1. Introduction and Scope
This Privacy Policy explains how Gagahealth Private Limited (trading as “GagaHealth” / “gagahealthtech”), an India-based health-technology company (the “Operator”, “we”, “us”, or “our”), handles information in connection with the website doctaverse.com (the “Service”).
The Service is a free, clinician-facing pediatric point-of-care reference website. It has no user accounts, no login or registration, and no forms. We do not ask you to submit, and you do not submit to us, any personal data directly. Like most websites, however, the Service uses analytics technology and is served through a content-delivery network, which results in the processing of limited technical data as described below. This Policy explains exactly what is processed, by whom, why, and what rights you have.
This Policy should be read together with our Terms of Use.
2. Who Is Responsible for Your Data
The data controller (and, under India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”), the “Data Fiduciary”) responsible for the processing described in this Policy is:
- Gagahealth Private Limited (GagaHealth / gagahealthtech)
- Registered address: Bengaluru, Karnataka, India
- Contact email: contact@gagahealth.com
For the analytics processing described below, the Operator is the controller / Data Fiduciary. Our service providers (Google and Cloudflare) act primarily as processors acting on our instructions under their respective data-processing terms, and as independent controllers only for the limited purposes they reserve under those terms (see Section 5).
3. We Collect No Data Directly — But We Do Use Analytics and a CDN
To be clear and honest:
- We do not operate any account, login, registration, contact form, comment field, or other mechanism through which you would actively give us personal data.
- We use Google Analytics 4 (loaded via Google Tag Manager) to understand site usage. Analytics is non-essential and, under Google Consent Mode, does not load or set cookies until you accept analytics via our cookie banner (see Sections 7 and 9).
- We serve the site through Cloudflare, which processes limited connection and request-log data to deliver and secure the Service.
- We store a single flag in your browser’s local storage to remember your professional-use acknowledgement.
4. What Is Processed
4.1 Google Analytics 4 (via Google Tag Manager — container GTM-MHZC7RJ7)
Where loaded, Google Analytics 4 (“GA4”) sets cookies and collects analytics data about your visit. This may include:
- usage and interaction data (pages viewed, time on page, clicks, navigation paths, referring URLs, session data);
- device and technical data (browser type and version, operating system, screen/viewport, language, device type);
- approximate geographic location (derived from IP address — typically city/region level, not precise GPS); and
- online identifiers and cookie IDs / pseudonymous analytics identifiers used to distinguish devices and sessions.
On IP addresses: GA4 uses your IP address only transiently to derive approximate location and does not log, store, or expose IP addresses in reports. (There is no IP-anonymization toggle in GA4 because IP addresses are not retained.) We use GA4 data in aggregate to understand and improve site usage.
4.2 Cloudflare (CDN / edge hosting)
The Service is hosted on Cloudflare Pages and served via Cloudflare’s global edge network. To deliver, secure, and route traffic, Cloudflare processes connection and request-log data, including:
- your IP address (Cloudflare, unlike GA4, does process the full IP address in its request logs);
- request metadata (timestamps, requested URLs, HTTP method, response status, bytes transferred);
- user-agent and other HTTP headers; and
- security-related signals used for DDoS mitigation and abuse prevention.
Cloudflare may set strictly-necessary operational/security cookies (for example __cf_bm or cf_clearance) only if the relevant bot-management or challenge features are enabled on this deployment; see the cookie table in Section 7 for what is actually set.
4.3 Local storage — professional-use acknowledgement flag
On your first visit, an interstitial asks you to confirm that you are a qualified healthcare professional and that you accept our Terms and this Policy. Your acknowledgement is recorded as a flag in your browser’s local storage so that you are not prompted again on the same browser. This storage is strictly necessary to provide functionality you have explicitly requested (not re-prompting you), and is therefore exempt from consent requirements under the EU ePrivacy rules and analogous regimes. It is not used for analytics or tracking. The flag stays on your device, contains no personal identifier, and is not transmitted to our servers; you can clear it at any time via your browser settings.
5. Third-Party Providers and Recipients
We rely on the following providers, who process the data described above:
- Google LLC / Google Ireland Ltd — Google Tag Manager and Google Analytics 4. For the analytics you direct, Google acts as our processor under the Google Ads / Google Analytics Data Processing Terms, and as an independent controller only for the limited purposes Google reserves under those terms. Google’s handling of data is also governed by its privacy policy (policies.google.com/privacy).
