Plain language summary: Curaah collects your name, phone number, and appointment history to help you book hospital OPD appointments. We do not sell your data. We do not share it with anyone except the hospital you book with. You can delete your account anytime by emailing us.
Section 01
Who We Are
Curaah is a healthcare technology platform built and operated from Nangal, Punjab, India.
We provide a digital system for patients to book OPD appointments at hospitals and clinics,
and for hospitals to manage their OPD operations.
Curaah is a technology platform — we are not a hospital, not a clinic, and not a healthcare
provider. We connect patients with healthcare facilities. The actual medical care is provided
by the hospitals and doctors you book with through our platform.
For any privacy-related queries, contact us at:
curaahtech@gmail.com
Section 02
What Data We Collect
When you register as a patient, we collect:
- Full name
- Mobile phone number
- Email address
- Gender
- City or village of residence
- Your consent to our data processing (required)
When you book an appointment, we collect:
- Which hospital, OPD, and doctor you booked with
- Date and time slot of your appointment
- Any notes or symptoms you choose to share
- Insurance scheme used (if any)
- Appointment status (confirmed, checked in, completed)
When you check in via QR or staff, we collect:
- Check-in time and date
- Token number assigned
- OPD queue position data
When a doctor creates a referral for you, we collect:
- Referring and referred hospital details
- Clinical notes written by the referring doctor
- Urgency level of the referral
- Your verbal consent (confirmed by staff)
What we do NOT collect:
- Aadhaar number or any national ID (unless you voluntarily link ABHA)
- Bank account or payment details
- Precise GPS location
- Camera, microphone, or contacts access
- Browsing history or data from other apps
- Any data beyond what is necessary for OPD booking
Section 03
Why We Collect It
We collect data for the following specific purposes:
- To create and manage your account — your name and phone are needed to identify you at the hospital
- To book and manage appointments — appointment details are stored so you and the hospital both have a record
- To provide the token system — check-in data is used to assign your queue position
- To enable referrals — referral records help you carry your clinical notes between hospitals without paper
- To show your appointment history — so you can track your healthcare visits in one place
- To allow hospital staff to identify you — staff need your name and phone to check you in manually if you don't have a smartphone
We do not use your data for advertising, profiling, or any purpose beyond providing the
Curaah healthcare coordination service.
Section 04
Who We Share Your Data With
We do not sell your data to anyone. Ever.
We share your data only in these specific situations:
- With the hospital you book with — hospital staff can see your name, phone number, and appointment details so they can provide you with care. They cannot see appointments at other hospitals.
- With Supabase — our database and authentication provider. Supabase is SOC 2 Type 2 certified and stores data securely. We use their servers to store your data. View Supabase's privacy policy at supabase.com/privacy.
- With referred hospitals — if a doctor creates a referral for you, the referred hospital receives your name, phone, and the clinical notes written by the referring doctor. You are informed before any referral is created.
We do not share your data with insurance companies, pharmaceutical companies, government bodies, advertisers, or any other third party without your explicit consent.
Note on proxy bookings: If a hospital proxy agent books an appointment on your behalf, they can see your name and phone number during the booking process. All proxy bookings are logged and traceable.
Section 05
How We Protect Your Data
- Encrypted storage — all data is stored on Supabase servers with encryption at rest and in transit (HTTPS/TLS)
- Row Level Security (RLS) — database-level access controls ensure patients can only see their own data. Hospital staff can only see data from their own hospital. No cross-hospital data leakage is possible at the database level.
- Secure authentication — passwords are hashed by Supabase Auth. We never store plain-text passwords.
- No unnecessary data collection — we follow the principle of data minimization. We collect only what is needed.
- Separate account types — patients, hospital staff, and proxy agents have completely separate access controls. A staff login cannot access patient login areas and vice versa.
Section 06
Your Rights
Under the Digital Personal Data Protection Act 2023 (DPDP Act) and general data protection principles, you have the following rights:
- Right to access — you can view all your data in your Curaah dashboard at any time
- Right to correction — email us if any of your details are incorrect and we will update them
- Right to deletion — you can request complete deletion of your account and all associated data by emailing curaahtech@gmail.com. We will process deletion requests within 30 days.
- Right to withdraw consent — you can withdraw your consent to data processing at any time by deleting your account
- Right to data portability — you can request a copy of all your data in a readable format by emailing us
- Right to know about sharing — we will always inform you before sharing your data with any new party beyond hospitals you book with
To exercise any of these rights, email us at curaahtech@gmail.com with the subject line "Data Rights Request" and your registered phone number.
Section 07
How Long We Keep Your Data
- Account data — kept until you request account deletion
- Appointment records — kept for 3 years for medical record continuity, then deleted unless you request earlier deletion
- Token and check-in records — kept for 1 year for operational analytics, then deleted
- Referral records — kept for 5 years as they form part of your medical history
- Walk-in patient records — basic records kept for 1 year, then deleted
If you request account deletion, we will delete your personal data within 30 days.
Some anonymized and aggregated data (no names, no phone numbers) may be retained
for operational improvement purposes.
Section 08
Cookies
Curaah uses only essential cookies required for the platform to function. Specifically:
- Authentication cookies — set by Supabase Auth to keep you logged in between page visits. These expire when you log out or after 7 days of inactivity.
- Session cookies — temporary cookies that allow the platform to remember your current session.
We do not use advertising cookies, tracking cookies, analytics cookies, or any third-party cookies. We do not use Google Analytics, Facebook Pixel, or any similar tracking tools.
Section 09
Children's Privacy
Curaah does not knowingly create accounts for children under 18 years of age. If a child
needs a hospital appointment, a parent or guardian should register and book on their behalf,
or use the proxy booking system through an authorized proxy agent.
If you believe a child's data has been collected without appropriate consent, please contact
us at curaahtech@gmail.com and we will delete it promptly.
Section 10
DPDP Act 2023 Compliance
The Digital Personal Data Protection Act 2023 (DPDP Act) governs how we handle your personal data in India. Curaah is committed to compliance with this Act.
- Consent first — we collect your consent before processing any personal data. This consent is recorded at registration.
- Purpose limitation — we use your data only for the purposes stated in this policy
- Data minimization — we collect only what is necessary
- Health data classification — your appointment and health records are treated as sensitive personal data under the DPDP Act and handled with additional care
- Grievance redressal — if you have any grievance about how your data is handled, email curaahtech@gmail.com. We will respond within 7 days.
As the DPDP Act implementation rules are finalized by the Government of India, we will update our practices accordingly.
Section 11
Changes to This Policy
If we make significant changes to this privacy policy, we will update the date at the top of this page. For major changes that affect how we use your data, we will attempt to notify registered users via email.
Continuing to use Curaah after a policy update means you accept the updated policy. If you do not agree with changes, you may request account deletion at any time.