Privacy Policy

Last Updated: October 30, 2025

1. Introduction & Scope

Welcome to EasyKare (“Company”, “we”, “our”, or “us”).

We are committed to protecting the privacy, confidentiality, and security of your Personal Data. This Privacy Policy outlines how EasyKare collects, uses, discloses, and safeguards your information when you use our digital and mobile platforms (collectively, the “Platform”).

"Personal Data" means any data that can identify an individual. This includes "Sensitive Personal Data" (under Indian law) or "Special Category Data" (under GDPR), collectively referred to as "Health Data," such as medical history, symptoms, and prescriptions.

This policy is designed to comply primarily with The Digital Personal Data Protection Act, 2023 (DPDP Act) of India. To ensure the highest standard of data protection for our users, we also incorporate the principles and standards of the EU General Data Protection Regulation (GDPR).

Where any conflict arises between these laws, we adhere to the more stringent standard that provides greater protection to your data.

This Privacy Policy serves as a binding notice. Your consent for the collection and processing of your Personal Data, particularly Health Data, will be obtained through a clear, affirmative act (such as checking a box) before or at the time of collection, as required by law.

2. Data Fiduciary & Data Controller (Contact)

The entity responsible for your Personal Data is:
EasyKare, Mumbai, Maharashtra, India
Email: care@easykare.in
Website: https://easykare.in

For the purposes of the DPDP Act, we are the Data Fiduciary.
For the purposes of the GDPR, we are the Data Controller.

3. Lawful Basis for Processing

We process your Personal Data only when we have a lawful basis to do so.

  • Consent: Where you have given us clear, specific, and unambiguous consent for a defined purpose (the primary basis for processing Health Data).
  • Performance of a Contract: To fulfill our services to you, such as booking appointments or managing your patient file.
  • Legitimate Interest: To enhance platform functionality, ensure security, and prevent fraud, provided it does not override your fundamental rights.
  • Legal Obligation: To comply with mandatory legal or regulatory requirements, such as maintaining medical records as required by law.

3.1 Lawful Basis for Sensitive Personal Data (Health Data)

Processing of sensitive Health Data requires a higher standard of protection. We process this data under the following conditions:

  • Explicit Consent: As required by the DPDP Act and GDPR, your explicit, specific consent will be obtained before or at the time of collecting any Health Data.
  • GDPR Article 9(2)(h): Processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, and the provision of health or social care or treatment.

4. Data Collected and Purpose of Use

We collect only the minimum data necessary for the specified purpose.

4.1 Doctor Data

Data Type | Purpose of Processing | Sharing / Disclosure
Full name, date of birth, gender, speciality, mobile number, email ID, doctor license number, doctor photograph | To create, verify, and manage doctor accounts, validate professional credentials, and facilitate patient communication. | Only the doctor's name and speciality are visible to patients.
Email ID | To send account-related information, billing details, and platform notifications via Brevo. | Shared with Brevo as a compliant Data Processor for secure email delivery.
Mobile number | For authentication, verification, and sending account-related information. | The mobile number is shared with Message Central (our Data Processor) solely for this authentication purpose.

4.2 User Data (Authentication)

Data Type | Purpose of Processing | Sharing / Disclosure
Mobile number | For authentication, verification, and sending secure appointment links and scheduling notifications via WhatsApp or SMS. | Shared with approved communication partners (Meta, Sendwo, Fast2SMS) using official, approved message templates.
One-Time Password (OTP) | We use Message Central to send OTPs for secure mobile verification. | The mobile number is shared with Message Central (our Data Processor) solely for this authentication purpose.

4.3 Patient Data (Healthcare Services)

(A “patient” may also be a user)

Data Type | Purpose of Processing | Additional Safeguards
Mobile number | Authentication, patient ID linkage, and family pool validation. | Encrypted and pseudonymized where applicable.
Full name, date of birth, gender | To maintain accurate medical and appointment records for service delivery. | Used strictly for healthcare service delivery.
Photo + Face Template | For identity verification during clinic visits to prevent fraud. | Face template generated on the client side; verification on the server. Raw images are never shared externally.
Relationship with user | To maintain and manage a family medical pool under one account. | Stored securely and accessible only to the primary user and validated users.
Symptom voice recordings | Recorded in local language; anonymized on the client side by altering tone and pitch. | No identifiable raw audio is transmitted to AI systems. No audio is stored within the EasyKare system.
AI-generated symptom assessment and structured report | To support medical evaluation and diagnosis by your chosen doctor. | Shared only with the selected treating doctor.
Digital prescriptions, diagnosis, medical history, visit history | To facilitate healthcare continuity, maintain medical records, and provide access to your health information. | Access is strictly restricted to the patient and their authorized doctor.
WhatsApp Data | Used for user authentication and scheduling via Meta WhatsApp Cloud API. | No medical, diagnostic, or sensitive personal data is ever shared over WhatsApp. Communications are limited to scheduling and links.

