Curex24 Clinic

Curex24 Clinic

by Oronzo LLP

Legal Document

Privacy Policy

We take your privacy seriously. This policy explains how Oronzo LLP collects, uses, and protects personal data when you use Curex24 Clinic.

Effective Date

01 June 2026

Applicable Law

DPDP Act 2023 · IT Act 2000

Contact

hello@oronzo.io

🔒 Oronzo LLP complies with the Digital Personal Data Protection Act, 2023 (DPDP Act), SPDI Rules, and the IT Act 2000.

Your Privacy Matters. Oronzo LLP acts as a Data Fiduciary for Subscriber data and a Data Processor for Patient Data. We do not sell or rent personal data. Patient health data is classified as Sensitive Personal Data or Information (SPDI) under Indian law and receives the highest level of protection we can provide.

1. Who We Are

Oronzo LLP is a Limited Liability Partnership incorporated under the Limited Liability Partnership Act, 2008 in India. We operate the Curex24 Clinic platform — a SaaS clinic operations management system for Indian healthcare providers. Our registered address is Oronzo LLP, Hyderabad, Telangana, India — 500081.

We are committed to protecting the privacy of our Subscribers (clinic owners, doctors, staff), their patients, and all individuals whose personal data we process. This Privacy Policy describes our practices in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000 (IT Act), the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and all other applicable Indian data protection laws.

For all privacy matters, contact our Privacy / Data Protection Officer at: hello@oronzo.io.

2. Scope of this Policy

This Privacy Policy applies to:

  • Subscribers: clinic owners, doctors, nurses, receptionists, pharmacists, lab technicians, and other staff who register for and use the Platform.
  • Patients: individuals whose personal and health data is entered into the Platform by Subscribers (Subscribers are the Data Fiduciaries for their patients).
  • Website visitors: anyone who visits clinic.curex24.com or our marketing pages.
  • Business contacts: individuals whose contact details we collect in the course of business development, sales, or partnerships.

This Policy does not apply to third-party websites or services that may be linked from the Platform. We encourage you to review the privacy policies of any third-party services you use.

3. Data We Collect

We collect different categories of personal data depending on your relationship with us:

CategoryExamplesSourceClassification
Subscriber IdentityFull name, email address, mobile number, clinic name, professional designationSubscriber at registrationPersonal Data
Account CredentialsHashed password (bcrypt), session tokens, 2FA recovery codes (never plaintext)Subscriber at loginPersonal Data
Clinic ProfileClinic address, logo, GST number, registration number, specialisationSubscriber during onboardingBusiness Data
Staff / Authorised User DataName, email, role, login activity, audit logsSubscriber (admin) when adding staffPersonal Data
Patient IdentityName, age, sex, date of birth, contact number, address, Aadhaar (optional), ABHA IDSubscriber on behalf of patientsPersonal Data (SPDI if health-linked)
Patient Health Data (SPDI)Vitals, diagnoses, prescriptions, lab results, admission records, nursing notes, discharge summaries, medical historySubscriber / healthcare professionalsSensitive Personal Data (SPDI)
Payment DataRazorpay transaction IDs, invoice amounts, payment status (NO raw card numbers stored)Subscriber billingFinancial Data
Usage & Behavioural DataIP address, browser type, OS, pages visited, feature usage, click paths, session durationAutomatic (server logs)Personal Data
Device DataDevice type, screen resolution, time zoneAutomatic (browser)Technical Data
Error & Diagnostic DataError logs, stack traces (anonymised where possible) via SentryAutomaticTechnical Data
CommunicationsEmails, support tickets, chat messages sent to usUser-initiatedPersonal Data
Cookies & TrackersSession cookie (essential), preference cookie, analytics cookie (opt-in)BrowserTechnical Data
Health Data Note: Patient health information is classified as Sensitive Personal Data or Information (SPDI) under Rule 3 of the IT (SPDI) Rules 2011. It is protected by the most stringent security and access controls we apply.

