Privacy Policy
Last updated: July 5, 2026
This Privacy Policy explains how Chintamanikrupa Solutions Private Limited ("Velorian," "we," "us," or "our") collects, uses, discloses, and protects information in connection with the Velorian clinic-management platform (the "Service"). It applies to our marketing website, our onboarding flow, and the Portal used by subscribing clinics and their staff.
1. Scope of this policy
This policy covers two distinct categories of information, which we treat differently:
- Account & usage information — information about you as a website visitor, prospective customer, or as an Authorized User of a subscribing Organization (name, email, phone, role, log/device data). We are the data fiduciary/controller for this information.
- Patient data— information about patients that a subscribing clinic enters into the Service (demographics, medical history, vitals, diagnoses, prescriptions, visit and appointment records, invoices). The subscribing clinic is the data fiduciary/controller for this information; we process it only as a service provider on the clinic's behalf. See Section 4.
2. Who we are
Velorian is a product of Chintamanikrupa Solutions Private Limited, a company based in Nanded, Maharashtra 431602, India. For any privacy-related question, see Contact us below.
3. Information we collect
Information you provide directly
- Account & organization details: name, email address, phone number, password (stored as a salted hash, never in plain text), clinic/organization name, branch details, branding preferences (logo, accent color), and role.
- Verification data: one-time email verification codes (stored as a hash, not in plain text) used to confirm your email during signup.
- Billing information: the subscription plan you choose, and payment metadata such as Razorpay order/payment identifiers, amount, and currency. We do not collect or store your card number, UPI ID, or bank account details — those go directly to Razorpay, our payment processor.
- Google Sign-In data:if you choose "Continue with Google," we receive your name, email address, and email-verification status from Google, subject to your Google account settings.
- Communications: messages you send us (e.g. support requests, recovery requests), and the email address you use to send them.
- Patient Datayour Organization's Authorized Users enter into the Portal — see Section 4.
Information collected automatically
- Log and device data: IP address, request method/path, response status, timestamps, and similar technical request metadata, collected for security, debugging, and abuse-prevention purposes.
- Session data:authentication tokens stored in your browser's session storage to keep you signed in during onboarding and while using the Portal.
4. Special notice about patient data
5. How we use information
- To provide, operate, and maintain the Service, including the Portal your Organization uses day to day.
- To create and secure accounts, verify email addresses, and authenticate sign-ins.
- To process payments and manage subscriptions through Razorpay.
- To send transactional communications: verification codes, welcome/setup emails, appointment confirmations and reminders, and payment-related notices.
- To respond to support requests and account-recovery requests.
- To detect, prevent, and investigate fraud, abuse, or security incidents.
- To maintain audit trails required for clinical-record integrity (e.g., edits to completed visit records).
- To comply with legal obligations, and to enforce our Terms of Service.
- To improve and develop the Service.
We do not sell personal information, and we do not use Patient Data for advertising.
6. Legal basis for processing
Where applicable law requires a legal basis for processing, we rely on: performance of our contract with you (providing the Service you signed up for), your consent (e.g. email verification, Google Sign-In), our legitimate interests (security, fraud prevention, service improvement), and compliance with legal obligations (e.g. tax and accounting records for payments).
9. International data transfers
Our infrastructure providers may process or store data on servers located outside your home country, including outside India. Where we transfer personal information across borders, we take reasonable steps to ensure it continues to receive an appropriate level of protection consistent with this policy and applicable law.
10. Data retention
We retain account and billing information for as long as your Organization's subscription is active, and for a reasonable period afterward to allow data export, resolve disputes, and meet accounting/tax/legal retention obligations. Patient Data is retained per your Organization's instructions and for as long as your subscription continues; upon termination, it is handled as described in our Terms of Service. We delete or anonymize information once it is no longer needed for these purposes, subject to any longer retention required by law.
11. Data security
We use industry-standard safeguards designed to protect information, including salted password hashing (bcrypt), HMAC-verified payment webhooks, encrypted transport (HTTPS), and rate-limiting on authentication-sensitive endpoints. No system is completely secure, and we cannot guarantee the absolute security of information transmitted to or stored by the Service.
12. Your rights
Subject to applicable law (including India's Digital Personal Data Protection Act, 2023), you may have the right to:
- request access to the personal information we hold about you;
- request correction of inaccurate or incomplete information;
- request erasure of your personal information, subject to our legitimate retention needs (e.g. legal/accounting obligations);
- withdraw consent you previously gave us, where processing is based on consent, without affecting processing carried out before withdrawal;
- nominate another individual to exercise these rights on your behalf in the event of your death or incapacity; and
- lodge a grievance with our Grievance Officer (Section 14) and, if unresolved, with the competent data protection authority.
If you are a patient, please direct these requests to the clinic that treated you, as explained in Section 4 — we support clinics in fulfilling such requests but do not independently control patient data.
To exercise these rights regarding your own account/organization information, contact us at support@velorian.app.
13. Children's privacy
The Service is intended for use by clinic staff and administrators who are adults, and account registration is not directed at children. Where a clinic records patient data about a minor, that data is entered and managed under the clinic's own authority and the consent of the minor's parent or lawful guardian, not collected by us directly from the child.
14. Grievance officer
In accordance with applicable Indian law, our Grievance Officer is:
- Name: Govind Deshmukh
- Email: Govind.Deshmukh@velorian.app
You may contact the Grievance Officer with any complaint or concern regarding the processing of your personal information, and we will make reasonable efforts to acknowledge and address it as soon as reasonably practicable.
15. Changes to this policy
We may update this policy from time to time. If we make material changes, we will provide reasonable notice (for example, by email or a notice within the Portal) before the changes take effect. The "Last updated" date above reflects the most recent revision.
16. Governing law
This policy is governed by the laws of India. Subject to applicable law, the courts of Nanded, Maharashtra 431602, India have exclusive jurisdiction over any dispute arising out of or relating to this policy.
17. Contact us
Questions about this policy or our data practices can be sent to:
- General inquiries: info@velorian.app
- Privacy/legal notices: contact@velorian.app
- Support (including data access/correction/deletion requests): support@velorian.app
- Grievance Officer: Govind.Deshmukh@velorian.app
Chintamanikrupa Solutions Private Limited — Nanded, Maharashtra 431602, India.