Privacy Policy

Last Updated: 08th December 2025

This Privacy Policy explains how Krsnaa Retail Private Limited (“KRPL”, “we”, “our”, “us”) collects, uses, processes, stores, shares, and protects personal data when you access or interact with our website, mobile application, or any digital services (collectively, the “Platform”).

This Policy is designed to reflect applicable Indian data protection requirements, including the Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

By accessing or using our Platform, you acknowledge and consent to the practices described in this Policy, unless processing is permitted without consent under applicable law.

Our Commitment to You
  • We do not sell or rent your personal data to anyone.
  • We believe in transparency regarding what data we collect and why.
  • We give you control over your data — access, correct, delete, withdraw consent, or raise a grievance.
  • We follow the principles of data minimisation: we collect only what is necessary, and use it only for lawful purposes.
  • We build our services with privacy and security by design and by default — similar to best practices adopted by leading global platforms.

Scope & Applicability

This Policy applies when you interact with us via:

  • Our website, digital portals, or mobile applications
  • Our retail or diagnostic facilities
  • Online or offline support and communications
  • Any channel where personal data is collected or processed

It applies to digital personal data — whether collected directly online, or collected offline and digitised later. This includes data collected within India or outside India when services are offered to individuals in India.

Definitions

Personal Data refers to any information that can directly or indirectly identify an individual, such as name, contact details, or identification number.

Sensitive Personal Data includes but is not limited to medical records, health or diagnostic information, biometric identifiers, prescriptions, treatment details, and any information classified as sensitive personal data under applicable Indian law.

Processing means any operation performed on personal data, including collection, recording, organisation, storage, sharing, updating, retrieval, or deletion.

What Personal Data We Collect

We may collect the following categories of personal data, only to the extent necessary:

  • Identity & Contact Details: Name, email, phone number, postal address, date of birth, gender, photo (if required), government ID information (where applicable).
  • Health & Medical Data: Medical history, diagnostic reports, prescriptions, appointment records, diagnostic or treatment details (as required to provide services).
  • Payment Information: We collect details related to your transactions, including order histories, payment method used, billing amounts, and transaction confirmations. We do not collect or store sensitive payment credentials such as card numbers, CVV, UPI PINs, or net banking passwords. These details are processed securely by authorised payment gateways.
  • Technical Data: Device/browser information, IP address, cookies, device ID, session details, analytics data — when you use our website or app.
  • Consent & Communication Preferences: Records of your consent / opt-ins / opt-outs; communication preferences; logs of communications (email, SMS, WhatsApp, call records) related to services.

We collect this data directly from you, or — where authorised — from medical professionals or service partners acting on your behalf.

How We Collect Data

We collect data through:

  • Website and app forms
  • Phone calls and customer support interactions
  • Emails and WhatsApp messages
  • Cookies and analytics trackers on the Platform
  • CCTV monitoring at physical centres (for safety and compliance)
  • Home sample collection staff
  • Authorised third-party healthcare partners

Why and How We Use Your Data

We process personal data only for specific, lawful purposes, such as:

  • To provide you with diagnostic, healthcare, retail-medical or allied services
  • For appointment booking, report generation, billing, and payment processing
  • To communicate with you — service updates, reports, reminders, support, or inquiries
  • To improve our services, internal operations, analytics, audits, and quality controls
  • To ensure system security, prevent fraud or misuse
  • To comply with legal, regulatory or medical-audit requirements (e.g. regulatory bodies, healthcare compliance)
  • Only with your explicit consent: to send promotional offers, newsletters, or service-related updates — with the ability to opt out any time

We do not process your data for purposes beyond what is disclosed at the time of collection.

Legal Basis for Processing

We process personal data only when one or more of the following lawful bases apply:

  • You have provided explicit, informed, specific, and unambiguous consent
  • Processing is necessary to deliver the services you have requested (contractual necessity)
  • Processing is required to comply with applicable laws or regulatory obligations
  • Processing serves our legitimate interests and does not override your fundamental rights and freedoms
  • Processing is necessary in the event of a medical or other emergency, where relevant

You may withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to such withdrawal.

Sharing & Disclosure — What Happens to Your Data

We do not sell personal data and share it only in limited circumstances consistent with this Privacy Policy and applicable law. Depending on the context, your personal data may be shared with:

  • Service providers and vendors: IT and cloud service providers, diagnostic partners, logistics and courier agencies, payment processors, communication and analytics providers, and other entities engaged to support our operations under appropriate contractual safeguards.
  • Healthcare professionals and partner facilities: Authorised doctors, laboratories, hospitals, or healthcare professionals involved in your diagnosis, treatment, or second opinions, as requested or consented by you or as reasonably necessary to provide services.
  • Financial institutions and payment intermediaries: Banks, card networks, and payment gateways that process your payments and handle refunds or chargebacks in accordance with their own regulatory obligations.
  • Regulatory, governmental, or judicial authorities: Where required under applicable law, regulation, or court or authority orders, or for the detection, prevention, or investigation of offences or security incidents.
  • Business transfers: In connection with any reorganisation, merger, acquisition, or transfer of business or assets, subject to the receiving entity continuing to handle personal data in a manner consistent with this Policy or providing equivalent protection.

