Overview
Applied Quantum Labs Pvt. Ltd. ("ProCare", "we", "us", "our") operates the ProCare clinical decision support platform. We take the privacy of doctors, patients, and all persons whose data we process with the utmost seriousness.
This Privacy Policy, read together with our Terms of Use, explains how we collect, use, process, store, share, and protect personal data in connection with our services. It also serves as our notice under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and compliance with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules").
Our core commitment
Patient data is processed on-device wherever possible. We do not sell, monetise, or share personal or clinical data with third parties for commercial purposes. Ever.
Who We Are
Data Fiduciary (Controller):
Applied Quantum Labs Pvt. Ltd.
Registered Office: Delhi NCR, India
CIN: [Registration Pending]
Email: privacy@procare.fit
Under the DPDP Act 2023, ProCare is the Data Fiduciary โ the entity that determines the purpose and means of processing personal data. You (the doctor) or your patient are the Data Principal.
Data We Collect
A. Doctor / Practitioner Data
- Name, MCI/NMC registration number, specialisation, and clinic details
- Mobile number and email address (for account and communication)
- Consultation metadata (number of consultations, conditions seen, time-of-use patterns)
- Digital signature or initials used for prescription sign-off
- Device information (model, OS version, app version) for compatibility and offline support
B. Patient Data
Patient data is always entered or captured by the doctor during the consultation. We do not independently collect patient data.
- First name or initials (as entered by doctor), age, sex
- Chief complaint, symptom history, examination findings (as captured by voice transcription)
- Differential diagnoses, investigations ordered, prescriptions issued
- WhatsApp number (used solely to deliver prescription and follow-up messages; patient must consent)
C. Sensitive Personal Data or Information (SPDI)
Under the SPDI Rules and DPDP Act, clinical and health data constitutes sensitive personal data. We treat all health-related data as SPDI and apply the highest level of protection to it.
- Medical history, diagnoses, prescriptions, and investigation results
- Allergy information and medication history
- Audio transcription data from consultations (processed and not stored in raw form)
D. Technical and Usage Data
- App usage logs (feature interactions, session duration) โ anonymised
- Crash reports and error logs โ no clinical content included
- Network connectivity status (for offline/online sync management)
How We Use Data
We process personal data only for specified, lawful purposes:
For Doctors
- To create and manage your account and credentials
- To verify your medical registration (NMC number validation)
- To provide clinical decision support during consultations
- To generate and transmit prescription documents
- To notify you of critical patient follow-up alerts
- To send product updates, compliance notices, and service communications
For Patients
- To deliver the signed prescription to the patient's WhatsApp
- To send medication reminders, symptom check-ins, and follow-up messages
- To flag critical symptoms to the treating doctor for review
- To translate prescription content into the patient's preferred language
For Service Improvement (Anonymised Only)
- To improve clinical protocol accuracy using anonymised, aggregated data
- To train and fine-tune our AI models using de-identified data only, where explicit consent has been obtained
- To generate anonymised research insights on disease patterns in Indian primary care
Purpose limitation
We will never use personal data for a purpose not specified above without obtaining fresh consent as required under the DPDP Act 2023.
Digital Personal Data Protection Act, 2023
ProCare is fully committed to compliance with India's Digital Personal Data Protection Act, 2023 ("DPDP Act") and the rules framed thereunder. The following provisions apply:
Legal Basis for Processing
- Consent: We obtain explicit, informed, clear consent from each Data Principal before processing their personal data. Consent is obtained through the ProCare app at the start of each consultation for new patients.
- Legitimate Use: Where applicable, we may process data for legitimate uses recognised under Section 7 of the DPDP Act (such as compliance with legal obligations or for the protection of the vital interests of a person).
Consent Management
- Consent is requested in clear, plain language in the preferred language of the Data Principal
- Each consent request states the specific purpose(s) of data processing
- Consent can be withdrawn at any time through the ProCare app or by contacting our Grievance Officer
- Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal
Data Principal Rights (Section 12โ14, DPDP Act)
See the full rights section below.
Significant Data Fiduciary
ProCare will monitor its scale of processing and, if notified by the Central Government as a Significant Data Fiduciary under Section 10 of the DPDP Act, will comply with all additional obligations including Data Protection Impact Assessments (DPIA) and appointment of an independent Data Auditor.
Data Sharing
We do not sell your data. We do not share personal or clinical data with third parties for advertising, marketing, or commercial profiling.
We may share data only in these specific circumstances:
Data Processors (Sub-processors)
ProCare uses certain trusted technology providers to deliver our services. All sub-processors are bound by data processing agreements that meet DPDP Act requirements:
- Sarvam Saaras โ Voice transcription (Indian language ASR). Audio is processed in-memory only; no raw audio is retained.
