Privacy Policy
Effective Date: April 1, 2026 | Last Updated: April 1, 2026 | Version: Final — v1.0
1. Introduction
Arodya Health Technologies Pvt. Ltd. ("Arodya", "we", "our", or "us") operates the Arodya patient mobile application (the "App") to help patients access world-class medical care globally — connecting them with hospitals, managing travel logistics, and supporting their medical journey from quote to recovery.
This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the Arodya App. It applies to all users of the App, regardless of your country of residence.
By creating an account or using the App, you acknowledge that you have read and understood this Privacy Policy.
If you do not agree with this policy, please do not use the App.
2. Who This Policy Applies To
This policy applies to:
- Patients — individuals using the App to seek medical treatment abroad
- Companions — individuals accompanying patients on medical travel, whose information may be entered into the App by the patient
This App is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you are under 18, please do not use this App. If we become aware that we have collected data from a person under 18, we will delete it promptly.
3. Data We Collect
We collect information you provide directly and information generated by your use of the App.
3.1 Identity and Contact Information
| Data | Source |
|---|---|
| Phone number | Account registration |
| Name | Profile setup |
| OTP verification records | Authentication (via Twilio) |
3.2 Medical Information
| Data | Source |
|---|---|
| Medical condition / diagnosis | Treatment request form |
| Medical reports and documents (uploaded by you) | Document upload |
| Treatment history and case notes | Case management |
| Medical quotes and treatment cost estimates | Hospital communication |
| Post-treatment recovery notes | Post-treatment module |
Note: Medical information is particularly sensitive. We apply heightened protections to this category of data as described in Section 8.
3.3 Payment and Transaction Data
| Data | Source |
|---|---|
| Payment method type (card, UPI, etc.) | Checkout |
| Transaction reference numbers | Payment processing |
| Booking amounts and currency | Order records |
We do not store full payment card numbers. Payment processing is handled by Stripe (international) and Razorpay (India). Please refer to their respective privacy policies for details on how they handle your payment data.
3.4 Travel and Booking Information
| Data | Source |
|---|---|
| Flight booking details | Travel coordination (via Duffel) |
| Hotel and accommodation bookings | Travel coordination (via Duffel) |
| Visa information (where assisted) | Travel coordination |
| Companion names and travel details | Trip planning |
| Country and city of treatment destination | Hospital search |
3.5 Location Data
We infer location information (at country level) when you search for hospitals or treatment destinations. We do not collect real-time GPS location data without your explicit consent.
3.6 Device and Technical Data
| Data | Source |
|---|---|
| Device type and operating system | App sessions |
| App version | App sessions |
| Push notification token | Notification registration |
| Crash reports and error logs | Sentry crash reporting |
| App usage events and screen interactions | PostHog analytics |
| IP address (approximate) | Server logs |
4. How We Use Your Data
We use your data to provide and improve the Arodya service.
4.1 Core Service Delivery
- Account management — creating and managing your account, OTP-based authentication via Twilio
- Medical coordination — sharing your medical information with hospitals you contact for quotes and treatment
- Booking management — processing flight and hotel bookings on your behalf via Duffel
- Payments — processing transactions through Stripe and Razorpay
- Notifications — sending case updates, booking confirmations, and appointment reminders via push notifications
- Post-treatment support — delivering recovery tips, follow-up prompts, and referral rewards
4.2 Safety and Quality
- Diagnosing and fixing technical errors (Sentry crash reporting)
- Preventing fraud and verifying identity
- Responding to customer support requests
4.3 Product Improvement
- Analysing how features are used to improve the App (PostHog product analytics)
- Understanding aggregate user behaviour (no sale of individual profiles)
4.4 Legal Compliance
- Meeting obligations under applicable laws and regulations
- Responding to lawful requests from authorities
5. How We Share Your Data
We do not sell your personal information. We share data only in the following circumstances.
5.1 Hospitals and Healthcare Providers
When you request a quote or book treatment, we share relevant medical information and contact details with the hospital or clinic you have selected. You initiate this sharing by using our service. The hospital then becomes an independent data controller for the information they receive.
5.2 Payment Processors
- Stripe (international transactions) — stripe.com/privacy
- Razorpay (India / UPI transactions) — razorpay.com/privacy
We share the minimum data necessary for payment processing.
5.3 Technology Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Sentry | Crash reporting and error monitoring | Device data, error logs, anonymised user identifiers |
| PostHog | Product analytics | App usage events, anonymised identifiers |
| Twilio | OTP / SMS delivery for authentication | Phone number, OTP message |
| Duffel | Flight and hotel booking search and ticketing | Traveller names, travel dates, destination |
| Vercel Blob | Secure storage of uploaded medical documents | Encrypted medical files |
| Vercel | Application hosting and serverless API processing (arodya.com) | All data in encrypted form |
| Expo / EAS | App delivery and over-the-air updates | Device token, app version |
All service providers are contractually bound to handle your data only as instructed by Arodya and to maintain appropriate security standards.
