Privacy Policy

Last updated: May 2025

1. Introduction

Outshade Digital Media Private Limited (“Company”, “we”, “us”, or “our”) operates the Zilo Care platform, a cloud-based healthcare practice management solution. This Privacy Policy explains how we collect, use, store, share, and protect information when you use our Services.

This policy is published in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), and the Digital Personal Data Protection Act, 2023 (“DPDP Act”).

By using our Services, you consent to the collection and use of your information as described in this Privacy Policy. If you do not agree, please discontinue use of our Services.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Your name, email address, phone number, designation, and password when you register.
  • Organisation Information: Your practice name, registration details, address, GST number, and logo.
  • Payment Information: Billing details, bank or card information processed through our payment partners. We do not store complete card details on our servers.
  • Communications: Messages, support requests, feedback, and correspondence you send us.

2.2 Health-Related Information Processed on Your Behalf

When your Organisation uses Products such as Zilo Consult, Zilo Pharmacy, Zilo Second Opinion, or Zilo Practice OS, you may upload or generate patient data on the Platform, including patient demographics, medical history, prescriptions, diagnostic reports, and consultation notes.

We process this health-related data as a data processor on behalf of your Organisation (the data fiduciary/controller). Your Organisation is responsible for obtaining valid patient consent and ensuring compliance with all applicable healthcare and data protection laws.

2.3 Automatically Collected Information

  • Usage Data: Pages visited, features used, time spent, clicks, and in-app actions.
  • Device & Technical Data: IP address, browser type, operating system, device identifiers, and screen resolution.
  • Location Data: Approximate geographic location derived from IP address for regional pricing and compliance purposes.
  • Cookies & Tracking: Session cookies, preference cookies, and analytics cookies as described in Section 9.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our Services;
  • Process subscriptions, billing, and payment transactions;
  • Authenticate your identity and manage your account;
  • Send transactional emails (account activation, billing receipts, subscription updates);
  • Provide customer support and respond to your queries;
  • Send product updates, feature announcements, and platform communications (you may opt out of non-transactional communications at any time);
  • Detect, investigate, and prevent security incidents and fraudulent activity;
  • Comply with legal obligations under the IT Act, DPDP Act, and other applicable laws;
  • Analyse aggregated and anonymised usage patterns to improve platform performance and user experience.

4. Legal Basis for Processing

Under the Digital Personal Data Protection Act, 2023, we process your personal data on the following lawful bases:

  • Consent: Where you have expressly consented to specific processing activities, such as receiving marketing communications.
  • Contractual Necessity: Where processing is necessary to perform our contract with you (i.e., delivering the Services you have subscribed to).
  • Legitimate Use: For purposes such as fraud prevention, security, and improving our Services.
  • Legal Obligation: Where we are required to process data to comply with applicable laws and regulatory requirements.

5. Data Sharing & Disclosure

We do not sell your personal data. We may share your information with:

  • Service Providers: Third-party vendors who assist us in operating the Platform, including cloud hosting providers (such as Supabase), payment processors, email service providers, and analytics tools. These providers are contractually bound to use your data only to provide services to us.
  • Professional Advisors: Lawyers, auditors, and accountants, where necessary for legal, compliance, or financial purposes.
  • Legal Authorities: Where required by law, court order, or to protect the rights and safety of individuals.
  • Business Transfers: In the event of a merger, acquisition, or sale of all or part of our business, your data may be transferred to the acquiring entity, subject to equivalent privacy protections.

We do not share health-related patient data submitted by your Organisation with any party other than those strictly necessary to provide the Services to your Organisation.

6. Data Retention

We retain your personal data for as long as your account is active and for a period of up to three (3) years after account closure, unless a longer retention period is required by law (such as for GST and financial records) or is necessary for the resolution of disputes.

Health-related patient data processed on behalf of your Organisation will be retained in accordance with your instructions and applicable healthcare regulations. Upon your request or within 30 days of account termination, we will delete or anonymise your Organisation's data, subject to any mandatory legal retention requirements.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/HTTPS) and at rest;
  • Role-based access controls limiting data access to authorised personnel;
  • Regular security assessments and vulnerability testing;
  • Secure cloud infrastructure hosted on SOC 2 compliant providers.

While we take all reasonable precautions, no method of data transmission or storage is 100% secure. In the event of a data breach that is likely to result in a risk to your rights or freedoms, we will notify you and the relevant authorities as required under applicable law.

8. Your Rights

Under the Digital Personal Data Protection Act, 2023 and other applicable laws, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Erasure: Request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to legal retention obligations.
  • Withdrawal of Consent: Withdraw consent for processing activities based on consent at any time, without affecting the lawfulness of processing before withdrawal.
  • Grievance Redressal: Raise a complaint or grievance with our designated Grievance Officer (see Section 12).

To exercise any of these rights, please contact us at privacy@zilo.care. We will respond to your request within 30 days.

9. Cookies & Tracking

We use cookies and similar tracking technologies to enhance your experience on the Platform. The types of cookies we use include:

  • Essential Cookies: Required for the Platform to function, including session authentication and security. These cannot be disabled.
  • Preference Cookies: Store your settings such as language, region, and currency preferences.
  • Analytics Cookies: Help us understand how users interact with the Platform so we can improve it. We use aggregated, anonymised data.

You can control or disable non-essential cookies through your browser settings; however, this may affect certain features of the Platform.

10. Third-Party Links & Integrations

Our Platform may contain links to third-party websites or integrate with external services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party service before providing them with your information.

11. Children's Privacy

Our Services are intended for use by healthcare organisations and professionals and are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has provided personal data to us without appropriate parental consent, we will take steps to delete such data promptly.

12. Grievance Officer

In accordance with the Information Technology Act, 2000, and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the following person has been designated as the Grievance Officer to address any concerns or complaints related to this Privacy Policy:

Grievance Officer

Outshade Digital Media Private Limited

Email: grievance@zilo.care

We aim to acknowledge all grievances within 48 hours and resolve them within 30 days.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated via email or a notice on the Platform before the changes take effect. We encourage you to review this Policy periodically. Your continued use of the Services after changes are posted constitutes your acceptance of the revised Policy.

14. Contact Us

For any privacy-related questions, requests, or concerns, please contact us at:

Outshade Digital Media Private Limited

Privacy: privacy@zilo.care

Legal: legal@zilo.care