4. Purposes & Legal Basis

We process personal data for the following purposes:

PurposeData UsedLegal Basis
Provide the Platform / Service deliveryAll data categoriesContract performance
Account registration & managementIdentity, credentials, clinic profileContract performance
Billing, invoicing & subscription managementIdentity, payment dataContract performance / Legal obligation
Issuing GST-compliant tax invoicesIdentity, GSTIN, payment dataLegal obligation (GST Act 2017)
Security, fraud prevention & access controlCredentials, usage data, device dataLegitimate interest
Technical support & troubleshootingError logs, usage data, communicationContract performance / Legitimate interest
Product improvement & analytics (anonymised)Aggregated, anonymised usage dataLegitimate interest
Sending product updates & critical service notificationsEmail, identityContract performance / Legitimate interest
Marketing & promotional communicationsEmailConsent (opt-in)
Compliance with law (tax records, court orders, regulatory requirements)All relevant dataLegal obligation
Dispute resolution & enforcement of TermsAll relevant dataLegitimate interest / Legal obligation
ABDM Health ID integrationPatient identity, ABHA IDConsent (patient via Subscriber)

5.1 Consent Mechanisms

We obtain consent in different ways depending on the context:

  • Account creation: By registering for {PRODUCT}, you consent to this Privacy Policy and our Terms & Conditions.
  • Marketing emails: Subscribers are enrolled in product update emails by default. A clear unsubscribe link is included in every marketing email.
  • Optional features: Features such as ABDM integration or third-party integrations require explicit opt-in.
  • Patient consent: Subscribers (as Data Fiduciaries) are responsible for obtaining patient consent before entering patient data into the Platform.

5.2 Withdrawal of Consent

Where we rely on consent as the legal basis, you may withdraw it at any time. To withdraw consent:

  • Marketing emails: Click the "Unsubscribe" link in any email, or email hello@oronzo.io.
  • Optional features: Disable them in your account settings or contact support.
  • Account data: Request account deletion as described in Section 11.

Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. Withdrawal may impact your ability to use certain features of the Platform.

6. Special Categories of Data — Health & Medical Information

Patient health data (medical records, prescriptions, diagnoses, vitals, lab results, admission records) is classified as Sensitive Personal Data or Information (SPDI) under Rule 3 of the IT (SPDI) Rules, 2011. We treat SPDI with the highest level of care:

  • SPDI is encrypted at rest and in transit.
  • Access to SPDI is restricted to Authorised Users with the Subscriber’s clinic, based on role-based access control.
  • SPDI is never processed for advertising, profiling, or any purpose other than providing the Service.
  • {ORG} staff do not access patient health data without explicit authorisation from the Subscriber, except for the purpose of providing technical support.
  • Patient health data is retained in accordance with applicable Indian medical records guidelines (minimum 3 years for outpatient records, 5 years for inpatient records, or as required by law).

As the Data Fiduciary for their patients, Subscribers are responsible for obtaining valid patient consent before entering SPDI into the Platform, and for informing patients about how their health data will be used.

7. Children's Privacy

The Platform is not directed to children under 18 years of age. Oronzo LLP does not knowingly collect personal data directly from minors. Patient records for minor patients must be created and managed by their parent, legal guardian, or authorised healthcare provider, acting through the Subscriber's account.

If we become aware that we have inadvertently collected personal data from a minor without appropriate consent, we will take steps to delete such data promptly. If you believe we have collected data from a minor without proper authorisation, please contact us at hello@oronzo.io.

8. Sharing & Disclosure

We do not sell, rent, or trade personal data. We share personal data only in the following limited circumstances:

8.1 Sub-Processors

We share data with sub-processors who help us operate the Platform (see Section 9). All sub-processors are bound by data processing agreements and are required to implement appropriate security measures.

8.2 Legal Requirements

We may disclose personal data to law enforcement, regulatory authorities, courts, or government bodies when required to do so by applicable law, court order, or regulatory requirement. Where legally permissible, we will notify you of such requests.

8.3 Corporate Transactions

If Oronzo LLP is involved in a merger, acquisition, asset sale, or restructuring, your data may be transferred to the successor entity. We will notify Subscribers at least 30 days in advance of any such transfer and provide an opportunity to export or delete their data.

8.4 Protection of Rights

We may disclose personal data when we reasonably believe it is necessary to: (a) protect the rights, property, or safety of Oronzo LLP, our users, patients, or the public; (b) detect or prevent fraud, security incidents, or illegal activity; or (c) enforce our Terms & Conditions.

8.5 Consent

We may share personal data with other third parties if you have given us explicit consent to do so.

