Get started
DPDPA 2023 Compliant · All 8 Data Principal Rights

Privacy Policy

Effective date: 12 April 2026·Version 2.0

Goalka ("we", "us", "our") is operated by Goalka Technologies Private Limited, a company incorporated under the Companies Act, 2013, with its registered office in Bengaluru, Karnataka, India. This Privacy Policy explains how we collect, use, disclose, and protect your personal data in accordance with the Digital Personal Data Protection Act, 2023 ("DPDPA 2023"), the Information Technology Act, 2000 ("IT Act"), the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and other applicable Indian law.

1. Data We Collect

We collect personal data that you provide directly, data generated by your use of the platform, and data from integrated third-party services (only where you have explicitly authorised the connection).

Account & Professional Data

  • Full name, email address, mobile number (WhatsApp-capable)
  • NMC registration number and state medical council affiliation
  • Specialty, sub-specialty, and qualifications (MBBS, MS, DNB, DM, MCh, etc.)
  • Hospital or clinic affiliations and practice address
  • Professional photograph (optional)
  • ABDM Health Professional ID (if provided for integration)
  • LinkedIn and Instagram handles (if connected via OAuth)

Clinical & Practice Data

When you use the Clinical Vault or AI Command Center, you may store patient-related data. This includes:

  • De-identified or pseudonymised patient case notes and procedure records
  • Clinical outcomes, complication logs, and follow-up notes
  • Referral relationship data (doctor-to-doctor; no patient identifiers in referral analytics)
  • Financial records: consultation fees, procedure billing, GST-applicable transactions
  • AI command text (your natural language instructions to the Command Center)
Doctor's Responsibility: You are the Data Fiduciary for patient data you store in Goalka's Clinical Vault. Goalka acts as a Data Processor under DPDPA 2023. You are responsible for obtaining appropriate, specific, and informed consent from your patients before storing their personal health information on any third-party platform, including Goalka.

Voice & Audio Data

  • Microphone input streamed to AssemblyAI Medical Mode for speech-to-text conversion
  • Raw audio is never stored by Goalka — it is streamed, transcribed, and the audio stream discarded
  • Transcribed text commands are stored for 90 days as part of your AI command log

Usage & Technical Data

  • Browser type, device type, operating system, screen resolution
  • IP address (truncated to /24 after 30 days; full IP never stored beyond session)
  • Pages visited, features used, session duration, click paths
  • Error logs and crash reports transmitted to Sentry (anonymised, no PII)

Integration & OAuth Data

When you connect third-party services (Google Calendar, Gmail, LinkedIn, Instagram, WhatsApp via Gupshup, Razorpay), we collect only the minimum data necessary for that integration to function. OAuth access and refresh tokens are stored encrypted (AES-256). We never request permissions broader than what is required for the stated purpose. You can revoke any integration at any time from Settings → Integrations.

Payment Data

Subscription and billing data is processed by Razorpay. Goalka stores only your subscription tier, billing email, GST registration number (GSTIN), and invoice history. Card numbers, CVVs, and UPI credentials are held exclusively by Razorpay and never transmitted to or stored by Goalka.

2. How We Use Your Data

Service Delivery

To provide, maintain, and improve the Goalka platform — including AI command processing, content generation, clinical vault operations, morning briefings, financial intelligence, PR tools, and CME tracking.

Personalisation

To learn your preferences (specialty context, briefing time, alert thresholds, voice settings) and configure the AI Command Center to work effectively for your practice pattern.

AI Model Training — Opt-In Only

We do NOT use your patient data or clinical case notes to train AI models — neither our own nor those of third-party providers (Anthropic, AssemblyAI, ElevenLabs). AI processing of your data is transient and stateless. You may separately opt in to contributing anonymised, aggregated usage patterns for product improvement. This is strictly opt-in.

Communications

WhatsApp briefings and alerts, email notifications, product updates, and billing communications — only with your consent or as necessary for the service. Adjust preferences or unsubscribe at any time from Settings → Notifications.

Security & Compliance

To detect fraud, enforce rate limits, maintain audit trails, and comply with applicable Indian law including DPDPA 2023, IT Act 2000, NMC regulations, GST Act, and Income Tax Act.

Business Analytics

Aggregated, anonymised platform usage data to understand feature adoption and guide product development. This is never linked back to individual doctor profiles.

3. Legal Basis for Processing

Under DPDPA 2023 and the IT (SPDI) Rules 2011, we process personal data on the following lawful bases:

  • C
    Consent: Account creation, WhatsApp briefings, optional integrations (Google, LinkedIn, Instagram), marketing communications. You may withdraw consent at any time from Settings → Consent without detriment.
  • P
    Contract Performance: Processing necessary to provide the service you have subscribed to, including billing, feature access, data export, and customer support.
  • L
    Legal Obligation: Audit log maintenance, GST invoice records, and compliance with court orders or government directives under applicable Indian law including Section 69B of the IT Act.
  • I
    Legitimate Interest: Security monitoring, fraud prevention, rate limit enforcement, and platform abuse detection — where our interests do not override your fundamental rights as assessed under a balancing test.

