Introduction
Effective Date: July 9, 2026
Nisarg Wellness Private Limited (hereinafter referred to as the “Company”), a company incorporated under the provisions of the Companies Act, 2013, is the owner, author, and publisher of the website dratdoorstep.com (referred as the “Website” / also referred to as “we”, “us” or “our”) and all related software services, mobile applications, and doorstep healthcare facilitation platforms (collectively referred as the “Platform”).
This privacy policy (“Privacy Policy”) describes how information, including Personal Data, is collected, processed, used, and retained at the Website and affiliated mobile applications for the purposes of its healthcare facilitation services. It applies to all users of the Platform, including medical practitioners, end-users, customers, and casual visitors. We have created this Privacy Policy to demonstrate our commitment to the protection, confidentiality, and absolute security of your Personal Data.
BY USING THE WEBSITE AND PLATFORM, YOU EXPRESSLY CONSENT TO OUR USE, DISCLOSURE, PROCESSING, AND RETENTION OF YOUR PERSONAL INFORMATION IN ACCORDANCE WITH THIS PRIVACY POLICY. THIS PRIVACY POLICY IS INCORPORATED INTO AND SUBJECT TO THE TERMS OF USE. IF YOU DO NOT AGREE, PLEASE DO NOT USE OR ACCESS THEREOF.
Definitions
In this Privacy Policy, unless the context otherwise requires, the following definitions shall apply:
- “Company / Doorstep / NISARG”: Nisarg Wellness Private Limited, operating under its brand name “dratdoorstep.com”. Having its registered office at 11/A, Dipawali Society Karelibaug, Vadodara, Gujarat, India, 390018.
- “Data and Personal Information”: Any information capable of identifying an individual either directly or indirectly, in digital or physical format.
- “Sensitive Personal Data”: Includes patient health records, clinical symptoms, medical history, biometric data, financial credentials (such as credit/debit card cardholder details, processing logs), and basic health vitals.
- “Service Providers”: Independent agencies, diagnostic labs, pharmacy facilitators, ambulance vendors, and third-party developers engaged to process data pursuant to written protective contracts.
- “Users / You”: Any doctor, nurse, clinic, ambulance provider, patient, customer, or casual visitor who accesses the Platform.
- “Cookies”: A small text file that a website stores on your browser/device to retain session integrity and preference settings.
- “Practitioners”: Licensed doctors, nursing therapists, physiotherapists, pathologists, and healthcare professionals who display their schedules or offer consults on the Platform.
Scope of the Privacy Policy
This Privacy Policy applies to all Non-Personal Information, Personal Information, and Sensitive Personal Information collated through the website dratdoorstep.com, the iOS and Android mobile applications, automated emails, transactional SMSs, WhatsApp customer communication channels, call centers (+91 8000126666), or offline physical delivery interactions during service coordination.
Why is this Privacy Policy?
This Privacy Policy is compiled and published in compliance with statutory requirements, including:
- Section 43A of the Information Technology Act, 2000;
- Regulation 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Rules”);
- Regulation 3(1) of the Information Technology (Intermediaries Guidelines) Rules, 2011; and
- The Digital Personal Data Protection Act, 2023 (“DPDPA”) and rules associated thereunder.
This policy outlines the types of information collected, the legitimate and lawful purposes of processing, the duration of data storage, vendor safety protocols, and the dispute resolution mechanisms established by the Company.
Collection of Personal Information
We receive and securely store any information you enter on our Platform or provide in any other way. This is required for user registration, purchasing services, consult scheduling, and executing payments.
A. Demographics & Dynamic Inputs
During signup, booking coordinate forms, or customer care enquiries, we collect: first and last name, cellular number, email address, postal coordinates (coordinates for dispatching home healthcare visits), identity verification proofs (where required by regulations), and billing logs.
We also request information about your health conditions, symptoms, medical queries, or treatment history to facilitate correct clinical evaluations by independent professionals.
B. Third-Party & Independent Partner Data
We periodically obtain verified details from healthcare partners and independent clinical directories to correct physical delivery directories, facilitate telemedicine setups, and understand dynamic user bookings.
C. Automatic System Logs
We automatically collect operational metadata from your devices including: IP address, Web browser type (such as Google Chrome, Apple Safari, Mozilla Firefox, or Microsoft Edge), page access statistics, referral links, and location logs necessary for dispatching emergency/non-emergency ambulance search results.
