PRIVACY POLICY
1. Introduction
Star Health & Allied Insurance Co. Ltd (Star Health/Data Fiduciary) takes your privacy seriously. We value the trust you place in us when sharing your personal data and are committed to handling it in a transparent and responsible manner. This Privacy Policy explains:
- what personal data we collect,
- the purposes of using your personal data, and
- the rights available to you in relation to such data.
2. Scope
This Privacy Policy applies to individuals who interact with Star Health, including without limitation the customers, prospects, employees, intermediaries, vendors and business partners.
Definitions
For the purposes of this Privacy Policy:
"Applicable Law" shall mean and include all laws, statutes, rules, regulations, ordinances, notifications, circulars, guidelines, and directives issued by any governmental, statutory, or regulatory authority in India as amended from time to time, including but not limited to Digital Personal Data Protection Act, 2023 and rules made thereunder and The Insurance Regulatory and Development Authority Act, 1999 and any other regulations, guidelines, or directions issued.
"Account" means a unique account created for you to access our Service or parts of our Services.
"Child" means an individual who has not completed the age of eighteen years.
"Cookies" are small files that are placed on your computer, mobile device or any other device by a website, containing details of your browsing history on that website among its many uses. These are also known as browser cookies or tracking cookies. They are small, often encrypted text files located in the browser of your device(s), such as your computer, laptop, mobile phone or digital tablet. These cookies facilitate smoother navigation across the Star Health website and enable certain functionalities.
"Data Fiduciary" means any person who, alone or jointly with others, determines the purpose and means of processing personal data.
"Data Processor" means any third party that processes personal data on behalf of the Data Fiduciary.
"Data Principal" means the individual to whom the personal data relates, and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf; including without limitation customers, prospects, employees, policyholders, insured persons, beneficiaries, nominees, intermediaries, vendors and business partners.
"Personal Data" means any data about an individual who is identifiable by or in relation to such data.
"Personal Data Breach" means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
"Services" means all insurance-related services provided by Star Health through digital and non-digital means, including without limitation premium collection and claims settlement.
"Website" means www.starhealth.in.
3. Types of Personal Data Collected
Star Health may collect and process Personal Data as necessary for the provision of insurance, wellness, and related services, in accordance with applicable law. Such Personal Data may include the following:
3.1 Information You Provide Directly:
Personal Data voluntarily provided by individuals while registering on or using Star Health’s websites, mobile applications, or services, or while communicating with Star Health through email, telephone, physical forms, or other channels. This may include name, email address, mobile number, residential address, date of birth or age, professional or occupational information, health or wellness related information where applicable, and any other information voluntarily shared for the purpose of availing Star Health’s services.
3.2 KYC and Verification Information:
Personal Data collected for identity verification, regulatory compliance, or service onboarding purposes, including government-issued identification details such as PAN, Driving Licence, Passport, Voter ID, or Aadhaar, collected only where permitted under applicable law and in accordance with regulatory requirements. Where applicable, alternate identification documents may be accepted in line with governing guidelines.
3.3 Financial and Transactional Information:
Personal Data necessary for service delivery and insurance transactions, including bank account details, payment instrument information, premium or service payment details, and other limited financial information relevant to policy issuance, servicing, underwriting, or claim settlement.
3.4 Automatically Collected Usage and Technical Information:
Personal Data that may be collected automatically when individuals access or use Star Health’s digital services, including Internet Protocol (IP) address, browser type and version, device identifiers, operating system details, interaction logs, timestamps, usage patterns, and similar technical or usage-related metadata. Such information is used to support system security, service functionality, analytics, and improvement of user experience.
3.5 Cookies and Similar Technologies:
Personal Data may also be collected through cookies and similar tracking technologies deployed on Star Health’s websites or applications, including identifiers and usage-related information associated with a browser, device, or interactions with Star Health’s Services. Where such information relates to an identifiable individual, it is treated as Personal Data and is used to enable essential service functionality, improve performance, conduct analytics, and support user preferences, subject to applicable consent mechanisms and browser or device settings.
