Privacy Policy

This Privacy Policy explains how Pregacoach Technologies Private Limited (“Pregacoach”, “we”, “us”) collects, uses, discloses, stores and protects your personal data when you use the Pregacoach website, web application and any official mobile application (together, the “Platform”).

We are the Data Fiduciary for the personal data we process under the Digital Personal Data Protection Act, 2023 (“DPDP Act”), and the “body corporate” under the Information Technology Act, 2000 and the SPDI Rules, 2011. We process health information in line with the National Medical Commission’s Telemedicine Practice Guidelines, 2020.

Please read this policy together with our Terms of Service, Medical Disclaimer and, if you use financing, our Lending Partners disclosure.

We collect only the data needed for a feature you ask us to deliver:

• Identity & contact: name, date of birth, gender, phone number, email and postal address.
• Account data: login credentials (passwords are stored only as salted hashes), profile settings, and profiles you create for dependents such as a spouse or newborn.
• Health data (sensitive): medical history, symptoms, prescriptions, lab and scan reports, consult notes and, where you consent, audio/video recordings of tele-consultations.
• Financial data (sensitive): for EMI/financing flows only — identity documents (e.g. PAN), income proof and bank details you submit for an NBFC application.
• Payment metadata: transaction and order identifiers from our payment gateway. We do not store full card numbers, CVV or UPI PINs.
• Technical data: device, browser, IP address and session logs used for security and to keep you signed in.

We rely primarily on your consent under section 6 of the DPDP Act. Before we process your data we give you an itemised notice describing what we collect and why, in clear language.

Each non-routine disclosure — for example, forwarding a delivery enquiry to a hospital, or a loan application to an NBFC — requires a fresh, purpose-bound consent that names the recipient. You can review and withdraw any consent at any time from your privacy settings. Where the law allows, we may also process data for “certain legitimate uses” (such as complying with a legal obligation or responding to a medical emergency).

We use your data to:

• create and secure your account and verify identity at the start of a consult;
• schedule and deliver tele-consultations and in-person referrals;
• store prescriptions, reports and consult records and make them available to you and your treating clinician;
• process payments and, where you opt in, match you with RBI-regulated NBFC partners;
• send transactional reminders (appointments, payments, reports) over SMS, email or WhatsApp;
• provide support, prevent fraud and abuse, and meet legal and regulatory obligations.

We do not sell your personal data, and we do not use your health or financial data for advertising.

We share data only with the parties named in the consent you grant for a specific transaction, and with the processors who run the Platform on our behalf under contract:

• Your doctor — for the consult you book.
• Partner hospitals — only the details needed for a delivery or care enquiry you submit.
• RBI-regulated NBFC partners — only when you apply for financing, and only the documents that application requires.
• Sub-processors — cloud hosting (Amazon Web Services, Mumbai region), our payment gateway, and SMS/email/WhatsApp delivery providers. Each is bound by data-processing terms and may process data only on our instructions.
• Authorities — where disclosure is required by law, court order or to protect life and safety.

Personal data is processed and stored in India, on Amazon Web Services’ Mumbai region (ap-south-1). Health data and financial documents are encrypted at the column level using AES-256 keys held in a managed key service. Backups are encrypted and access-controlled.

If we ever need to transfer data outside India, we will do so only as permitted by the DPDP Act and applicable Government of India restrictions, with appropriate safeguards in place.

We keep prescriptions and consult records for seven years, as required by the NMC Telemedicine Practice Guidelines, 2020 and Indian medical record-retention norms. Financing records are retained for the period the NBFC and applicable RBI/KYC rules require.

Other personal data is retained while your account is active and for a reasonable period afterwards to meet legal, accounting and dispute-resolution needs, after which it is deleted or irreversibly anonymised.

Under the DPDP Act you have the right to:

• access a summary of the personal data we process about you;
• correct, complete or update inaccurate data;
• erase data that is no longer needed for its purpose — you can delete your account and data at any time; see Account & Data Deletion;
• withdraw consent you previously gave (withdrawal does not affect processing already carried out);
• nominate another individual to exercise your rights in the event of death or incapacity;
• grievance redressal through the contact below, and escalation to the Data Protection Board of India.

We respond to verified requests within 30 days. Some retentions are statutory (for example, prescription audit records) and cannot be reversed; we will tell you when that applies.

Tele-consults follow the NMC Telemedicine Practice Guidelines, 2020. The doctor verifies your identity at the start of the consult and obtains your explicit consent before any recording. The medicines that may be prescribed remotely are restricted by those Guidelines; your doctor will tell you when an in-person visit is required. Your consult records are visible to you and your treating clinician, and to no one else without a fresh consent.

For EMI/financing, Pregacoach acts as a Lending Service Provider under the RBI Digital Lending Guidelines, 2022. We never lend, underwrite, run credit decisions, disburse funds or collect EMIs. We pass the documents you submit only to the NBFC(s) you select, and the loan is governed entirely by the agreement between you and that NBFC. The Key Fact Statement (KFS) for any offer is generated by the NBFC. See our Lending Partners disclosure for the full list and how grievances are handled.

We use first-party cookies for session authentication and to remember your preferences. We do not use third-party advertising or cross-site tracking cookies. You can disable cookies in your browser, but parts of the Platform may then not work.

An account can hold profiles for minors (including newborns) managed by a parent or lawful guardian who is the account holder. Under section 9 of the DPDP Act, the account holder is responsible for providing verifiable consent on behalf of a child, and we do not knowingly use a child’s data for tracking, behavioural monitoring or targeted advertising.

We follow healthcare-grade practice: column-level encryption for protected health information, encryption in transit (TLS) and at rest, mandatory multi-factor authentication for staff, role-based access scoped per organisation, tamper-evident audit logging and periodic access reviews. No system is perfectly secure, but we work to reduce risk and to notify you and the Data Protection Board promptly of any breach that affects you, as the DPDP Act requires.

We may update this policy as the Platform or the law evolves. We will notify you in advance of material changes through the Platform or by email, and the “Last updated” date above will change. Continued use after the effective date means you accept the updated policy.