Third parties with whom personal data is shared are expected to implement appropriate confidentiality and security measures and to use the data only for the specified purposes.

Third-Party Processors & Categories

KRPL engages only verified processors, including:

  • Cloud hosting providers
  • SMS / WhatsApp gateways
  • Payment gateways
  • Pathology and radiology lab partners
  • Customer support systems
  • Analytics and CRM tools

Data Storage, Security & Protection

We implement robust security measures, including encryption, secure servers, access controls, authentication, and regular security audits. We design our systems to minimise risk and protect data confidentiality, integrity, and availability. Disclaimer: Because no system is infallible, we cannot guarantee absolute security, but we promise to continuously update and improve our security standards.

Data Retention & Deletion

We retain your personal data only as long as needed to fulfil the purpose for which it was collected — or to meet legal, regulatory, accounting or audit requirements. Once no longer needed, data is securely deleted, anonymised, or archived.
You may also request deletion (subject to lawful exceptions), and we will comply within reasonable timelines.

Your Rights

Subject to applicable law and certain limitations, you may have rights in relation to your personal data, including:

  • Request access to the personal data we hold about you
  • Correct or update inaccurate or incomplete personal data
  • Request deletion or erasure of your personal data (subject to lawful requirements)
  • Withdraw your consent for processing at any time
  • Request data portability, where applicable
  • Nominate another person to exercise your data protection rights on your behalf in the event of death or incapacity
  • Raise grievances or complaints if you suspect misuse, unauthorised access, or breach of your personal data

Children’s Privacy

We do not knowingly collect or process personal data of minors (under 18 years) without explicit, verifiable parental or guardian consent. If we discover that a child’s data was inadvertently collected without consent, we will delete it immediately.

Cookies, Tracking & Analytics

When you use our website or digital platforms, we may use cookies and similar technologies to improve user experience, track usage, support analytics, and ensure site functionality.
You can manage or disable cookies via your browser settings. We strive to limit tracking to the minimum needed, in line with privacy-by-design best practices.

Cross-Border Data Transfers

If your personal data needs to be transferred outside India (for storage or processing), we will do so only under conditions permitted by the applicable laws, with adequate protections and only for lawful, consented purposes.

Transparency & Accountability

• We will clearly notify you at the time of data collection or before any new processing — about what data is collected, why, how long it will be kept, and how you may exercise your rights.
• We will appoint a dedicated Grievance / Data Protection Officer (DPO), as required under the applicable laws, especially if we qualify as a “Significant Data Fiduciary.”
• We will maintain logs of consent, data-processing activities, data access, and data-sharing to ensure auditability.
• We will conduct Data Protection Impact Assessments (DPIAs) where required, and implement suitable internal policies for data governance, breach response, and compliance.

Communication Consent

By using our services, you consent to receive transactional SMS, WhatsApp messages, emails, and calls, including OTPs, booking confirmations, test reports, and related updates.

Governing Law & Jurisdiction

This Policy, and any dispute, claim, or controversy arising from or relating to it, shall be governed by and construed in accordance with the laws of India. All disputes shall fall under the exclusive jurisdiction of the competent courts located in Pune, Maharashtra, India. In case of any enforcement or legal proceedings, both parties agree that Pune shall be the exclusive venue for resolution, without regard to conflicts of law principles.

Changes to This Policy

We may update this Privacy Policy from time to time (for regulatory, operational, or legal reasons). The updated version will always be posted on our website with the “Last Updated” date. We encourage you to review it periodically. Continued use of our Services after changes implies acceptance of new terms.

Contact & Grievance Redressal

If you have any questions, requests, or complaints about this policy or how we handle your personal data, you may contact our designated Grievance Officer / Data Protection Officer (DPO) at:

Krsnaa Retail Private Limited
S. No. 243, A-Hissa No. 6/6, CTS No. 4519,
Near Mayur Trade Centre, Chinchwad,
Pune, Maharashtra – 411 019, India
Grievance / DPO Name:

Please Note – Medical reports or health-related information will be shared with family members or authorised representatives only with your explicit consent, except where disclosure is required by law or in the event of a verified medical emergency.

All queries, access requests, or complaints will be handled in accordance with applicable Indian laws and KRPL’s internal grievance-handling procedures within legally prescribed timelines.