Privacy Policy

Last updated: 28 May 2026

1. Who we are

BlueSting is a doctor-to-doctor patient flagging platform operated in India. This policy explains how we collect, use, and protect personal data in accordance with the Digital Personal Data Protection (DPDP) Act 2023.

2. Data we collect and why

Data | Purpose
Name, NMC registration number | Verify medical credentials before granting access
Mobile number | Identity verification via OTP; account authentication
Email address | Account notifications (approval, rejection)
Specialization, city, state | Doctor directory and service quality
Patient name, phone, date of birth (masked Aadhaar optional) | Creating patient records for flagging purposes
Ratings and clinical flags | Core platform functionality — doctor-to-doctor warnings
Audit logs | Security and compliance logging

3. Legal basis for processing

We process personal data on the basis of consent obtained at registration (self-declaration checkbox) and for the legitimate purpose of providing the platform service. Patient data is entered by verified doctors in the course of their medical practice.

4. Data retention

Doctor account data is retained for as long as the account is active. Deleted accounts are purged within 30 days. Patient records and ratings are retained for the minimum period required to fulfil the platform purpose, currently indefinite pending regulatory guidance. OTP codes are automatically deleted after 24 hours.

5. Data sharing

We do not sell personal data. Data is shared only with:

  • Supabase (AWS Mumbai, ap-south-1) — database hosting, data stored in India
  • Google Cloud Run (asia-south1) — application hosting
  • MSG91 / notify service — OTP delivery via SMS to registered mobile numbers
  • Gmail SMTP — transactional email notifications

6. Your rights under DPDP Act 2023

As a Data Principal you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete personal data
  • Erase your personal data (subject to legal retention requirements)
  • Withdraw consent for data processing
  • Nominate a person to exercise rights on your behalf
  • File a complaint with the Data Protection Board of India

To exercise any of these rights, contact us at the address below.

7. Data security

We implement reasonable security safeguards including HTTPS encryption in transit, bcrypt password hashing, JWT-based authentication, rate limiting on all endpoints, and audit logging of moderation actions. Data is stored within India (Mumbai region).

8. Breach notification

In the event of a personal data breach that is likely to result in harm, we will notify affected users and the Data Protection Board of India within the timeframe prescribed under the DPDP Act 2023.

9. Grievance Officer

For any data-related complaints or requests, contact our Grievance Officer:

Deepak K

BlueSting

Email: contactus@bluesting.com

We will respond within 48 hours on business days.

10. Changes to this policy

We may update this policy periodically. Material changes will be communicated to registered users by email. Continued use of the platform after updates constitutes acceptance of the revised policy.