Privacy Policy

1. Introduction

Welcome to Reclaim Bharosa ("we," "our," "us," or "Data Fiduciary"). We are committed to protecting your privacy and ensuring the security of your personal information in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable Indian laws.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our insurance claim assistance platform. By using our services, you ("Data Principal") consent to the collection and processing of your personal data as described in this policy.

Legal Compliance: This Privacy Policy is designed to comply with:

• Digital Personal Data Protection Act, 2023 (DPDP Act)
• Information Technology Act, 2000 and its rules
• Consumer Protection Act, 2019
• Other applicable Indian laws and regulations

Contact Information:

• Email: support@reclaimbharosa.com
• Phone: +91 90045 97095
• Offices: Mumbai, India

2. Information We Collect

2.1 Personal Information

• Full name
• Email address
• Phone number
• Location data (pincode, city, state)

2.2 Insurance-Related Information

• Insurance type (Health, Life, Motor, General, Others)
• Insurance provider/company name
• Policy number and identifier type
• Claim details and descriptions
• Issue type (rejected, delayed, short settlement, new claim)

2.3 Documents

We collect and store documents you upload, including:

• Policy documents (PDF, DOC, DOCX)
• Medical records
• Correspondence with insurance companies
• Rejection letters
• Other supporting documents

2.4 Authentication Data

• Azure AD authentication tokens
• Account credentials (managed by Microsoft Azure AD)
• Session information

2.5 Usage Data

• Chat conversations with AI assistant
• Website interaction data
• Language preferences
• Device and browser information

2.6 Technical Data

• IP addresses
• Browser type and version
• Operating system
• Referral URLs
• Timestamps

3. How We Use Your Information (Purpose Limitation)

Under the DPDP Act, we process your personal data only for the following specified, explicit, and legitimate purposes:

3.1 Service Delivery (Primary Purpose)

We process your data to provide our core services:

• Process and manage insurance claims
• Provide claim assistance and consultation
• Communicate with insurance companies on your behalf
• Prepare and submit claim documents
• Track claim status and progress

Legal Basis: Performance of contract and your explicit consent

3.2 Communication (Legitimate Interest)

We process your contact information to:

• Send OTP verification codes via email (essential for account security)
• Send claim updates and notifications (service-related)
• Respond to inquiries and support requests
• Send onboarding reminders (service delivery)

Legal Basis: Legitimate interest and consent

3.3 Platform Functionality (Necessary for Service)

We process technical data to:

• Authenticate users via Azure AD (security requirement)
• Provide AI-powered chat assistance (core service)
• Manage document uploads and storage (service delivery)
• Enable multi-language support (user preference)

Legal Basis: Performance of contract

3.4 Legal and Compliance (Legal Obligation)

We process data to comply with legal requirements:

• Comply with insurance regulations and Indian laws
• Protect against fraud and abuse (legitimate interest)
• Enforce terms of service (contractual necessity)
• Respond to legal requests from authorities (legal obligation)

Legal Basis: Legal obligation and legitimate interest

3.5 Analytics and Improvement (Legitimate Interest)

We process anonymized data to:

• Analyze usage patterns (anonymized, aggregated data only)
• Improve platform functionality
• Enhance user experience
• Develop new features

Legal Basis: Legitimate interest (anonymized data)

Note: We do not use personal data for analytics without your explicit consent. Analytics are performed on anonymized, aggregated data only.

