Privacy Notice
Last updated: March 19, 2025
Welcome to ARHA (Alpha MD Rural Health Application)
ARHA, an integrated digital health platform developed by Alpha MD, is committed to safeguarding the privacy and security of the user’s personal data. Your privacy is of utmost importance to us. This Privacy Notice outlines who we are and how we/healthcare professionals collect, store, use, disclose, safeguard and/or share (‘process’) your data and personal health information in compliance with the Digital Personal Data Protection (DPDP) Act, 2023 of India and other applicable health regulations. This Notice also explains what your rights and duties are and how you can exercise your data protection rights.
Please read this notice carefully. By using ARHA, you agree to the practices described in this Privacy Notice.
Our name and contact details
Alpha MD Private Limited, 1st Floor, 315, Balgovind Wadi, New Prabhadevi Road, Prabhadevi, Mumbai – 400025
Questions or Concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you still have any questions or concerns, please contact our Data Protection Officer, Ms. Nishi Sharma at the email address nishi.sharma@alphamd.com
To contact Alpha MD’s Support Team: https://www.alphamd.com/connect-us
Further information about Alpha MD is available via our website: ARHA – Alpha MD
What we do
ARHA is an integrated digital health platform designed to tackle rural healthcare challenges and bridge the rural-urban health gap, ensuring a continuum of care that is accessible, affordable, and efficient. ARHA provides real-time patient health information to doctors, which helps them make informed decisions about their patients’ care.
It is designed to assist doctors and healthcare providers in creating and managing patient profiles, medical histories, case sheets, including chief complaints, vitals, examinations, investigation results, diagnosis, prescriptions, and other relevant healthcare data during patient visits.
Types of Users
The ARHA Service can be used by three types of users, each with specific access privileges and responsibilities in managing patient data:
- Doctors/Healthcare Providers: These are the primary users of the ARHA platform. Doctors and other healthcare professionals may use ARHA to create and manage patient profiles, medical histories, prescriptions, examination records, case sheets, and treatment plans. They are responsible for ensuring that patient data is entered accurately and securely.
- Medical Assistants/Nurses/Staff: These users may assist doctors in entering data such as patient examination results, vital signs, and other healthcare-related information. They may have limited access compared to doctors but still interact with patient data in a supportive role.
- Administrator: These users may have administrative access to the platform and manage user permissions, roles, and access controls within ARHA. Admins ensure the platform’s functionality and overall system maintenance, though they do not directly interact with patient health data unless necessary for operational issues.
Each type of user is granted access based on their role and responsibilities within the healthcare setting to ensure that patient data is handled with the utmost care and confidentiality.
What information do we collect?
ARHA collects the following two types of data:
- Patient Data (Data Subjects)
As part of the healthcare services provided via ARHA, doctors may enter various types of data into the platform for the purpose of registration and patient care. The data collected may include:
- Personal Identification Information: Patient Full Name, Date of Birth, Age, Gender, Contact Details, and Unique ID.
* When the patient’s unique ID card is scanned, ARHA does not allow any image capture in the device gallery or album used by doctors/healthcare professionals. ARHA only uses the data extracted from the unique ID card to auto-populate the patient registration form.
- Health Data: Medical history, health conditions, diagnostic results, medications, and other relevant health information.
- Clinical Data: Case sheets, treatment plans, examination results, prescriptions, and progress notes.
- Doctor’s Notes and Records: Any other healthcare-related information entered by doctors for managing patient care.
If you are a patient, we receive information about you in two ways:
- Via doctors/healthcare professionals or organisations who use the ARHA platform.
- If you contact us directly, for example through Email or Contact Form.
All personal information that you provide to the doctor must be true, complete, and accurate, and you must notify of any changes to such personal information.
- Doctors / Health and Care Professionals
ARHA also collects personal data related to doctors and healthcare professionals who use the platform. If you are working for a healthcare organization that uses ARHA, we receive information about you. The data collected may include:
- Personal Identification Information: Name, Contact details (email, phone number) and Qualifications.
- Professional Information: Medical license details and any other information required for managing the doctor’s profile within the platform.
- Usage Data: Information related to the usage of the ARHA platform, such as login data, interactions with the platform, and any actions performed within the system (e.g., entering patient data, viewing medical records).
- Information automatically collected: This information does not reveal your specific identity but may include device or usage information, such as:
- IP address
- Browser and device characteristics
- Operating system
- Pages visited
- Time spent on the app and other technical information
This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.
