Privacy Policy

Introduction

Curefleet Technologies Private Limited ("Curefleet," "Company," "we," "us," or "our"), a company incorporated under the Companies Act, 2013 bearing Corporate Identity Number U52219DL2025PTC457848, having its registered office at AI-1 Rama Park, Najafgarh Road, Uttam Nagar, West Delhi, New Delhi, Delhi 110059, India, operates an integrated healthcare technology platform available via web portals, mobile applications, application programming interfaces (APIs), and affiliated digital services (collectively, the "Platform").

Curefleet is a technology aggregator and marketplace that facilitates connections between Users and independent healthcare service providers including doctors, clinics, hospitals, ambulance operators, diagnostic centres, pharmacies, home healthcare agencies, vaccination providers, and other third-party healthcare vendors (collectively, "Healthcare Partners"). Curefleet acts as a technology intermediary, marketplace facilitator, scheduling platform, communication enabler, and payment aggregator. Curefleet does not itself render medical treatment, diagnosis, prescriptions, clinical opinions, emergency response services, or any form of healthcare services unless separately and explicitly stated in a specific service agreement.

We are acutely aware that the information you entrust to us — including health records, personal identifiers, location data, financial details, and communication data — is among the most sensitive information in your possession. We are committed to handling such information with the highest degree of integrity, transparency, security, and accountability consistent with applicable Indian law and globally recognised data protection principles.

This Privacy Policy ("Policy") describes, in full:

• What categories of personal data and sensitive personal data we collect;
• How, why, and on what legal basis we collect, use, process, and store such data;
• With whom we share data and under what circumstances;
• How long we retain data;
• The rights available to you as a Data Principal under applicable law;
• How we protect your data using technical and organisational measures;
• Disclaimers, limitations of liability, and indemnifications applicable to data processing on our Platform;
• How to contact us with queries, complaints, or requests.

This Policy is to be read alongside our Terms of Service, Cookie Policy, and any service-specific terms that may apply to particular features of the Platform.

Scope of Policy

This Privacy Policy applies to all interactions with Curefleet, including but not limited to:

• Accessing or browsing the Curefleet website(s) or mobile applications;
• Creating, registering, or maintaining a User account;
• Searching for, booking, or scheduling appointments with Healthcare Partners;
• Uploading medical records, prescriptions, diagnostic reports, or health documents;
• Engaging in teleconsultations, home healthcare, vaccination scheduling, or pharmacy orders;
• Booking ambulance services through the Platform;
• Interacting with AI-powered features, chatbots, symptom checkers, or recommendation engines;
• Making payments through the Platform's integrated payment infrastructure;
• Communicating with Curefleet's customer support, grievance, or care teams;
• Participating in surveys, feedback mechanisms, promotions, or research programmes;
• Using any API, SDK, widget, or embedded tool operated by Curefleet.

This Policy applies to all registered Users, guest Users, prospective Users, Healthcare Partners accessing the platform on their own behalf, and any other natural person whose personal data is processed by Curefleet (collectively, "Data Principals" or "Users" or "you").

This Policy does not govern: the privacy practices of independent Healthcare Partners listed on the Platform; third-party websites or applications accessible via links on the Platform; social media platforms on which Curefleet maintains a presence; or any data processed exclusively by a Healthcare Partner in connection with clinical services rendered directly to a patient outside the Platform's functional scope.

Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings ascribed to them below:

Consent

Curefleet obtains and processes personal data, including sensitive personal data, on the basis of informed, free, and affirmative consent. By accessing or using the Platform, creating a User account, or submitting any personal or health information through the Platform, you provide express consent to the collection, use, storage, processing, and disclosure of your personal data as described in this Privacy Policy.

Consent is separately sought and documented for specific high-sensitivity data operations, including but not limited to: sharing of health records with Healthcare Partners; use of health data for AI model training and improvement (subject to anonymisation or pseudonymisation wherever technically feasible); use of sensitive personal data for research and analytics purposes; receipt of marketing and promotional communications.

Where you provide personal data of any third person (such as a family member whose appointment you book), you represent and warrant that you have obtained all necessary consents from such third person on their behalf, that you are legally authorised to provide such data to Curefleet, and that you have informed such person about this Privacy Policy.

Consent to this Privacy Policy constitutes your understanding and acknowledgment that:

• Healthcare services are rendered by independent Healthcare Partners and not by Curefleet;
• The Platform is an intermediary and facilitation technology and cannot guarantee specific medical or diagnostic outcomes;
• AI-generated outputs on the Platform are informational and are not medical advice;
• Emergency medical situations may require direct engagement with emergency services (dial 112 in India) rather than reliance on this Platform.

Categories of Information Collected

Curefleet collects information through multiple channels — information you provide directly, information generated through your use of the Platform, information received from Healthcare Partners and other third parties, and information inferred from other data we hold. The categories of information collected are set out in detail in Sections 6 through 25 of this Policy.

We collect only such information as is necessary, adequate, relevant, and limited to the purposes for which it is processed, consistent with the principle of data minimisation under applicable law. We do not knowingly collect data beyond what is described in this Policy without seeking your fresh consent.

We collect the following categories of basic personal information directly from you at the time of account creation, use of the Platform, or provision of services:

• Full legal name, as provided by you;
• Date of birth and age;
• Gender identity;
• Nationality and country of residence;
• Mobile phone number (used as primary account identifier);
• Email address;
• Residential address, PIN code, city, and state;
• Profile photograph (where voluntarily uploaded);
• Government-issued identification numbers (such as Aadhaar number, PAN, Passport number) — only where required for regulatory compliance, identity verification, or as required by a Healthcare Partner in connection with services rendered;
• Emergency contact details, including name, relationship, and phone number of a nominated person.

In the ordinary course of operating a healthcare technology platform, Curefleet collects and processes significant quantities of sensitive personal data and information (SPDI) as defined under the SPDI Rules, 2011, including:

• Physical, physiological, and mental health conditions;
• Medical records and history;
• Biometric data (if and where collected for identity verification or specific service requirements, with separate explicit consent);
• Financial information including bank account details, credit card or debit card information, UPI identifiers, and other payment instrument details;
• Sexual orientation or sexual health information (where voluntarily disclosed by you in a healthcare context);
• Passwords and authentication credentials for your Curefleet account.

Curefleet collects detailed health and medical information in connection with the provision of healthcare facilitation services. This includes, without limitation:

• Chief complaints and symptoms described by you;
• Current and past medical diagnoses;
• Current medications, dosages, and treatment histories;
• Surgical and hospitalisation histories;
• Known allergies, adverse drug reactions, and contraindications;
• Family medical history (where voluntarily provided);
• Mental health records and psychological assessments;
• Pregnancy status and obstetric history (where relevant and voluntarily provided);
• Vaccination history and immunisation records;
• Diagnostic and pathology reports, lab results, radiology reports, and imaging (CT, MRI, X-ray, ultrasound);
• Prescriptions and doctor notes uploaded or generated through the Platform;
• Height, weight, BMI, blood pressure, blood glucose, oxygen saturation, and other biometric health measurements;
• Substance use history (where voluntarily disclosed in a healthcare context).

When you access the Platform through any device, we automatically collect the following device-level information:

• Device type, make, model, and operating system version;
• Unique device identifiers (IMEI, UDID, IDFA, GAID, or equivalent);
• Mobile network operator and SIM card information (where accessible);
• Browser type and version;
• Screen resolution and display settings;
• Device language and regional settings;
• Hardware configuration and available storage;
• Installed applications on the device (only where necessary for specific Platform functionalities and with your consent).

Curefleet's servers automatically collect technical data regarding your use of the Platform, including:

• Internet Protocol (IP) address and approximate geographic location derived therefrom;
• Date, time, and duration of access sessions;
• Pages, screens, and features accessed and time spent on each;
• Referral URLs (the webpage from which you navigated to the Platform);
• Search queries entered on the Platform;
• Error logs, crash reports, and performance data;
• Network connection type and speed;
• API call logs and endpoint access records.

Cookies and Tracking Technologies

Curefleet uses cookies, web beacons, pixel tags, local storage, session storage, and similar tracking technologies (collectively, "Cookies") to enhance your experience on the Platform, analyse usage patterns, personalise content, and deliver targeted communications.

We use advanced analytics technologies to measure and analyse how Users interact with the Platform. These tools may include: session replay tools that record anonymised user interactions for UX improvement; funnel analytics to understand drop-off points in key user journeys; A/B testing frameworks to evaluate design and feature variants; cohort analysis tools to understand user retention and lifecycle; heatmap and click-tracking tools; and real-time event streaming systems.

