Healthcare

Apollo 24/7

Ready Score 35/100
Analysis supervised by Sushant Pasumarty
📅 24 Feb 2026

Apollo 24/7's privacy policy is detailed about data collection but remains largely anchored to the IT Act 2000 and SPDI Rules. Given it handles highly sensitive medical data, the lack of explicit DPDP Act 2023 alignment, especially concerning granular consent, specific data retention, and DPB redressal, poses significant compliance risks.

⚠️ Compliance Gaps

  • No explicit DPDP Act 2023 reference — still relies on IT Act 2000 framework
  • Consent mechanism bundled, not 'freely given' per Section 6
  • Data retention period undefined — uses 'as long as necessary' language
  • No mention of Data Protection Board grievance escalation
  • Cross-border transfer provisions lack specificity on restricted jurisdictions
  • Nomination rights under Section 14 not addressed
  • Broad 'legitimate uses' not DPDP-compliant

✅ Strengths

  • Comprehensive data collection disclosure — categories clearly listed
  • Grievance officer contact published with email
  • Acknowledges access, correction, deletion rights
  • General security measures described including internal policies

Overview

Apollo 24/7, operated by Apollo Healthco Limited, is a major digital healthcare platform in India, offering services like online consultations, pharmacy, and diagnostic tests. It collects extensive Sensitive Personal Data or Information (SPDI) including medical records, health conditions, financial details, and biometric information. Compliance with the DPDP Act is critical due to the highly sensitive nature and volume of data it handles, making any gaps a significant concern for both users and the company.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent 🔴

Apollo 24/7’s policy states: “By accessing or using this Website/ App, you agree to be bound by the terms described herein…” and “By signing up on the App or proceeding to the Website… and consent to their collection, use, and disclosure in accordance with this Privacy Policy.” This means consent is bundled with the terms of use, a “take it or leave it” approach.

DPDP requirement: Consent must be free, specific, informed, unconditional, and given for a specific purpose. It must be as easy to withdraw as to give.

The problem: Users have no option to consent to certain data uses (e.g., medical consultation) while opting out of others (e.g., marketing or “machine learning algorithms” mentioned in Section 4). This blanket consent does not meet the DPDP’s “freely given” and “specific” standards.

Section 7 — Certain Legitimate Uses ⚠️

The policy lists numerous uses for data, including “Offering you personalized Services and targeted advertisements,” “Creating insights for corporate/business strategy,” “Developing machine learning algorithms,” and “Contacting you to provide information on new Services, features, products, special promotions or offers.”

DPDP requirement (Section 7): Legitimate uses are narrowly defined, generally covering scenarios where obtaining consent is impractical or undesirable (e.g., voluntary provision by the individual, state functions, medical emergencies, employment, public interest).

The problem: Many of Apollo 24/7’s stated purposes, such as personalized ads, corporate strategy insights, and machine learning model development, do not fall under DPDP’s narrow legitimate uses. For these, explicit, granular consent would be required. The policy implies these are covered by general consent.

Section 8 — Obligations of Data Fiduciary ⚠️

The policy states: “We use reasonable technical, administrative, and physical security measures for the purpose of safeguarding all data you share with us.” It also mentions “comprehensive internal policies” and that third parties are “obligated to protect your data.”

DPDP requirement (Section 8): A Data Fiduciary (the company that decides how and why your data is processed) must implement “reasonable security safeguards” to prevent data breaches.

The problem: While “reasonable measures” are mentioned, the policy gives no specifics about the nature of these safeguards, any certifications held (such as ISO 27001 or PCI-DSS), or whether regular audits are performed. Given the sensitivity of health data, a more robust and transparent description of security protocols would be expected.

Section 9 — Data Retention 🔴

Critical gap. The policy uses vague language: “We store your personal information in accordance with applicable laws, which means we keep your data for as long as necessary to provide you with our Services or as may be required under any law.” It also states, “We keep de-identified data for research and statistical purposes for a longer period.”