4. Data Sharing & Processors

We do not sell your personal data. We do not share data with advertising networks. We share data only with the following service providers under Data Processing Agreements (DPAs) that require equivalent data protection standards. All processors are bound by confidentiality obligations.

ProcessorCountryPurposeData shared
SupabaseIndia (Mumbai, ap-south-1)Database, authentication, file storageAll account, clinical & practice data
Anthropic (Claude API)United StatesAI command & content processingCommand text only — no patient PII
AssemblyAIUnited StatesVoice-to-text (Medical Mode STT)Audio stream — deleted post-transcription
ElevenLabsEuropean UnionText-to-speech voice synthesisAI response text only
GupshupIndiaWhatsApp Business messagingMessage content, phone number
RazorpayIndiaPayment processing & subscriptionsBilling data, GSTIN, invoice history
VercelUnited StatesFrontend hosting & global CDNHTTP request logs (30 days, no PII)
RailwayEuropean UnionBackend API infrastructureApplication logs (30 days, anonymised)
SentryUnited StatesError & performance monitoringScrubbed error logs — no personal data

We may also disclose personal data to law enforcement or government authorities when required by a valid court order, search warrant, or government directive under Indian law. We will notify you of such requests to the extent permitted by law.

5. Cross-Border Data Transfers (DPDPA 2023, Section 16)

The DPDPA 2023 (Section 16) permits cross-border transfer of personal data to countries approved by the Central Government. Pending the issuance of such notifications, we apply the following safeguards and minimisation measures for each cross-border transfer:

  • Anthropic / Claude API (United States): Command text is sent for transient, stateless AI inference. No patient personally identifiable information (PII) is included in API payloads. Anthropic's API Terms prohibit use of inputs for model training without opt-in. Data is not retained beyond the active API call. Standard contractual clauses apply.
  • AssemblyAI (United States): Voice audio is streamed in real time for Medical Mode speech-to-text conversion using AssemblyAI Universal-3 Pro. Audio is deleted by AssemblyAI upon transcription completion. No audio segments are retained beyond the active session. AssemblyAI HIPAA BAA is in place.
  • ElevenLabs (European Union): AI-generated response text is sent for voice synthesis. The EU is subject to GDPR, which provides an equivalent or superior level of data protection. EU Standard Contractual Clauses (SCCs) apply.
  • Vercel (United States): Frontend request logs contain IP addresses and HTTP metadata only. No clinical or personal health data passes through Vercel infrastructure. Log retention is 30 days. Vercel DPA applies.
  • Railway (European Union): Backend application logs contain operational metadata only. Logs are anonymised within 30 days. EU GDPR protections apply.
  • Sentry (United States): Error reports are processed by Sentry's server-side PII scrubber before transmission. Our Sentry configuration explicitly strips user identifiers, email addresses, and clinical text from error payloads. Sentry DPA and SCCs apply.

By using Goalka and its integrated AI features, you acknowledge and consent to these cross-border transfers as described above. If you object to a specific transfer, contact privacy@goalka.com — we will advise you on which platform features you can continue to use.

6. Data Residency & Storage

Your primary account data, all clinical records, professional data, and financial records are stored in Supabase's Mumbai (ap-south-1) data centre on Amazon Web Services, ensuring primary data residency within India.

Transient AI processing occurs outside India as described in Section 5. No personal data is persisted by those processors beyond the active request lifecycle.

All data at rest is encrypted using AES-256. All data in transit uses TLS 1.3 as the minimum standard. Database backups are encrypted with separate key material and retained for 7 days with Point-In-Time Recovery (PITR) enabled. Encryption keys are managed via Supabase's Vault, with rotation every 90 days.

OAuth tokens for third-party integrations (Google, LinkedIn, Instagram) are stored in an additional application-layer AES-256 encryption envelope using a key stored separately from the database.

7. Your 8 Rights Under DPDPA 2023

As a Data Principal under the Digital Personal Data Protection Act, 2023, you hold the following eight statutory rights. All rights are exercisable via your Privacy self-service page, your Consent Settings, or by emailing privacy@goalka.com. We acknowledge all requests within 48 hours and resolve within 30 days.

