Privacy Policy
How CureNexis collects, uses, and protects your personal and health information.
1. Overview
CureNexis (operated by CureNexis Technologies Private Limited, hereinafter "we", "us", or "our") is committed to protecting the privacy and security of your personal data, including sensitive health information. This Privacy Policy applies to all users of our platform, website, and mobile applications in India.
This policy is prepared in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000 and its amendments, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and guidelines issued by the National Health Authority (NHA) under the Ayushman Bharat Digital Mission (ABDM).
2. Information We Collect
We collect the following categories of data to provide our services:
Personal Identification Data:
- Full name, date of birth, gender, and contact details (email, phone number, address)
- Government-issued ID references (Aadhaar number — masked/tokenised only, PAN where applicable)
- ABHA (Ayushman Bharat Health Account) ID, if linked
- Login credentials (stored in encrypted form)
Health & Medical Data (Sensitive Personal Data):
- Medical history, diagnoses, prescriptions, and treatment records
- Lab reports, diagnostic imaging, and pathology results
- Vaccination records and chronic condition information
- Information shared during secure consultations with doctors
Usage & Technical Data:
- IP address, device identifiers, browser type, and operating system
- Pages visited, features used, and session duration
- Cookies and similar tracking technologies (see our Cookie Policy)
Communication Data:
- Messages sent via our secure in-platform messaging system
- Support tickets and feedback submitted to us
3. How We Use Your Information
We use your data only for legitimate purposes directly related to providing our healthcare platform services:
- Creating and managing your secure health profile
- Enabling you to share medical records with authorised healthcare providers
- Generating AI-assisted health summaries and clinical decision support
- Facilitating secure communication between patients, doctors, and institutions
- Complying with legal and regulatory obligations under Indian law
- Improving platform performance, security, and user experience
- Sending service-related communications (never marketing without explicit consent)
We will never use your health information for advertising or sell it to third parties for commercial purposes.
4. Data Sharing & Disclosure
We do not sell your personal data. We share data only in the following limited circumstances:
- With your explicit consent: When you choose to share your records with a specific doctor, clinic, or institution on our platform
- Service providers: Cloud infrastructure and security vendors operating under strict data processing agreements and bound by equivalent privacy obligations
- Legal obligations: When required by Indian law, court order, or government authority — including mandated reporting under the National Health Policy
- Public health emergencies: As permitted under DPDPA Section 17 for legitimate State functions
- Business transfers: In the event of a merger or acquisition, your data will remain subject to this policy and you will be notified in advance
All data shared with third parties is governed by data processing agreements that require equivalent levels of data protection.
5. Data Security
We implement industry-standard technical and organisational measures to protect your data:
- AES-256 encryption for all data at rest and TLS 1.3 in transit
- Role-based access control (RBAC) ensuring only authorised personnel access sensitive data
- Regular penetration testing and third-party security audits
- Comprehensive audit logs for all data access and modifications
- ISO 27001-aligned security management practices
- Data stored exclusively within India on compliant cloud infrastructure
- Multi-factor authentication for all platform accounts
In the event of a data breach that is likely to affect your rights and freedoms, we will notify the Data Protection Board of India and affected users as required under the DPDPA.
6. Your Rights as a Data Principal
Under the Digital Personal Data Protection Act, 2023, you have the following rights:
- Right to Access: Request a summary of your personal data we hold and how it is being used
- Right to Correction: Request correction of inaccurate or incomplete personal data
- Right to Erasure: Request deletion of your personal data, subject to legal retention obligations
- Right to Withdraw Consent: Withdraw consent for specific processing activities at any time
- Right to Grievance Redressal: Raise a grievance with our Data Protection Officer within 30 days of any privacy concern
- Right to Nominate: Nominate another individual to exercise these rights in the event of your death or incapacity
To exercise any of these rights, please contact our Data Protection Officer at [email protected] with the subject line "Privacy Request".
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide services. Health records are retained in accordance with applicable Indian regulations, including the Clinical Establishments Act and guidelines from the Medical Council of India, which generally require a minimum of seven (7) years for medical records. You may request deletion of non-mandatory data at any time.
8. Children and Minors
Our platform may be used for managing health records of minors (persons below 18 years of age) by a parent or legal guardian acting as their representative. We require verifiable parental consent before processing data of minors. We do not knowingly collect data from children without such consent.
9. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or platform features. We will notify you of material changes via email or a prominent notice on our platform at least 15 days before the change takes effect. Continued use of the platform after that period constitutes acceptance of the revised policy.
10. Contact & Grievance Redressal
If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact:
Data Protection Officer — CureNexis
Email: [email protected]
Response time: Within 30 days of receiving your request
If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India once it is constituted under the DPDPA, 2023.