1. What this page covers
This Cookie Policy explains how Aarogya Assist ("we", "us") uses cookies and similar local-storage technologies in our web application. It supplements our Privacy Policy and is published in compliance with the Digital Personal Data Protection (DPDP) Act, 2023.
2. What is a cookie?
A cookie is a small text file that a website asks your browser to store. The browser then sends the cookie back with every subsequent request to the same site, which lets the site remember things like "this person is logged in" or "they prefer English".
We also use local storage and session storage — browser APIs that store data on your device but are NOT sent automatically with requests. We treat these the same way as cookies for the purposes of this policy.
3. Cookies we set
All cookies on this site are first-party (set by aarogyaassist.com), essential for the service to function, and either session-scoped (deleted when you close your browser) or persistent with a documented expiry. We do not use advertising cookies. We do not use analytics cookies that identify you across sites.
| Cookie | Purpose | Expiry | Attributes |
|---|---|---|---|
| access_token | Authenticates your session for app + API requests. | 15 minutes | HttpOnly, Secure, SameSite=Strict |
| refresh_token | Rotates the access token without prompting re-login. | 90 days (rolling) | HttpOnly, Secure, SameSite=Strict |
| csrf_token | Prevents cross-site request forgery on state-changing requests (double-submit token). | session | Secure, SameSite=Strict |
| anonymous_consent | Stores your acknowledgement of this Cookie Policy banner (so we don't show it again). | 1 year | Secure, SameSite=Strict |
4. Local storage we use
In addition to cookies, we store a small amount of data in browser localStorage / sessionStorage:
- User profile cache(sessionStorage) — your cached profile so the dashboard doesn't re-fetch on every navigation. Cleared on sign-out and on browser close.
- Preferred language (localStorage) — the language you picked on first visit. Survives sign-out so we can render the auth pages in your language next time.
- Onboarding state(localStorage) — whether you've completed the first-run tour. Survives sign-out.
- Form drafts (sessionStorage) — partially filled forms we keep in case you accidentally close the tab. Auto-cleared on submit or sign-out.
What we never store locally: raw passwords, one-time passwords (OTPs), payment card details, your full medical history, AI chat history (loaded fresh per session).
5. Third-party cookies during payment
When you initiate a subscription purchase, our checkout experience loads Razorpay's payment surface inside an iframe. Razorpay sets its own cookies during the payment session — these are governed by Razorpay's Privacy Policy, not ours. We do not have access to Razorpay's cookies and cannot read them.
After the payment completes, Razorpay's cookies remain in your browser per their retention policy. If you want them removed, follow the "How to manage cookies" instructions in Section 7 below.
6. Do Not Track and Global Privacy Control
Modern browsers expose a Do Not Track (DNT) header and the Global Privacy Control (GPC) signal to indicate you don't want to be tracked. We respect both signals, but our cookies are essential — they exist to keep you logged in and prevent CSRF, not to track. Setting DNT or GPC does not change what we set; we just have nothing analogous to disable.
7. How to manage cookies
You can clear our cookies (and Razorpay's) at any time via your browser:
- Chrome / Edge / Brave: Settings → Privacy and security → Cookies and site data → See all site data and permissions → search "aarogyaassist" → Delete.
- Safari (macOS): Preferences → Privacy → Manage Website Data → search "aarogyaassist" → Remove.
- Firefox: Preferences → Privacy & Security → Cookies and Site Data → Manage Data → search "aarogyaassist" → Remove.
- Mobile browsers: settings vary; the equivalent is usually under Settings → Privacy → Clear browsing data.
You can also block cookies entirely in your browser settings, but the site will not work — you won't be able to sign in or submit any form.
8. Changes to this policy
If we add, remove, or change the purpose of any cookie or local-storage key, this page is updated with a new "Last updated" date. Significant changes also surface as an in-app notification.
9. Contact
Questions about this policy: dpo@aarogyaassist.com.
See also our Privacy Policy and DPDP Rights page.