platform (the "Platform"). This Privacy Policy explains how we collect, use, store, share, and protect your information when you access or use our Platform, whether as a patient, doctor, hospital administrator, or any other authorised user.
This policy is published in accordance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 ("DPDP Act"), as applicable.
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use the Platform.
1. Information We Collect
1.1 Personal Data
- Full name
- Phone number
- Email address
- Date of birth
- Gender
- Address and pin code
- Government-issued identification numbers (where provided voluntarily)
1.2 Health Data (Sensitive Personal Data)
- Medical records and clinical notes
- Prescriptions and medication history
- Lab reports and diagnostic results
- Imaging reports (X-rays, MRIs, etc.)
- Allergies and immunisation records
- Emergency contact and emergency medical information
- Doctor-patient consultation notes
1.3 Device and Usage Data
- IP address
- Browser type and version
- Device type, operating system, and unique device identifiers
- Pages visited, time spent, click patterns, and navigation paths
- Crash logs and performance data
- Referral URLs
1.4 Data Provided by Healthcare Providers
Doctors and hospitals using the Platform may upload medical records, prescriptions, and clinical notes associated with your profile, with your consent.
2. How We Use Your Data
We use your data strictly for the following purposes:
- Service Delivery: To provide, maintain, and improve the Platform's functionality, including storing and retrieving your health records, facilitating doctor-patient interactions, and enabling emergency QR-based data access.
- Platform Improvement: To analyse usage patterns and improve the user experience, performance, and reliability of the Platform.
- Doctor-Patient Interactions: To enable healthcare providers to view, update, and manage your medical records when you grant them access.
- Communication: To send you service-related notifications, appointment reminders, and critical updates (e.g., security alerts).
- Legal Compliance: To comply with applicable laws, regulations, and lawful requests from governmental authorities.
- Safety and Security: To detect, prevent, and address fraud, abuse, and security threats.
We do not use your health data for advertising, marketing, or profiling purposes.
3. Data Sharing and Disclosure
We share your data only in the following circumstances:
- With Your Consent: When you explicitly authorise sharing — for example, granting a doctor access to your medical records.
- Healthcare Providers: With doctors, hospitals, or clinics you choose to communicate with or share records with via the Platform.
- Service Providers: With trusted third-party service providers (e.g., cloud hosting, payment processors) who assist us in operating the Platform. These providers are bound by strict confidentiality and data-processing agreements.
- Legal Obligations: When required by law, regulation, or a valid court order issued by a competent authority in India.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction, subject to the same level of protection described in this policy.
We do not sell, rent, or trade your personal or health data to any third party.
4. Data Security
We implement industry-standard security measures to protect your data, including but not limited to:
- Encryption: All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256.
- Secure Storage: Data is hosted on secure, ISO 27001-certified cloud infrastructure (Amazon Web Services) with data centres located in India.
- Access Controls: Role-based access control (RBAC) ensures only authorised personnel and users can access specific data. Multi-factor authentication (MFA) is available for all accounts.
- Regular Audits: We conduct periodic security audits, vulnerability assessments, and penetration testing.
- Incident Response: We maintain a documented incident response plan and will notify affected users of any data breach in accordance with the DPDP Act, 2023.
While we take every reasonable precaution, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but will act promptly to address any breach.
5. Your Rights
Under the DPDP Act, 2023, and applicable Indian law, you have the following rights:
- Right to Access: You may request access to the personal and health data we hold about you.
- Right to Correction: You may request correction of inaccurate or incomplete data.
- Right to Erasure: You may request deletion of your personal data, subject to legal and regulatory retention requirements.
- Right to Withdraw Consent: You may withdraw consent for data processing at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- Right to Grievance Redressal: You may raise a complaint or grievance regarding data processing by contacting our Grievance Officer (see Section 12).
- Right to Nominate: You may nominate another individual to exercise your data rights on your behalf, in accordance with the DPDP Act.
To exercise any of these rights, please contact us at privacy@ayulink.health.
6. Data Retention
- We retain your personal and health data for as long as your account is active or as needed to provide you services.
- Upon account deletion or withdrawal of consent, we will delete your data within 30 days, unless retention is required by applicable law or regulation (e.g., medical record retention requirements under Indian law).
- Anonymised and aggregated data that cannot identify you may be retained indefinitely for research and analytics purposes.
7. Cookies and Tracking Technologies
We use cookies and similar technologies for the following purposes:
- Essential Cookies: Required for the Platform to function correctly (e.g., session management, authentication tokens).
- Analytics Cookies: To understand how users interact with the Platform and improve our services.
- Preference Cookies: To remember your settings and preferences.
You can manage cookie preferences through the cookie consent banner displayed on first visit or through your browser settings. Disabling essential cookies may impair Platform functionality.
8. Third-Party Services
We use the following categories of third-party services to operate and improve the Platform:
- Cloud Infrastructure: Amazon Web Services (AWS) for hosting, storage, and compute services.
- Payment Processing: Third-party payment gateways (e.g., Razorpay) for processing subscription payments. We do not store your payment card details on our servers.
- Analytics: Analytics services to understand Platform usage and improve performance.
- Communication: Email and SMS service providers for transactional notifications.
Each third-party provider is subject to its own privacy policy and terms. We strongly encourage you to review their policies.
9. ABHA Integration Disclaimer
Important Notice
AyuLink is not currently integrated with the Ayushman Bharat Health Account (ABHA) system. Integration with ABHA is in progress and will be announced once available. Until then, AyuLink operates independently and does not pull data from or push data to ABHA or the National Digital Health Mission (NDHM) ecosystem.
10. Children's Privacy
The Platform is not intended for use by individuals under the age of 18 without the consent and supervision of a parent or legal guardian. We do not knowingly collect personal data from children without verified parental consent. If we become aware that we have collected data from a child without appropriate consent, we will take steps to delete such data promptly.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law, or for other operational or legal reasons. We will notify you of any material changes through the Platform or via email. The updated policy will be effective from the date stated at the top of this page. Continued use of the Platform after changes constitutes your acceptance of the revised policy.
12. Grievance Officer
In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, we have appointed a Grievance Officer to address your concerns regarding data processing:
Name: Grievance Officer, AyuLink Health Technologies Pvt. Ltd.
Email: grievance@ayulink.health
Response Time: Within 48 hours of receiving your complaint.
Resolution Timeline: Within 30 days of receipt, in accordance with applicable law.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@ayulink.health
- Website: https://ayulink.akforges.com