Curiezon.com is committed to protecting user privacy and complying with India’s Digital Personal Data Protection (DPDP) Act, 2023.
This policy outlines our practices for handling personal data, ensuring lawful processing, and safeguarding individual rights.
Applicability
This policy applies to all digital personal data processed by Curiezon.com in the course of providing services, including but not limited to personal identifiers, health data, transactional data, and usage analytics.
Definitions
- Digital Personal Data: Any data about an individual processed by electronic means.
- Data Principal: An individual to whom the personal data pertains.
- Data Fiduciary: Curiezon.com, which determines the purpose and means of processing personal data.
- Data Processor: Third-party service providers processing data on our behalf.
- Sensitive Personal Data: Includes health records, biometric data, and any data specified under DPDP rules.
Lawful Basis for Processing
- Consent: Obtained explicitly for processing health and sensitive data.
- Performance of Contract: To fulfill bookings, tele-consultations, lab services, and payments.
- Compliance with Legal Obligations: To meet regulatory requirements under DPDP, healthcare and financial laws.
- Legitimate Interests: Fraud detection, service improvement, and security measures.
Consent Management
- Explicit Consent: Users provide clear consent during sign-up or prior to specific data uses.
- Granular Controls: Options to opt-in/opt-out of marketing, analytics, location, and third-party sharing.
- Withdrawal: Users can withdraw consent at any time via account settings or by contacting dpo@curiezon.com.
- Consent Ledger: Immutable records of consent timestamps, scope, and method of collection.
Data Subject Rights
- Right to Access: Request a copy of personal data processed by Curiezon.
- Right to Rectification: Correct inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of personal data, subject to legal retention requirements.
- Right to Restrict Processing: Temporarily halt processing while disputes are resolved.
- Right to Data Portability: Receive personal data in a structured, machine-readable format.
- Right to Object: Challenge processing based on legitimate interests or direct marketing.
Data Security & Governance
- Encryption In Transit & At Rest: TLS 1.2+; AES-256 for databases and backups.
- Access Controls: Role-based access, MFA for administrative accounts.
- Audit Logs & Monitoring: Comprehensive logging of access, changes, and data exports.
- Vendor Management: Due diligence, DPDP-compliant contracts, and periodic audits of processors.
- Incident Response: Data breach playbook with 72-hour notification to authorities and affected users.
Data Retention & Deletion
- Retention Schedule: Personal and health data retained for the duration of service plus 7 years for compliance.
- Deletion Requests: Processed within 30 days, unless legal obligations require continued retention.
- Anonymization: Data anonymized for analytics and research once no longer needed for active service.
Cross-Border Data Transfers
- Mechanisms: Standard Contractual Clauses and DPDP-prescribed safeguards for international transfers.
- Approved Jurisdictions: Transfers only to countries providing adequate data protection guarantees.
Governance & Oversight
- Data Protection Officer (DPO): Appointed to oversee DPDP compliance and handle data subject requests (dpo@curiezon.com).
- Privacy Committee: Cross-functional team reviewing policies, audits, and training programs quarterly.
- Training & Awareness: Mandatory DPDP training for all employees; annual refresher courses.
Policy Review & Updates
- Review Cycle: Annual policy review or sooner upon regulatory changes.
- Communication: Users notified via email and website banner of significant updates.
- Version Control: Archived policy versions accessible on the website.