9. Sub-Processors & Third Parties

We use the following sub-processors to operate the Platform. All sub-processors are engaged under contractual obligations that require them to protect personal data in accordance with applicable law:

Sub-processorPurposeData ProcessedLocation
Supabase (PostgreSQL)Primary database hosting and storageAll Platform dataAWS ap-south-1 (Mumbai, India)
Cloudflare R2File storage: PDFs, prescriptions, lab reportsDocuments, filesGlobal CDN
Upstash RedisMessage queue, session cache (BullMQ)Transient job dataap-southeast-1 (Singapore)
RazorpayPayment processing and subscription billingPayment transaction dataIndia
Meta / WhatsApp Business APIWhatsApp appointment reminders and notificationsPatient name, phone, appointment detailsIndia / Global
Twilio (SMS)OTP delivery and SMS notificationsPhone number, OTPIndia / US
VercelNext.js web frontend hosting and CDNBrowser session dataGlobal Edge Network
RailwayNestJS API server hostingAPI request/response dataAsia-Pacific
SentryError monitoring and performance tracking (anonymised)Anonymised error tracesUS / EU
Google Maps APIClinic location display on mapsClinic addressGlobal

We regularly review our sub-processors and will update this list when sub-processors change. Material changes to sub-processors will be notified to Subscribers in advance.

10. International Data Transfers

Some of our sub-processors operate outside India (e.g., Sentry in the US/EU, Vercel's global edge network). Where personal data is transferred outside India, we ensure appropriate safeguards are in place, including:

  • Data processing agreements (DPAs) with all sub-processors that include standard contractual clauses or equivalent protections.
  • Ensuring sub-processors are certified under recognised frameworks (e.g., ISO 27001, SOC 2).
  • Using sub-processors that commit to comply with the DPDP Act 2023 and applicable Indian data protection requirements.

Our primary database (Supabase PostgreSQL) is hosted in AWS ap-south-1 (Mumbai, India), ensuring that the majority of patient and clinic data stays within India.

11. Data Retention & Deletion

11.1 Retention Periods

Data CategoryRetention PeriodBasis
Subscriber account dataDuration of subscription + 30 days post-terminationContract performance; legal obligation
Outpatient (OPD) clinical recordsMinimum 3 years from date of last visit (or as per state regulations)Indian medical records guidelines
Inpatient (IPD) clinical recordsMinimum 5 years from date of dischargeIndian medical records guidelines
Billing and invoice records7 years from invoice dateGST Act 2017 / Income Tax Act 1961
Audit logs and access logs2 years from date of creationIT Act 2000; security purposes
Marketing email preferencesUntil you unsubscribe or delete your accountConsent
Anonymised aggregate analytics dataIndefinitelyLegitimate interest (no personal data)
Backup copiesDeleted within 30 days after primary data deletionOperational

11.2 Erasure Requests

You may request erasure of your personal data at any time by contacting hello@oronzo.io. We will process erasure requests within 30 days, subject to:

  • Legal obligations to retain data (e.g., GST records, medical records as required by law).
  • Ongoing contractual obligations.
  • The need to retain data for the purpose of resolving disputes or enforcing agreements.

11.3 Account Deletion

Upon account termination, your data is retained in read-only mode for 30 days to allow data export, then archived for a further 60 days, then permanently deleted (total 90 days from termination). See our Terms & Conditions, Section 21 for full details.

12. Security Measures

We implement technical and organisational measures to protect personal data in accordance with the IT (SPDI) Rules 2011, the DPDP Act 2023, and industry best practices:

12.1 Technical Measures

  • Data encryption at rest: AES-256 encryption for all data at rest in Supabase / AWS.
  • Data encryption in transit: TLS 1.2+ for all API communications and web traffic.
  • Passwords: bcrypt hashing with salt — passwords are never stored in plaintext.
  • Authentication tokens: JSON Web Tokens (JWT) with short expiry + refresh token rotation.
  • Login protection: Account lockout after repeated failed login attempts.
  • Role-based access control (RBAC): Users only access data relevant to their role.
  • Audit logging: All data access and modification events are logged with timestamps.
  • Automated vulnerability scanning: Dependencies are scanned for known vulnerabilities.

12.2 Organisational Measures

  • Principle of least privilege: Staff access to production data is strictly limited and audited.
  • Security training: All {ORG} team members receive data protection and security awareness training.
  • Vendor due diligence: Sub-processors are evaluated for security posture before engagement.
  • Secure development lifecycle (SDL): Security is incorporated at every stage of development, following OWASP guidelines.
  • Incident response plan: A documented incident response procedure is maintained and tested.
While we implement industry-standard security measures, no system is completely secure. You are responsible for securing your login credentials and devices used to access the Platform.

13. Data Breach Notification

In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, Oronzo LLP will:

  1. Contain and assess the breach as quickly as possible.
  2. Notify affected Subscribers within <strong>72 hours</strong> of becoming aware of the breach, as required under the DPDP Act 2023 and IT Act 2000.
  3. Provide the following information in the breach notification: (a) the nature of the breach; (b) the categories and approximate number of affected individuals and records; (c) likely consequences of the breach; (d) measures taken or proposed to address the breach.
  4. Notify the relevant government authority (as required under DPDP Act 2023 rules) within the prescribed timeframe.
  5. Maintain records of all data breaches, including those not requiring notification.

