Privacy Policy
Last updated: 10 March 2026 · Effective: 10 March 2026
1. Introduction
This privacy policy explains how we collect, use, store, and protect your personal data when you visit arko.care (the "Website"). This policy is published in compliance with the Digital Personal Data Protection Act, 2023 (the "DPDP Act") and the Digital Personal Data Protection Rules, 2025 (the "DPDP Rules").
This policy applies only to the marketing website at arko.care. The Arko software application at app.arko.care is governed by a separate privacy policy.
2. Data Fiduciary
This Website is operated by Arko Healthcare Technologies Private Limited, a company incorporated under the laws of India, with its registered office at Bengaluru, Karnataka, India ("Arko", "we", "us", or "our").
As a Data Fiduciary under the DPDP Act, we determine the purpose and means of processing your personal data and are responsible for ensuring compliance with the Act.
3. Grievance Officer
In accordance with Section 8(10) of the DPDP Act, we have appointed a Grievance Officer for privacy-related matters:
Grievance Officer: The Privacy Team, Arko Healthcare Technologies Pvt. Ltd.
Email: [email protected]
Response timeline: We will acknowledge your communication within 48 hours and aim to resolve it within 30 days of receipt.
4. Personal Data We Collect
In accordance with Section 5 of the DPDP Act, we provide you with the following itemised description of the personal data we collect through this Website:
| Data Category | Specific Data | How Collected |
|---|---|---|
| Contact Information | Full name, email address, phone number | Contact/demo request form (you provide voluntarily) |
| Professional Information | Hospital/organisation name, bed count range | Contact/demo request form (you provide voluntarily) |
| Communication Content | Message text, enquiry details | Contact/demo request form (you provide voluntarily) |
| Newsletter | Email address | Newsletter signup form (you provide voluntarily) |
About Website Analytics
This Website uses Cloudflare Web Analytics, which is a cookieless, privacy-preserving analytics service. It collects only anonymous, aggregated data such as page views, referrer URLs, and country-level location. No personal data, IP addresses, or device identifiers are collected or stored through analytics. Since no personal data is processed, consent is not required for this purpose under the DPDP Act.
5. Purpose of Processing
We process your personal data only for the following specific purposes:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Responding to demo requests and enquiries | Name, email, phone, hospital name, message | Consent (Section 6) |
| Providing product information and scheduling demos | Name, email, phone, hospital name, bed count | Consent (Section 6) |
| Sending newsletter communications | Email address | Consent (Section 6) |
| Improving website content and user experience | Anonymous analytics only (no personal data) | Not applicable (no personal data) |
We do not process your personal data for any purpose other than those listed above. We do not sell, rent, or trade your personal data to third parties.
6. Consent
In accordance with Section 6 of the DPDP Act, we obtain your consent before collecting and processing your personal data:
- How consent is obtained: When you submit a contact form, demo request, or newsletter signup on this Website, you provide explicit consent by the affirmative action of clicking the submit button. No pre-checked boxes are used.
- Scope of consent: Your consent applies only to the specific purposes described in Section 5 above and is limited to the data you provide in the form.
- Withdrawing consent: You may withdraw your consent at any time by emailing [email protected] with the subject line "Withdraw Consent". Withdrawal is as simple as granting consent, as required by Section 6(4) of the DPDP Act. Upon withdrawal, we will cease processing your personal data and erase it within 30 days, unless retention is required by law.
- Consequences of withdrawal: If you withdraw consent, we will be unable to respond to your enquiry or provide you with product information. This will not affect the lawfulness of processing carried out before the withdrawal.
7. Data Retention
In accordance with Section 8(7) of the DPDP Act, we retain your personal data only for as long as necessary to fulfil the purpose for which it was collected:
| Data Category | Retention Period | Basis |
|---|---|---|
| Contact/demo form submissions | 2 years from submission, or until you request erasure (whichever is earlier) | Reasonable period to complete sales enquiry and follow-up |
| Newsletter subscriptions | Until you unsubscribe or request erasure | Ongoing consent |
| Anonymous analytics | Per Cloudflare's retention policy (aggregated, non-personal) | Not personal data |
When the retention period expires or consent is withdrawn, we erase your personal data within 30 days, unless we are required to retain it under applicable law.
8. Data Processors and Sharing
In accordance with Section 8(2) of the DPDP Act, we may engage Data Processors to process your personal data on our behalf under valid contracts. We remain responsible for all processing carried out by our processors.
| Processor | Purpose | Data Processed |
|---|---|---|
| Cloudflare, Inc. (USA) | Website hosting (Cloudflare Pages) and anonymous analytics (Cloudflare Web Analytics) | Website content delivery; anonymous usage statistics only (no personal data stored by analytics) |
We do not share, sell, rent, or trade your personal data with any other third parties. If we engage additional processors in the future, this policy will be updated accordingly.
