DPDP Act 2023 Compliant

Privacy Policy

Last updated: 22 February 2026  ·  Effective date: 22 February 2026

This Privacy Policy describes how Broca (broca.in) — the "Data Fiduciary" under the Digital Personal Data Protection Act, 2023 (DPDP Act) and the DPDP Rules, 2025 — collects, uses, shares, and protects your personal data, and explains your rights as a Data Principal. Please read this policy carefully before registering or using any Broca service.

1. Identity of the Data Fiduciary

Broca is the Data Fiduciary responsible for the processing of your personal data as defined under Section 2(i) of the DPDP Act, 2023.

Praneeth Kaipa — Grievance Officer (Interim)

Email: support@broca.in

Website: https://broca.in

Available: Monday – Saturday, 9 am – 9 pm IST

2. Consent & Lawful Basis for Processing

Under Section 6 of the DPDP Act, 2023, we must have a lawful basis before processing your personal data. The Act recognises two: your consent for a specified purpose (Section 6) and the "certain legitimate uses" listed in Section 7; it does not contain a separate "performance of contract" or "legitimate interest" basis of the kind found in other regimes. The table below sets out the lawful basis for each category of processing:

Processing Activity | Lawful Basis | DPDP Reference
Account registration & authentication | Consent to the specified purpose (data you provide voluntarily for that purpose) | S.6, S.7(a)
Processing medical context and uploaded health reports | Explicit consent | S.6
Sharing data with the assigned doctor | Explicit consent, limited to what the consultation requires | S.6
Sending transactional emails (confirmations, OTPs) | Consent to the specified purpose | S.6, S.7(a)
Platform security & fraud prevention | Consent to the specified purpose; disclosure to authorities where law requires | S.6, S.7(d), S.7(e)
Anonymised analytics for platform improvement | Not personal data once it is no longer identifiable; outside the Act's scope | n/a
Compliance with court orders / government directives | Legal obligation | S.7(d), S.7(e)

2.1 How We Obtain Consent

Before you register, we present a clear and plain-language consent notice explaining:

  • What personal data will be collected.
  • The specific purposes for which it will be used.
  • The identities of any Data Processors or third parties with whom it will be shared.
  • How you can withdraw consent and the consequences of doing so.

Consent is obtained through an explicit, affirmative tick-box on the registration form ("I agree to the Terms of Service and Privacy Policy"). Pre-ticked boxes are not used. Consent is separately requested before processing medical health data (special category data) and before sharing your data with any new category of third party.

2.2 How to Withdraw Consent

Withdrawing consent is as easy as giving it (Section 6(4) of the DPDP Act).

You may withdraw your consent at any time by emailing support@broca.in with the subject line "Withdraw Consent". We will process your request within 7 business days.

  • Withdrawing consent for medical data processing will prevent you from booking further consultations.
  • Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
  • Processing that is necessary to fulfil a legal obligation or complete an in-progress consultation may continue after withdrawal.

3. Personal Data We Collect

3.1 Data You Provide Directly

  • Account data: full name, email address, hashed password, and phone number at registration.
  • Health & medical data (special category): symptoms, concerns, prior diagnoses, prescriptions, and diagnostic reports (PDFs/images) submitted when booking a consultation. This data receives the highest level of protection we offer; Section 6 describes how it is encrypted and stored.
  • Profile data: age and any additional details you add to your profile.
  • Support communications: messages you send to our support team.

3.2 Data Collected Automatically

  • Log data: IP address, browser type, device type, pages visited, and timestamps — used solely for security monitoring and debugging.
  • Authentication token: a JSON Web Token (JWT) kept in your browser's localStorage to maintain your session.
  • Consultation metadata: call duration, timestamps, and status (not audio/video content).

3.3 Data We Do NOT Collect

Zero-knowledge architecture

Your RSA-4096 key pair is generated entirely in your browser, and the private key is never transmitted to our servers; as a result, Broca cannot decrypt your medical files. We do not record, store, or have any access to the audio or video content of your consultation calls.

