Privacy Policy

    2. Privacy Policy

    2.1 Introduction

    This Privacy Policy describes how CareConnect India Pvt Ltd (CIN: available on request) collects, uses, discloses, and safeguards Personal Data when you use our Platform.

    2.2 Scope & Definitions

    "Personal Data" has the meaning assigned under §2(j) DPDP Act 2023.

    "Sensitive Personal Data" ("SPD") includes health information, biometrics, and financial data per Rule 3, SPDI Rules 2011.

    "Processing", "Data Principal", and "Data Fiduciary" bear the meanings in the DPDP Act.

    2.3 Data We Collect

    | Category | Examples | Purpose | Retention |
    |---|---|---|---|
    | Identity | Name, Aadhaar/PAN, passport, profile photo | Registration, KYC | 7 yrs post‑last transaction |
    | Contact | Address, email, phone, emergency contacts | Communication, SOS | 7 yrs |
    | Professional | Certifications, licences, background‑check reports | Credentialing Caregivers | While active + 7 yrs |
    | Financial | Bank a/c, UPI ID, payment tokens | Escrow payouts | 7 yrs |
    | Health (SPD) | Diagnoses, medication schedule, care plans | Tailoring Care Services | 5 yrs after last service |
    | Usage | Device IDs, IP, cookies, analytics | Security, product improvement | 3 yrs; cookies per type |
    | Communications | Chat transcripts, call recordings | Quality assurance, dispute resolution | 2 yrs |
    | Location | GPS during active visits | Safety, attendance verification | 1 yr rolling |

    2.4 Legal Bases for Processing

    • Consent – optional add‑ons, marketing, telehealth.
    • Contract Performance – matching, booking, payments.
    • Legitimate Interests – fraud prevention, analytics, service improvement.
    • Legal Obligation – tax, regulatory reporting, police verification.

    2.5 How We Use Personal Data

    • Verify identity and professional credentials of Caregivers.
    • Enable discovery, booking, payment, and review functionality.
    • Provide emergency support via SOS relay to local law enforcement.
    • Conduct research, analytics, and machine‑learning‑based matching.
    • Send transactional notifications and, with consent, marketing communications.
    • Enforce Platform rules and investigate complaints.

    2.6 Disclosures & Third‑Party Service Providers

    We share necessary data with: Razorpay, Stripe India (payments); Twilio (OTP/SMS); Hyperverge (KYC & background checks); Google Analytics; Freshchat (support); Mailchimp (email); AWS Mumbai (hosting); accredited labs for home diagnostics; certified equipment rental vendors; and EU‑based support contractors under EU Standard Contractual Clauses.

    2.7 International Transfers

    Personal Data may be processed outside India (e.g., EU customer‑support centre). Such transfers rely on (a) Contractual Clauses incorporating DPDP‑compliant safeguards; (b) audits; and (c) encryption in transit (TLS 1.3).

    2.8 Security Measures

    • ISO/IEC 27001‑aligned ISMS.
    • Encryption: TLS 1.3 in transit, AES‑256 at rest.
    • Role‑based access; MFA for privileged accounts.
    • Daily encrypted backups retained 90 days.
    • Annual penetration tests and quarterly vulnerability scans (§8 SPDI Rules).
    • Incident‑response plan with 72‑hour breach notification to CERT‑In.

    2.9 Data Retention & Deletion

    We retain Personal Data no longer than necessary for the purposes stated above or to comply with legal obligations. On expiry of retention periods, data are irreversibly anonymised or securely erased using NIST SP 800‑88 standards.

    2.10 User Rights

    Subject to verification, Data Principals may access, correct, erase, restrict, port, or withdraw consent via in‑app settings or by emailing privacy@care-connect.online. Requests will be fulfilled within 15 days unless an extension (max 15 days) is notified.

    2.11 Children’s Privacy

    The Platform is not directed at minors (<18). If we learn we have collected data from a minor, we delete it within 72 hours.

    2.12 Cookies & Trackers

    We use first‑party session cookies, JWT‑based auth tokens, and third‑party analytics cookies. Users can manage preferences via the Cookie Settings panel or browser settings. Essential cookies cannot be disabled.

    2.13 Grievance & Data Protection Officers

    Grievance Officer: Mr Hanuman Prasad — hello@care-connect.online (address as §1.15)

    Data Protection Officer: Mr Hanuman Prasad — hello@care-connect.online (same postal)

    2.14 Changes

    Material changes will be notified at least 15 days in advance through email and in‑app banners. Version history will be archived at care-connect.online/privacy.