As a Subscriber (Data Fiduciary for your patients), you are responsible for notifying your affected patients of any breach that significantly impacts them. We will provide you with the information necessary to fulfil this obligation.

14. Your Rights Under the DPDP Act 2023

The Digital Personal Data Protection Act, 2023 grants you (as a Data Principal) the following rights in respect of your personal data:

RightDescriptionHow to Exercise
Right to AccessObtain confirmation of whether your personal data is being processed, and a summary of the processing.Email hello@oronzo.io
Right to CorrectionRequest correction of inaccurate or incomplete personal data.Via account settings or email hello@oronzo.io
Right to ErasureRequest deletion of personal data where it is no longer necessary for the purpose for which it was collected, subject to legal retention obligations.Email hello@oronzo.io
Right to Grievance RedressalLodge a complaint with our Grievance Officer if you believe your rights under the DPDP Act have been violated.Email grievance@oronzo.io
Right to NominateNominate another individual to exercise your data protection rights on your behalf in the event of your death or incapacity.Email hello@oronzo.io
Right to Withdraw ConsentWithdraw consent for any processing based on consent (e.g., marketing), with effect from the date of withdrawal.Unsubscribe link in emails or hello@oronzo.io

We will respond to rights requests within 30 days of receipt. For complex requests, we may extend this period by a further 30 days with notice to you. We may need to verify your identity before processing a request.

If you are dissatisfied with our response, you may escalate to our Grievance Officer (Section 21) or to the Data Protection Board of India (once established under the DPDP Act 2023).

15. Patient Rights & Healthcare Data

Patients whose data is entered into Curex24 Clinic by Subscribers have rights under applicable law. The Subscriber (clinic / healthcare provider) is the Data Fiduciary for patient data and is responsible for:

  • Obtaining valid, informed consent from patients before entering their personal and health data into the Platform.
  • Informing patients about how their data is stored, processed, and shared.
  • Responding to patient requests to access, correct, or delete their health records.
  • Maintaining records of patient consents.
  • Complying with applicable medical records regulations, including the requirement to maintain records for the legally prescribed period.

If you are a patient and have questions about your health data on Curex24 Clinic, you should first contact the clinic or healthcare provider who treated you. If you believe your data rights have been violated and cannot resolve the matter with the clinic, you may contact us at hello@oronzo.io and we will assist to the extent possible.

As a Data Processor, Oronzo LLP will comply with lawful instructions from the Subscriber regarding patient data, and will also comply with any direct legal requirements (such as court orders or DPDP Act obligations) that apply to us.

16. Cookies & Tracking Technologies

16.1 What Are Cookies?

Cookies are small text files placed on your device by websites you visit. We use cookies and similar tracking technologies (such as local storage and session tokens) to operate the Platform and understand how it is used.

16.2 Cookie Types We Use

Cookie Name / TypePurposeDurationCan Be Disabled?
Session token (JWT)Keeps you logged in during your sessionSession / 7 days (with remember me)No — required for login
CSRF tokenPrevents cross-site request forgery attacksSessionNo — security essential
Preference cookieRemembers your UI preferences (dark mode, language)1 yearYes
Analytics cookie (opt-in)Aggregated page view and feature usage data1 yearYes — opt-out in settings
WhatsApp opt-in flagRecords your consent to WhatsApp notifications2 yearsYes

16.3 Managing Cookies

You can manage cookie preferences in your browser settings. Disabling essential cookies (session tokens, CSRF tokens) will prevent you from logging into the Platform. Disabling optional cookies will not affect core functionality but may reduce personalisation. Most modern browsers allow you to: (a) see what cookies have been set; (b) allow, block, or delete cookies; (c) set preferences on a site-by-site basis.

17. Marketing & Communications

17.1 Types of Communications

We may communicate with you in the following ways:

  • <strong>Transactional</strong>: Subscription confirmations, invoices, payment receipts, password reset emails, security alerts. These are sent regardless of marketing preferences as they relate to your account.
  • <strong>Service Updates</strong>: Product feature announcements, maintenance windows, policy updates. Sent to all active Subscribers as part of the Service.
  • <strong>Marketing</strong>: Promotional offers, new feature highlights, webinar invitations. Sent only to Subscribers who have not opted out.