5.4 Legal Requirements
We may disclose your information where required by law, court order, or governmental authority, or where necessary to protect the rights, property, or safety of Arodya, our users, or others.
5.5 Business Transfers
If Arodya is acquired or merged, or if its assets are transferred, user data may be transferred as part of that transaction. We will notify you via the App or email before your data is transferred and becomes subject to a different privacy policy.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data (name, phone) | Duration of account + 2 years after deletion request |
| Medical records and reports | 7 years from last treatment (legal/medical record obligation) |
| Payment and transaction records | 7 years (financial record obligation) |
| Booking and travel records | 3 years from booking date |
| Crash reports and logs | 90 days |
| Analytics data | 2 years (aggregated thereafter) |
When retention periods expire, we delete or anonymise the data. You may request early deletion subject to legal retention obligations (see Section 7).
7. Your Rights
Depending on your country of residence, you may have the following rights:
| Right | What It Means |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Correction | Ask us to correct inaccurate or incomplete data |
| Deletion | Ask us to delete your personal data (subject to legal retention obligations) |
| Portability | Receive your data in a machine-readable format |
| Restriction | Ask us to restrict processing of your data in certain circumstances |
| Objection | Object to processing based on legitimate interests |
| Withdraw Consent | Where we rely on consent, withdraw it at any time |
| Complaint | Lodge a complaint with your local data protection authority |
To exercise any of these rights, contact us at privacy@arodya.com.
We will respond within 30 days. We may need to verify your identity before fulfilling a request.
8. How We Protect Your Data
- Encryption in transit — all data is transmitted over HTTPS/TLS
- Encryption at rest — sensitive data is encrypted at the database level; medical documents are stored encrypted on Vercel Blob
- Access controls — only authorised Arodya staff with a business need can access patient data
- Secure authentication — OTP-based login via Twilio with no passwords stored
- Medical data isolation — medical records are handled separately from operational data
- Vendor due diligence — all third-party processors are assessed for security standards
- Incident response — we maintain a breach notification procedure and will notify affected users without undue delay if required by law
9. GDPR — Users in the European Economic Area (EEA) and UK
If you are located in the EEA or UK, the following additional provisions apply.
9.1 Data Controller
Arodya Health Technologies Pvt. Ltd. is the data controller for personal data processed through the App.
Contact: privacy@arodya.com
9.2 Lawful Basis for Processing
| Processing Activity | Lawful Basis |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| Medical data processing for treatment coordination | Explicit consent (Art. 9(2)(a)) + vital interests where applicable |
| Payment processing | Contract performance (Art. 6(1)(b)) |
| OTP / SMS delivery via Twilio | Contract performance (Art. 6(1)(b)) |
| Travel booking via Duffel | Contract performance (Art. 6(1)(b)) |
| Crash reporting and error monitoring | Legitimate interests (Art. 6(1)(f)) |
| Product analytics (PostHog) | Legitimate interests (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
9.3 International Data Transfers
Your data may be processed outside the EEA (e.g., in India or the US where some service providers operate). Where we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
9.4 Your EEA/UK Rights
All rights listed in Section 7 apply. To lodge a complaint, contact your local supervisory authority. UK users may contact the Information Commissioner's Office (ICO) at ico.org.uk.
10. HIPAA Notice — Users Accessing Care in the United States
Arodya is not a Covered Entity under the Health Insurance Portability and Accountability Act (HIPAA). However, we recognise the sensitivity of health information and apply equivalent protections:
- Medical information is used only for the purposes described in this policy
- We do not sell or market your health information
- We will not disclose health information without your consent except as required by law
If you are receiving treatment at a US-based facility, that facility's own HIPAA Notice of Privacy Practices will also apply to the health information they collect directly.
11. Cookies and Tracking
The App does not use browser cookies. On mobile, we use:
- Device identifiers — for PostHog analytics event attribution (anonymised)
- Push notification tokens — to deliver notifications you have opted into
You can disable push notifications at any time via your device settings.
12. Third-Party Links and Services
The App may contain links to hospital websites or third-party services. This Privacy Policy does not cover those sites. We encourage you to review the privacy policies of any third parties you interact with.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- We will update the Effective Date at the top of this document
- For material changes, we will notify you via a push notification or in-app alert
- Continued use of the App after notification constitutes acceptance of the updated policy
We recommend reviewing this policy periodically.
14. Contact Us
For privacy-related questions, data requests, or concerns:
Email: privacy@arodya.com
Company: Arodya Health Technologies Pvt. Ltd.
Address: B-110, Bhoomi Hills, Thakur Village, Kandivali East, Mumbai, Maharashtra 400101, India
For urgent privacy concerns, please mark your email subject line: PRIVACY — URGENT.