Data collected through analytics tools is used in aggregated and anonymised form wherever possible. Where individual-level analytics data is retained, it is protected by the security measures described in Section 46.

You may control and manage Cookie preferences through our Cookie Consent Manager accessible on the Platform. You may also configure your browser to block or delete Cookies. However, disabling certain Cookies may impair the functionality of the Platform or prevent access to certain features. Please refer to our Cookie Policy for detailed information on our Cookie practices and your options.

Location Information

Curefleet collects and processes your location data for a variety of service delivery purposes critical to the Platform's functioning. Location data may be collected at different levels of precision depending on the service you use and the permissions you have granted.

• Precise GPS Location: Collected with your explicit permission via your device's GPS sensor when you use services such as ambulance tracking, home healthcare scheduling, nearest clinic or pharmacy search, and real-time service matching.
• Approximate Location: Derived from IP address, Wi-Fi network data, mobile tower triangulation, or Bluetooth signals — used for general service personalisation and regional content.
• Manually Entered Locations: Addresses and PIN codes you enter when booking services, setting delivery addresses, or registering your account.
• Background Location: Collected only where explicitly consented to for specific features such as real-time ambulance tracking or home visit scheduling; you may revoke this permission at any time through your device settings.

• Identifying and displaying nearest doctors, hospitals, clinics, pharmacies, diagnostic centres, and ambulance providers;
• Enabling accurate routing and estimated time of arrival (ETA) for ambulance and home healthcare services;
• Auto-populating service addresses for scheduling and logistics;
• Fraud detection and security — identifying anomalous location-based activity;
• Regulatory compliance — some healthcare regulations require verification of User location for telemedicine and prescription services;
• Anonymised, aggregated location analytics for Platform and network optimisation.

Curefleet does not sell precise location data to third-party advertisers. Location data shared with Healthcare Partners is limited to what is necessary for the specific service requested.

Communication Data

Curefleet collects and retains communication records generated through the Platform for the purposes of service delivery, quality assurance, dispute resolution, regulatory compliance, and Platform safety.

• In-Platform Messaging: Messages, notes, and communications exchanged between Users and Healthcare Partners through the Platform's secure messaging features;
• Consultation Transcripts: Where permitted and disclosed, transcriptions or summaries of video or audio teleconsultations;
• Support Communications: Records of communications with Curefleet's customer support, grievance, and clinical care coordination teams — including emails, chats, tickets, and call recordings;
• Automated Notifications: Records of SMS, push notifications, email, and in-app messages sent by Curefleet to you, and your interactions with such communications;
• Feedback and Reviews: Written reviews, star ratings, and feedback submitted about Healthcare Partners or Platform services.

Where calls to customer support are recorded, you will be notified of such recording at the commencement of the call. Recordings are retained for quality assurance, training, dispute resolution, and legal compliance purposes for a period not exceeding such time as may be required under applicable law or internal retention schedules, whichever is longer.

Payment Information

Curefleet facilitates payments between Users and Healthcare Partners through integrated, third-party compliant payment infrastructure. Curefleet does not directly store full credit card numbers, CVVs, full debit card details, or banking passwords on its own servers.

• Transaction identifiers and references;
• Amount, currency, date, and time of each transaction;
• Masked card numbers (last four digits only) and card type for display and identification purposes;
• UPI Virtual Payment Addresses (VPAs);
• Bank account details (where used for refund purposes, subject to applicable regulations);
• Payment gateway-assigned tokens or reference numbers;
• Transaction status records (success, failure, pending, refund);
• Billing address associated with payment instruments (where provided);
• GST-related billing details where applicable.

Payment processing is carried out by Payment Card Industry Data Security Standard (PCI-DSS) compliant third-party payment service providers. Curefleet's role is limited to passing transaction parameters to and receiving status information from such payment processors. By using the Platform's payment features, you also agree to the terms and privacy policies of such payment processors.

Payment data is used solely for the purpose of completing transactions, processing refunds, resolving payment disputes, generating invoices and receipts, detecting and preventing payment fraud, and complying with applicable tax and financial regulations.

Healthcare Service-Specific Information

When you book or engage in a consultation through the Platform, Curefleet collects and processes detailed consultation-related information, including:

• Chief complaints and presenting symptoms as described by you in pre-consultation questionnaires or chat interfaces;
• Duration, frequency, and severity of symptoms;
• Relevant medical history provided in connection with the consultation;
• Consultation date, time, mode (video, audio, text, in-person), and duration;
• Name, specialisation, and registration number of the treating doctor or healthcare professional;
• Consultation notes, clinical observations, and doctor-generated summaries (where available through the Platform);
• Diagnoses, differential diagnoses, or clinical impressions recorded by the Healthcare Partner;
• Treatment recommendations, advice, referrals, and follow-up schedules;
• Prescriptions generated or uploaded in connection with the consultation;
• Diagnostic and investigation orders placed by the Healthcare Partner.

Consultation information is shared with the relevant Healthcare Partner conducting the consultation. It may also be accessed by Curefleet's technical and quality assurance teams for Platform integrity, fraud prevention, and regulatory compliance purposes.

Where you use telemedicine services facilitated through the Platform, Curefleet processes additional information in compliance with the Telemedicine Practice Guidelines, 2020 issued by the Ministry of Health and Family Welfare, Government of India, and the Board of Governors of the Medical Council of India:

• Verification of your identity and age for purpose of telemedicine regulation compliance;
• Consent records for telemedicine consultation (affirmative acknowledgment required by applicable guidelines);
• Video session metadata including session identifiers, connection quality, and technical parameters;
• Audio/video recordings of consultations (only where separately consented to by both Patient and Healthcare Partner);
• Digital prescriptions generated by the Healthcare Partner in compliance with applicable norms.

Where you book ambulance services through the Platform, Curefleet processes the following information for the purpose of facilitating that service:

• Precise pickup location (GPS coordinates and address);
• Intended destination (hospital, clinic, or other specified location);
• Nature of medical emergency or condition (as described by the requestor) — used for matching appropriate ambulance type;
• Contact number for the patient and the person making the booking;
• Real-time GPS tracking data of the dispatched ambulance;
• Ambulance provider details, driver identity, and vehicle registration number;
• Time of booking, dispatch, pickup, and completion;
• Payment data related to the ambulance booking.

When you use pharmacy services facilitated through the Platform, Curefleet collects:

• Prescription details — medicines ordered, dosages, and prescribing doctor details;
• Prescription images or digital prescriptions uploaded for dispensing;
• Delivery address and delivery time preferences;
• Payment information for pharmacy orders;
• Order status records, delivery tracking data, and confirmation records;
• Refill reminders consented to by you.

Prescription medicines may only be dispensed against a valid prescription from a registered medical practitioner. Curefleet and its pharmacy partners are prohibited from dispensing Schedule H, H1, and X drugs without a valid prescription under the Drugs and Cosmetics Act, 1940 and applicable rules.

For diagnostic services facilitated through the Platform:

• Test requisitions and orders (including doctor-referred and self-referred tests);
• Sample collection details — time, location (home/centre), type of sample;
• Patient preparation instructions and compliance records;
• Diagnostic reports, pathology results, and radiology interpretations;
• Comparative and historical test records where maintained on the Platform;
• Billing records for diagnostic services.

For home healthcare services (nursing, physiotherapy, elder care, wound care, IV therapy, etc.) facilitated through the Platform:

• Home address and entry/access instructions;
• Clinical instructions provided by the prescribing or referring doctor;
• Care plans, nursing notes, and visit records;
• Healthcare professional identity, qualifications, and visit schedule;
• Progress notes and patient condition assessments (where entered into the Platform by the Healthcare Partner);
• Billing records for home healthcare services.

For vaccination services facilitated through the Platform:

• Prior vaccination history and immunisation certificates;
• Vaccine type, brand, batch number, and dose number;
• Vaccination date, time, and administering healthcare professional;
• Post-vaccination observation period and adverse event records (if any, as reported by you);
• Co-WIN or equivalent government immunisation registry data (where applicable and consented).

AI and Automated Systems

Curefleet operates, integrates, or may in the future deploy artificial intelligence (AI), machine learning (ML), natural language processing (NLP), and automated decision-support systems in connection with various Platform features, including but not limited to symptom checking, appointment recommendations, health record summaries, medicine interaction alerts, and care pathway suggestions.