- Cloudflare, Inc. — CDN, edge hosting (Cloudflare Pages), and security. Cloudflare acts as our processor for hosting and delivery, and as an independent controller for limited security purposes, under its data-processing terms. Governed by Cloudflare’s privacy policy (cloudflare.com/privacypolicy).
We have accepted (or will accept before the relevant processing) the applicable data-processing terms with each provider. We do not sell your personal data. We do not share it with other third parties except as required to operate the Service, to comply with law, or in connection with a corporate transaction (merger, acquisition, or reorganisation), subject to this Policy.
6. Purposes and Legal Bases
We process data differently depending on the legal regime that applies to you.
| Processing | Purpose | EU/UK GDPR basis | India DPDP Act basis |
|---|---|---|---|
| Cloudflare edge / IP / request logs | Deliver, secure, and route the site; prevent abuse; ensure availability | Legitimate interests (Art. 6(1)(f)) — operating and securing a website | Necessary to provide the Service / safeguard security (legitimate use, to the extent applicable) |
| Google Analytics 4 / GTM cookies | Understand usage; measure and improve content | Consent (Art. 6(1)(a)) — analytics cookies are set only after you accept via the cookie banner | Consent — analytics is not within the DPDP “legitimate uses” and relies on consent |
| Local-storage acknowledgement flag | Record professional-use confirmation; avoid re-prompting | Strictly necessary for a service you explicitly requested (no consent required) | Necessary to provide the requested functionality |
Analytics and consent. Setting or reading non-essential analytics cookies generally requires prior consent under the EU/UK ePrivacy rules, and under the DPDP Act, 2023 (India) web analytics relies on consent rather than any general legitimate-interest basis. Consent is therefore the appropriate basis for GA4; the controls available to exercise or withdraw that choice are described in Section 7 and Section 9. Legitimate-interest / legitimate-use grounds are relied upon only for essential Cloudflare security and delivery logging.
7. Cookies and Consent
The Service uses:
- Analytics cookies set by Google Analytics 4 (via GTM container GTM-MHZC7RJ7) — non-essential, set only after you accept analytics via the cookie banner; and
- Strictly-necessary / security cookies that may be set by Cloudflare.
Consent mechanism. The Service loads Google Analytics 4 through Google Tag Manager (container GTM-MHZC7RJ7) under Google Consent Mode v2, configured to default-deny analytics: no analytics cookies are set and GA4 stays in a cookieless state until you accept analytics via the cookie banner shown on your visit. Declining keeps analytics off. You can change your choice at any time by clearing your browser’s site data for doctaverse.com (which resets the banner) or by using the controls in Section 9. Declining does not affect your access to the content.
Cookie table (verify the live values before publishing; remove any cookie not actually set):
| Cookie | Set by | Purpose | Type | Typical duration |
|---|---|---|---|---|
_ga | Google Analytics 4 | Distinguishes users | Analytics (non-essential) | Up to 2 years |
_ga_<container> | Google Analytics 4 | Persists session state | Analytics (non-essential) | Up to 2 years |
__cf_bm / cf_clearance | Cloudflare | Bot management / security challenge | Strictly necessary | Session / Session — only if enabled |
You can also control or block cookies and analytics independently as described in Section 9.
8. International Data Transfers
We are India-based, and our audience is global with an India-first focus. The providers above (Google and Cloudflare) operate global infrastructure, and data may be processed in or transferred to countries outside your own, including the United States and the European Union.
- For data subject to the EU/UK GDPR: transfers to the United States rely on the EU–US / UK Data Privacy Framework (DPF) where the recipient is certified, with the EU Standard Contractual Clauses (and the UK Addendum / IDTA) as the fallback mechanism for transfers not covered by an adequacy decision, supported by transfer-risk assessments as appropriate.
- For data subject to the DPDP Act (India): cross-border transfer is permitted to all countries except any that the Central Government may restrict by notification under the Act. We will comply with any such restriction.
9. Your Choices — Controlling Cookies and Analytics
You can limit or prevent the analytics processing described above by:
- Consent controls — declining or withdrawing analytics consent through our cookie-consent mechanism;
- Browser controls — blocking or deleting cookies and clearing local storage via your browser settings;
- Google Analytics Opt-out — installing Google’s browser add-on (tools.google.com/dlpage/gaoptout);
- Global Privacy Control / Do Not Track — using browser-level signals where supported; and
- Network/extension tools — using privacy extensions or analytics blockers.
Blocking cookies or analytics will not affect your access to the Service’s content.
