DPDP Act 2023 Compliance

CureNet is built on a "Privacy by Design" architecture, ensuring absolute compliance with India's Digital Personal Data Protection (DPDP) Act, 2023.

The Core Principle: You Are The Data Principal

Under the DPDP Act, you are the Data Principal and we are the Data Fiduciary. This means you own your health data. We only process it when you explicitly ask us to, and we never monetize or sell it.

1. Local-First Storage Architecture

Unlike traditional health apps that hoard your data on central servers, CureNet operates on a local-first model. Your scanned prescriptions, lab reports, and AI-extracted FHIR clinical records are stored directly on your mobile device.

  • Zero-Knowledge Cloud: Our servers act as secure routing conduits, not databases. We do not maintain a central repository of your medical history.
  • On-Device Encryption: All local health data is encrypted with AES-256-GCM.
  • Hardware-Backed Keys: The decryption keys are stored in your device's secure enclave (Android Keystore / iOS Keychain), so they cannot be exfiltrated remotely without your physical device and biometric unlock.

2. Explicit, Verifiable Consent (Section 6)

We process your personal data strictly based on explicit, clear, and affirmative consent.

  • Granular Control: When a doctor requests access to your records via ABDM, you receive a push notification detailing exactly who is requesting what, and for how long.
  • Time-Bound Access: Consents are ephemeral (e.g., granting a doctor access for exactly 30 minutes during a consultation). Once the timer expires, the access is cryptographically revoked.
  • Right to Withdraw: You can revoke any active consent grant instantly with a single tap.

3. Minimal Data Processing (Section 4)

We only collect what is strictly necessary to provide the service:

  • To create an ABHA ID, we route your basic demographic data securely to the National Health Authority (NHA) gateways.
  • When you scan a document, the image is sent via TLS 1.3 to our AI processing cluster. The text is extracted, and the image is immediately purged from RAM. It is never written to disk or used to train AI models.

4. Your Rights Under the Act (Sections 11-14)

CureNet guarantees your rights as a Data Principal:

  • Right to Access: View all your digital health records directly in the app.
  • Right to Erasure: Because your data lives on your device, deleting the app instantly destroys the local database. You can also request the deletion of your account routing metadata from our systems at any time.
  • Right to Nominate: You can designate a trusted family member to manage your account in the event of incapacitation.

5. Security Safeguards (Section 8)

We employ robust technical and organizational measures to prevent personal data breaches, including regular penetration testing, strict access controls for our engineering team, and end-to-end encryption for all ABDM data exchanges (RSA-OAEP).

For detailed legal definitions and terms, please review our full Privacy Policy. If you have compliance inquiries, you can reach our Data Protection Officer at contact@jeevant.com.