1. Right to Information (Section 11)
Know what personal data we hold about you, the lawful basis on which it was collected, the purposes of processing, and the identity of processors we share it with. Request a full data summary at any time.
2. Right to Correction & Completion (Section 12)
Correct inaccurate, incomplete, or out-of-date personal data. You can update most profile data directly in Settings → Profile. For data in audit logs (which must remain immutable), we append a correction notice.
3. Right to Erasure (Section 12)
Request deletion of your personal data and all associated records. Processed within 30 days. Subject to mandatory legal retention obligations: GST records (8 years), clinical records (7 years per Medical Records Rules, 2023), audit logs (7 years per DPDPA 2023).
4. Right to Data Portability (Section 12)
Receive a complete copy of all data you have provided to Goalka in machine-readable JSON (FHIR-compatible for clinical records) or CSV format. Available immediately from Settings → Export Data.
5. Right to Withdraw Consent (Section 13)
Withdraw any consent you have given at any time, with equal ease to how it was given — one click in Settings. Withdrawal does not affect the lawfulness of processing prior to withdrawal. Some features may become unavailable after withdrawal.
6. Right to Grievance Redressal (Section 13)
File a formal complaint with our Grievance Officer (details in Section 12). Acknowledged within 48 hours. If not resolved within 30 days, you may escalate to the Data Protection Board of India at dpb.gov.in.
7. Right to Nominate (Section 14)
Nominate a trusted individual to exercise your DPDPA rights on your behalf in the event of your death or incapacity. Register a nominee by contacting privacy@goalka.com with a witnessed nomination letter.
8. Right Against Automated Decision-Making
Request meaningful human review of any decision taken solely by automated processing (including AI outputs) that significantly affects your professional interests. All Goalka AI outputs are explicitly advisory — final decisions remain yours.

8. Data Retention

We retain your data only for as long as is necessary for the stated purpose or as required by applicable Indian law. The following schedule applies:

  • Active account data: Duration of account; 90 days post-account closure to allow data export
  • Patient clinical records: 7 years from last entry (Medical Records Rules, 2023 / Indian Medical Council Act)
  • Financial & GST records: 8 years (Income Tax Act, 1961 — Section 44AA requirements)
  • Admin audit logs: 7 years (DPDPA 2023 compliance requirement)
  • AI command logs (text): 90 days from creation, then automatically and permanently deleted
  • Voice audio: Never stored by Goalka — deleted by AssemblyAI immediately post-transcription
  • Episodic memory (AI context): 365 days from last interaction; doctor can delete individual memories at any time
  • Sentry error reports: 30 days, anonymised — no personal data included per scrubbing configuration
  • Vercel / Railway infra logs: 30 days, contain IP metadata only
  • Deleted account data: Permanently purged within 30 days of deletion request, except where legal holds apply

9. Cookies & Tracking

We use only essential cookies and browser storage required for authentication and session management. We do not use third-party advertising cookies, cross-site tracking pixels, browser fingerprinting, or behavioural advertising technologies.

Supabase Auth uses a secure, HttpOnly session token stored in a cookie or localStorage depending on your browser's configuration. This token expires after 1 hour of inactivity and is renewed on activity up to a maximum 24-hour session.

We use first-party, privacy-preserving aggregated analytics to understand which features are used and identify performance issues. This data is not shared with advertising networks. For a full breakdown of cookies, see our Cookie Policy.

10. Children's Privacy

Goalka is a professional platform intended exclusively for licensed medical practitioners who must be at least 21 years of age (per eligibility requirements). We do not knowingly collect personal data from individuals under 18 years of age.

Under DPDPA 2023 Section 9, processing of children's personal data requires verifiable parental consent. Goalka's platform does not process data of minors. If you believe a minor has created an account, notify us immediately at privacy@goalka.com and we will delete the account within 48 hours of verification.

11. Changes to This Policy

We will notify you of material changes to this Privacy Policy via email to your registered address and via in-app notification at least 30 days before changes take effect. Non-material changes (e.g., clarifications, formatting) may take effect without prior notice.

Your continued use of Goalka after the effective date of any material change constitutes your acceptance of the revised Policy. If you disagree with changes, you may exercise your right to erasure and close your account before the new Policy takes effect. Version history is available at /changelog.

12. Contact & Grievance Officer

For all privacy inquiries, data rights requests, consent withdrawals, or formal complaints, contact our Grievance Officer as designated under Rule 5(9) of the IT (SPDI) Rules, 2011 and DPDPA 2023:

Grievance Officer (DPDPA / SPDI Rules)
Designated Privacy Officer
Goalka Technologies Private Limited
Email
privacy@goalka.com
Response: 48 hours acknowledgement / 30 days resolution
Registered Office
Goalka Technologies Private Limited
91Springboard, Koramangala
Bengaluru, Karnataka 560034, India
Legal contact
legal@goalka.com

If your grievance is not resolved within 30 days of filing, you may approach the Data Protection Board of India at dpb.gov.in once the Board becomes operational, or approach a competent court with jurisdiction in Bengaluru, Karnataka, India.