This Privacy Policy explains what information PublicListen collects, why we collect it, how we use it, and the rights you have over it. Plain language first, legal precision second.
We collect the minimum data we need to verify patients, surface useful information, and keep the platform safe. Here's exactly what we collect, grouped by type.
What we do not collect: we never request your government ID number, biometric data, complete medical record, or banking credentials. If a page ever asks for these, treat it as a phishing attempt and report it to security@publiclisten.com.
Every piece of data we collect serves a specific, declared purpose. The table below lists those purposes — if a use isn't here, we don't do it.
| Data type | How we use it |
|---|---|
| Account info | Authenticate you, secure your account, send transactional emails (password reset, OTP, review status). |
| Reviews & ratings | Display under your chosen display name on doctor and hospital pages; aggregate into platform-wide metrics. |
| Bill uploads | Strip personal identifiers, then aggregate cost data points to power the Treatment Costs page. |
| Verification documents | One-time review check by our moderation team; archived encrypted; never shown to other users. |
| Usage data | Improve site performance, detect abuse/fraud, surface trending searches anonymously. |
| Location (approximate) | Show relevant doctors and hospitals in your city by default; can be disabled. |
| Email address | Send essential service emails. Marketing emails only with explicit opt-in. |
We do not use your data for: behavioural ad targeting, training third-party AI models, selling to data brokers, or any purpose not listed above.
Where applicable laws (such as the DPDP Act, 2023 in India and the GDPR) require us to declare our legal basis for using your data, we rely on:
Your data stays inside PublicListen by default. We share it only in four narrowly defined situations:
Your display name, profile photo (if uploaded), reviews, and ratings are publicly visible. Your real name, email, phone, and verification documents are never displayed.
We use a small set of vetted vendors who help us run the platform — for example, cloud hosting (AWS), transactional email (SES), SMS OTP (Twilio/MSG91), and error monitoring (Sentry). All are bound by data-processing agreements that mirror the protections in this policy.
We may disclose data when legally compelled — court order, valid law-enforcement request, or to protect the rights and safety of users. We push back on overbroad requests and publish an annual transparency report.
If PublicListen is acquired or merges with another entity, your data may transfer to the acquirer. You will be notified by email at least 30 days in advance and given the option to delete your account.
We never: sell, rent, or lease personal data to advertisers, data brokers, insurers, pharmaceutical companies, or healthcare-marketing firms.
We use cookies and similar technologies in three categories. You can manage cookie preferences from the banner shown on your first visit or from your browser settings.
We honor the Global Privacy Control (GPC) signal and Do Not Track (DNT) header. If either is present, analytics cookies are disabled.
We keep data only as long as it serves the purpose it was collected for. Specific retention windows:
| Data | Retention |
|---|---|
| Active account data | Until you delete your account |
| Public reviews | Indefinitely (or until you delete them) |
| Verification documents | 12 months after verification, then auto-purged |
| Server logs / access logs | 30 days |
| Backup snapshots | 90 days (encrypted) |
| Deleted accounts (residual) | 30 days hard-delete window, then permanent erasure |
We take security seriously and apply industry best practices, including:
No system is perfect. If we ever experience a data breach that affects your data, we'll notify you and the relevant authorities within 72 hours, as required by law.
You have full ownership of your data. Specifically, you can:
Request a copy of all personal data we hold about you.
Edit or correct inaccurate information from your account settings.
Delete your account and all associated personal data.
Download your data in a structured, machine-readable format (JSON).
Object to specific processing — for example, opt out of analytics.
Ask us to pause processing while we resolve a dispute or correction.
To exercise any of these rights, write to info@publiclisten.com. We respond within 7 business days and complete most requests within 30 days at no cost.
PublicListen is not intended for users under 18 years of age. We do not knowingly collect personal data from minors. If you believe a child has registered or contributed to the platform, please email privacy@publiclisten.com — we will delete the account and any associated data immediately.
Parents and guardians may submit reviews on behalf of a minor patient, provided the review describes the parent/guardian's perspective and no personal identifiers about the child are included.
PublicListen is headquartered in India, and primary data storage is in Indian data centres. Some of our service providers (e.g., transactional email, error monitoring) operate from other jurisdictions including the United States and the European Union.
For any cross-border transfer, we ensure that:
We may update this policy as our services evolve or as laws change. When we do:
If you have any questions, concerns, or requests about your data — or about this policy itself — reach out to our Data Protection Officer:
If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India or your local data-protection regulator.
Our team is here to walk you through any aspect of this policy. No legalese, no run-around — just real answers.