4. Purpose of Processing

Under Sections 5 and 6 of the DPDP Act, personal data may be processed only for the specific, clear purposes notified to you when your consent is requested. We process your personal data only for the following purposes:

  • Service delivery: creating and managing your account, matching you with a doctor, and conducting your consultation.
  • Transactional communications: booking confirmations, OTPs, email verification, and appointment reminders.
  • Support: responding to your queries, complaints, and data rights requests.
  • Security: detecting fraud, unauthorised access, and abuse of the platform.
  • Legal compliance: fulfilling obligations under the DPDP Act, Information Technology Act 2000, and other applicable Indian law.
  • Platform improvement: using fully anonymised, non-identifiable aggregated metrics to improve reliability.

We will not process your data for any new purpose without issuing a fresh consent notice and obtaining your explicit consent in advance.

5. How We Share Your Data

We do not sell, rent, or share your personal or medical data for advertising or any commercial purpose. Data is shared only in the circumstances below:

  • Assigned doctor: the doctor accepting your consultation will access your name, contact details, and submitted medical context solely to provide care. Doctors are bound by professional confidentiality obligations and a data processing agreement with Broca.
  • Data Processors (service providers): Microsoft Azure (cloud infrastructure, India regions), email delivery providers, and payment processors. All processors operate under written data processing agreements as required by Section 8(2) of the DPDP Act and may use your data only on our documented instructions.
  • Legal obligation: if required by a court order, the Data Protection Board of India, CERT-In, or other competent authority under applicable law.
  • Business transfer: in a merger, acquisition, or asset sale, your data may be transferred to the successor entity, which will be bound by this policy or an equivalent standard. You will be notified of any such transfer.

6. Data Storage & Security

  • All personal data is stored on Microsoft Azure infrastructure physically located in India.
  • Medical files are encrypted with AES-256-GCM under a key derived from your password. Only you and your assigned doctor can decrypt them, and only during an active consultation.
  • All data in transit is protected by TLS (TLS 1.3 where your browser supports it; TLS 1.2 is the minimum we accept).
  • Passwords are stored only as salted bcrypt hashes; we never store plaintext passwords.
  • Production database access is restricted by role-based access controls (RBAC) and multi-factor authentication (MFA).
  • Infrastructure is monitored 24/7 for anomalous access and intrusion attempts.

6.1 Personal Data Breach Notification

In the event of a personal data breach, Broca will act in accordance with Section 8(6) of the DPDP Act and Rule 7 of the DPDP Rules, 2025, and with the CERT-In directions issued under Section 70B of the Information Technology Act, 2000:

  • Notification to the Data Protection Board of India (DPBI): we will intimate the Board without delay on becoming aware of a breach, and submit the detailed report required by Rule 7 (the facts and circumstances, the remedial measures taken, and the intimations given to affected users) within 72 hours of becoming aware, or within such longer period as the Board allows.
  • Notification to CERT-In: where the breach is also a reportable cyber security incident, we will report it to CERT-In within 6 hours of noticing it, as the CERT-In directions require.
  • Notification to affected Data Principals (you): we will notify every affected user without delay, in clear and plain language, and in any case no later than 72 hours after confirming that the breach affects your rights or interests. The notification will include:
    • A description of the breach and the data involved.
    • The likely consequences of the breach.
    • The remedial measures taken or proposed.
    • The steps you can take to protect yourself.
    • Contact details for further queries.
  • Notifications will be sent to your registered email address. If a large number of users are affected and individual notification is not reasonably feasible within the timeframe, we will issue a prominent notice on our website in addition to a general email notification.

7. Data Retention

Under Section 8(7) of the DPDP Act, personal data must not be retained longer than necessary for the specified purpose. Our retention periods are:

Data Category | Retention Period | Basis
Account & profile data | Duration of account + 2 years post-deletion | Legal obligation
Consultation records (anonymised) | 5 years | Audit / compliance
Uploaded medical files | Duration of account (deletable on request) | Consent
Server log data | 90 days, then permanently deleted | Security
Support correspondence | 3 years after resolution | Legal obligation

8. Cookies & Local Storage

Broca uses browser localStorage to store your authentication token and your locally-generated encryption keys. We do not use third-party advertising cookies, tracking pixels, or behavioural profiling technologies. Necessary session cookies may be set by Microsoft Azure (our infrastructure provider) for load balancing; these do not track you across sites and are not shared with any third party.