DPDP requirement (Section 9): Data shall be erased when consent is withdrawn or the purpose for which it was collected is fulfilled. The Data Fiduciary must ensure data is erased within a reasonable period, and not retain it indefinitely.

The problem: There are no specific retention timelines for different data types. The phrase “as long as necessary” is open to interpretation and does not meet the DPDP’s requirement for clear retention periods. Indefinite retention of de-identified data for research also raises questions about whether that data is effectively anonymised in practice and whether its use is still tied to the original purpose of collection.

Section 11 — Rights of Data Principal ⚠️

Apollo 24/7 acknowledges: “You have the right to access your personal information, request updation, correction, and deletion.” It also offers steps to “delete their AHL account.” Users can “withdraw consent” for data they have already provided.

DPDP requirement: Data Principals (the individual whose data is being processed) have rights including access, correction, erasure, nomination of a person to exercise rights, and grievance redressal.

The problem: While basic rights are covered, there is no mention of the right to nominate another person to exercise rights on their behalf (Section 14 of DPDP). Also, limitations on deletion (e.g., if data is for “evaluative purposes” or “prosecution”) are mentioned, which could conflict with the absolute right to erasure post-purpose fulfillment.

Section 12 — Right of Grievance Redressal 🔴

A Grievance Officer, Mr. Madhu Aravind (privacy@apollo247.com), is named for questions and exercising rights. The policy also mentions acknowledging complaints within 24 hours and disposing of them within 15 days, but this is explicitly stated for grievances “in relation to Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.”

DPDP requirement: A Data Fiduciary must establish an effective grievance redressal mechanism and inform Data Principals about their right to complain to the Data Protection Board of India if their grievance isn’t resolved.

The problem: The policy does not refer to the DPDP Act 2023 for grievance redressal. Crucially, it does not mention the Data Protection Board of India as an escalation path, which is a mandatory element under the new law. The stated timelines are tied to older IT Rules, not the DPDP Act.

Section 16 — Cross-Border Data Transfer 🔴

The policy states data may be transferred to “entities located outside India, which you hereby consent to” and “Service Providers… may be located within or outside India” and “Business Affiliates… including foreign entities.”

DPDP requirement (Section 16): Personal data can only be transferred outside India to countries notified by the Central Government. Such transfers must also adhere to specific terms and conditions.

The problem: Apollo 24/7’s blanket consent for data transfer to unspecified “entities located outside India” does not align with DPDP’s requirement for transfers only to notified jurisdictions. There is no mention of specific countries or the safeguards applied to such transfers under the new law.

Risk Assessment

Category | Risk Level | Potential Impact
Regulatory fine | High | Up to ₹250 Cr per instance under DPDP
Consent compliance | Critical | Bundled consent for sensitive health data could lead to major fines
Data retention | Critical | Indefinite retention of health data = significant exposure
Cross-border transfer | High | Transfers to non-notified countries are illegal under DPDP
Data principal rights | Medium | Incomplete rights framework needs updating for DPDP
Grievance redressal | High | Absence of DPB escalation path is a major non-compliance

Recommendations

  1. Update legal framework references — Explicitly cite the DPDP Act 2023 throughout the policy and map sections to corresponding DPDP provisions.
  2. Implement layered, granular consent — Separate consent for different processing purposes (e.g., core service, marketing, research, third-party sharing) especially for sensitive health data.
  3. Define specific retention periods — Clearly state how long different types of data are kept, linked to the purpose of processing. “Medical records: X years as per regulatory mandate; marketing data: deleted on consent withdrawal within Y days.”
  4. Add Data Protection Board escalation — Include the DPB as the final grievance resolution step after internal processes.
  5. Address nomination rights — Allow users to nominate a person to exercise their rights, as required by Section 14.
  6. Specify cross-border transfer details — Clearly list the countries to which data is transferred (once the government notifies them) and the safeguards in place for these transfers.

Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.
