Owval

Privacy Policy

Owval ("Company," "we," "our," or "us") is committed to protecting the privacy and personal data of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our platform ("Platform"), in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"), and the Information Technology Act, 2000 ("IT Act").

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

1. Definitions

In this Privacy Policy, the following terms have the meanings defined by the DPDP Act, 2023:

  • "Data Fiduciary" means the entity that determines the purpose and means of processing personal data. Owval is the Data Fiduciary for the personal data collected through this Platform.
  • "Data Principal" means the individual to whom the personal data relates. If you provide personal information on the Platform (for example, as a contact person for a registered Partner), you are a Data Principal.
  • "Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act.
  • "Processing" means any operation performed on personal data, including collection, storage, use, sharing, and deletion.

2. Information We Collect

2.1 Information You Provide

  • Partner Registration Information: Organization name, organization type, GST Identification Number (GSTIN), registered business address, and details of authorized contact persons (name, email address, phone number, designation).
  • Contact Form Information: Name, email address, organization name, and message content when you submit inquiries through our contact form.
  • Order and Transaction Information: Product selections, quantities, delivery addresses, order history, and payment-related details.
  • Communication Records: Correspondence and interactions with our team, including support requests.

2.2 Information Collected Automatically

  • Usage Data: Pages visited, time spent on pages, navigation patterns, and interaction data collected through our analytics services.
  • Device Information: Browser type and version, operating system, device type, and screen resolution.
  • Network Information: IP address, used for security, fraud prevention, and approximate geographic location.

3. Legal Basis for Processing

Under the DPDP Act, 2023, we process personal data on the following grounds:

  • Consent: Where you provide explicit consent for processing, such as when you submit a partner application or contact form. Consent under the DPDP Act must be free, specific, informed, unconditional, and based on clear affirmative action.
  • Certain Legitimate Uses: Where processing is necessary for the performance of a contract (fulfilling Orders), compliance with legal obligations (GST filings, regulatory reporting), or other legitimate uses recognized under the DPDP Act.

You may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal, and certain data may be retained where required by law.

4. How We Use Your Information

We process your information for the following specified purposes:

  • Processing and managing partner applications and account registration.
  • Fulfilling Orders and providing delivery updates.
  • Generating GST-compliant invoices and maintaining financial records.
  • Sending account-related communications, order confirmations, and service notifications.
  • Responding to your inquiries, support requests, and feedback.
  • Improving our Platform, products, and services through aggregated usage analysis.
  • Conducting credit assessments for Partners requesting credit terms.
  • Ensuring the security and integrity of the Platform, including fraud prevention.
  • Complying with legal and regulatory obligations.

We do not process your personal data for purposes beyond those stated above without obtaining additional consent.

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your data with the following categories of recipients, only to the extent necessary for the specified purposes:

  • Payment Service Providers: To process transactions and manage payment-related services.
  • Logistics and Delivery Partners: To fulfill Orders and provide delivery services.
  • Communication Service Providers: To send transactional emails, notifications, and account-related communications.
  • Analytics Service Providers: To help us understand usage patterns and improve the Platform. These services process anonymized or aggregated usage data.
  • Cloud Infrastructure Providers: To securely host and operate the Platform.
  • Legal and Regulatory Authorities: When required by law, court order, or government regulation, or to protect the rights and safety of Owval, our Partners, or the public.
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, subject to the acquiring entity agreeing to be bound by this Privacy Policy.

All third-party service providers are contractually bound to process personal data only for the purposes specified by Owval and in compliance with applicable data protection requirements.

6. Cross-Border Data Transfer

Your personal data is primarily stored and processed in India. In certain cases, data may be processed by service providers located outside India. Any cross-border transfer of personal data is conducted in compliance with Section 16 of the DPDP Act, 2023, which permits transfer to countries not restricted by the Central Government. We ensure that adequate safeguards are in place for any such transfer.

7. Data Security

We implement reasonable security safeguards to protect your personal data, as required under the DPDP Act and the IT Act. These measures include:

  • Encryption of data in transit using TLS/SSL protocols.
  • Encryption, masking, or tokenization of sensitive data at rest.
  • Access controls to restrict personal data access to authorized personnel only.
  • Access logging, monitoring, and periodic review of security practices.
  • Data backup and business continuity measures.
  • Security logs retained for a minimum of one year, in compliance with the DPDP Rules, 2025.