4. Data Storage, Security, and Retention

4.1 Storage Location (Data Localization)

In compliance with DPDP Act requirements:

• Your data is primarily stored in Microsoft Azure cloud infrastructure with servers in India (where available)
• Cosmos DB for structured data (India region preferred)
• Azure Blob Storage for documents (India region preferred)
• We ensure appropriate safeguards for any cross-border data transfers as required by DPDP Act

Cross-Border Transfers: If data is transferred outside India, we ensure:

• Transfer is necessary for service delivery
• Appropriate safeguards are in place (contractual clauses, adequacy decisions)
• You are informed of such transfers

4.2 Security Measures (Section 8(5) DPDP Act)

As a Data Fiduciary, we implement reasonable security safeguards to protect your personal data:

• Technical Safeguards:
  • Encryption in transit (HTTPS/TLS 1.2+)
  • Encryption at rest (AES-256)
  • Secure authentication (Azure AD with MFA support)
  • Regular security updates and patches
• Organizational Safeguards:
  • Access controls and role-based permissions
  • Employee training on data protection
  • Data breach response procedures
  • Regular security audits and assessments
• Physical Safeguards:
  • Secure data centers (Microsoft Azure)
  • Secure document handling procedures

Data Breach Notification: In case of a data breach that may harm you, we will notify you and the Data Protection Board as required by DPDP Act Section 8(6).

4.3 Data Retention (Storage Limitation)

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

• Active claims: Retained for duration of claim processing + 7 years (as per Indian insurance regulations and IRDAI requirements)
• Inactive accounts: Retained for 3 years after last activity, then anonymized or deleted
• Documents: Retained as per legal requirements (insurance records: 7 years minimum)
• Authentication data: Retained while account is active, deleted upon account closure
• Marketing data: Retained until consent is withdrawn

Right to Deletion: You may request deletion of your data. We will comply unless:

• Retention is required by law (e.g., insurance record retention)
• Data is necessary for ongoing legal proceedings
• Deletion would harm legitimate interests of others

Upon retention period expiry, data will be securely deleted or anonymized.

5. Data Processors and Third-Party Services

Under the DPDP Act, we may engage Data Processors to process personal data on our behalf. We ensure all Data Processors comply with DPDP Act requirements through contractual obligations.

5.1 Microsoft Azure Services (Data Processor)

We use Microsoft Azure services as Data Processors for:

• Azure AD (authentication and user management)
• Azure Functions (backend processing)
• Cosmos DB (database storage)
• Azure Communication Services (email delivery)
• Azure Blob Storage (document storage)

Data Processing Agreement: We have contractual agreements with Microsoft ensuring compliance with DPDP Act. Microsoft processes data only as instructed by us and implements appropriate security measures.

Microsoft's privacy policy applies to their services. Learn more at Microsoft Privacy.

5.2 OpenAI (Data Processor)

We use OpenAI's services as a Data Processor for:

• AI chatbot functionality
• Policy document analysis
• Knowledge base queries

Data Processing Agreement: We have contractual agreements with OpenAI ensuring data protection. OpenAI processes data only for specified purposes and does not use your data to train their models without explicit consent.

OpenAI's privacy policy applies. Learn more at OpenAI Privacy.

5.3 Google Fonts

We use Google Fonts for web font delivery. Google may collect your IP address. This is a minimal data collection for service delivery. Learn more at Google Privacy.

5.4 Data Sharing with Third Parties

We only share your personal data:

• With insurance companies: As necessary for claim processing (with your explicit consent)
• With legal authorities: If required by law or court orders (legal obligation)
• With Data Processors: Under strict contractual obligations for service delivery

We do NOT:

• Sell your personal data to third parties
• Share your data for marketing purposes without consent
• Transfer data to unauthorized third parties

Your Rights: You have the right to know which Data Processors we share your data with. Contact our DPO for this information.

6. Your Rights Under DPDP Act 2023

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:

6.1 Right to Access Information (Section 11)

You have the right to:

• Obtain a summary of personal data being processed
• Know the identities of all Data Fiduciaries and Data Processors with whom your personal data has been shared
• Receive a copy of your personal data in a structured, commonly used, and machine-readable format

We will respond to your access request within 30 days.

6.2 Right to Correction and Erasure (Section 12)

You have the right to:

• Correct inaccurate or misleading personal data
• Update incomplete personal data
• Request erasure of personal data that is no longer necessary for the purpose for which it was processed

We will process correction/erasure requests within 30 days, subject to legal obligations.