AI and automated systems on the Platform may process the following categories of data:

• Symptom descriptions and health questionnaire responses;
• Medical history and health records uploaded to the Platform;
• Search queries and browsing patterns on the Platform;
• Appointment history and healthcare utilisation patterns;
• Diagnostic reports and structured health data where available;
• Aggregated and anonymised health data from the Platform's broader user population (for model training, where separately consented).

Subject to your separate consent, Curefleet may use anonymised or pseudonymised data derived from Platform usage to train, improve, validate, and refine AI and ML models used on the Platform. Where such use of data for model improvement is contemplated, we will seek explicit, granular consent from you. You may withdraw such consent at any time through your account privacy settings.

User Generated Content and Third-Party Information

The Platform may enable you to submit, upload, post, or otherwise contribute content, including health records, diagnostic reports, prescriptions, profile photographs, reviews, testimonials, forum posts, and other materials (collectively, "User Content").

By submitting User Content, you: (a) represent and warrant that you own all rights in such content or have the necessary permissions to submit it; (b) grant Curefleet a non-exclusive, royalty-free, worldwide licence to use, process, store, and display such content to the extent necessary to provide the services; and (c) acknowledge that you are solely responsible for the accuracy and legality of all User Content you submit.

Curefleet does not verify the accuracy, authenticity, or completeness of any User Content. You should not submit User Content that contains false, misleading, or fraudulent health information, as this may result in inadequate or inappropriate services being facilitated on your behalf.

Curefleet may receive personal information about you from third parties, including:

• Healthcare Partners: Diagnoses, prescriptions, clinical notes, and appointment records created by Healthcare Partners during the course of services facilitated through the Platform;
• Insurance Companies and Third-Party Payers: Coverage details, pre-authorisation information, and claim records (where you have used the Platform in connection with health insurance services);
• Government Registries: Information received from government immunisation registries (e.g. Co-WIN) where you have authorised such data sharing;
• Payment Service Providers: Transaction verification and fraud screening data;
• Identity Verification Services: KYC data from regulated identity verification providers where required;
• Referrers: Basic information about you provided by another User who referred you to the Platform;
• Analytics and Attribution Partners: Aggregated marketing attribution data linking your arrival on the Platform to specific campaigns or channels.

Information received from third parties is combined with the information we collect directly from you to provide a more complete and accurate service experience. All such information is subject to the protections and purposes described in this Policy.

How We Use Your Information

Curefleet processes personal data on the following legal bases under the DPDPA, 2023 and applicable Indian law:

We use your information primarily to provide, maintain, and improve the Platform's services, including:

• Creating and managing your User account;
• Processing appointment bookings, service requests, and healthcare facilitation;
• Displaying relevant Healthcare Partners based on your location, health needs, and preferences;
• Sending appointment confirmations, reminders, and post-consultation follow-ups;
• Processing payments and managing transaction records;
• Enabling communication between Users and Healthcare Partners through the Platform;
• Maintaining your health records and documents stored on the Platform;
• Facilitating prescription uploads and digital prescription management;
• Coordinating ambulance dispatch, home healthcare, and diagnostic sample collection logistics.

We process personal data for the prevention, detection, investigation, and prosecution of fraud, abuse, and security threats, including:

• Identifying and verifying the identity of Users to prevent impersonation and fraudulent account creation;
• Monitoring transaction patterns to detect suspicious or potentially fraudulent payment activity;
• Analysing access logs and session data to detect unauthorised account access;
• Running automated risk scoring on transactions and service requests;
• Investigating complaints of abuse, misuse, or fraudulent representations;
• Cooperating with law enforcement and regulatory authorities in connection with investigations.

We use data — primarily in aggregated, anonymised, or pseudonymised form — to improve the Platform's features, performance, reliability, and User experience, including:

• Analysing feature usage patterns to prioritise product development;
• Conducting A/B tests and user experience research;
• Identifying and resolving technical issues, bugs, and performance bottlenecks;
• Developing new services and features;
• Conducting aggregate public health or epidemiological research in anonymised form (with applicable ethical approvals).

Subject to your consent and to applicable law, we may use your contact information to send you:

• Promotional offers, discounts, and health packages relevant to your usage patterns;
• Health awareness content, wellness tips, and preventive care recommendations;
• Information about new Platform features, services, and Healthcare Partner additions;
• Survey invitations and feedback requests;
• Seasonal health campaigns and vaccination drives.

You may opt out of marketing communications at any time by clicking "Unsubscribe" in any marketing email, by adjusting your notification preferences in your account settings, or by contacting us at Care@curefleet.com. Opting out of marketing communications will not affect your receipt of transactional communications relating to services you have requested.

Regardless of your marketing preferences, Curefleet will send you transactional communications necessary for the operation of your account and the services you have requested, including appointment confirmations and reminders, payment receipts and invoices, service status updates, prescription refill alerts, critical health reminders, account security notifications, and significant changes to terms or policies.

Sharing of Information

Curefleet does not sell your personal data to any third party for monetary consideration. However, we share your personal data in the following circumstances, as described below:

When you book an appointment, consultation, diagnostic service, pharmacy order, ambulance, home healthcare visit, or vaccination through the Platform, we share with the relevant Healthcare Partner the minimum personal and health data necessary to enable that specific service. This may include your name, contact details, health information you have provided in connection with that service, appointment details, and payment confirmation.

Important: Healthcare Partners are independent entities that operate under their own professional ethical obligations, privacy policies, and regulatory frameworks. Curefleet does not control the data practices of Healthcare Partners once data is shared with them for service delivery purposes. You are encouraged to review the privacy policies of Healthcare Partners you engage with through the Platform.

Curefleet enters into data processing agreements with Healthcare Partners where technically and contractually feasible, requiring them to process User data only for the purpose of delivering the requested service and to implement appropriate security measures.

We engage third-party service providers and data processors who process personal data on our behalf, under our instructions, and subject to contractual data protection obligations. Categories of such service providers include:

• Cloud computing and data storage providers (including AWS, Google Cloud, Microsoft Azure, or equivalent);
• Payment processing and gateway services;
• Identity verification and KYC service providers;
• Analytics and business intelligence platforms;
• Customer relationship management (CRM) and support software providers;
• Push notification and messaging service providers;
• Map, geolocation, and routing service providers;
• Cybersecurity and fraud detection service providers;
• AI and machine learning infrastructure providers.

Curefleet may disclose your personal data to government authorities, law enforcement agencies, courts, or regulatory bodies in the following circumstances:

• Where required or compelled by applicable law, court order, or legal process;
• Where requested by a competent authority in the exercise of its statutory powers;
• Where necessary to comply with legal obligations under the IT Act, DPDPA, or other applicable regulations;
• Where disclosure is necessary to detect, prevent, or investigate cybercrime, fraud, or other illegal activities;
• Where the Ministry of Health, Central Drugs Standard Control Organisation (CDSCO), or other health regulatory authorities request data in connection with a public health emergency or disease surveillance;
• Where directed by the Data Protection Board of India established under the DPDPA, 2023.

Where legally permissible and reasonably practicable, Curefleet will notify you of any such request before making a disclosure.

In the event of a merger, acquisition, demerger, amalgamation, restructuring, sale of business, assignment of assets, insolvency proceedings, or change of control involving Curefleet, your personal data may be transferred to the acquiring entity or surviving entity as part of such transaction. We will take reasonable steps to ensure that the acquiring entity is bound by data protection obligations consistent with this Policy, and we will notify you of any material change in control that affects how your data is processed.

Curefleet primarily stores and processes data within India. However, certain service providers and technology infrastructure components may involve processing of data outside India. Where data is transferred outside India, Curefleet ensures such transfer is:

• Permitted under the DPDPA, 2023 and any notifications or rules issued by the Central Government thereunder;
• Subject to contractual safeguards requiring the recipient to maintain standards equivalent to those under this Policy;
• Limited to countries or jurisdictions approved by the Government of India for such data transfers.

Data Retention

Curefleet retains personal data for the period necessary to fulfil the purposes set out in this Privacy Policy, subject to any longer retention periods required by applicable law, regulation, court order, or legitimate business necessity.

Upon expiry of the applicable retention period, personal data will be securely deleted or anonymised in accordance with industry-standard practices. Requests for early deletion are subject to the limitations described in Section 16.4.

