Privacy Policy

Effective: 1 May 2025 · Last updated: 10 May 2025 · ADVAIT CHERISH CART PVT LTD

Introduction

This Privacy Policy describes how ADVAIT CHERISH CART PVT LTD and its affiliates (collectively "SettlHealth", "we", "our", "us") collect, use, share, protect, or otherwise process your information / personal data through our website https://settlhealth.in (hereinafter referred to as the "Platform").

Please note that you may be able to browse certain sections of the Platform without registering with us. We do not offer any product or service under this Platform outside India, and your personal data will primarily be stored and processed in India.

By visiting this Platform, providing your information, or availing any product or service offered on the Platform, you expressly agree to be bound by the terms and conditions of this Privacy Policy, the Terms of Use, and the applicable service / product terms and conditions, and agree to be governed by the laws of India, including but not limited to the laws applicable to data protection and privacy. If you do not agree, please do not use or access our Platform.

We process medical and identity documents as part of our core service. We treat this data with the highest level of security and do not sell your personal data to any third party.

1. Collection of Personal Data

We collect your personal data when you use our Platform, services, or otherwise interact with us during the course of our relationship. Some of the information we may collect includes but is not limited to:

Account & Identity Data

  • Personal data provided during sign-up or registration: full name, date of birth, address, telephone / mobile number, email ID, and any such information shared as proof of identity or address.
  • Government-issued identity documents: Aadhaar card (front & back), PAN card, or Passport — collected for KYC verification purposes.
  • Sensitive personal data collected with your explicit consent, such as bank account number and IFSC code (for claim payouts), and biometric or physiological information where applicable and opted for by you on the Platform, in accordance with applicable law.

Dependent Data

  • Name, date of birth, and relationship of enrolled dependents (spouse, children, parents).
  • KYC documents for dependents: Aadhaar card, birth certificate, or marriage certificate as applicable.

Medical & Claims Data

  • Medical prescriptions from registered medical practitioners.
  • Pharmacy bills, diagnostic test reports, and doctor consultation receipts submitted for claims.
  • Nature of illness or condition as stated in prescriptions.
  • Claim amounts, dates, status, and payout decisions.

Behavioural & Technical Data

  • We may track your behaviour, preferences, and other information you choose to provide on our Platform. This information is compiled and analysed on an aggregated basis.
  • IP address, browser type, device type, operating system, pages visited, session duration, and navigation patterns.
  • Authentication logs (login timestamps, token refresh events) and API request metadata for security and debugging purposes.
  • Information related to your transactions on the Platform and on third-party business partner platforms.

You always have the option to not provide information by choosing not to use a particular service or feature on the Platform. When a third-party business partner collects your personal data directly from you, you will be governed by their privacy policies. We are not responsible for third-party privacy practices and request you to read their policies prior to disclosing any information.

If you receive an email or call from a person claiming to be SettlHealth and seeking sensitive information such as your debit/credit card PIN, net-banking password, or mobile banking password — do not provide such information. Report it immediately to the appropriate law enforcement agency.

2. Use of Personal Data

We use your personal data to provide the services you request. Specifically, we use it to:

  • Process subscriptions, verify KYC, evaluate and process OPD claims, and issue payouts.
  • Assist service partners in handling and fulfilling service requests.
  • Enhance customer experience and personalise your Platform usage.
  • Resolve disputes, troubleshoot problems, and respond to customer support queries.
  • Inform you about online and offline offers, products, services, and updates. To the extent we use your personal data to market to you, we will provide you the ability to opt out of such uses.
  • Detect and protect against error, fraud, and other criminal or illegal activity.
  • Enforce our Terms of Use and other applicable policies.
  • Conduct marketing research, analysis, and surveys on an aggregated, anonymised basis.
  • Comply with legal obligations, regulatory requirements, and court orders.

You understand that your access to products / services may be affected in the event permission is not provided to us for the collection or processing of certain required information.

3. Sharing of Personal Data

We do not sell your personal data. We may share your personal data in the following limited circumstances:

  • Group entities & affiliates: We may share your personal data internally within our group entities, other corporate entities, and affiliates to provide you access to the services and products offered by them. These entities may market to you as a result of such sharing unless you explicitly opt out.
  • Payment processors: PhonePe (subscription payments and payouts). Governed by PhonePe's own privacy policy.
  • Third-party service providers: SMTP providers for transactional emails, cloud infrastructure providers (Render.com), and technology partners. These disclosures are required for us to provide our services. Data processing agreements are in place.
  • Employer organisations (Enterprise plan): Aggregate plan usage statistics may be shared with your employer (e.g., total claims processed). Individual medical records and prescriptions are never shared with employers.
  • Law enforcement & government agencies: We may disclose personal and sensitive personal data to government agencies or authorised law enforcement agencies if required to do so by law, or if we have a good-faith belief that such disclosure is necessary to respond to subpoenas, court orders, or other legal process.
  • Third-party rights & safety: We may disclose personal data to law enforcement offices, third-party rights owners, or others in the good-faith belief that such disclosure is reasonably necessary to enforce our Terms of Use or Privacy Policy; respond to claims that content violates the rights of a third party; or protect the rights, property, or personal safety of our users or the general public.