9. Cross-Border Data Transfer
In accordance with Section 16 of the DPDP Act, we disclose that your personal data may be transferred outside India in the following circumstances:
- This Website is hosted on Cloudflare Pages, which uses a global content delivery network (CDN). When you access this website or submit a form, your data may transit through Cloudflare edge nodes located outside India.
- As of the date of this policy, the Central Government of India has not restricted data transfers to any specific country under Section 16(1) of the DPDP Act.
- Cloudflare implements appropriate technical and organisational security measures to protect data during transit and processing, including encryption in transit (TLS).
For details on Cloudflare's data handling practices, please refer to Cloudflare's Privacy Policy.
10. Your Rights as a Data Principal
Under the DPDP Act 2023, you have the following rights:
- Right to Access Information (Section 11): You may request a summary of the personal data we are processing about you, and the identities of all Data Processors with whom your data has been shared.
- Right to Correction and Erasure (Section 12): You may request correction of inaccurate or incomplete personal data, or erasure of your personal data. We will action erasure requests within 30 days.
- Right to Withdraw Consent (Section 6(4)): You may withdraw your consent at any time. See Section 6 above for the withdrawal process.
- Right to Grievance Redressal (Section 13): You have the right to raise a grievance about our data processing practices. See Section 11 below.
- Right to Nominate (Section 14): You may nominate another individual to exercise your rights under this policy in the event of your death or incapacity. To register a nomination, please email [email protected] with the subject line "Data Rights Nomination" along with the nominee's name, contact details, and your relationship.
How to exercise your rights: Send an email to [email protected] with the relevant subject line. We will verify your identity before processing your request and respond within 30 days.
11. Grievance Redressal
In accordance with Section 13 of the DPDP Act, we provide the following grievance redressal mechanism:
- Step 1 — Contact us: Email your grievance to [email protected] with the subject line "Privacy Grievance". Include a description of your concern and any relevant details.
- Step 2 — Acknowledgement: We will acknowledge your grievance within 48 hours of receipt.
- Step 3 — Resolution: We aim to resolve your grievance within 30 days of receipt. We will provide a written response explaining the outcome and any actions taken. If your request cannot be fulfilled, we will provide a written explanation of the reasons.
- Step 4 — Escalation: If you are not satisfied with our response, or if we fail to respond within the stated timeline, you may file a complaint with the Data Protection Board of India established under Section 18 of the DPDP Act.
12. Security Safeguards
In accordance with Section 8(4) of the DPDP Act, we implement reasonable technical and organisational security safeguards to protect your personal data from unauthorised access, disclosure, alteration, or destruction. These include:
- Encryption of data in transit using TLS (Transport Layer Security)
- Hosting on Cloudflare's secure infrastructure with built-in DDoS protection
- Access controls limiting data access to authorised personnel only
- Regular review of security practices and procedures
13. Data Breach Notification
In the event of a personal data breach affecting your data, we will, in accordance with Section 8(6) of the DPDP Act:
- Notify the Data Protection Board of India without unreasonable delay, with a detailed report within 72 hours of becoming aware of the breach.
- Notify you (the affected Data Principal) without unreasonable delay, providing details of the breach, its likely consequences, and the measures we are taking to address it.
14. Cookies and Tracking Technologies
This Website does not use cookies for analytics or tracking purposes. Cloudflare Web Analytics operates without cookies and does not collect personal data.
The only client-side storage used is a localStorage item ("arko-privacy-dismissed") to remember if you have dismissed the privacy transparency notice banner. This does not contain personal data and is stored only on your device.
15. Children's Data
This Website is not directed at children under the age of 18. In accordance with Section 9 of the DPDP Act, we do not knowingly collect personal data from children. If you believe that a child has submitted personal data through our forms, please contact us at [email protected] and we will promptly delete it.
16. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or in applicable law. Any changes will be posted on this page with an updated "Last updated" date. If we make material changes that affect how we process your personal data, we will provide prominent notice on our Website before the changes take effect.
17. Governing Law
This privacy policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025. Any disputes arising from this policy shall be subject to the jurisdiction of the Data Protection Board of India and the courts of Bengaluru, Karnataka, India.
18. Contact
For any questions, concerns, or requests regarding this privacy policy or our data practices, please contact us:
Arko Healthcare Technologies Private Limited
Email: [email protected]
General enquiries: [email protected]
Website: arko.care
Legal References
This policy is published in compliance with the following legislation:
- Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023)
- Digital Personal Data Protection Rules, 2025 (notified by MEITY)
- Information Technology Act, 2000 (as applicable)