Security Measures and Encryption

Curefleet implements reasonable security practices and procedures as required under Rule 8 of the SPDI Rules, 2011, including the internationally recognised ISO/IEC 27001 Information Security Management Standard. Our security programme encompasses the following controls:

• Technical Controls: Firewalls, intrusion detection and prevention systems (IDS/IPS), endpoint security, vulnerability management programmes, patch management, database activity monitoring, and network segmentation;
• Access Controls: Role-based access control (RBAC), principle of least privilege, multi-factor authentication (MFA) for privileged access, privileged access management (PAM) systems, and regular access reviews;
• Operational Controls: Security awareness training for all staff handling personal data, background verification for employees with access to SPDI, data classification policies, and incident response procedures;
• Physical Controls: Secure data centre facilities with physical access controls, surveillance, and environmental monitoring;
• Third-Party Risk Management: Security assessments of key data processors and service providers, contractual security obligations in all data processing agreements.

• Data in Transit: All data transmitted between your device and Curefleet's servers is encrypted using Transport Layer Security (TLS) 1.2 or higher with strong cipher suites;
• Data at Rest: Health data, SPDI, and sensitive financial data stored on Curefleet's infrastructure is encrypted at rest using AES-256 encryption or equivalent;
• Database Encryption: Sensitive database fields containing SPDI are encrypted at the application level;
• Key Management: Encryption keys are managed using dedicated key management services (KMS) with access controls and audit trails;
• API Security: All API endpoints are secured with authentication tokens, rate limiting, and input validation.

In the event of a personal data breach that is likely to result in high risk to your rights and freedoms, Curefleet will notify the Data Protection Board of India and affected Data Principals in accordance with the timelines and procedures specified under the DPDPA, 2023 and applicable rules. Notification will include, where feasible, a description of the nature of the breach, the data categories affected, the approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.

Your Rights as a Data Principal

Under the Digital Personal Data Protection Act, 2023 and applicable Indian law, you have the following rights with respect to your personal data processed by Curefleet:

You have the right to obtain confirmation from Curefleet as to whether your personal data is being processed, and if so, to access a summary of such data, the purposes of processing, and the identities of entities with whom such data has been shared. You may exercise this right by submitting a written request to our Grievance Officer or through your account settings. Curefleet will respond to your request within the timeline specified under applicable law.

You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data held by Curefleet. You may directly edit most profile and account information through the Platform. For health records and other complex data, you may submit a correction request through your account or by contacting Care@curefleet.com. Curefleet will update the relevant data within a reasonable time and will notify any third parties with whom such data was shared of the correction, where feasible.

You have the right to request the erasure of personal data that is no longer necessary for the purposes for which it was collected, subject to Curefleet's legitimate need to retain such data for legal, regulatory, fraud prevention, or dispute resolution purposes. The right to erasure is not absolute and may be limited by:

• Legal obligations requiring retention (e.g. tax records, healthcare records regulations);
• Legitimate interests of Curefleet in relation to ongoing legal proceedings or disputes;
• Public interest in archiving, research, or statistical purposes;
• Safety and fraud prevention requirements.

Where processing is based on your consent, you have the right to withdraw consent at any time. Withdrawal of consent will not affect the lawfulness of processing conducted prior to withdrawal. Upon withdrawal, Curefleet will cease processing your data for the specified purpose. However, withdrawal of consent may result in inability to access certain Platform features that depend on such processing. You may withdraw consent through your account settings or by contacting Care@curefleet.com.

You have the right to have your grievances addressed by Curefleet's designated Grievance Officer. If your grievance is not satisfactorily resolved by the Grievance Officer, you have the right to approach the Data Protection Board of India established under the DPDPA, 2023.

Under the DPDPA, 2023, you have the right to nominate an individual who will, in the event of your death or incapacity, exercise your data protection rights on your behalf.

You may request closure of your Curefleet account at any time by contacting Care@curefleet.com or through the account deletion feature in the Platform. Upon account closure: (a) your personal data will be processed only for such purposes and for such periods as required by applicable law; (b) you will lose access to health records, appointment history, and documents stored on the Platform; (c) any pending transactions or service commitments must be resolved before account closure can be completed.

Children's Privacy

The Curefleet Platform is primarily designed for use by adults (persons who have attained the age of eighteen years). We recognise, however, that parents and guardians legitimately use the Platform to manage healthcare for minors in their care, and we facilitate this responsibly.

Curefleet does not knowingly collect personal data directly from children below eighteen years of age without verifiable parental or guardian consent. Where a minor's health information is provided by a parent, legal guardian, or authorised caregiver through the Platform, such information is collected on the basis of the adult's account and consent.

Parents and guardians who use the Platform on behalf of minors are responsible for:

• Providing accurate information about the minor in their care;
• Ensuring the minor's health data is used only for legitimate healthcare facilitation purposes;
• Monitoring and managing access to the Platform in relation to any minor for whom they are responsible.

Consistent with Section 9 of the DPDPA, 2023, Curefleet does not engage in tracking, behavioural monitoring, targeted advertising, or processing that is likely to cause harm to children.

If Curefleet becomes aware that personal data of a minor below eighteen years has been collected without adequate parental consent or in violation of applicable law, we will take reasonable steps to delete such data as soon as practicable.

International Users

The Curefleet Platform is operated from India and is primarily designed for use by residents of India. The services facilitated through the Platform are subject to Indian healthcare regulations, telemedicine guidelines, pharmaceutical laws, and data protection law.

If you access the Platform from outside India, please be aware that:

• Your personal data will be transferred to and processed in India, where data protection laws may differ from those in your country of residence;
• Curefleet's obligations are governed by Indian law, and you consent to the jurisdiction of Indian courts and regulatory authorities with respect to your data;
• Certain healthcare services facilitated through the Platform may not be available to, or appropriate for, Users located outside India due to regulatory restrictions;
• Digital prescriptions and certain clinical services may only be provided to patients physically located in India under applicable telemedicine guidelines.

Third-Party Services and Websites

The Platform integrates or links to a variety of third-party services, including payment gateways, mapping providers, social media login providers, video conferencing tools, and embedded insurance or pharmacy services. When you interact with these third-party services, your data may be collected and processed by those third parties under their own privacy policies and terms, over which Curefleet has no control.

Third-party service providers integrated with the Platform may include, without limitation: Razorpay, PayU, Paytm, CCAvenue, or other payment processors; Google Maps, MapMyIndia, or equivalent mapping services; Firebase, Google Analytics, Mixpanel, or equivalent analytics tools; Twilio, Exotel, MSG91, or equivalent communication platforms; AWS, Google Cloud, Microsoft Azure, or equivalent cloud infrastructure providers.

The Platform may contain links to third-party websites, including Healthcare Partner websites, insurance portals, government health portals, and other healthcare resources. Curefleet is not responsible for the privacy practices, content, or data security of any linked third-party website. We encourage you to review the privacy policies of any third-party website you visit through links on the Platform.

Disclaimers

Telemedicine consultations facilitated through the Platform involve the transmission of sensitive personal and health data over digital networks. While Curefleet implements industry-standard encryption and security measures for in-Platform communication, you acknowledge and understand that:

• No digital communication channel is entirely free from the risk of interception or technical failure;
• Healthcare Partners may maintain their own consultation records independently of the Platform, subject to their own privacy practices;
• The clinical decision-making, record-keeping, and data management practices of individual doctors or Healthcare Partners are not under Curefleet's control;
• The legal requirements applicable to medical record confidentiality (such as those under the Indian Medical Council Act and MCI Regulations) bind the Healthcare Partner, not Curefleet in its capacity as a technology intermediary.

Curefleet does not independently verify, validate, or certify the accuracy of any personal data, health information, medical records, diagnostic reports, or other information provided by Users or Healthcare Partners through the Platform. You are solely responsible for ensuring that all information you submit through the Platform is accurate, complete, current, and truthful. Curefleet expressly disclaims any liability arising from the provision of inaccurate, incomplete, false, or misleading information by any User or Healthcare Partner, to the maximum extent permitted by applicable law.