9. Your Rights as a Data Principal

Under Sections 11–14 of the DPDP Act, 2023, you have the following rights with respect to your personal data:

  • Right to access information (Section 11): obtain a summary of the personal data we process and the processing activities undertaken.
  • Right to correction and erasure (Section 12): request correction of inaccurate or incomplete data, or erasure of data no longer needed for the consented purpose.
  • Right to grievance redressal (Section 13): raise a complaint with our Grievance Officer (contact details in Section 14 of this policy). We will acknowledge within 48 hours and resolve within 30 days.
  • Right to nominate (Section 14): nominate another individual to exercise your data rights in the event of your death or incapacity.
  • Right to withdraw consent (Section 6(4)): as described in Section 2.2 above.
  • Right to data portability (offered voluntarily; the DPDP Act does not itself provide a portability right): request your consultation history in a common machine-readable format (JSON or CSV).

To exercise any right, email support@broca.in with the subject line "Privacy Request — [Right Name]". We may verify your identity before processing the request. There is no fee for exercising your rights. If you are not satisfied with our response, you may escalate to the Data Protection Board of India.

10. Children's Data & Parental Consent

Broca takes the protection of minors' data seriously in accordance with Section 9 of the DPDP Act and Rule 10 of the DPDP Rules, 2025.

  • Age threshold: Broca does not permit individuals under 18 years of age to register or use the platform independently.
  • Verifiable parental/guardian consent (Section 9, DPDP Act): where a parent or guardian wishes to register an account to manage healthcare for a minor dependent, they must:
    • Register using their own verified email address and identity.
    • Provide explicit written consent by completing the parental consent form available at support@broca.in.
    • Acknowledge they are the parent or lawful guardian of the minor.
  • We will not process any personal data of a minor without verified parental or guardian consent. Any such consent is subject to additional safeguards and will be recorded and retained in accordance with our retention policy.
  • If we become aware that personal data of a minor has been collected without valid parental consent, we will delete that data promptly and notify the parent or guardian if contact details are available.

11. Cross-Border Data Transfers

All personal data processed by Broca is stored on Microsoft Azure servers physically located in India. We do not currently transfer personal data outside India.

If a future operational need requires cross-border transfer (for example, a disaster recovery site in another country), Broca will:

  • Transfer data only to a country or territory whose use has not been restricted by notification of the Central Government under Section 16 of the DPDP Act, and subject to any conditions set out in the DPDP Rules.
  • Update this Privacy Policy with details of the transfer mechanism at least 14 days before such transfers begin.
  • Obtain fresh consent from Data Principals if the transfer involves medical health data.

12. Third-Party Links

The Broca platform may contain links to external websites (for example, payment provider portals). Broca is not the Data Fiduciary for data processed on those sites. We encourage you to review the privacy policies of any third-party site you visit.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or applicable law. For material changes (changes that affect the legal basis of processing or introduce new categories of data sharing), we will:

  • Notify you by email to your registered address at least 14 days before the change takes effect.
  • Where required, obtain fresh consent before the new processing begins.
  • Post the updated policy at broca.in/privacy with the revised date.

For non-material changes (typo corrections, clarifications), the updated policy will be published without individual notice.

14. Grievance Officer & Contact

In accordance with Section 13 of the DPDP Act and Rule 14 of the DPDP Rules, 2025, Broca has designated a Grievance Officer to address complaints regarding the processing of personal data:

Praneeth Kaipa — Grievance Officer (Interim)

Email: support@broca.in

Subject line: Privacy Grievance

Response time: Acknowledgement within 48 hours; resolution within 30 days

If you are not satisfied with our response, you may lodge a complaint with the Data Protection Board of India at the website notified by the Central Government from time to time.

© 2026 Broca. All rights reserved.