6.3 Right to Grievance Redressal (Section 13)

You have the right to:

• Register a grievance with our Data Protection Officer (DPO)
• Receive a response within 30 days
• Appeal to the Data Protection Board if unsatisfied with our response

Grievance Contact: dpo@reclaimbharosa.com

6.4 Right to Nominate (Section 14)

You have the right to nominate any other individual to exercise your rights under the DPDP Act in the event of your death or incapacity.

6.5 Right to Withdraw Consent

You can withdraw your consent for processing personal data at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

Note: Withdrawal of consent may affect our ability to provide services to you.

6.6 Right to Data Portability

You can request your personal data in a structured, commonly used, and machine-readable format for transfer to another service provider.

6.7 How to Exercise Your Rights

To exercise any of these rights, please contact us:

• Data Protection Officer: dpo@reclaimbharosa.com
• Privacy Email: privacy@reclaimbharosa.com
• Phone: +91 90045 97095

We may require identity verification before processing your request. We will respond within 30 days as required by the DPDP Act.

7. Cookies and Tracking Technologies

7.1 Types of Cookies

• Essential Cookies: Required for authentication (MSAL session cookies) - cannot be disabled
• Functional Cookies: Language preferences (localStorage) - can be disabled
• Third-Party Cookies: Azure AD and Google Fonts may set cookies

7.2 Cookie Management

You can manage cookies through your browser settings. Disabling essential cookies may affect platform functionality.

For more details, see our Cookie Policy.

8. Children's Privacy

Our service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

9. International Data Transfers

Your data is primarily stored in India. Some services may use international servers (Azure global infrastructure). We ensure appropriate safeguards are in place for any cross-border data transfers.

14. Changes to Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:

• Posting the updated policy on our website with a prominent notice
• Updating the "Last Updated" date
• Sending email notifications for significant changes
• Obtaining fresh consent if required by DPDP Act

Your continued use of our platform after changes constitutes acceptance of the updated policy, unless the changes require fresh consent under DPDP Act.

Last Updated: January 2025

Next Review Date: January 2026

11. Data Protection Officer (DPO)

In compliance with DPDP Act requirements, we have designated a Data Protection Officer to oversee data protection matters and handle your requests:

• Data Protection Officer: dpo@reclaimbharosa.com
• Phone: +91 90045 97095
• Address: Mumbai, India

The DPO is responsible for:

• Overseeing data protection compliance
• Handling data protection grievances
• Liaising with the Data Protection Board
• Conducting data protection impact assessments
• Training staff on data protection

12. Consent and Notice Requirements

12.1 Notice to Data Principal (Section 5 DPDP Act)

Before or at the time of collecting personal data, we provide you with a notice containing:

• The purposes for which personal data is being processed
• The manner in which you may exercise your rights under the DPDP Act
• The manner in which you may make a complaint to the Data Protection Board
• Details of any Data Processor with whom we share your data

This Privacy Policy serves as our notice to you.

12.2 Consent Requirements (Section 6 DPDP Act)

We obtain your consent before processing personal data, except when:

• Processing is for a legitimate use (as defined in DPDP Act Section 7)
• Processing is necessary for compliance with legal obligations
• Processing is for medical emergencies or public health

Consent Withdrawal: You can withdraw consent at any time. Withdrawal will not affect processing done before withdrawal.

12.3 Legitimate Uses (Section 7 DPDP Act)

We may process personal data without consent for:

• Performance of any function under Indian law
• Compliance with court orders
• Medical emergencies involving threat to life
• Employment purposes (for our employees)

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights under the DPDP Act, please contact us:

• Data Protection Officer: dpo@reclaimbharosa.com
• Privacy Email: privacy@reclaimbharosa.com
• Phone: +91 90045 97095
• Support Email: support@reclaimbharosa.com
• Offices: Mumbai, India

Data Protection Board: If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India as per DPDP Act Section 13(2).