CardMetCare

Privacy policy

Last reviewed: 2026-05-02. [LEGAL: review and replace before launch]

1. Who we are

CardMetCare is operated by [LEGAL: legal entity name, CIN, GST number — review and replace] ("CardMetCare", "we", "us"). We act as a data fiduciary under India's Digital Personal Data Protection Act, 2023 ("DPDP") for personal data we process on the platform.

2. What we collect

  • Account data — username, display name, role, tenant. Submitted by you at signup or invite acceptance.
  • Health data — vitals (blood pressure, glucose, weight), medications, goals, care-plan tasks, alerts, timeline events. Created when you log a reading or your care team writes to your record.
  • Operational data — order placements with partner-network providers, consent records, audit-event metadata (action, actor, timestamp).
  • Technical data — IP address, user agent, browser session cookies for authentication and rate-limit enforcement.

3. Why we collect it

  • To provide the cardiometabolic platform you signed up for.
  • To route partner-network orders and settle charges with our partners.
  • To detect and respond to security threats (rate-limit, lockout, audit).
  • To meet legal and regulatory obligations (GST invoicing, audit retention).

We do not sell your data. We do not share it with advertisers or analytics resellers.

4. Lawful basis

We rely on consent for the bulk of processing (DPDP §6) — captured at signup and visible on the patient governance page. We rely on legitimate use (DPDP §7) for limited operational categories such as fraud prevention and audit.

5. Your rights

  • Correction (DPDP §11) — fix inaccurate data. Use the patient governance page or write to support@cardmetcare.com.
  • Erasure (DPDP §12) — request deletion of your record.
  • Withdraw consent — revoke any consent you previously granted. Service availability may degrade where the service depends on that consent.
  • Grievance — escalate unresolved issues to our Grievance Officer at grievance@cardmetcare.com. [LEGAL: Grievance Officer name + DPB registration — review and replace]

6. Sharing your data

Your data is shared only with the parties needed to deliver the service you requested: the clinic / care team you signed up under, the pharmacy / lab / telehealth partner you ordered from, and our hosting / payment infrastructure providers under data-processing agreements.

7. Retention

We retain personal and health data while your account is active and for a minimum of seven (7) years after closure for medical-record retention obligations, then we delete or anonymise. [LEGAL: retention table — review and replace]

8. Security

See our security page for the technical detail. Briefly: TLS in transit, encryption at rest, tenant isolation at the database layer, audit log on every privileged action, and standard security headers + dependency scanning in CI.

9. Cookies

We use HttpOnly cookies for authentication and a small number of first-party cookies for functional state (e.g. remembering your selected patient context). We do not use third-party tracking cookies.

10. Children's data

CardMetCare is not intended for direct use by children under 18 in India. Where a parent / guardian creates a household record covering a minor, the parent / guardian acts as verifiable guardian under DPDP §9.

11. International transfers

Production data resides on infrastructure within India by default. Where transfer outside India is necessary (e.g. for vendor sub-processing), we apply the safeguards listed in the DPDP Act and notify the data principal where required.

12. Changes

We update this policy from time to time. Material changes are communicated by email and / or in-app banner at least 14 days before they take effect.

13. Contact

Questions: hello@cardmetcare.com. Privacy / DPDP: privacy@cardmetcare.com. Grievance: grievance@cardmetcare.com.