DPDP Compliance
Digital Personal Data Protection Act, 2023
Effective Date: 1 April 2025 · Last Updated: 13 April 2025 · Version 1.0
Nirogo Assist is designed from the ground up to comply with India's Digital Personal Data Protection (DPDP) Act, 2023. This page explains how we meet each key obligation of the Act as both a Data Fiduciary and a platform serving healthcare professionals.
1. Overview of the DPDP Act
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's comprehensive data protection legislation that governs the processing of digital personal data of individuals (Data Principals) within India. It establishes rights for individuals and obligations for organisations (Data Fiduciaries) that process personal data.
Nirogo Assist processes personal data of two types of individuals:
- Doctors (our users) — whose account and professional data we collect
- Patients — whose clinical data doctors enter into the platform
2. Our Role as Data Fiduciary
Under the DPDP Act, Nirogo Technologies Private Limited is the Data Fiduciary — the entity that determines the purpose and means of processing personal data.
For patient data entered by doctors, the treating doctor is also a Data Fiduciary under applicable medical law, and Nirogo acts as a Data Processor on their behalf. This means:
- Nirogo processes patient data only as instructed by the doctor (the platform's features)
- Doctors remain responsible for obtaining appropriate consent from their patients before entering data
- Nirogo does not use patient data for any purpose beyond providing the platform's features
3. Lawful Basis for Processing
We process personal data under the following lawful bases under the DPDP Act:
- Consent: We obtain explicit consent from doctors during account registration for processing their personal data. Consent is freely given, specific, informed, and revocable.
- Contractual Necessity: Processing of account data, consultation notes, and patient records is necessary to deliver the services described in our Terms of Service.
- Legal Obligation: We may process data where required by Indian law, court order, or regulatory authority.
- Public Health & Medical Purpose: Processing of health data in the context of medical care by licensed physicians falls under permitted processing for healthcare purposes.
4. Consent Management
- Consent is collected during account registration before any data processing begins
- Doctors can withdraw consent at any time by deleting their account
- Withdrawal of consent does not affect lawfulness of processing before withdrawal
- We use clear, plain language — no pre-ticked boxes or bundled consent
- Consent records are maintained with timestamps
Patient Consent: Doctors are responsible for obtaining and documenting patient consent for recording consultations, as required by the Indian Medical Council Regulations and applicable state laws. Nirogo Assist provides the tool; the doctor governs the consent workflow with patients.
5. Data Minimisation
We collect only what is strictly necessary for the platform to function:
- Doctor data: name, email, phone, specialty — minimum needed for account creation and communication
- Patient data: only what the doctor manually enters — we do not scrape or infer additional data
- Voice recordings are processed in real-time and not stored as audio files — only the text output is saved
- Analytics: aggregated and anonymised — no individual tracking
6. Purpose Limitation
Personal data collected for one purpose is not used for another without fresh consent. Specifically:
- Doctor data is used solely for account management and service delivery
- Patient clinical data is used solely to generate and display notes within that doctor's account
- Data is never used for advertising, sold to third parties, or shared with pharmaceutical companies
- Aggregated, anonymised data may be used for product improvement — never individual records
7. Data Localisation
In line with India's data sovereignty requirements:
- All Firestore data is stored in asia-south1 (Mumbai) — within India
- Authentication data is managed by Google Firebase (Google LLC) with servers in India
- Consultation transcripts are sent to OpenAI's API for processing — this involves cross-border transfer. We mitigate risk through OpenAI's API data processing agreement which prohibits use of API data for model training
- We are committed to maximising Indian data residency as infrastructure options expand
8. Security Safeguards
We implement appropriate technical and organisational measures as required by the DPDP Act:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest (Google Firebase default)
- Role-based access control — each doctor accesses only their own data
- Two-factor authentication (Google SSO + phone OTP) for account access
- Regular security reviews and vulnerability assessments
- Incident response plan with 72-hour breach notification commitment
9. Data Principal Rights
Under the DPDP Act, you (the Data Principal) have the following rights, which we honour:
- Right to Access: Request a summary of your personal data held by us. We will respond within 30 days.
- Right to Correction: Request correction of inaccurate or outdated personal data. You can update most data directly in the platform settings.
- Right to Erasure: Request complete deletion of your account and all associated data. We process deletion requests within 30 days.
- Right to Withdraw Consent: Withdraw your consent to data processing at any time. This will result in account termination, as processing is necessary for service delivery.
- Right to Grievance Redressal: Raise a complaint with our Data Protection Officer. We must acknowledge within 48 hours and resolve within 30 days.
- Right to Nominate: Nominate another individual to exercise your data rights in case of death or incapacity.
To exercise any right: privacy@nirogo.in
10. Processing of Children's Data
Nirogo Assist is intended exclusively for licensed medical professionals aged 18 and above. We do not knowingly collect data from individuals below 18 years of age.
Patient records may include data about minor patients entered by the treating doctor. Such data is processed solely within the doctor's clinical record and in the context of medical care, which is a permitted purpose under the DPDP Act.
11. Grievance Redressal
If you have a complaint about how we handle your personal data:
- Step 1: Email our Data Protection Officer at privacy@nirogo.in with the subject line "DPDP Grievance"
- Step 2: We will acknowledge your complaint within 48 hours
- Step 3: We will provide a resolution within 30 days
- Step 4: If unsatisfied, you may escalate to the Data Protection Board of India (once constituted under the DPDP Act)
Data Protection Officer
Nirogo Technologies Private Limited
Email: privacy@nirogo.in
Website: assist.nirogo.in
Response time: 48 hours for acknowledgement, 30 days for resolution