Privacy Policy
1. Who We Are & What This Policy Covers
CuroClan Private Limited ('we', 'YORO Health') operates the YORO Health platform — including the website yorohealth.com, our WhatsApp Business channel, and the care coordination service. This Privacy Policy explains what personal and sensitive data we collect, why we collect it, how it is used, and your rights as a Data Principal under the Digital Personal Data Protection Act, 2023 (DPDP Act).
2. Data We Collect
Identity & Contact Data
• Full name of customer and senior resident
• Mobile phone number (used as primary identifier)
• Email address (optional)
• Residential address including building name, tower, flat number, and geolocation coordinates
Health & Medical Data (Sensitive Personal Data)
• Vital signs recorded during visits: blood pressure, SpO₂ (oxygen saturation), blood glucose, heart rate, respiratory rate
• Wound photographs taken during post-surgical dressing visits — shared with the family contact only
• Medication name and schedules (for reminder tracking)
• Mobility and gait observations (for fall risk logging)
• Any health conditions or diagnoses voluntarily disclosed by the customer or family for care coordination purposes
• 14-marker health log entries as described in our service documentation
Note: Health data constitutes 'sensitive personal data' under Indian law. We collect it only with your explicit consent, solely to provide and document care services. It is never sold or shared with advertisers.
WhatsApp Metadata
• Phone number linked to WhatsApp account used to contact us
• Time and date stamps of messages exchanged with the YORO Health WhatsApp Business number
• Message content you send us, including booking requests, SOS messages, and feedback
• Delivery and read receipts (as provided by WhatsApp Business API)
• Caregiver dispatch confirmations and post-visit summary messages sent to you
Note: WhatsApp message content is processed through the WhatsApp Business API (Meta Platforms, Inc.). Messages in transit are end-to-end encrypted per WhatsApp's protocol. We store a copy of booking-related messages for service quality, dispute resolution, and compliance purposes. We do not access or store general personal WhatsApp conversations.
NRI Video Summaries
• If you have subscribed to the NRI Care Plan, monthly video summaries of your parent's health status may be recorded by the caregiver
• These videos are stored temporarily (maximum 30 days) on our secure servers before delivery to the designated family WhatsApp group
• Videos are deleted from our servers within 7 days of confirmed delivery
• No video is shared with any third party without your explicit written consent
Location Data
• Geolocation coordinates of your registered address (latitude/longitude) used for geofence validation and caregiver routing
• Caregiver live location during active visits (shared with the customer via tracking link — not stored beyond the visit duration)
Device & Usage Data
• Browser type, device type, and IP address when accessing yorohealth.com
• Pages visited and session duration (via privacy-respecting analytics — no cross-site tracking)
3. Legal Basis for Processing (DPDP Act 2023)
• Consent: Health data, wound photographs, NRI video summaries, WhatsApp communications. Consent is obtained at the point of booking and can be withdrawn at any time by contacting privacy@yorohealth.com.
• Contractual Necessity: Identity, contact, and address data required to fulfil a booked care visit.
• Legitimate Interest: Service quality monitoring, fraud prevention, and internal analytics to improve caregiver-matching accuracy.
• Legal Obligation: Tax and financial records as required by Indian law; compliance with court orders or lawful government requests.
4. How We Use Your Data
• Matching and dispatching a caregiver to your registered address
• Delivering post-visit health summaries to your WhatsApp contact
• Sending appointment confirmations, reminders, and caregiver ETA updates
• Generating monthly health reports for NRI plan subscribers
• Processing payments and issuing invoices
• Investigating complaints and resolving disputes
• Improving caregiver training based on anonymised health outcome patterns
• Complying with legal and regulatory obligations
5. Data Sharing
We do not sell personal data. We may share data with:
• Assigned Caregiver: Customer name, address, and relevant health context necessary to perform the visit. No financial data is shared.
• WhatsApp Business API (Meta Platforms, Inc.): Message content and phone numbers for delivery of booking communications. Subject to Meta's data processing terms.
• Payment Gateway: Transaction amount and order reference. We do not store card numbers or UPI credentials.
• Cloud Infrastructure (Neon, Vercel): Encrypted database records are hosted on Neon Serverless PostgreSQL. Application is hosted on Vercel. Both are bound by data processing agreements.
• Legal Authorities: Personal data disclosed only when required by a lawful court order or government directive.
6. Data Retention
• Health visit records (vitals, logs): 5 years from date of visit
• Wound photographs: 90 days after the visit, then permanently deleted
• NRI video summaries: 7 days post-delivery, then permanently deleted
• WhatsApp message logs (booking-related): 2 years
• Payment records: 7 years (statutory tax compliance)
• Account and identity data: Duration of active account + 2 years after last service
7. Your Rights (DPDP Act 2023)
• Right to Access: Request a summary of all personal data we hold about you.
• Right to Correction: Request correction of inaccurate or incomplete personal data.
• Right to Erasure: Request deletion of your data, subject to statutory retention obligations.
• Right to Withdraw Consent: Withdraw consent for processing of sensitive data at any time. Withdrawal does not affect the lawfulness of prior processing.
• Right to Grievance Redressal: Raise a complaint with our Grievance Officer (care@yorohealth.com) within 72 hours of your query.
• Right to Nominate: Nominate a person to exercise your data rights in the event of incapacity or death, as provided under the DPDP Act.
To exercise any right, email care@yorohealth.com with your registered phone number and the nature of your request. We will respond within 72 hours.
8. Data of Seniors & Vulnerable Adults
YORO Health services are coordinated on behalf of senior adults. We treat all health data pertaining to the senior resident as sensitive personal data requiring explicit consent from the customer (typically an adult family member acting as the designated contact). We do not knowingly collect personal data from individuals under 18 years of age.
9. Cookies & Tracking
yorohealth.com uses minimal, privacy-respecting analytics. We do not use third-party advertising cookies. Essential cookies are used for session management only. You may disable cookies in your browser, though this may affect site functionality.
10. Security
We implement industry-standard security measures including TLS encryption in transit, encrypted database storage, access controls limiting health data to authorised personnel only, and regular security reviews. In the event of a data breach affecting your personal data, we will notify you within 72 hours of becoming aware, as required by applicable law.
11. Changes to This Policy
We may update this Privacy Policy periodically. Changes will be posted on yorohealth.com with an updated effective date. For material changes affecting the processing of sensitive personal data, we will notify you via WhatsApp or email before the change takes effect.