Limitation of Liability

To the maximum extent permitted by applicable Indian law, Curefleet Technologies Private Limited, and each of its directors, officers, employees, shareholders, promoters, advisors, affiliates, subsidiaries, contractors, licensors, technology partners, investors, agents, and authorised representatives (collectively, "Curefleet Parties"), shall not be liable for any loss, damage, injury, claim, or expense of any nature arising from or in connection with the following:

• Any medical outcome, clinical result, treatment decision, therapeutic outcome, or health condition, whether or not connected to services facilitated through the Platform;
• Any misdiagnosis, missed diagnosis, delayed diagnosis, or failure to diagnose by a Healthcare Partner;
• Any delay in the provision of treatment, medical attention, or healthcare services by a Healthcare Partner;
• Any negligence, misconduct, malpractice, breach of duty, or professional failure on the part of any Healthcare Partner, doctor, nurse, technician, or other healthcare professional connected with the Platform;
• Any adverse drug reaction, medication error, or pharmaceutical harm arising from prescriptions dispensed by a Healthcare Partner;
• Any incorrect, incomplete, or inappropriate treatment administered by a Healthcare Partner;
• Any clinical decision made by a Healthcare Partner on the basis of health information submitted by you through the Platform.

• Any delay in ambulance dispatch, arrival, or transportation attributable to the ambulance operator, traffic conditions, road conditions, or force majeure events;
• Any unavailability of ambulance services at the time of booking;
• Any clinical outcome attributable to the response time or quality of ambulance service;
• Any harm arising from reliance on the Platform in lieu of contacting national emergency services during a life-threatening emergency.

• Any internet connectivity outage, network failure, or disruption attributable to the User's internet service provider or mobile network operator;
• Any failure, malfunction, or downtime of the Platform or any of its features;
• Any device failure, software incompatibility, or hardware malfunction on the User's end;
• Any failure of third-party payment infrastructure, resulting in failed payments, double charges, or non-receipt of funds;
• Any failure of third-party technology services integrated with the Platform;
• Any data loss arising from a technical failure, cyberattack, or force majeure event, notwithstanding Curefleet's implementation of reasonable security measures;
• Any communication failure between the User and a Healthcare Partner attributable to network, device, or platform issues.

• Any harm, injury, or adverse consequence arising from reliance on AI-generated outputs, automated recommendations, symptom assessments, risk scores, or clinical summaries produced by the Platform's AI features;
• Any decision made by a User or Healthcare Partner on the basis of AI-generated outputs.

• Any action, omission, negligence, or misconduct of any third party including Healthcare Partners, payment processors, logistics providers, or other service providers;
• Any data breach or security incident caused by a third-party service provider or data processor, notwithstanding contractual security obligations;
• Any inaccuracy or failure in data provided by third-party sources integrated with the Platform.

• Any harm arising from inaccurate, incomplete, false, or misleading information submitted by you or any other User through the Platform;
• Any harm arising from failure to update personal data or health information on the Platform.

Indemnification

To the fullest extent permitted by applicable law, you agree to defend, indemnify, and hold harmless Curefleet and each of the Curefleet Parties from and against any and all claims, liabilities, damages, losses, costs, expenses, and fees (including reasonable legal fees and court costs) arising from or relating to:

• Your access to or use of the Platform in violation of applicable law or these terms;
• Any inaccurate, false, incomplete, or misleading information provided by you through the Platform;
• Your breach of this Privacy Policy, the Terms of Service, or any other applicable Platform policy;
• Your infringement of any third party's intellectual property, privacy, or other rights through use of the Platform;
• Any claim arising from information provided by a third party whose data you submitted to the Platform without proper consent;
• Your negligent, reckless, or fraudulent use of the Platform;
• Any dispute between you and a Healthcare Partner in connection with services facilitated through the Platform.

This indemnification obligation shall survive the termination or expiry of your use of the Platform and the closure of your account.

Changes to This Policy

Curefleet reserves the right to update, amend, or revise this Privacy Policy at any time to reflect changes in our business practices, applicable law, regulatory requirements, or service offerings. We are committed to providing Users with meaningful notice of material changes.

When we make material changes to this Policy, we will:

• Update the "Last Revised" date displayed at the top of this Policy;
• Send a notification to your registered email address or mobile number describing the nature of the changes;
• Display a prominent notice on the Platform for a period of at least thirty (30) days following the date of change;
• In certain cases, seek fresh consent from you before applying significant changes to how we process your sensitive personal data.

Your continued use of the Platform following the effective date of any revised Policy constitutes your acceptance of such changes. If you do not agree to the revised Privacy Policy, you should discontinue use of the Platform and may request account closure as described in Section 17.7.

All prior versions of the Privacy Policy are archived and available upon written request to Care@curefleet.com.

Contact Information and Grievance Redressal

If you have any questions, concerns, complaints, or requests regarding this Privacy Policy, the processing of your personal data, or the exercise of your data protection rights, please contact us through the following channels:

Grievances will be acknowledged within forty-eight (48) hours of receipt and resolved within thirty (30) days, or such shorter period as may be prescribed under applicable law. Where a grievance cannot be resolved within thirty (30) days, we will inform you of the reasons for the delay and the expected timeline for resolution.

If you are not satisfied with the resolution provided by our Grievance Officer, you have the right to approach the Data Protection Board of India, established under Section 18 of the DPDPA, 2023, for adjudication of your complaint. Information on the Board and the complaint procedure will be available at the official website of the Ministry of Electronics and Information Technology (MeitY) and the Data Protection Board once operationalised.

Sharing with Doctors and Individual Healthcare Professionals

When you book an appointment, initiate a teleconsultation, or request a second opinion through the Platform, Curefleet shares the following categories of your personal and health data with the specific doctor or healthcare professional you engage:

• Full name, age, gender, and contact details as required to identify the patient and facilitate communication;
• Chief complaints, symptoms, and pre-consultation health questionnaire responses submitted by you;
• Relevant medical history, including prior diagnoses, current medications, allergies, and surgical history, where provided by you on the Platform;
• Medical records, diagnostic reports, prescriptions, and health documents uploaded by you in connection with the specific consultation;
• Appointment date, time, mode of consultation, and prior consultation notes available on the Platform;
• Payment confirmation to the extent necessary for the Healthcare Partner to verify the appointment booking.

The doctor or healthcare professional receiving this data is independently bound by the professional code of conduct of the National Medical Commission, applicable state medical council regulations, and the Indian Medical Council Act, 1956, which impose strict duties of patient confidentiality. Curefleet is not responsible for the data handling practices of the individual Healthcare Partner once data is transmitted for the purpose of the consultation.

Curefleet does not share your health data with doctors for marketing, research, or any purpose other than the delivery of the specific consultation service you have requested.

Sharing with Hospitals and Clinics

When you book an in-person appointment, procedure, or hospital admission through the Platform, Curefleet may share the following with the relevant hospital or clinic:

• Patient demographic data — full name, date of birth, gender, contact number, and address;
• Appointment or admission details — date, time, department, and nature of visit;
• Health summary or chief complaints provided in the pre-booking questionnaire;
• Emergency contact information where provided;
• Health insurance or third-party payer details, where provided by you and relevant to the service;
• Payment confirmation or booking reference for the hospital engagement;
• Any health documents you specifically authorise to be shared with that hospital.

Hospitals and clinics operating on the Platform maintain their own medical records systems and are independently responsible for maintaining the confidentiality of patient records under the Clinical Establishments (Registration and Regulation) Act, 2010 and applicable state healthcare regulations. Curefleet does not access, control, or manage patient records held within a hospital's internal systems.

Sharing with Ambulance Providers

When you initiate an ambulance booking through the Platform, Curefleet shares operational data with the dispatched ambulance service provider strictly to the extent necessary to facilitate the service:

• Name and mobile number of the person placing the booking;
• Name, age, and gender of the patient requiring transport (where provided);
• Precise pickup location in GPS coordinates and/or human-readable address;
• Intended destination facility;
• Nature of medical condition as described by the requestor — used to dispatch the appropriate ambulance type;
• Booking reference number and payment status.

Ambulance Partners are contractually required to use data shared by Curefleet solely for the purpose of executing the specific booking and not for marketing, profiling, or data trading.

Sharing with Pharmacies

When you order prescription or over-the-counter medicines through the Platform, Curefleet shares the following with the fulfilling pharmacy partner:

• Patient name, age, gender, and delivery address;
• Prescription details — medicines ordered, strength, quantity, and dosage instructions;
• Prescribing doctor's name and registration number as appearing on the uploaded prescription;
• Prescription image or digital prescription document, where required for dispensing scheduled drugs;
• Contact number for delivery coordination;
• Payment status and order reference.

Pharmacies operating on the Platform are licensed under the Drugs and Cosmetics Act, 1940 and applicable state pharmacy regulations, and are independently responsible for verifying prescription validity, maintaining dispensing records, and ensuring patient data confidentiality. Curefleet does not independently verify the authenticity of prescriptions uploaded by Users, but may implement automated and manual review processes to detect potentially fraudulent or altered documents.