D. Cookies & Dynamic Technology
We utilize cookies to maintain session persistent state, encrypt account credentials (User IDs/passwords), and customize navigation cards. You may deactivate cookies in your web browser, but doing so will restrict access to interactive sections of the Platform.
Privacy Statements
The Company maintains structured physical, operational, managerial, and technological security controls proportional to the sensitive nature of patient health records. Acceptance of this Privacy Policy is mandatory to access Platform services. If you disagree, you must immediately close the website and deactivate your account.
Under India's DPDPA, you must grant explicit, unconditional, and informed consent to process and distribute your Personal Information or Sensitive Data. Such consent is obtained digitally upon account registration or booking confirmations.
Your Rights (DPDPA 2023 Compliant)
In accordance with the Digital Personal Data Protection Act, 2023, Users have comprehensive rights regarding their digital personal information:
- Right to Access and rectification: You may edit, update, or correct demographic information directly inside your “My Account” page. For subsequent edits or updates, you can contact us at privacy@dratdoorstep.com to verify identity and update databases.
- Right to Withdraw Consent: You may withdraw your consent for future processing at any time by writing an email to privacy@dratdoorstep.com. Upon receipt, we will cease data processing within seven (7) to fifteen (15) working days, unless retention is legally mandated. Withdrawal of consent may terminate your current services.
- Right to Erasure / Deletion: You may request complete erasure and deletion of your account and personal records by selecting the 'Account Closure' option in the mobile application or writing to us. Deletion requests will be completed in compliance with medical record retention regulations.
- Right to Summarized Data: You have the right to request a summary of the Personal Data being processed by Doorstep, along with a description of the processing activities.
- Right to File Grievance: You have the right to register complaints regard to data processing violations directly with our designated Grievance Officer, who will resolve the dispute within fifteen (15) days.
Practitioners & Vendor Note
This section governs licensed doctors, pathologists, nurses, and medical vendors:
- All diagnostic schedules, qualifications, and registration metadata are verified before listing on the Platform. Practitioners declare that the clinical licensing and certification details provided are accurate and updated.
- Data Ownership Coordination: The copyright, clinical records, and documentation regarding professional qualifications of the Practitioner remain the property of the Practitioner. However, the Practitioner grants the Company a non-exclusive, royalty-free, perpetual license to use, display, and process such information for Platform operations (such as telemedicine facilitation, online scheduling, and invoice generations).
- Practitioners are bound to process all patient health metrics in strict compliance with the DPDPA, Telemedicine Practice Guidelines, 2020, and the Drugs and Cosmetics Act, 1940.
End-Users & Customer Guidelines
End-Users voluntarily provide demographic, medical history, and clinical symptoms to schedule doctors and home care treatments. All Company employee logs, customer support transcripts, and data processing nodes are restricted to preserve complete user confidentiality.
The Platform may share patient details with third-party payment gateways to facilitate bookings. We do not store complete banking or cardholder PINs. All financial logs are encrypted and processed through certified PCI-DSS compliant payment gateways.
Casual Visitors
Casual visitors who merely browse our Platform without registering an account are not subject to sensitive medical records collection. We do not collect personal information about casual website visitors from external third-party sources unless explicitly volunteered during a call request or message form.
We may collect tracking cookies for web navigation diagnostics. If you disagree, simply close the browser application or execute the "clear cookies" function in your browser program to remove temporary tracking tokens.
Third-Parties and Data Processors
We work with analytical, cloud hosting, and database partners. All third-party data processors are bound by strict contractual clauses in compliance with DPDPA 2023 regulations:
- Cybersecurity Responsibility: Data processors shall implement robust encryption, firewalls, and role-based clearance nodes to protect patient records.
- No Reuse or Sale: Data processors are contractually barred from reuse, sale, licensing, or commercial exploitation of any patient data for any purpose other than providing coordination services to the Company.
- In the event of database leaks or data breaches attributable to third-party processors, such entities shall be held legally liable and required to execute standard recovery measures.
Platform Intermediary & Liability Disclaimer
Nisarg Wellness Private Limited acts solely as a technology platform and digital intermediary that facilitates connection nodes between Users and independent registered medical practitioners, diagnostic labs, ambulance agencies, and pharmacy vendors. The Company is not a licensed healthcare provider and does not directly render professional medical diagnoses, telemedicine treatments, or emergency medical opinion.
