DPDPA 2023 Compliance

Your data rights under the Digital Personal Data Protection Act, 2023 — and how Goalka honours every one of them.

What is the DPDPA 2023?

The Digital Personal Data Protection Act, 2023 (DPDPA) is India's primary legislation governing the processing of digital personal data. Passed by the Parliament of India and notified in August 2023, it establishes obligations for organisations that collect and process personal data of individuals in India, and creates enforceable rights for those individuals ("Data Principals").

The Act applies to Goalka because we process personal data of Indian doctors (and, in some cases, their patients) to provide our services. It requires us to maintain a lawful basis for every category of data processing, respond promptly to your rights requests, and implement appropriate technical and organisational safeguards.

The DPDPA is enforced by the Data Protection Board of India. Non-compliance may result in financial penalties of up to ₹250 crore per violation.

Goalka as your Data Fiduciary

Under DPDPA, Goalka Health Technologies Pvt. Ltd. acts as a Data Fiduciary — the entity that determines the purpose and means of processing your personal data. We are responsible for ensuring that:

  • Data is collected only for specified, explicit, and lawful purposes.
  • Processing is limited to what is necessary for those purposes.
  • Data is not retained longer than required.
  • Appropriate security measures are in place to prevent unauthorised access.
  • Your rights as a Data Principal are respected and fulfilled.
  • Sub-processors (Data Processors we engage) are contractually bound to equivalent standards.

DPDPA Chapter III

Your 8 Data Principal Rights

All rights under Sections 11–18 of the DPDPA, 2023. To exercise any right, email privacy@goalka.com. We respond within 30 days.

01

Right to information about processing

You have the right to know what personal data Goalka collects, the purpose for which it is processed, and how long it is retained.

How to exercise

Request a data processing summary via privacy@goalka.com. We will respond within 30 days.

02

Right to correction and erasure

You have the right to correct inaccurate personal data we hold about you, and to request erasure of data that is no longer required.

How to exercise

Submit a correction or erasure request via /privacy (self-service) or email privacy@goalka.com.

03

Right to grievance redressal

You have the right to file a grievance with Goalka's Designated Privacy Officer if you believe your data rights have been violated.

How to exercise

File a grievance at privacy@goalka.com. We acknowledge within 48 hours and resolve within 30 days.

04

Right to nominate

You have the right to nominate another individual to exercise your data rights on your behalf in the event of death or incapacity.

How to exercise

Contact privacy@goalka.com to register a nominee. Notarised authorisation may be required.

05

Right to withdraw consent

You have the right to withdraw consent for any or all data processing categories at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

How to exercise

Withdraw consent instantly via Settings → Consent, or email privacy@goalka.com. Withdrawal takes effect within 72 hours.

06

Right to data portability

You have the right to receive your personal data in a structured, machine-readable format and to transfer it to another service.

How to exercise

Request a full data export from Settings → Privacy, or email privacy@goalka.com. Delivered within 15 days.

07

Right to know about data breach

In the event of a personal data breach that is likely to affect your rights, you have the right to be notified without undue delay.

How to exercise

Breach notifications are sent to your registered email within 72 hours of discovery, per DPDPA Section 8(6).

08

Right against automated decision-making

You have the right to request human review of any automated decision that significantly affects you, including AI-generated clinical recommendations.

How to exercise

Flag any AI-generated output for human review via the Command Center, or email privacy@goalka.com.

Consent management

4 consent categories

Goalka uses granular consent — you can grant or withdraw each category independently. Withdrawing consent is as easy as granting it.

Platform use

Required
platform_use

Core account functionality — authentication, session management, and essential platform features. Required to use Goalka.

AI processing

Optional
ai_processing

Processing your clinical notes, commands, and vault content through AI models (Claude API, AssemblyAI) to power the Command Center and intelligent features.

Research & improvement

Optional
research

Anonymised, aggregated usage data used to improve Goalka's features and AI models. No personally identifiable information is included.

Communications

Optional
communications

Product updates, feature announcements, and educational content delivered via email and WhatsApp. You can opt out at any time.

DPDPA Section 16

Cross-border data transfers

Goalka engages the following sub-processors outside India. Each is bound by a Data Processing Agreement (DPA) requiring equivalent data protection standards.

Processor | Country | Purpose
Anthropic (Claude API) | United States | AI language model processing for Command Center, content generation, and clinical intelligence features
AssemblyAI | United States | Speech-to-text transcription using Medical Mode for voice commands
ElevenLabs | European Union | Text-to-speech synthesis for voice responses
Vercel | United States | Frontend hosting and serverless edge functions
Railway | European Union | Backend API hosting (FastAPI)
Sentry | United States | Error monitoring and performance tracking (no PII in error reports)
Supabase | United States | Primary database (Postgres), authentication, and file storage. Data at rest is encrypted.

All transfers are subject to Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms approved under DPDPA.

DPDPA Section 13

Grievance mechanism

If you believe your data rights have been violated, or if you have a complaint about how Goalka processes your personal data, you may file a grievance with our Designated Privacy Officer.

Designated officer

Privacy Officer

Goalka Health Technologies Pvt. Ltd.

Response time

Within 30 days

Acknowledgement within 48 hours

Escalation: If your grievance is not resolved to your satisfaction, you may escalate it to the Data Protection Board of India (dpboard.gov.in) once the Board is constituted and operational.

This DPDPA Policy is effective as of April 12, 2026 and applies to all doctors and users of the Goalka platform.