Velorian

Privacy Policy

Last updated: July 5, 2026

This Privacy Policy explains how Chintamanikrupa Solutions Private Limited ("Velorian," "we," "us," or "our") collects, uses, discloses, and protects information in connection with the Velorian clinic-management platform (the "Service"). It applies to our marketing website, our onboarding flow, and the Portal used by subscribing clinics and their staff.

1. Scope of this policy

This policy covers two distinct categories of information, which we treat differently:

  • Account & usage information — information about you as a website visitor, prospective customer, or as an Authorized User of a subscribing Organization (name, email, phone, role, log/device data). We are the data fiduciary/controller for this information.
  • Patient data— information about patients that a subscribing clinic enters into the Service (demographics, medical history, vitals, diagnoses, prescriptions, visit and appointment records, invoices). The subscribing clinic is the data fiduciary/controller for this information; we process it only as a service provider on the clinic's behalf. See Section 4.

2. Who we are

Velorian is a product of Chintamanikrupa Solutions Private Limited, a company based in Nanded, Maharashtra 431602, India. For any privacy-related question, see Contact us below.

3. Information we collect

Information you provide directly

  • Account & organization details: name, email address, phone number, password (stored as a salted hash, never in plain text), clinic/organization name, branch details, branding preferences (logo, accent color), and role.
  • Verification data: one-time email verification codes (stored as a hash, not in plain text) used to confirm your email during signup.
  • Billing information: the subscription plan you choose, and payment metadata such as Razorpay order/payment identifiers, amount, and currency. We do not collect or store your card number, UPI ID, or bank account details — those go directly to Razorpay, our payment processor.
  • Google Sign-In data:if you choose "Continue with Google," we receive your name, email address, and email-verification status from Google, subject to your Google account settings.
  • Communications: messages you send us (e.g. support requests, recovery requests), and the email address you use to send them.
  • Patient Datayour Organization's Authorized Users enter into the Portal — see Section 4.

Information collected automatically

  • Log and device data: IP address, request method/path, response status, timestamps, and similar technical request metadata, collected for security, debugging, and abuse-prevention purposes.
  • Session data:authentication tokens stored in your browser's session storage to keep you signed in during onboarding and while using the Portal.

4. Special notice about patient data

If you are a patient of a clinic that uses Velorian: your clinic — not Velorian — decides what information about you is collected and why, and is responsible for providing you any privacy notice and obtaining any consent required by law. Velorian processes patient data only on that clinic's behalf, to provide the software the clinic uses to run its practice (appointments, records, billing). Requests to access, correct, or delete your patient information should be directed to the clinic that treated you; we will support the clinic in fulfilling such requests through the Service.

5. How we use information

  • To provide, operate, and maintain the Service, including the Portal your Organization uses day to day.
  • To create and secure accounts, verify email addresses, and authenticate sign-ins.
  • To process payments and manage subscriptions through Razorpay.
  • To send transactional communications: verification codes, welcome/setup emails, appointment confirmations and reminders, and payment-related notices.
  • To respond to support requests and account-recovery requests.
  • To detect, prevent, and investigate fraud, abuse, or security incidents.
  • To maintain audit trails required for clinical-record integrity (e.g., edits to completed visit records).
  • To comply with legal obligations, and to enforce our Terms of Service.
  • To improve and develop the Service.

We do not sell personal information, and we do not use Patient Data for advertising.

7. Cookies and similar technologies

As of the date above, we use only essential session storage/local storage to keep you signed in and to carry you through the onboarding flow — we do not currently use third-party advertising or analytics cookies/trackers on the Service. If this changes, we will update this policy and, where required by law, seek your consent before doing so.

8. How we share information

We share information only as needed to provide the Service:

  • Razorpay — to process subscription payments.
  • Google— to support "Continue with Google" sign-in, if you choose that option.
  • Email delivery providers — to send verification codes, welcome emails, and appointment-related notifications.
  • Hosting/infrastructure providers — to store and run the Service (e.g. our database and application hosting).
  • Legal & safety — where required to comply with law, legal process, or to protect the rights, safety, and security of Velorian, our customers, or the public.
  • Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to standard confidentiality protections.

We do not sell your personal information to third parties.

9. International data transfers

Our infrastructure providers may process or store data on servers located outside your home country, including outside India. Where we transfer personal information across borders, we take reasonable steps to ensure it continues to receive an appropriate level of protection consistent with this policy and applicable law.

10. Data retention

We retain account and billing information for as long as your Organization's subscription is active, and for a reasonable period afterward to allow data export, resolve disputes, and meet accounting/tax/legal retention obligations. Patient Data is retained per your Organization's instructions and for as long as your subscription continues; upon termination, it is handled as described in our Terms of Service. We delete or anonymize information once it is no longer needed for these purposes, subject to any longer retention required by law.

11. Data security

We use industry-standard safeguards designed to protect information, including salted password hashing (bcrypt), HMAC-verified payment webhooks, encrypted transport (HTTPS), and rate-limiting on authentication-sensitive endpoints. No system is completely secure, and we cannot guarantee the absolute security of information transmitted to or stored by the Service.

12. Your rights

Subject to applicable law (including India's Digital Personal Data Protection Act, 2023), you may have the right to:

  • request access to the personal information we hold about you;
  • request correction of inaccurate or incomplete information;
  • request erasure of your personal information, subject to our legitimate retention needs (e.g. legal/accounting obligations);
  • withdraw consent you previously gave us, where processing is based on consent, without affecting processing carried out before withdrawal;
  • nominate another individual to exercise these rights on your behalf in the event of your death or incapacity; and
  • lodge a grievance with our Grievance Officer (Section 14) and, if unresolved, with the competent data protection authority.

If you are a patient, please direct these requests to the clinic that treated you, as explained in Section 4 — we support clinics in fulfilling such requests but do not independently control patient data.

To exercise these rights regarding your own account/organization information, contact us at support@velorian.app.

13. Children's privacy

The Service is intended for use by clinic staff and administrators who are adults, and account registration is not directed at children. Where a clinic records patient data about a minor, that data is entered and managed under the clinic's own authority and the consent of the minor's parent or lawful guardian, not collected by us directly from the child.

14. Grievance officer

In accordance with applicable Indian law, our Grievance Officer is:

You may contact the Grievance Officer with any complaint or concern regarding the processing of your personal information, and we will make reasonable efforts to acknowledge and address it as soon as reasonably practicable.

15. Changes to this policy

We may update this policy from time to time. If we make material changes, we will provide reasonable notice (for example, by email or a notice within the Portal) before the changes take effect. The "Last updated" date above reflects the most recent revision.

16. Governing law

This policy is governed by the laws of India. Subject to applicable law, the courts of Nanded, Maharashtra 431602, India have exclusive jurisdiction over any dispute arising out of or relating to this policy.

17. Contact us

Questions about this policy or our data practices can be sent to:

Chintamanikrupa Solutions Private Limited — Nanded, Maharashtra 431602, India.