All listings of Practitioners, diagnostic partners, and vendors on the Platform are for informational and coordination purposes. The independent practitioners are solely responsible for clinical decisions and treatment directives. The Company disclaims all liability for medical negligence, inaccurate diagnoses, clinical treatment outcomes, or doorstep coordination delays.
Call and CCTV Policy: Coordinates, home check-in sequences, phone calls with administrators, and platform activities may be actively logged or recorded for quality control, dispute resolution, and security purposes. CCTV monitoring, where applicable at the Company’s check-in hubs or diagnostic vehicles, shall be processed with strict privacy safeguards.
Emergency Limitation Warning
NOT FOR EMERGENCY USE
Services offered by the Platform are strictly meant for scheduled, non-emergency, and routine home-care medical facilitation. In the event of a medical emergency, acute symptoms, or life-threatening events, Users must immediately contact a local ambulance service, visit the nearest physical hospital emergency room, or dial government helpline emergency numbers (102/108) directly without relying on this Platform.
Confidentiality, Security & Audit
The Company utilizes AES-256 data encryption for storage (data at rest) and secure SSL/TLS connections for transmission (data in transit). The following safeguards are enforced:
- Role-Based Access Controls (RBAC): Access to sensitive patient health records is locked to authorized clinical, administrative, and operations personnel on a strict "need-to-know" basis.
- Audit Logs & Monitor Sequences: Automated audit logs monitor database queries, data modifications, and check-in times to prevent unauthorized intrusion.
- Data Breach Notification Protocol: In the event of any data breach within our technical systems:
- The Company shall acknowledge and document the breach internally within twenty-four (24) hours.
- Affected Users shall be notified via email or call within seventy-two (72) hours of breach confirmation.
- The cyber incident shall be reported to the Certifying Authority or relevant DPDPA regulatory board within seventy-two (72) hours of detection.
Data Retention Policy
In accordance with compliance directives under Indian law, we enforce standard retention periods, after which data is securely purged or anonymized:
| Data Classification | Mandated Retention Period |
|---|---|
| Patient Health & Medical Records | 5 to 7 years (as per Indian Medical Council/legal guidelines) |
| Financial & Transaction Records | 8 years (as per Companies Act & Income Tax guidelines) |
| System Logs, Activity Track Logs, Audit Logs | 12 months |
Upon expiry of these periods, or upon valid erasure request where lawful, all database records shall be securely deleted or permanently anonymized so that the data can never be re-identified.
Children’s and Minor’s Policy
Minors under the age of eighteen (18) years are prohibited from registering or booking services independently without the active involvement, supervision, and consent of a parent or legal guardian. In compliance with the DPDPA 2023, the Company enforces the following:
- Verifiable parental consent is mandatory to process children's data.
- We do not execute tracking, behavioral profiling, or targeted advertising directed at minor Users.
- Parents/guardians hold full rights to inspect, update, or request deletion of minor records by writing to privacy@dratdoorstep.com, which will be executed within 7 to 15 working days.
Grievance Officer & Data Protection Officer
For any queries, data rights requests, or complaints regarding data processing, Users can contact our Data Protection Grievance Officer in accordance with DPDPA 2023 guidelines:
- Grievance Officer: Compliance & Data Protection Officer (Grievance Cell)
- Registered Address: 11/A, Dipawali Society, Karelibaug, Vadodara, Gujarat, India – 390018.
- Helpdesk Contact: +91 8000126666
- Exclusive Email: privacy@dratdoorstep.com
Acknowledge & Resolution Timeline: The Grievance Officer shall acknowledge all data processing complaints within forty-eight (48) hours of receipt, and shall actively resolve and close complaints within fifteen (15) business days.
Governing Law, Severability & Acceptance
Governing Law: This Privacy Policy is construed and governed under the federal laws of India. Any litigation, dispute, or discrepancy arising from this policy shall be subject to the exclusive jurisdiction of the courts at Vadodara, Gujarat, India.
Severability: If any provision or part-provision of this Privacy Policy is determined to be invalid, illegal, or unenforceable by any competent court, such provision shall be deemed severed, and the remaining terms of this policy shall continue to have full force and effect.
Acceptance: Accessing DrAtDoorstep platforms, registering accounts, or booking services constitutes your active and unconditional agreement to the terms of this Privacy Policy.