Klaro Care
Internal · staff & partners

Acceptable Use Policy

What's expected — and what isn't — from anyone using Klaro Care systems.

Last updated: 22 April 2026

1. Scope

This policy applies to every account that signs in to Klaro Care — customers, IRDAI-licensed PoSP agents, business administrators, internal staff, insurer partners with API keys, and anyone else acting on behalf of Klaro Care Technologies Pvt. Ltd. By signing in, you accept this policy. Where it conflicts with our Terms of use, the customer-facing terms govern customer behaviour and this policy governs everything else.

2. Permitted use

  • Conducting insurance business in line with IRDAI broker / aggregator regulations.
  • Accessing only the data and surfaces required for your role (least-privilege).
  • Using your own credentials. No shared sign-ins; no password sharing.
  • Reporting suspected security incidents within 24 hours via support.

3. Prohibited use

  • Accessing customer PII without a documented business need.
  • Bulk-exporting customer data without going through the audited export workflow with reason codes.
  • Disabling or bypassing security controls (MFA, audit logging, rate limits, signing).
  • Using Klaro Care systems to send unsolicited marketing or spam.
  • Reverse-engineering, scraping, or load-testing live systems without explicit prior approval.
  • Storing credentials, API keys, customer documents, or secrets outside Klaro Care's approved vaults.
  • Using personal devices outside the BYOD program for any work involving regulated data.

4. Data handling

  • PII (Aadhaar, PAN, bank, health) is encrypted at rest (AES-256-GCM) and masked in logs.
  • All access to customer records is recorded in the audit log and reviewed quarterly.
  • DSAR (Data Subject Access Request) tickets must be handled within IRDAI / DPDP timelines.
  • Customers may withdraw consent at any time. Their downstream records are de-identified within the regulatory retention window.

5. Authentication and access

  • Multi-factor authentication is mandatory for staff and required by configuration for customers handling claims over ₹2 lakh.
  • Access reviews run quarterly; idle accounts are revoked after 90 days of inactivity.
  • Privileged-action paths require step-up auth and a reason code that's stored in the audit log.
  • Third-party integrations (insurer APIs, payment gateways, mock UAT environments) operate on scoped tokens — no broad keys.

6. Enforcement

Violations are reviewed by the security team. Outcomes scale with severity — from a documented warning, through forced password rotation and mandatory re-training, up to account termination and contract review. Material violations involving customer harm or regulatory exposure are reported to the IRDAI Principal Officer.

7. Reporting concerns

If you believe this policy is being violated — including by yourself, accidentally — report it within 24 hours to security@klarocare.in or via the support center. Whistleblower protections apply: there is no retaliation for reporting in good faith.

8. Changes

We may update this policy in line with regulatory changes (IRDAI / DPDP / RBI / CERT-In) or material changes to the platform. Updates are notified by email at least 7 days before they take effect; continued use after the effective date constitutes acceptance.

This is a legal document. Contact our DPO at dpo@klarocare.in for questions.

IRDAI Licence WA/1234/2024