Sharing with Diagnostic Centres and Pathology Providers

When you book a diagnostic test, pathology investigation, or radiology scan through the Platform, Curefleet shares the following with the relevant diagnostic laboratory or imaging centre:

• Patient full name, age, gender, date of birth, and contact number;
• Test requisition details — tests ordered, referring doctor's name and registration number, clinical indication where provided;
• Sample collection preference — home collection address and time, or centre appointment date and time;
• Relevant health information provided in any pre-test questionnaire;
• Payment status and order reference number.

Diagnostic reports generated by the laboratory or imaging centre are shared back with the Platform and made available in your health records, as well as shared with the referring doctor where you have authorised such sharing. Diagnostic Partners are independently accredited bodies responsible for the analytical accuracy of their reports. Curefleet is not responsible for errors, inaccuracies, or delays in diagnostic results attributable to the diagnostic provider's own processes.

Sharing with Government Authorities and Regulators

Curefleet cooperates fully with competent government authorities where legally required. We may disclose your personal data to government bodies, law enforcement agencies, regulatory bodies, or courts in the following circumstances:

• Legal Compulsion: A lawfully issued court order, judicial summons, search warrant, production order, or equivalent legal instrument;
• Regulatory Investigation: Requests by the Data Protection Board of India, MeitY, Ministry of Health and Family Welfare, CDSCO, IRDAI, RBI, or any other competent regulatory authority in connection with a regulatory inquiry;
• Law Enforcement: Requests under the CrPC, 1973, PMLA, 2002, IT Act, 2000, or any other applicable statute conferring such authority;
• Public Health Emergency: Government invocations under the Epidemic Diseases Act, 1897 or Disaster Management Act, 2005 for disease surveillance or contact tracing;
• Tax and Financial Compliance: Disclosures required by the Income Tax Department, GST authorities, or financial regulators.

Where legally permissible and operationally practicable, Curefleet will notify you prior to making any governmental disclosure. Curefleet will review the legal validity and proportionality of every governmental data request and will not comply with requests that are manifestly unlawful or overbroad.

Sharing During Legal Proceedings and Dispute Resolution

Curefleet may disclose personal data, including health data, communication records, payment records, and transactional data, in connection with legal proceedings or dispute resolution in the following circumstances:

• Litigation, arbitration, or mediation involving Curefleet as a party, where disclosure is necessary for the conduct of the proceedings;
• Consumer disputes filed before the National Consumer Disputes Redressal Commission, State Commissions, or District Forums;
• Complaints or proceedings before the Data Protection Board of India;
• Insurance claims investigations where health data is required to assess claim validity;
• Fraud investigations or criminal proceedings where Curefleet has filed a complaint;
• Enforcement of Curefleet's Terms of Service against a User or Healthcare Partner.

Data disclosed in connection with legal proceedings will be limited strictly to what is necessary for the specific proceeding. Curefleet will seek protective orders wherever legally available to limit public exposure of sensitive personal or health data.

Sharing During Corporate Transactions

In connection with any merger, demerger, acquisition, business combination, sale or transfer of business undertaking or assets, restructuring, insolvency, or change of control involving Curefleet (collectively, a "Corporate Transaction"), personal data held by Curefleet may be:

• Disclosed to prospective acquirers, investors, or transaction counterparties during due diligence, subject to confidentiality agreements;
• Transferred to the acquiring or surviving entity as part of the transaction closing;
• Processed by legal, financial, and technical advisors retained in connection with the transaction, under strict confidentiality obligations.

In the event of a Corporate Transaction resulting in data transfer to a third party, Curefleet will provide you with notice to the extent permissible under applicable law, require the recipient entity to honour the commitments in this Privacy Policy, and seek fresh consent where the transaction results in a material change to how your sensitive personal data is processed.

Cross-Border Data Transfers

Curefleet's primary data storage and processing infrastructure is located within India. However, certain operations — including data backup, AI model computation, analytics processing, and technical support — may involve transfer of data to servers located outside India.

• Transfers are made only to countries notified by the Central Government of India under Section 16 of the DPDPA, 2023 as permissible destinations;
• In the absence of a government-approved list, transfers are governed by contractual data protection clauses equivalent to the protections in this Policy;
• Recipients are contractually bound to implement security measures equivalent to those applied by Curefleet;
• Sensitive personal data and health data are processed in India wherever architecturally possible.

The following jurisdictions may be involved in Curefleet's data processing operations: United States of America (cloud infrastructure and AI services); Singapore (regional data hubs and CDN nodes); European Union member states (analytics and SaaS tools). All operations are governed by the contractual safeguards described above.

Cookies Policy — Extended Reference

Cookies are small text files placed on your device by a website or application when you visit it. They are widely used to make websites work efficiently, to improve user experience, to provide secure login sessions, and to provide analytics information to website operators. Cookies may be session-based (deleted when you close your browser) or persistent (remaining on your device for a defined period or until deleted).

First-party cookies are set by Curefleet directly for core Platform functionality, user preferences, authentication, and Platform-level analytics. Third-party cookies are set by our service partners — including payment processors, analytics providers, customer support tools, and advertising networks — and are governed by those third parties' own privacy and cookie policies.

• Web Beacons / Pixel Tags: Tiny invisible image files embedded in emails and web pages to track opens, clicks, and page visits;
• Local Storage and Session Storage: Browser-based storage mechanisms used to retain user preferences and session data locally on your device;
• Mobile SDKs: Code libraries integrated into our mobile applications enabling analytics, crash reporting, push notifications, and feature tracking;
• Device Fingerprinting: Collecting non-identifiable technical parameters to generate a probabilistic device identifier for fraud detection purposes;
• UTM Parameters: URL-appended parameters tracking the source of traffic to the Platform for marketing attribution.

You may control cookies through: our Cookie Consent Manager accessible at any time through Platform Privacy Settings; your browser settings to block or delete cookies (note: blocking essential cookies impairs functionality); your device's advertising identifier reset features; or disabling automatic image loading in your email client to prevent pixel tracking. Refusing non-essential cookies will not affect your access to the core healthcare facilitation features of the Platform.

AI Features — Extended Disclaimer

Curefleet may offer AI-powered features including: symptom checkers and triage tools; health risk assessment engines; medicine interaction checkers; appointment recommendation systems; health record summarisation tools; clinical decision support information; personalised wellness content; chatbots and conversational AI assistants; and predictive analytics for chronic disease management.

Curefleet strongly, emphatically, and unconditionally recommends that you consult a qualified, licensed, and registered healthcare professional before acting upon or relying upon any AI-generated output from this Platform. AI outputs should be used only as a starting point for discussion with your healthcare provider, and never as a final clinical determination.

To the maximum extent permitted by applicable law, Curefleet disclaims all liability for any harm, injury, worsening of condition, delayed diagnosis, missed diagnosis, adverse drug event, hospitalisation, or death arising from reliance on any AI-generated output, or from any decision made by a User or Healthcare Partner based on such outputs.

Telemedicine — Extended Privacy Disclaimer

Telemedicine services facilitated through the Platform are governed by the Telemedicine Practice Guidelines, 2020 issued by the Ministry of Health and Family Welfare, Government of India and the Board of Governors in supersession of the Medical Council of India. These Guidelines impose specific obligations on registered medical practitioners conducting teleconsultations, including patient identification, prescription issuance, and maintenance of consultation records.

• Video/Audio Session Data: Curefleet's Platform may facilitate the technical infrastructure for sessions but does not routinely record consultations without separate explicit consent from both the patient and the healthcare professional;
• Digital Prescriptions: Governed by the Telemedicine Guidelines, which impose restrictions on prescription of certain drug schedules via telemedicine;
• Consultation Summary: A structured summary including diagnosis and treatment recommendations may be generated and stored on the Platform;
• Follow-up Records: Records of follow-up consultations, prescription refills, and treatment continuity are maintained as part of your health record.

• No digital communication channel is entirely free from risk of interception;
• The quality and security of your connection depends in part on your device, internet connection, and local network;
• Healthcare professionals may take their own notes or recordings in accordance with clinical record-keeping obligations — Curefleet is not responsible for such practices;
• Third-party video conferencing infrastructure may independently collect technical session data under its own privacy policy;
• Curefleet strongly recommends using a private device and secure private network for all teleconsultations.