If you are a doctor/healthcare professional working for a healthcare organization that uses ARHA, we receive information about you in three ways:
- ARHA account registration – signed up by doctors
- Use of the ARHA platform by prescribing or doctor
Your doctor / healthcare professional is accountable for how your information is used in our platform (i.e., they are the “Data Fiduciary”). In case of service interruption, they either provide us with the information and instruct us how to use it. In such a case, Alpha MD therefore operates as a “Data Processor” on behalf of your doctor / healthcare professional, and we hold a legal agreement with them that sets out what we do with the data and how we keep it safe and secure.
How do we process your information?
The data entered into ARHA is used by doctors/healthcare professionals and authorized users for the following purposes:
- Patient Care – To provide accurate and timely medical care based on comprehensive patient records, including history, medications, diagnoses, and treatment plans.
- Medical Record Keeping – To maintain up-to-date patient profiles, case sheets, prescriptions, and other medical documentation.
- Compliance and Reporting – For legal, regulatory, and operational purposes related to healthcare services.
- Platform Improvement – To improve the functionality and usability of the ARHA platform, including feedback and usage data.
- Doctor Profile Management – To manage and update doctor profiles for administrative and professional purposes.
- To respond to user (Healthcare Professionals) enquiries / offer support to users (Healthcare Professionals) – We may process your information to respond to your inquiries and solve any potential issues you might have with the requested service.
- To send you marketing and promotional communications – We may process your information when necessary for our marketing purposes, if this is in accordance with the consent provided. You can opt out of our marketing emails, including newsletters and promotional materials at any time. For more information, see ‘WHAT ARE YOUR PRIVACY RIGHTS?’ below.
Legal Grounds for Processing Data
Under the DPDP Act, the legal grounds for processing personal data on ARHA are as follows:
- Performance of a Contract – Patient data is processed as part of the contract for healthcare services, including diagnosis, treatment, and other healthcare activities.
- Legal Obligation – Healthcare providers are required to maintain patient records and comply with healthcare regulations, making it necessary to process patient data.
- Vital Interests – In emergency situations, patient data may be processed to protect the life of the patient or others.
- Public Interest – Healthcare data may be processed for public health purposes, such as disease prevention, health monitoring, or healthcare quality assurance.
In most cases, explicit consent from the patient may not be required because the processing of their personal data is necessary for the healthcare treatment process or is governed by legal obligations. However, patients will be informed of the data being processed and its intended purpose, and they have the right to request access, correction, or deletion of their data in accordance with the DPDP Act. For more information, see ‘WHAT ARE YOUR PRIVACY RIGHTS?’ below.
How do we keep your information safe?
- We have put in place appropriate administrative, technical, and physical security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, destroyed, or accessed without authorisation.
- These measures include confidentiality agreements with third parties, secure development practices, security due diligence of service providers, and ISO 27001-based organisational security policies. We have also put in place procedures to deal with any suspected personal data breaches and will notify you and any applicable regulator of a breach where we are legally required to do so.
- Data Encryption: All your personal and health data is encrypted during transmission and storage to ensure privacy and security.
- Access Control: Access to data is restricted based on user roles and responsibilities. Only authorized users (doctors, healthcare providers, admins) can access patient or doctor data relevant to their responsibilities.
- Data Minimization: Only the necessary data for patient care, medical services, and platform operation is collected and processed.
- Security Audits: We conduct regular security checks to identify and resolve potential vulnerabilities.
- The ARHA platform continuously strives for, and has established, compliance with India’s Digital Personal Data Protection Act, 2023. This Act provides a framework for data protection, transparency, and accountability, ensuring that users have control over their personal data and that the organization handles it responsibly.
However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee or promise that hackers, cybercriminals or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal or modify your information.
Information disclosure and further use
We do not use, disclose, sell, share or rent your information to anyone except as described in this Privacy Notice.
We may share your data with third party vendors, service providers, contractors who perform services on our behalf and require access to such information to do that work. We give those organisations access only to the minimum personal information (for example, IP address or email address) to attain the objective or help you with your queries. They are bound by a contract and a duty of confidentiality to help safeguard your personal information.
The third parties we may share personal information with are as follows:
- Cloud Computing Service Provider (Amazon Web Services – AWS)
- Data Backup and Security (Google One Drive Backup)
- Functionality and Infrastructure Optimisation (Flairlabs Pvt. Ltd.)
- Google Analytics, or any other Analytical Tool
We may also need to share your information in the following scenarios:
- For Legal Compliance: We may disclose your information if required to do so by law or in response to legal processes or government requests.
- Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or portion of our business to another company.
- Business Partners – We may share your personal information with our business partners to offer you certain products, services or promotions.