10. Data Retention
- Cloudflare logs are retained per Cloudflare’s standard retention periods (generally short-term, for security and operational purposes).
- Google Analytics data is retained per our GA4 configuration and Google’s retention controls (commonly between 2 and 14 months for user/event-level data, with aggregate reporting retained longer).
- Local-storage flag persists on your device until you clear it.
We do not retain data longer than necessary for the purposes set out in this Policy or as required by law.
11. Your Rights
Depending on where you live, you may have some or all of the following rights regarding personal data relating to you:
Under the EU/UK GDPR: access, rectification, erasure, restriction, objection (including to processing based on legitimate interests), data portability, and the right to withdraw consent at any time. You also have the right to lodge a complaint with your supervisory authority.
Under India’s DPDP Act, 2023: the right to access information about your personal data, to correction and erasure, to grievance redressal, and to nominate another person to exercise your rights in the event of death or incapacity. You may withdraw consent as easily as it was given.
Under the California CCPA/CPRA (to the extent it applies to us): the right to know/access, to delete, to correct, to opt out of “sale”/“sharing” (including cross-context behavioural advertising), to limit use of sensitive personal information, and to non-discrimination for exercising your rights. We do not use Google Analytics for advertising or cross-context behavioural advertising, and we do not “sell” or “share” personal information as those terms are defined under the CCPA/CPRA. We honour the Global Privacy Control as an opt-out signal.
Practical limitation (pseudonymity). Because the Service holds no account and collects no directly-identifying data, and because the analytics data is pseudonymous, we generally cannot link that data to a specific individual. Consistent with GDPR Art. 11 and the analogous position under the DPDP Act, we are not required to acquire or retain additional information solely to identify you in order to satisfy a request. For most users the most effective remedy is the self-serve analytics opt-out / consent withdrawal described in Section 9. To exercise any right, contact us using the details in Section 15, and we will respond as required by applicable law.
12. Children’s Data
The Service is a professional clinical-reference tool intended exclusively for qualified healthcare professionals. It is not directed to children, and we do not knowingly process the personal data of children. Although the Service’s subject matter is pediatric medicine, its content concerns the professional care of patients and is not aimed at, or intended for use by, children or the general public. If you believe a child has interacted with the Service, please contact us.
13. Security and Breach Notification
We rely on reputable infrastructure and security providers (including Cloudflare) and serve the Service over HTTPS. No website or transmission method is completely secure; while we take reasonable measures to protect data, we cannot guarantee absolute security. Because we collect no account or directly-submitted personal data, the data-security surface is intentionally minimal.
Breach notification. In the event of a personal-data breach, we will notify the relevant authority and affected individuals where and as required by applicable law — including the Data Protection Board of India and affected Data Principals under the DPDP Act, and the relevant supervisory authority and affected data subjects within the timelines required under GDPR Articles 33 and 34 (generally within 72 hours of becoming aware, where the threshold applies) — recognising that technical data such as IP, analytics, and log data can in some circumstances constitute personal data.
14. Changes to This Policy
We may update this Privacy Policy from time to time. The current version will always be posted on this page with a revised effective date. Material changes will be reflected here, and your continued use of the Service after changes take effect constitutes acknowledgement of the updated Policy.
15. Grievance Officer / Data Protection Contact
For any question, request, or complaint regarding this Policy or your data, contact:
- Data Fiduciary / Controller: Gagahealth Private Limited (GagaHealth / gagahealthtech)
- Registered address: Bengaluru, Karnataka, India
- Grievance Officer (India, DPDP Act): The Grievance Officer, Gagahealth Private Limited — contact@gagahealth.com
- General contact email: contact@gagahealth.com
Under the DPDP Act, we publish the contact details of our Grievance Officer above. A Data Protection Officer (“DPO”) under GDPR Article 37, or under the DPDP Act for a Significant Data Fiduciary, is appointed only where legally required; where one is appointed, their contact details will be published here. Until then, please direct data-protection queries to the Grievance Officer above.
EU/UK representatives (GDPR Articles 27 / UK GDPR). We have not currently appointed representatives in the EU/EEA or the UK under GDPR Article 27 / UK GDPR. Individuals in those regions may contact us at contact@gagahealth.com and may use the analytics opt-out controls in Section 9.
We will acknowledge and respond to grievances and rights requests within the timelines required by applicable law (including the response periods under the DPDP Act and its rules, and under the GDPR).
Last updated: 28 June 2026.