4. How We Collect Your Personal Data
4.1 Direct Collection from Individuals:
Personal Data may be collected directly from individuals when they register, apply for, or avail insurance, wellness, or related services through Star Health’s websites, mobile applications, digital platforms, or other interfaces made available by Star Health. This includes Personal Data provided when individuals submit proposal forms, claim forms, service requests, grievance submissions, or other required documentation, whether in digital or physical form, as well as Personal Data shared during interactions with Star Health through customer support channels, call centers, email correspondence, telephone conversations, or other modes of direct communication.
4.2 Indirect Collection through Insurance Intermediaries and Third Parties:
Personal Data may also be collected indirectly through insurance intermediaries or third-party vendors who lawfully collect such data in accordance with applicable laws, including vendors engaged for lead generation or customer outreach activities, in connection with the provision of insurance services.
Any Personal Data collected through the above channels is processed solely for specified and lawful purposes, in accordance with the specific Privacy notice issued with this Privacy Policy, the Digital Personal Data Protection Act, 2023 (Act), and applicable regulatory requirements.
5. How We Use Personal Data
Star Health collects and processes Personal Data only for lawful purposes, in accordance with the provisions of the Act. Such processing is carried out only where it is based either on explicit consent by the Data Principal or on legitimate use permitted under applicable law, and only to the extent reasonably necessary and proportionate to achieve the stated purpose or a compatible purpose consistent with the context of collection. Personal data will be processed for:
5.1 Insurance Service Delivery and Contract Administration:
Processing Personal Data for the purpose of providing insurance products and services, including entering and performing insurance contracts, underwriting and risk assessment, issuing and administering policies, managing policy servicing activities, processing and settlement of claims, facilitating coordination with network hospitals for cashless treatment, communicating with customers regarding policy information, claim status, service requests, customer support, and grievance redressal.
5.2 Marketing and Customer Engagement:
Processing Personal Data to provide information regarding insurance products, services, promotional offers, or customer engagement initiatives, only where such communication is permitted under applicable law and based on the explicit consent by the Data Principal.
5.3 Service Improvement and Analytics:
Processing Personal Data to analyse usage trends of digital services, evaluate the effectiveness of services and campaigns, conduct analytics, research, and service improvement initiatives, and enhance customer experience and platform functionality. Where feasible, such data is anonymised or aggregated.
5.4 Fraud Prevention and Security:
Processing Personal Data for the purposes of detecting and preventing fraud or suspicious activity, ensuring the security of systems and digital services, and protecting against unauthorised access, misuse, or cyber threats.
5.5 Regulatory and Legal Compliance:
Processing Personal Data to comply with applicable legal and regulatory obligations, including requirements issued by regulatory authorities such as the Insurance Regulatory and Development Authority of India (IRDAI) and other competent authorities. This may include regulatory reporting, audits, investigations, and compliance with statutory obligations.
6. Disclosure of Personal Data
Disclosure of Personal Data constitutes a form of processing and is undertaken only for lawful purposes, and only where such disclosure is necessary, proportionate, and supported either by the explicit consent of the Data Principal or by legitimate use permitted under applicable law. Your Personal Data may be disclosed in the following circumstances:
6.1 Insurance Service Delivery and Administration:
Where disclosure is necessary for the provision, administration, or servicing of insurance products and related services, including disclosure to network hospitals, third-party administrators, reinsurers, medical service providers, claims administrators, technology service providers, or other vendors and partners engaged by Star Health, strictly for purposes such as policy issuance, servicing, claims processing, verification, fraud prevention, customer support, or regulatory reporting.
6.2 Law Enforcement and Legal Compliance:
Where disclosure is necessary to comply with applicable laws, regulations, court orders, regulatory directives, or lawful requests from government or statutory authorities, including obligations imposed by the IRDAI or other competent authorities.
6.3 Protection and Enforcement:
Where disclosure is necessary for legitimate purposes such as protecting the rights, property, or interests of Star Health, preventing, detecting, or investigating fraud or other unlawful activity, protecting the safety of Data Principals or the public, or defending against legal claims or liabilities.