While we take reasonable precautions, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data.

8. Data Retention

We retain personal data only as long as necessary for the purposes described in this Privacy Policy or as required by Applicable Laws. Specific retention periods include:

  • Account and partner data: For the duration of the active partnership and for a reasonable period thereafter to address any post-termination matters.
  • Financial and tax records: GST-related records, invoices, and transaction data are retained for a minimum of 72 months (6 years) as required under the GST Acts.
  • Communication records: Contact form submissions and support correspondence are retained for as long as necessary to resolve the inquiry and for a reasonable period thereafter.
  • Usage data: Anonymized and aggregated analytics data may be retained indefinitely as it does not constitute personal data.

When personal data is no longer required, we will delete or anonymize it in accordance with applicable requirements. We will notify Data Principals at least 48 hours prior to the completion of the retention period before deleting personal data collected on the basis of consent, as required by the DPDP Rules.

9. Healthcare Data Compliance

As a healthcare procurement platform, we take additional care with data handling:

  • We comply with the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000 in all aspects of data processing.
  • Organization and procurement data is treated as confidential business information.
  • We do not process or store patient health information (PHI). Our Platform handles institutional procurement data only - we do not collect or process any data relating to individual patients or their medical conditions.
  • Procurement patterns, order volumes, and business data of Partners are treated as confidential and are not shared with other Partners or third parties except as required by law.

10. Cookies and Tracking Technologies

We use minimal tracking technologies:

  • Essential Cookies: Required for core Platform functionality, including session management and user preferences. These cannot be disabled.
  • Analytics: We use privacy-focused analytics services to collect anonymized usage statistics, helping us improve the Platform experience. These services do not use third-party advertising cookies or cross-site tracking.

We do not use third-party advertising cookies, behavioral tracking, or cross-site tracking technologies.

11. Your Rights Under Applicable Law

Under the DPDP Act, 2023, as a Data Principal you have the following rights:

  • Right to Access: You may request a summary of the personal data we hold about you and the processing activities performed on it.
  • Right to Correction: You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You may request deletion of your personal data, subject to our legal obligations to retain certain records (such as financial and GST records).
  • Right to Withdraw Consent: You may withdraw previously given consent at any time. We provide a mechanism for consent withdrawal accessible through your account settings or through our Contact page.
  • Right to Grievance Redressal: You may lodge a complaint with our Grievance Officer regarding any concerns about data processing. Details are provided in Section 14 below.
  • Right to Nomination: You may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity, as provided under the DPDP Act.

To exercise any of these rights, please submit a request through our Contact page. We will respond to valid requests within a reasonable timeframe and in accordance with the DPDP Act.

12. Children's Data

The Platform is a B2B service designed for healthcare institutions and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verifiable parental consent as required by the DPDP Act, we will take steps to delete that information.

13. Data Breach Notification

In the event of a personal data breach, Owval will notify the Data Protection Board of India within 72 hours of becoming aware of the breach, as required under the DPDP Act and DPDP Rules. We will also notify affected Data Principals without unreasonable delay, providing information about the nature of the breach, the data involved, and the steps being taken to address it.

14. Grievance Redressal

In accordance with the DPDP Act, 2023 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, Owval has designated a Grievance Officer to address privacy-related complaints and concerns.

To submit a privacy-related grievance, please use the contact form on our Contact page with the subject "Privacy Grievance." The Grievance Officer will acknowledge your complaint within 24 hours and endeavor to resolve it within 15 days. If you are unsatisfied with the resolution, you may file a complaint with the Data Protection Board of India or escalate to the Grievance Appellate Committee as applicable.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. Material changes will be communicated through the Platform or through the contact information associated with your account. We will update the "Last updated" date at the top of this policy. Your continued use of the Platform after changes are posted constitutes acceptance of the revised Privacy Policy.

16. Contact Us

For privacy-related inquiries, to exercise your data rights, or to submit a grievance, please reach us through our Contact page.