Emergency Services — Extended Disclaimer

The Curefleet Platform is a healthcare facilitation and discovery technology designed for scheduled and planned-care settings. It is not designed, equipped, tested, or approved as an emergency medical dispatch or emergency response system.

• Cardiac Events: Chest pain, tightness, or pressure; suspected heart attack; cardiac arrest;
• Stroke: Sudden facial drooping; arm or leg weakness (especially one side); sudden difficulty speaking; sudden severe headache; sudden vision changes;
• Respiratory: Severe difficulty breathing; respiratory distress; cessation of breathing; drowning;
• Bleeding: Severe or uncontrolled bleeding; suspected internal bleeding; haemorrhage following trauma;
• Neurological: Loss of consciousness; seizures; severe head or spinal injury; suspected drug overdose;
• Severe Allergic Reactions (Anaphylaxis): Sudden throat swelling, difficulty swallowing, hives combined with breathing difficulty;
• Serious Trauma: Road accidents, falls from height, significant burns, penetrating injuries;
• Obstetric Emergencies: Severe bleeding during pregnancy; eclampsia; imminent delivery outside clinical setting;
• Mental Health: Active suicidal ideation with intent or means; active self-harm; dangerous behaviour.

Curefleet does not own, operate, staff, or clinically supervise any ambulance vehicle. Ambulance availability through the Platform is not guaranteed. Response times depend entirely on the ambulance operator and prevailing conditions. Curefleet accepts no liability for ambulance non-availability, delayed dispatch, delayed arrival, or any clinical consequence arising therefrom.

Curefleet's AI-powered triage tool must not be used to assess whether a situation constitutes a medical emergency. If you have any doubt, treat it as an emergency and call 112 immediately.

Data Accuracy — Extended Disclaimer

You are solely and entirely responsible for ensuring that all personal data, health information, medical history, current medication lists, allergy information, diagnostic results, and other data you provide through the Platform is accurate, complete, and current. The quality of healthcare facilitation delivered through the Platform is fundamentally dependent on the accuracy of information you submit.

• Inappropriate or potentially harmful clinical recommendations by Healthcare Partners acting on incorrect information;
• Incorrect prescriptions or inappropriate medication dispensing;
• Failure to identify contraindications, drug interactions, or allergies with potentially serious health consequences;
• Misinterpretation of your health risk profile by AI tools;
• Incorrect matching with an inappropriate Healthcare Partner specialty;
• Delays in appropriate care due to reliance on inaccurate medical history.

Curefleet does not independently verify, validate, authenticate, or cross-check any health data, medical history, prescription, diagnostic report, vaccination record, or other health-related document submitted by a User. We are a technology intermediary and do not have the clinical expertise, legal authority, or technical means to verify the accuracy of health data in real time.

Clinical notes, prescriptions, diagnostic reports, and other health data generated by Healthcare Partners are the responsibility of the respective Healthcare Partners. If you believe a clinical record contains an error, contact the relevant Healthcare Partner directly for correction.

Security Monitoring and Threat Intelligence

• Security Operations Centre (SOC): Round-the-clock monitoring of security event logs, network traffic, access logs, and anomaly indicators;
• Intrusion Detection and Prevention: Automated systems scanning for known attack patterns, vulnerability exploitation attempts, and anomalous network behaviour;
• Web Application Firewall (WAF): Filtering of malicious HTTP traffic, SQL injection, XSS, and OWASP Top 10 attack vectors;
• DDoS Protection: Infrastructure-level protection against distributed denial-of-service attacks;
• API Security: Rate limiting, authentication enforcement, input validation, and schema validation on all API endpoints.

• Regular penetration testing by qualified third-party security professionals;
• Automated vulnerability scanning of infrastructure, application code, and dependencies;
• Responsible disclosure programme for external security researchers;
• Timely patching of identified vulnerabilities under a risk-based patching policy.

Security monitoring necessarily involves the collection and analysis of certain personal data — including IP addresses, device identifiers, session logs, and access records — solely for detecting and responding to security threats. This processing is conducted under legitimate interest and legal obligation under the IT Act, 2000. Security data is retained for the minimum period necessary for security operations and legal compliance and is not used for any commercial purpose.

Home Healthcare — Privacy Considerations

Home healthcare services (including nursing care, physiotherapy, elder care, wound management, IV therapy, post-surgical care, and palliative care) facilitated through the Platform involve unique privacy considerations because they are rendered at your residential or specified address:

• Address Data: Your precise residential or care address is shared with the home healthcare provider to enable the visit and is treated as sensitive location data;
• Access Instructions: Entry codes or building instructions you provide are shared only with the assigned healthcare professional and are not retained beyond the care engagement;
• Care Plans: Clinical care plans are shared between the assigning doctor, the home healthcare provider, and relevant Curefleet support staff for care coordination purposes;
• Visit Records: Digital records of visit completion and clinical observations may be entered by the healthcare professional into the Platform and made available to you and the referring doctor;
• Emergency Protocols: Home healthcare professionals are instructed to contact emergency services (112) immediately in the event of a clinical emergency during a home visit, independently of any Platform-mediated communication.

Home healthcare providers on the Platform are contractually bound to maintain the confidentiality of patient information and to implement appropriate security measures for data accessed or generated during home visits.

Vaccination Services — Privacy Considerations

• Immunisation History: Prior vaccination records uploaded by you are stored as sensitive health data and shared with vaccination providers only as necessary for the administration of the requested vaccine;
• Vaccine Administration Records: Details including vaccine name, manufacturer, batch number, dose number, administration site, and administering clinician are recorded and stored in your health record;
• Government Immunisation Registries: Where you consent, vaccination data may be reported to Co-WIN or equivalent government immunisation registry systems as required by applicable law;
• Adverse Event Reporting: If you report an adverse event following immunisation (AEFI), this information may be shared with the administering healthcare provider and, where required by law, reported to the CDSCO or equivalent pharmacovigilance authority;
• Vaccine Reminders: With your consent, Curefleet may send you reminders for due or overdue vaccine doses, including childhood immunisation schedules, travel vaccines, and annual influenza vaccinations.

Exercising Your Rights — Procedures and Timelines

• In-App: Through the Privacy Settings section of your Curefleet account for common self-service requests;
• Email: To Care@curefleet.com with the subject line "Data Rights Request — [Nature of Request]";
• Post: By written request to the Grievance Officer at the registered address of Curefleet Technologies Private Limited.

To protect your personal data from unauthorised access, Curefleet may require identity verification before processing a rights request via OTP confirmation, registered email verification, security questions, or government-issued photo ID. Verification requirements will be proportionate to the sensitivity of the data and the nature of the request.

• Manifestly unfounded or excessive (particularly repetitive) requests;
• Requests requiring breach of a legal obligation or court order;
• Data forming part of an active fraud investigation where erasure would prejudice proceedings;
• Where identity verification cannot be satisfactorily completed;
• Data relating to a third party whose rights would be adversely affected by disclosure.

Third-Party Responsibilities and Limitations

Every Healthcare Partner listed through the Platform is an independent, separately regulated entity. Healthcare Partners are not employees, agents, or representatives of Curefleet. Curefleet does not supervise, control, or direct the clinical practices, data governance practices, privacy policies, or information security measures of Healthcare Partners. The clinical relationship — and the associated fiduciary and ethical duties of confidentiality — exists between you and the Healthcare Partner, not between you and Curefleet.

Curefleet's role is limited to: (a) verifying that Healthcare Partners meet baseline registration and licensing requirements at onboarding; (b) providing the technology infrastructure through which information is transmitted; and (c) setting minimum contractual data protection standards in Partner agreements.

Payment processing is provided by independent PCI-DSS compliant payment service providers operating under their own privacy policies and security programmes. Curefleet is not responsible for data security incidents or privacy violations occurring within a payment processor's own systems.

Curefleet uses cloud computing infrastructure operated by globally recognised cloud service providers. The security of underlying physical and network infrastructure is the responsibility of the cloud provider, operating under their own certifications (ISO 27001, SOC 2) and service level agreements with Curefleet.

Where you log in using a social login or SSO service (such as Google or Apple ID), authentication is processed by that provider under their own privacy policies. Curefleet receives only the data shared by the SSO provider during authentication — typically name, email address, and profile picture. We do not receive your SSO provider password.