5. Data Processors, Storage & International Transfers

We use a limited number of third-party service providers ("Data Processors") to operate our Platform. We have verified that all processors provide a level of data protection compliant with both the DPDP Act and GDPR.

  • Primary Infrastructure: Google Cloud Platform (GCP) and Firebase (Firestore & Storage) are used for secure data storage, serverless processing (Cloud Functions), and application APIs.
  • Email Automation: Brevo is used to send transactional and service emails to doctors.
  • SMS/OTP: Message Central is used for sending secure OTPs for user verification.
  • WhatsApp Communication: Meta (WhatsApp Cloud API), Sendwo, and Fast2SMS are used to manage and deliver secure, template-based messages for scheduling and authentication.

We do not sell, rent, or trade your Personal Data. Data is only shared with these processors to the extent necessary to perform their specific function.

5.1 International Data Transfers

Your Personal Data may be processed and stored on servers located outside of your country of residence (e.g., in Google Cloud or Brevo data centers). We ensure such transfers are lawful and secure:

  • For Indian Residents (DPDP Act): We adhere to the data transfer rules and any list of approved countries as notified by the Central Government of India.
  • For Non-Indian Residents (GDPR): We rely on Adequacy Decisions or Standard Contractual Clauses (SCCs) as approved by the European Commission (GDPR Article 46).

6. Data Security

We implement robust technical, administrative, and organizational security measures to protect your data, including:

  • Encryption: All Personal Data and Health Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Access Control: Strict role-based access controls and audit logging are implemented to ensure only authorized personnel can access data.
  • Anonymization: Techniques like pseudonymization and anonymization (e.g., for voice recordings) are used to protect identity.
  • Audits: We conduct periodic security audits and vulnerability assessments.
  • Breach Notification: In the event of a data breach, we will notify affected users and the competent authorities (as required by the DPDP Act and GDPR Article 33) without undue delay.

7. Data Retention

We retain your Personal Data only for as long as is necessary to fulfill the purposes outlined in this policy, or as required by our legal and medical record-keeping obligations. When data is no longer needed, it is securely and irreversibly deleted or anonymized.

8. Your Rights as a Data Principal / Data Subject

Under the Indian DPDP Act and GDPR, you have specific rights regarding your Personal Data:

  • Right to Access: To obtain a copy and summary of your personal data.
  • Right to Rectification: To correct inaccurate or incomplete information.
  • Right to Erasure (“Right to be Forgotten”): To request the deletion of your data, subject to our legal retention obligations.
  • Right to Restrict Processing: To limit how we use your data in certain cases.
  • Right to Data Portability: To obtain your data in a structured, machine-readable format.
  • Right to Withdraw Consent: To revoke your consent at any time.
  • Right to Nominate (DPDP Act): The right to nominate another person to exercise your rights in case of death or incapacity.
  • Right to Lodge a Complaint: You have the right to file a complaint with the relevant supervisory authority (e.g., the Data Protection Board of India or your relevant EU data protection authority).

To exercise any of these rights, please contact us at care@easykare.in. We will respond to your request within the legally mandated timeframe.

9. Children’s Data (Data of Minors)

Our Platform is not intended for use by individuals under the age of 18 without verifiable parental or guardian consent. We do not knowingly collect Personal Data from minors without such consent. If you are a parent or guardian and believe your child has provided us with data, please contact us immediately to have the data removed.

10. Cookies and Tracking

EasyKare uses only technically necessary ("essential") cookies for session management, security, and core platform functionality.

We do not use non-essential, advertising, or analytical cookies without your explicit, affirmative consent.

11. Policy Updates

We may update this Privacy Policy periodically to reflect legal, regulatory, or operational changes. We will publish all updates on this page (https://easykare.in/privacy-policy) and update the "Last Updated" date.

12. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of India. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts of Mumbai, Maharashtra, India. This does not prejudice your rights under the GDPR if you are an EU or Non-Indian resident.

13. Contact Us

For any privacy-related questions, requests, or to file a grievance, please contact us at care@easykare.in.