Where Personal Data is disclosed to private entities such as network hospitals, third-party administrators, service providers, vendors, or other partners engaged by Star Health, such disclosures are governed by appropriate contractual arrangements requiring such entities to implement reasonable technical and organizational measures to safeguard Personal Data and process it only for authorized purposes, in accordance with applicable data protection laws. This contractual requirement does not apply to disclosures made to government or statutory authorities acting in their official capacity. All disclosures of Personal Data are limited to what is reasonably necessary for the stated purpose and are carried out in accordance with applicable data protection laws and regulatory requirements.
7. Consent Mechanism for Processing of Personal Data
Star Health processes Personal Data either on the basis of legitimate use permitted under applicable law or, where required, on the basis of explicit consent obtained from you in accordance with the Act. Where processing is based on consent, such consent is obtained after providing a clear and accessible notice to you, and such consent collected must be free, specific, informed, unconditional, and unambiguous by providing a clear affirmative action. Such consent is limited to the purposes disclosed in the notice at the time of collection.
7.1 Consent for Children:
Where the processing of Personal Data of a Child is required in connection with insurance products or related services, Star Health processes such Personal Data only upon obtaining verifiable consent of the parent or lawful guardian, in accordance with the Act and the rules made thereunder. Star Health adopts appropriate technical and organizational measures and exercises due diligence, as required under applicable law, to verify that such explicit consent is provided by an adult who is the parent or lawful guardian.
7.2 Consent for Persons with Disabilities (PWD):
Star Health may process the Personal Data of a person with disability who is unable to take legally binding decisions on his/her own behalf, where such processing is required in connection with insurance products or related services. In such cases, Star Health processes the Personal Data of such person only upon obtaining verifiable consent from the parent or lawful guardian, in accordance with the Act and the rules made thereunder.
8. Transfer of Personal Data Outside India
Star Health may transfer Personal Data outside the territory of India only to the extent permitted under applicable law. Any such cross-border transfer of Personal Data shall be carried out strictly in accordance with the Act and subject to such restrictions, conditions, or safeguards as may be specified by the Central Government, by general or special order, in respect of making such Personal Data available to a foreign State or to any person, entity, or agency under the control of or acting on behalf of such State. Star Health ensures that appropriate safeguards are in place in connection with any permitted cross-border transfer of Personal Data.
9. Retention of Your Personal Data
9.1 Star Health retains Personal Data only for as long as it is necessary to fulfil the purposes for which such data is collected and processed, and in accordance with applicable legal, regulatory, contractual, and operational requirements. Retention periods are determined by considering factors such as the lifecycle of insurance policies, statutory and regulatory record-keeping obligations, claims and underwriting requirements, fraud-prevention needs, dispute resolution, audits, and other lawful purposes permitted under applicable law, including directions or guidelines issued by the IRDAI.
9.2 Upon expiry of the applicable retention period, Personal Data is securely deleted, purged, or anonymised, unless continued retention is required to comply with a subsisting legal or regulatory obligation, or in connection with an ongoing claim, dispute, investigation, audit, or other legitimate business purpose permitted under law.
9.3 Anonymised data, which no longer identifies any individual, may be retained and used for purposes such as analytics, statistical modelling, product development, risk assessment, or service improvement.
10. Security of Your Personal Data and Privacy Governance
10.1 Star Health implements reasonable security safeguards to protect Personal Data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by Data Processors, in accordance with the Act. Star Health maintains an information security and privacy governance framework aligned with internationally accepted standards and practices and is certified under ISO/IEC 27001, reflecting its commitment to maintaining appropriate technical and organizational controls for the protection of Personal Data.
10.2 Star Health has adopted appropriate technical and organizational measures designed to prevent unauthorized access, disclosure, alteration, misuse, loss, or destruction of Personal Data, and to reduce the risk of personal data breaches. Such measures include, where applicable, securing Personal Data through encryption or other suitable protection mechanisms; implementing role-based access controls to restrict access to authorized personnel and service providers on a need-to-know basis; maintaining visibility over access to Personal Data through appropriate logging, monitoring, and review mechanisms to enable detection of unauthorized access, investigation, and remediation; and implementing reasonable measures to ensure continued processing and availability of Personal Data in the event of a security incident, including through data backup and recovery mechanisms.