- Gemini / Google Cloud โ AI inference for clinical decision support. Patient identifiers are removed before any data reaches these systems.
- Meta (WhatsApp Business API) โ Delivery of prescription and follow-up messages to patients.
- Cloud Infrastructure Provider โ Encrypted data storage and compute, hosted in India.
Legal Disclosure
We may disclose data if required to do so by applicable Indian law, court order, or by a competent regulatory authority (such as the Ministry of Health and Family Welfare, CDSCO, or data protection authorities). We will notify affected Data Principals where legally permitted to do so.
Data Localisation
All personal data and sensitive personal data collected by ProCare is stored and processed within the territory of India, in compliance with the data localisation principles under the DPDP Act 2023 and applicable sectoral regulations.
Clinical data never leaves Indian data centres. AI inference for sensitive queries is performed using de-identified excerpts only.
Security
We implement reasonable security practices as required under Rule 8 of the SPDI Rules and the DPDP Act 2023, including:
- AES-256 encryption at rest and TLS 1.3 in transit for all data
- On-device processing for audio transcription โ raw audio is not transmitted to our servers
- Role-based access controls limiting internal data access on a need-to-know basis
- Regular penetration testing and vulnerability assessments
- Formal Incident Response Plan with mandatory notification to affected doctors within 72 hours of a confirmed breach, in line with emerging DPDP Act obligations
Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law:
- Consultation records and prescriptions: 7 years from date of consultation (in line with MCI/NMC record-keeping guidelines and Consumer Protection Act, 2019)
- Doctor account data: Duration of active account plus 3 years after account closure
- WhatsApp message logs: 90 days (sufficient for follow-up cycle completion)
- Anonymised analytics: Indefinitely (as they contain no personal data)
Upon expiry of the retention period, data is securely deleted or irreversibly anonymised.
Your Rights
Under the DPDP Act 2023 and the SPDI Rules, Data Principals have the following rights. You may exercise these rights by contacting our Grievance Officer.
Right to Information
Know what personal data we hold about you and how it is being used (Section 11, DPDP Act).
Right to Correction
Request correction of inaccurate or incomplete personal data (Section 12, DPDP Act).
Right to Erasure
Request deletion of your personal data, subject to legal retention obligations (Section 12, DPDP Act).
Right to Withdraw Consent
Withdraw consent for processing at any time, without affecting prior lawful processing (Section 6, DPDP Act).
Right to Grievance Redressal
Lodge a complaint with our Grievance Officer and receive a response within 30 days (Section 13, DPDP Act).
Right to Nominate
Nominate a person to exercise your rights in the event of your death or incapacity (Section 14, DPDP Act).
To exercise any right, write to: privacy@procare.fit with subject line "DPDP Rights Request โ [Your Name]". We will respond within 30 days. If unsatisfied, you may escalate to the Data Protection Board of India once constituted.
Cookies & Tracking
The ProCare mobile application does not use cookies. Our web properties (website and landing pages) use minimal, privacy-respecting analytics only.
- We do not use third-party advertising cookies or cross-site tracking
- Analytics are first-party and aggregate only โ no individual user tracking
- You may disable analytics by contacting us at privacy@procare.fit
Children's Data
ProCare is designed for use by registered medical practitioners and is not directed at children under the age of 18. We do not knowingly collect personal data from minors as account holders.
Where a consulting practitioner treats a minor patient, the patient's data is handled under the treating doctor's account and responsibility in accordance with applicable paediatric care guidelines.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the services we offer. When we make material changes, we will:
- Update the "Effective Date" at the top of this policy
- Notify registered doctors via in-app notification and/or email at least 15 days before changes take effect
- Obtain fresh consent where required by the DPDP Act
Continued use of ProCare after the effective date of a revised policy constitutes acceptance of the revised terms.
Grievance Officer
In compliance with Rule 5(9) of the SPDI Rules and Section 13 of the DPDP Act 2023, we have designated a Grievance Officer:
Grievance Officer โ Applied Quantum Labs Pvt. Ltd.
Email: privacy@procare.fit
Response time: Within 30 days of receipt
If your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India (once constituted under Section 18 of the DPDP Act 2023) or the appropriate Consumer Forum under the Consumer Protection Act, 2019.
Contact Us
For any privacy-related question, right request, or concern:
Email: privacy@procare.fit
Phone: +91 97171 38321
Registered Address: Applied Quantum Labs Pvt. Ltd., Delhi NCR, India
This policy is governed by and construed in accordance with the laws of India. Any dispute arising under this policy shall be subject to the exclusive jurisdiction of the competent courts at New Delhi.