Special Provisions for Sensitive Personal Data

• Explicit Consent: SPDI is collected only with your explicit, informed, and documented consent, obtained separately from general Platform consent;
• Purpose Limitation: SPDI is processed strictly for the specified purpose for which consent was obtained;
• Need-to-Know Access: Internal access to SPDI is restricted to Curefleet personnel with a documented operational need and appropriate clearance level;
• Audit Logging: All internal access to SPDI is logged and subject to audit review;
• Prohibition on Sale: Curefleet does not sell, rent, or trade SPDI to any third party under any circumstances;
• Minimisation at Collection: We collect only the specific SPDI necessary for the identified purpose;
• Secure Destruction: SPDI is securely destroyed using NIST-approved data sanitisation methods upon expiry of the applicable retention period.

Mental health data — including records of psychiatric diagnoses, psychological assessments, therapy notes, medication for psychiatric conditions, and mental health-related clinical notes — is among the most sensitive categories of health data and is subject to the strictest confidentiality protections. Curefleet processes mental health data only where explicitly provided in connection with a healthcare service and does not use it for advertising, profiling, employment screening, insurance underwriting, or any non-clinical purpose.

Data relating to reproductive health, sexual health, sexual orientation, and gender identity (where voluntarily provided in a healthcare context) is processed with the highest level of confidentiality and is never used for profiling, targeted advertising, or any non-clinical purpose. Such data is shared only with the specific Healthcare Partner delivering the relevant health service, with your explicit knowledge.

Regulatory Compliance Framework

Curefleet's legal and compliance team maintains an ongoing programme of regulatory monitoring to identify and implement changes required by amendments to existing laws, new legislation, regulatory guidelines, and judicial decisions affecting data protection in India's healthcare technology sector.

Account Security — Your Obligations

Account security is a shared responsibility. You are required to:

• Maintain Confidentiality: Keep your account password, OTP codes, and authentication credentials strictly confidential. Curefleet will never ask for your password;
• Use Strong Passwords: Choose a strong, unique password not used for any other online service. Enable two-factor authentication where available;
• Secure Your Device: Ensure your device is protected by a screen lock, updated operating system, and current anti-malware protection;
• Report Suspicious Activity: Notify Curefleet immediately at Care@curefleet.com if you suspect unauthorised account access or credential compromise;
• Logout on Shared Devices: Always log out of your Curefleet account after use on shared, public, or borrowed devices;
• Do Not Share Accounts: Your Curefleet account is for your personal use only.

Curefleet is not responsible for unauthorised account access resulting from your failure to follow the security practices above, subject to our own obligations under applicable data protection law.

Data Minimisation and Purpose Limitation

We collect only the minimum personal data that is necessary, adequate, and relevant to the specific purposes identified in this Policy. We do not collect personal data speculatively or in anticipation of potential future uses for which consent has not been obtained. We regularly review our data collection practices to identify and remove data points that are no longer necessary for operational or legal purposes.

Personal data collected for a specific purpose will not be used for a different, incompatible, or unrelated purpose without obtaining fresh consent. Where Curefleet intends to use existing data for a new purpose, we will assess whether the new purpose is compatible with the original purpose and, if not, will seek fresh consent before proceeding.

Data is retained only for the period necessary to fulfil the purposes for which it was collected, subject to mandatory legal retention requirements. Our data retention schedule (Section 15) is reviewed annually to ensure ongoing compliance with the principle of storage limitation.

Anonymisation, Pseudonymisation, and Research Use

Curefleet may convert personal data into anonymised data from which all direct and indirect identifiers have been removed such that re-identification is not reasonably possible. Properly anonymised data is no longer personal data under applicable law and may be used for Platform analytics, research, public health insights, and AI model development without requiring consent. Curefleet applies rigorous anonymisation standards including removal of all direct identifiers, generalisation of quasi-identifiers, suppression of distinctive records, and technical re-identification risk testing.

Pseudonymisation involves replacing direct identifiers with artificial identifiers while retaining a separately stored key enabling re-identification. Pseudonymised data remains personal data under applicable law. Curefleet uses pseudonymisation as a risk-reduction technique for internal analytics and AI development where complete anonymisation would impair the technical purpose.

Curefleet may contribute anonymised, aggregate healthcare data to public health research, epidemiological studies, and healthcare system improvement initiatives, where appropriate ethical review, data use agreements, and government oversight frameworks are in place. All such contributions involve data that cannot be used to re-identify any individual.

Profiling and Automated Decision-Making

Profiling refers to automated processing of personal data to evaluate, analyse, or predict personal aspects relating to an individual such as health status, risk profile, behaviour, preferences, or interests. Curefleet engages in certain profiling activities in connection with Platform operation.

• Service Personalisation: Recommending relevant Healthcare Partners, health packages, and preventive health services based on your history, location, and stated interests;
• Informational Risk Indicators: Generating informational health risk indicators from health data you provide — these are informational outputs only and are not clinical assessments;
• Fraud Detection: Automated analysis of account activity, transaction patterns, and device/location data to identify potentially fraudulent behaviour;
• Content Personalisation: Tailoring health articles, wellness content, and Platform features to your profile and usage history.

Curefleet does not make decisions that produce significant legal or similarly significant effects on you through fully automated processing without human review. Where automated systems generate outputs that could materially affect your access to services, a human review step is required before such decisions are finalised. You may request human review of any automated decision that affects you by contacting Care@curefleet.com.

Platform Privacy Features and Controls

Curefleet provides you with in-Platform privacy controls to manage your data and preferences:

Grievance Redressal — Multi-Tier Mechanism

For common issues such as incorrect data, notification opt-out, and account security concerns, self-service resolution is available through Platform settings and in-app support chat. These pathways typically resolve issues within 24 to 48 hours.

For complex privacy complaints or unresolved Tier 1 issues, escalate to the designated Grievance Officer at Care@curefleet.com. The Grievance Officer will acknowledge within 48 hours and provide a substantive resolution within 30 days.

If your complaint remains unresolved after the Grievance Officer process, or if you believe Curefleet has violated your data protection rights under the DPDPA, 2023, you may file a complaint with the Data Protection Board of India. The Board has power to investigate, issue directions, and impose financial penalties on Data Fiduciaries for DPDPA violations.

Nothing in this mechanism prevents you from approaching competent courts in India. Where your complaint relates to a deficiency in service or unfair trade practice under the Consumer Protection Act, 2019, you may also file before the appropriate Consumer Disputes Redressal Forum at the District, State, or National level.

Policy Interpretation, Severability, and Entire Agreement

In this Privacy Policy: references to "include" or "including" shall be construed as "include without limitation"; section headings are for convenience only; references to statutes include all amendments, re-enactments, and subordinate legislation; words in the singular include the plural and vice versa; references to persons include legal persons, firms, and unincorporated bodies.

If any provision of this Privacy Policy is found by a court of competent jurisdiction to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it enforceable, or if modification is not possible, shall be severed. The validity of remaining provisions shall not be affected.

This Privacy Policy, together with the Terms of Service, Cookie Policy, and any service-specific addenda, constitutes the entire agreement between you and Curefleet with respect to the processing of your personal data.

No failure or delay by Curefleet in exercising any right under this Policy constitutes a waiver. No waiver is effective unless made in writing and signed by a duly authorised representative of Curefleet.

Curefleet may assign its rights and obligations under this Privacy Policy to a successor entity in connection with a Corporate Transaction. You may not assign your rights or obligations under this Policy to any third party.

Acknowledgement and Consent Summary

By using the Curefleet Platform, you expressly acknowledge, confirm, and agree to each of the following:

• You have read this Privacy Policy in its entirety and understand its contents;
• You consent to the collection, use, processing, storage, sharing, and transfer of your personal data and sensitive personal data as described in this Policy;
• You understand that Curefleet is a technology intermediary and not a healthcare provider, and that all clinical services are delivered by independent Healthcare Partners;
• You understand that AI-generated outputs are informational only, do not constitute medical advice, and you will consult a qualified healthcare professional before acting on such outputs;
• You will not rely solely on this Platform in emergencies — in any life-threatening situation you will call 112 immediately;
• You are responsible for the accuracy, completeness, and currency of all information you submit through the Platform;
• You consent to Curefleet sharing the minimum necessary personal and health data with Healthcare Partners for the purpose of delivering services you request;
• You understand your data may be processed by third-party service providers under contractual data protection obligations;
• You have reviewed the Terms of Service and understand this Privacy Policy forms an integral part thereof;
• You understand your rights as a Data Principal under applicable Indian law and know how to exercise them.