10.3 In support of these security safeguards, Star Health maintains an internal privacy governance framework that provides oversight, accountability, and operational control over data protection practices. This framework includes a designated Data Protection Officer, a Privacy and Compliance Team responsible for monitoring compliance with data protection obligations and regulatory requirements, an Information Security Team responsible for implementing and maintaining security controls, and departmental privacy champions who promote privacy-by-design principles and ensure adherence to data protection requirements within business functions.
11. Data Principal Rights and Responsibilities
11.1 Under the Act and the rules made thereunder, Data Principals have the following rights, subject to applicable law:
- The right to obtain access to, and a summary of, the Personal Data being processed by Star Health, along with information relating to such processing, in accordance with the Act.
- The right to request correction, completion, or updating of inaccurate, misleading, or incomplete Personal Data.
- The right to request erasure of Personal Data, where applicable, provided that such data is no longer necessary for the specified purpose and is not required to be retained for compliance with any law for the time being in force.
- The right to raise grievances in relation to the processing of Personal Data or the exercise of rights under applicable law, through readily available grievance redressal mechanisms provided by Star Health.
- The right to nominate another individual to exercise rights on behalf of the Data Principal in the event of death or incapacity, in the manner prescribed under applicable law.
11.2 Data Principals may exercise the above rights or lodge any grievance by contacting Star Health through its designated customer care channels or privacy contact details. All requests and grievances are reviewed and addressed in accordance with the Act, applicable rules, and regulatory requirements, and Data Principals are required to exhaust internal grievance redressal mechanisms before approaching any adjudicatory authority.
11.3 While exercising their rights under applicable law, Data Principals are expected to:
- Comply with all applicable laws.
- Refrain from impersonating another individual or suppressing any material information.
- Ensure that grievances raised are not false or frivolous.
12. Personal Data Breach Management
12.1 In the event of a Personal Data Breach, Star Health will take the following actions in accordance with applicable law:
- Promptly assess, contain, and mitigate the breach to prevent any further unauthorized access, disclosure, alteration, or loss of Personal Data.
- Investigate the incident to identify its nature, scope, and root cause, and implement appropriate corrective and preventive measures to avoid recurrence.
- Maintain records of the personal data breach and the actions taken, in accordance with applicable legal and regulatory requirements.
- Intimate the appropriate authorities and each affected Data Principal, in the manner and within the timelines prescribed under the Act and the rules made thereunder.
- Provide affected Data Principals with relevant information necessary to enable them to take appropriate protective or precautionary measures.
- Coordinate with third-party service providers or Data Processors involved in processing Personal Data on behalf of Star Health to ensure compliance with applicable breach management and reporting obligations.
- Issue communications relating to a personal data breach in accordance with applicable law and regulatory guidance.
13. Grievance Redressal and Contact Details
13.1 For any concerns, queries, or grievances relating to the processing of Personal Data, or to exercise rights available under the Act, Data Principals may contact Star Health through the channels set out below. All requests and grievances will be reviewed and addressed in accordance with the provisions of the Act, the rules made thereunder, and applicable regulatory requirements.
Contact Details:
- Customer Care: 044 6900 6900 / 1800 102 4477
- Email (Privacy-related queries): privacy@starhealth.in
- For grievances: dpo@starhealth.in
13.2 The designated Privacy team will review and respond to grievances and rights-related requests within the timelines prescribed under applicable law.
14. Links to Other Websites
Star Health’s services may contain links to third-party websites or services that are not operated or controlled by Star Health. Star Health is not responsible for the privacy practices or content of such third-party websites, and Data Principals are advised to review the respective privacy policies of those websites independently.
15. Changes to This Privacy Policy
Star Health reserves the right to update or modify this Privacy Policy from time to time. Any updates will be published on Star Health’s website, and Data Principals are encouraged to review this Privacy Policy periodically for the latest information.
Note: Requests from Data Principals relating to withdrawal of consent, correction, or erasure of Personal Data will be processed in accordance with the timelines and requirements prescribed under the Act and applicable rules.