17.2 Opting Out

To opt out of marketing communications:

  • Click the &quot;Unsubscribe&quot; link in any marketing email.
  • Update your communication preferences in your account settings.
  • Email <a href={`mailto:${CONTACT_EMAIL}`} className="legal-link">{CONTACT_EMAIL}</a> with the subject &quot;Unsubscribe&quot;.

Please note: Opting out of marketing emails does not opt you out of transactional or service update communications, which are necessary to maintain your account.

17.3 WhatsApp Notifications

Subscribers can send appointment reminders, prescription summaries, and lab report delivery to patients via WhatsApp. Patient phone numbers are used solely for this purpose and are not used for marketing. Patients can opt out of WhatsApp messages by replying "STOP" or by asking the Subscriber to disable notifications for their record.

18. Clinic & Patient Data Roles

Under the DPDP Act 2023 and IT (SPDI) Rules 2011, the legal roles for data are:

RolePartyResponsibilities
Data FiduciaryThe Subscriber (clinic / healthcare provider)Determines the purposes and means of processing patient data. Must obtain patient consent, respond to patient rights requests, and comply with all Data Fiduciary obligations under applicable law.
Data ProcessorOronzo LLPProcesses patient data solely on the instructions of the Subscriber (Data Fiduciary). Must implement appropriate security measures, maintain confidentiality, and comply with Data Processor obligations under applicable law.
Data PrincipalThe patient (or Subscriber staff member)The individual whose personal data is being processed. Has rights to access, correct, erase, and raise grievances regarding their personal data.

This means: (a) if you are a Subscriber, you are the Data Fiduciary and are responsible for your patients' data; (b) Oronzo LLP acts as your Data Processor and will only process patient data as you direct; (c) patients whose data is on the Platform have rights that must be honoured by the Subscriber (with Oronzo LLP's technical assistance).

19. ABDM & Digital Health ID (ABHA)

If you enable ABDM (Ayushman Bharat Digital Mission) integration, Curex24 Clinic may process Ayushman Bharat Health Account (ABHA) IDs and interact with the NHA's Health Information Exchange (HIE-CM) infrastructure. In doing so:

  • Patients must provide explicit, informed consent for ABDM linkage of their health records.
  • ABDM health records are processed only for the purposes of providing integrated healthcare services.
  • ABDM data is handled in compliance with NHA’s Health Data Management Policy (HDMP), ABDM Consent Manager guidelines, and applicable NHA circulars.
  • Subscribers using ABDM integration must comply with all NHA requirements for Health Information Providers (HIPs).

For more information about ABDM and your health ID rights, visit the official NHA ABDM portal at abdm.gov.in.

The Platform may contain links to third-party websites, services, or resources (such as lab partner portals, diagnostic centres, or ABDM portals). Oronzo LLP is not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party websites you visit from links on our Platform. This Privacy Policy applies only to Curex24 Clinic operated by Oronzo LLP.

21. Grievance Officer & Data Protection Officer

As required under the IT Act, 2000 (Section 79), IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the DPDP Act, 2023, Oronzo LLP has designated a Grievance Officer who also serves as our Data Protection Officer (DPO):

Grievance Officer & Data Protection Officer — Oronzo LLP

Grievance / DPO Email: grievance@oronzo.io
General Privacy Email: hello@oronzo.io
Response Time: Acknowledgment within 48 hours; resolution within 30 days.
Address: Oronzo LLP, Hyderabad, Telangana, India — 500081

Grievances must be submitted in writing (email preferred) and must include: (a) your full name and contact details; (b) your account email; (c) a detailed description of the grievance or privacy concern; and (d) any supporting documents. We will acknowledge your grievance within 48 hours and endeavour to resolve it within 30 days.

If you are dissatisfied with our response, you may escalate your complaint to the Data Protection Board of India (once operational under the DPDP Act 2023) or to the relevant adjudicating officer under the IT Act 2000.

22. Changes to this Policy

We may update this Privacy Policy periodically to reflect changes in our practices, the Platform, or applicable law. We will provide notice of material changes by:

  • Sending an email to your registered account email address at least 14 days before the changes take effect.
  • Displaying a prominent in-app notification.
  • Updating the &quot;Effective Date&quot; at the top of this page.

Your continued use of the Platform after the effective date of revised Terms constitutes your acceptance of the updated Privacy Policy. If you do not agree to the revised Policy, you must discontinue use of the Platform.

The latest version of this Privacy Policy is always available at clinic.curex24.com/privacy.

23. Contact Us

For any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

Privacy & Data Protection — Oronzo LLP

General / Privacy / DPOhello@oronzo.io
Grievance Officergrievance@oronzo.io
AddressOronzo LLP, Hyderabad, Telangana, India — 500081