Patient Privacy
Privacy Policy — ArogyaCare BookingPortal
Effective date: 1 January 2026 · Last updated: 30 March 2026 · Applies to bookmydoctor.azurewebsites.net
1. Who We Are
ArogyaCare is a patient-facing online appointment booking portal
developed and operated by CVV Technologies. This portal allows
patients to discover hospitals, book appointments with doctors, and access their
health records — all in one place.
Two parties handle your data:
• CVV Technologies — operates the ArogyaCare platform and is
responsible for how the platform itself stores and protects your data.
• Your hospital — is responsible for the clinical records
they enter about you. For questions about your medical records, contact your
hospital directly.
2. What We Collect & Why
Registration data
Name, email, mobile number, city — to create your patient account
Appointment data
Hospital, doctor, date, appointment type — to book and manage your appointments
Health records
Prescriptions, lab results, billing, medical records — shared by your hospital so you can view them
Communication data
Chat messages with hospital staff — for your support queries
Technical data
Login timestamps, browser type — for security and session management
Consent record
Date and time you agreed to this policy — as required by law
We collect only what is necessary to provide the service.
We do not collect location data beyond your selected city, payment card
details, or biometric data.
3. Your Consent
By registering on ArogyaCare, you give your explicit consent for CVV Technologies
to collect and process your personal and health data as described in this policy.
This consent is required under the
Digital Personal Data Protection Act 2023 (DPDP Act).
- Your consent is recorded with a timestamp when you complete registration
- You can withdraw consent at any time by contacting us at privacy@cvvtechnologies.com
- Withdrawing consent will deactivate your ArogyaCare account
- Your clinical records at the hospital are not deleted — contact your hospital for that
4. How We Protect Your Data
- Your data is stored in Microsoft Dynamics 365 Dataverse on Microsoft Azure with AES-256 encryption at rest
- All connections use HTTPS / TLS 1.2+ encryption
- Your password is stored as a BCrypt hash — we cannot see your password
- Access to your records by hospital staff is logged in an audit trail
- Session cookies use SameSite=Strict + Secure flags
- Your health records are only visible to hospitals you have booked with
- CVV Technologies staff do not access patient health records
5. Who We Share Your Data With
We share your data only with:
- Your chosen hospital — when you book an appointment, your name, contact
details and appointment request are shared with that hospital's staff via HospitalPortal
- Microsoft Corporation — as the cloud infrastructure provider
(Dynamics 365 Dataverse, Azure App Service) under Microsoft's Data Processing Agreement
- Government authorities — only when required by Indian law or a valid
court order
We never sell your data. CVV Technologies does not sell, rent, or
share your personal or health data with advertisers, data brokers, insurance companies,
or any third party for commercial purposes.
6. Your Rights as a Patient
Under the DPDP Act 2023, you have the following rights over your data:
Right to access
View all your personal data held in ArogyaCare via the My Health Records section, or request a full export by email.
Right to correction
Request correction of inaccurate personal data (name, mobile, email) by contacting us. Clinical records must be corrected by your hospital.
Right to erasure
Request deletion of your ArogyaCare account and personal data. We will process within 7 days. Clinical health records are held by your hospital — contact them separately.
Right to withdraw consent
You can withdraw consent at any time. This will deactivate your account. Email privacy@cvvtechnologies.com.
Right to grievance redressal
We will respond to all privacy complaints within 7 days. If unsatisfied, you may escalate to the Data Protection Board of India.
7. Children's Data
ArogyaCare is intended for users aged 18 and above. If a patient under 18 requires
an account, a parent or guardian must register on their behalf and is responsible
for consent on the child's behalf. We do not knowingly collect data from minors
without parental consent, as required by the DPDP Act 2023.
8. How Long We Keep Your Data
- Active accounts: Data is kept while your account is active
- After account deletion: Personal data (name, email, mobile) deleted within 30 days
- Appointment history: Anonymised and retained for service improvement for up to 1 year
- Audit logs: Retained for 3 years as required by IT Act 2000
- Clinical records: Governed by your hospital's own retention policy
9. Contact Us
For any privacy-related requests, complaints, or questions:
This policy was last updated on 30 March 2026.
CVV Technologies reserves the right to update this policy. You will be notified
via email at least 14 days before material changes take effect.