Privacy Policy

Asian Hospital (“Asian Hospital”, “we”, “us”) operates the website asianhospitals.in. We are a multi-specialty hospital at Millat Nagar Ring Road,, Beside Tipu Sultan College, Gulbarga 585104.

For the purposes of the Digital Personal Data Protection Act 2023 (the “DPDP Act”), Asian Hospital is a Data Fiduciary — the entity that determines the purpose and means of processing your personal data.

Questions or complaints about how your data is handled should reach our Data Protection Officer:

• Email: contact@asianhospitals.in (use the subject line “DPO enquiry”)
• Post: Data Protection Officer, Asian Hospital, Millat Nagar Ring Road,, Beside Tipu Sultan College, Gulbarga 585104
• Phone: +91 96064 96370

We respond to DPO enquiries within 7 working days of receipt.

We collect only what we need to run the services you ask for. Each category below names the data, the purpose for collecting it, and the lawful basis under the DPDP Act.

3.1 Appointment booking (/book)

• What: full name, age, gender, phone number, email (optional), reason for visit, preferred doctor / department / date / time.
• Why: so reception can call you to confirm a slot and so the consulting doctor knows what the visit is about.
• Basis: your consent at the point of submission (DPDP s.6(1)).
• Retention: 3 years from your last visit, in line with Karnataka clinical-records rules.

3.2 Phone verification (Truecaller / OTP)

• What: verified phone number, first + last name from Truecaller (when you choose the 1-tap path), email (when Truecaller has it).
• Why:to confirm a real human submitted the request and to pre-fill your contact details so you don't have to type them.
• Basis:your consent — you explicitly tap “Continue with Truecaller” or request an OTP.
• Retention: the Firebase Auth session is destroyed when you close the chat or sign out.

3.3 AskHealthAI chat (/ask-ai)

• What: messages you type into the chat, messages the AI responds with, the URL you were on, your verified phone number (only if you verified during the chat), and a session identifier.
• Why: to give you useful answers (current-turn context) and so our team can spot bugs and improve replies (review of past conversations).
• Basis: your consent (you opened the chat) + legitimate interest in safety review and abuse prevention.
• Retention: 180 days for chat content, then automatic deletion. Aggregate statistics (number of chats, average length) retained indefinitely.
• Important: AskHealthAI is not a doctor and never gives a medical diagnosis or drug dosage. For anything urgent, call our ambulance on +91 96064 96370 or visit casualty.

3.4 Job applications + course enquiries

• What: name, phone, email, role applied for, qualifications, experience, shift availability.
• Why: so HR can review your application and call you back.
• Basis: your consent at submission.
• Retention:12 months from submission, then deleted unless you have been hired (in which case the record migrates to our HR system under that system's policy).

3.5 Grievances (/grievance)

• What: your complaint text, attachments, and (if not anonymous) your name + contact.
• Why: so the Grievance Officer can investigate and respond within 24 hours.
• Basis: your consent at submission + legal obligation to maintain a public grievance channel.
• Retention: 3 years from resolution for quality-assurance audits.
• You may file an anonymous grievance — we will only have the ticket number to track it.

3.6 Analytics + cookies

• What: a Google Analytics 4 client ID (random number stored in a cookie), the pages you visit on our site, the device + browser type, the country (not city or address), and which buttons you tap.
• Why:to understand which pages help patients and which don't, so we can improve the site.
• Basis: your explicit consent via the cookie banner. We do NOTset any analytics cookies before you tap “Accept”.
• Retention: 14 months at Google Analytics; you can revoke consent any time by tapping “Decline” in the banner (it reappears on next visit if you revoked).
• We NEVER send your appointment data, grievance text, or chat transcript to analytics. Analytics only ever sees anonymous usage counts.

We use the following third-party services to operate the site. Each is a Data Processor under the DPDP Act and is contractually bound to use your data only for the purpose we have engaged them for.

• Google Firebase (Authentication + Firestore + Storage + Analytics + Cloud Functions) — hosts patient bookings, grievances, doctor profiles, and session data. Servers in Mumbai, India (asia-south1).
• Google Cloud Platform (Cloud Run, Cloud Secret Manager) — runs the application backend. Servers in Mumbai, India.
• Truecaller Software Technologies India Pvt Ltd — phone verification when you choose the 1-tap option. Their privacy policy applies to that hop: truecaller.com/privacy-policy.
• Google Gemini API— powers AskHealthAI. Your chat messages are sent to Google's Generative Language API for the duration of each reply, and Google undertakes not to use them to train its models. Servers in asia-southeast1 (Singapore) — transferred outside India under DPDP s.16 with equivalent protection.
• Google Maps Platform (Places API for the live reviews chip on our homepage). Receives only our Place ID, not your personal data.
• Gmail / Google Workspace — sends appointment + grievance + application notifications to our reception / HR / compliance desks.

Operational data (appointments, grievances, applications, doctor profiles, photographs) lives in Google Cloud's Mumbai (asia-south1) region. AI chat is processed in Singapore (asia-southeast1) via Google Gemini under Google's data-processing agreement; messages are not retained by Google for model training.

The DPDP Act gives you the following rights:

• Right to access — ask us what personal data we hold about you.
• Right to correction + erasure — ask us to fix wrong data or delete it.
• Right to withdraw consent— for any processing based on consent. Tap “Decline” on the cookie banner to revoke analytics consent. For other categories, email the DPO.
• Right of grievance redressal — if you think we have mishandled your data, write to the DPO. If unsatisfied within 30 days, you may complain to the Data Protection Board of India.
• Right to nominate — you may nominate a person to exercise these rights on your behalf in case of incapacity or death.

To exercise any right, email contact@asianhospitals.in with the subject line “DPDP rights request” and a brief description.

We do not knowingly collect personal data of patients under 18 years of age except through a parent or guardian who completes the booking on their behalf. The DPDP Act requires verifiable parental consent for data of children and our reception desk obtains this verbally at registration.

We take reasonable steps to protect your data, including:

• TLS 1.3 encryption on every connection between your device and our servers.
• Firestore security rules that block every read or write not explicitly allowed.
• Admin access gated behind Firebase Authentication + custom claims.
• Secrets (API keys, signing keys) stored in Google Cloud Secret Manager — not in code, configuration files, or source control.
• Periodic dependency vulnerability scans.

If we discover a data breach affecting your personal data, we will notify you and the Data Protection Board within 72 hours, as required by DPDP s.8.

For any complaint or violation of your rights under this policy, our Grievance Redressal Officer is the same Data Protection Officer named in Section 2 above. We acknowledge complaints within 48 hours and resolve them within 30 days.

If you are dissatisfied with the resolution, you may escalate to the Data Protection Board of India once it is constituted; until then, complaints may be filed with the Information Commissioner under the IT Act 2000.

We may update this policy from time to time. The effective date at the top of the page reflects the latest change. If we make a material change, we will notify you on the site and (where appropriate) by email.