Cookies and Tracking Technologies
ARHA may use cookies and other tracking technologies for functionality, security, and to improve the user experience. Doctors using the platform can manage cookie settings through their browser preferences, though disabling cookies may affect the performance of the platform.
What are your Privacy Rights?
Under the DPDP Act, patients and doctors have the following rights regarding their data:
- Access – Patients may request access to the data that has been recorded about them by healthcare professionals using ARHA. Doctors may also access the personal data held by ARHA regarding their professional profile and usage of the platform.
- Rectification – If any data entered into ARHA is inaccurate or incomplete, patients may request corrections from their healthcare provider. If any data related to a doctor’s professional profile is inaccurate or outdated, they may perform corrections.
- Erasure – Patients have the right to ask us to erase their personal data where it is no longer required for the purpose for which it was collected, subject to legal, regulatory, and operational obligations that require retention.
- Objection – Patients may request restrictions on how their data is processed, under specific conditions.
- Grievance redressal – Patients shall have the right to have readily available means of grievance redressal. You have the right to complain to the Data Protection Board of India, only after exhausting this opportunity of grievance redressal with the healthcare provider and Alpha MD.
- Nominate – You shall have the right to nominate, in such manner as may be prescribed, any other individual who shall, in the event of your death or incapacity, exercise your rights.
If you have any questions or comments about your privacy rights, you may email us at nishi.sharma@alphamd.com
What are your Duties?
With rights come duties. We encourage patients and doctors to perform the following duties:
- Not to impersonate another person while providing personal data or health information for a specified purpose.
- Not to suppress any material information while providing personal data for a specified purpose.
- Not to register a false or frivolous complaint or grievance with Alpha MD or the Supervisory Authority.
- Furnish only verifiably authentic information while exercising the right to rectification or erasure.
Retention of Data
We retain both patient and doctor data for as long as necessary for the purposes outlined in this Privacy Notice, including for medical records, legal obligations, and healthcare purposes. The data is retained on servers located in the AWS Mumbai Region in an encrypted mode. When data is no longer required, it will be securely deleted in accordance with applicable legal and regulatory requirements. Notification to the patients shall be sent 48 hours before erasure.
Cross-border Data Transfers
ARHA does not transfer your data to countries under India’s “negative list”. Where appropriate, cross-border transfers of Personal Data of individuals outside India are performed using lawful transfer mechanisms pursuant to DPDP. These agreements also incorporate the protections and requirements provided for under Chapter IV of the DPDP.
Processing of Child’s Data
ARHA may process children’s personal data (i.e., patients under 18 years of age) when entered by doctors for medical treatment. In compliance with the DPDP Act, ARHA ensures the following safeguards:
- For patients under 18 or a person with a disability, data is processed only under the authorization of a parent or lawful guardian. Doctors must ensure that the necessary verifiable consent is obtained before entering a child’s data into ARHA.
- ARHA does not process children’s data in a manner that is detrimental to their well-being.
- The platform does not use children’s data for any form of profiling, targeted advertising, or behavioural tracking.
Grievance Redressal Mechanism
ARHA takes your data protection questions and concerns seriously, and we are committed to resolving complaints about our collection or use of your data in a time-bound manner. If you believe your data protection rights have been infringed, we encourage you to contact us by sending an email to info@alphamd.com. In case of any breach, the healthcare professionals would be required to notify affected patients without delay. The Grievance Officer shall redress grievances expeditiously and within 7 days from the date of receipt of grievance.
Where your issue may be more substantive in nature, more information may be sought from you. If you are unsatisfied with the reply received, you may refer your complaint to the Data Protection Board of India.
Supplementary material
Doctors must ensure that patient’s personal data is:
- Processed lawfully, fairly and in a transparent manner.
- Collected only for specified, explicit and legitimate purposes.
- Adequate, relevant, and limited to what is necessary in relation to the services that we are providing you. This means we collect the minimum amount of personal data that we need to deliver an individual element of the service (Data minimisation).
- Accurate, consistent, and complete i.e. kept up to date.
Contact Us
If you have any questions or comments about this Notice, you may contact our Data Protection Officer (DPO) by email at nishi.sharma@alphamd.com or contact us by post at:
Alpha MD Private Limited
1st Floor, 315, Balgovind Wadi, Opposite Prabhadevi Temple
Prabhadevi, Mumbai – 400025, India
Changes to This Privacy Notice
This Privacy Notice may be updated periodically to reflect regulatory changes or improvements to ARHA. The updated version will be indicated by an updated ‘Revised’ date at the top of this privacy notice. We will notify you of any changes either by prominently publishing a notice on the platform/website or by directly sending you a notification about the new version. This may further trigger re-consenting of users before continued use of the app (if consent was the lawful basis).