Your individual medical records, prescriptions, and diagnostic reports are never disclosed to your employer, third-party advertisers, data brokers, or any other unauthorised party.

4. Security Precautions

  • To protect your personal data from unauthorised access, disclosure, loss, or misuse, we adopt reasonable security practices and procedures in accordance with applicable law.
  • Data in transit is encrypted via TLS 1.2+. Data at rest is encrypted using AES-256.
  • Passwords are hashed using bcrypt and are never stored in plain text.
  • All financial transactions are processed via PhonePe's PCI-DSS-compliant payment infrastructure. SettlHealth does not store card or UPI credentials.
  • Access to production databases is restricted by IP allowlisting and requires multi-factor authentication.
  • Whenever you access your account information, we adhere to our security guidelines to protect it against unauthorised access and offer the use of a secure server.
  • However, the transmission of information over the internet is not completely secure for reasons beyond our control. By using the Platform, users accept the security implications of data transmission over the internet and the World Wide Web, and therefore there will always remain certain inherent risks. Users are responsible for ensuring the protection of their login credentials and password records for their account.

5. Medical Data — Special Protections

  • Medical documents (prescriptions, bills, diagnostic reports) are classified as sensitive personal data under the IT (SPDI) Rules, 2011.
  • Access to medical documents is restricted exclusively to SettlHealth's claims-review team. Every access event is logged.
  • Medical documents are retained for a minimum of 5 years from the date of claim submission for audit and regulatory compliance.
  • We do not use your medical data for advertising, profiling, or any purpose beyond claim processing and fraud prevention.

6. Data Deletion & Retention

  • You have the option to delete your account by visiting your profile and settings on our Platform. This action will result in you losing all information related to your account.
  • You may also write to us at the contact information provided below to assist you with deletion requests.
  • We may refuse or delay deletion of the account in the event of any pending grievance, pending claims under review, or any other pending service obligations.
  • Once the account is deleted, you will lose access to the account and all associated data.
  • We retain your personal data for no longer than is required for the purpose for which it was collected, or as required under applicable law. Specific retention periods: account data (3 years post-deactivation), KYC documents (5 years), claim records (5 years), payment records (7 years for GST compliance), usage logs (90 days).
  • We may retain data related to you if we believe it may be necessary to prevent fraud, for future abuse prevention, or for other legitimate legal purposes. We may continue to retain your data in anonymised form for analytical and research purposes.

7. Your Rights

  • Access: You may access and review the personal data we hold about you directly through the functionalities provided on the Platform or by writing to us.
  • Rectification: You may rectify and update your personal data directly through the functionalities provided on the Platform.
  • Deletion: You may request deletion of your account and associated non-legally-mandated personal data, subject to legal retention requirements.
  • Opt-out of marketing: You may opt out of marketing communications at any time.

8. Consent

  • By visiting our Platform or by providing your information, you consent to the collection, use, storage, disclosure, and otherwise processing of your information on the Platform in accordance with this Privacy Policy.
  • If you disclose to us any personal data relating to other people, you represent that you have the authority to do so and permit us to use the information in accordance with this Privacy Policy.
  • By providing your personal data over the Platform or any partner platforms, you consent to us (including our corporate entities, affiliates, technology partners, marketing channels, business partners, and other third parties) contacting you through SMS, instant messaging apps, call, and/or e-mail for the purposes specified in this Privacy Policy.
  • You have the option to withdraw your consent at any time by writing to our Grievance Officer at the contact information provided below. Please use the subject line: "Withdrawal of consent for processing personal data". We may verify such requests before acting on them.
  • Please note that your withdrawal of consent will not be retrospective and will be in accordance with these Terms of Use, this Privacy Policy, and applicable laws.
  • In the event you withdraw consent, we reserve the right to restrict or deny the provision of services for which we consider such information to be necessary.

9. Cookies & Tracking

  • SettlHealth uses session cookies for authentication (JWT) only. No third-party advertising or tracking cookies are used.
  • We use minimal, privacy-preserving analytics on an aggregated basis — no individual user tracking or cross-site tracking.
  • You may clear cookies at any time via your browser settings, which will log you out of the Platform.

10. Children's Privacy

SettlHealth is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has registered, please contact us immediately at care@settlhealth.in.

11. Changes to this Privacy Policy

Please check our Privacy Policy periodically for changes. We may update this Privacy Policy to reflect changes to our information practices. We may alert or notify you about significant changes to the Privacy Policy in the manner required under applicable laws. Continued use of the Platform after any such update constitutes your acceptance of the revised policy.

12. Grievance Officer

For any privacy-related queries, requests, consent withdrawal, or grievances, please contact our designated Grievance Officer:

Designation: Grievance Officer

Organisation: ADVAIT CHERISH CART PVT LTD (SettlHealth)

Address: N23, 2203, JAYPEE AMAN, SECTOR 151, NOIDA 201310, Uttar Pradesh, India

Email: care@settlhealth.in

Phone: +91 - 9916732410

Hours: Monday – Saturday, 10 AM – 7 PM IST

Response time: Within 7 business days of receipt of grievance.
