Svasthya Privacy Policy

Svasthya may act as a Data Fiduciary, joint Data Fiduciary, or data processor on behalf of healthcare providers depending on contracts, jurisdiction, and service configuration. This policy applies to:

• Patients seeking or receiving healthcare services, consultations, or medical documentation.
• Healthcare Professionals (HCPs) — clinicians, doctors, and nursing staff providing services via the platform.
• Employees — internal staff, contractors, interns, and job applicants.
• Website Visitors & Administrators accessing digital assets or managing platform backends.

2.1 Data you provide directly

• Identity data: name, age/date of birth, profile details, organization and role.
• Contact data: phone number, email address, postal address (if provided).
• Account data: login credentials, authentication events, account preferences.
• Consultation data: audio recordings, transcript content, prescriptions, notes, attachments.
• Health data: symptoms, diagnoses, medications, lab recommendations, follow-up plans.
• Support data: inquiries, tickets, and communication records.

2.2 Data collected automatically

• Device and technical data: IP address, device model, OS version, browser/app version.
• Usage data: feature interactions, timestamps, session metadata, crash and performance logs.
• Security data: risk signals, suspicious login attempts, abuse prevention telemetry.

2.3 Data from third parties

• Healthcare providers, laboratories, insurers, or authorized integration partners.
• Identity verification, analytics, security, hosting, and communication service providers.

• Providing core healthcare workflows, consultations, and digital prescription operations.
• Delivering clinical documentation tools such as speech-to-structured extraction.
• Facilitating medical consultations between preferred HCPs and Patients via WhatsApp for Business.
• Processing employee payroll, benefits, and statutory HR compliance.
• Authenticating users and securing access to protected health information (PHI).
• Complying with legal, regulatory, and contractual obligations.
• Providing customer support and responding to incidents or legal requests.
• Operating, maintaining, and improving service quality, reliability, and safety.

Depending on region and use case, we rely on one or more of:

• User consent (optional features, marketing, or specific processing flows).
• Performance of a contract (service delivery and account operation).
• Legitimate interests (security, fraud prevention, service reliability).
• Compliance with legal obligations (records, safety, and law enforcement requests).
• Provision of healthcare or health system management as permitted by applicable law.

This section supplements this Privacy Policy to support compliance with the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. If there is any inconsistency between this Section 4A and the rest of this Privacy Policy for users in India, Section 4A will apply to the extent of that inconsistency.

A. WhatsApp Business Account — Clinical Usage

Registered patients may be contacted via an authorized WhatsApp Business Account for consent capture, symptom discussion, digital prescription delivery, and care coordination. Messages are encrypted in transit, but users must manage device-level security and cloud backups.

B. Choice — Opt-In and Opt-Out

Users must provide explicit, affirmative opt-in to enable clinical WhatsApp messaging. Opt-out is available anytime using the “STOP” keyword in WhatsApp or via app settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

C. Third-Party Platform Disclaimer

WhatsApp is a third-party platform not controlled by the Application. While reasonable security safeguards are implemented, the Application shall not be responsible for breaches, delays, or unauthorized access due to vulnerabilities in third-party platforms.

D. Data Sharing and Transfer Protocols

Data is shared on a ‘need-to-know’ basis with verified third-party processors. International transfers are protected by safeguards such as Standard Contractual Clauses (SCCs).

E. Employee and HCP-Specific Processing

Employee and HCP data is processed strictly for employment management and professional verification, and is segregated from patient health records.

F. Role as Data Fiduciary

For purposes of applicable Indian law, Svasthya acts as a Data Fiduciary for personal data processed through the Services. In some deployments, healthcare providers may act as independent Data Fiduciaries or Data Processors based on contractual arrangements.

G. Notice at the Time of Collection

• Personal data categories: identity, contact, account, consultation records, and health-related data including medical history, symptoms, prescriptions, and clinical notes.
• Processing purposes: healthcare service delivery, account and authentication management, care coordination, legal compliance, platform safety, fraud prevention, and service improvement.
• Sensitive data: health-related information is treated as Sensitive Personal Data or Information under applicable Indian rules.
• Consent basis: where required, processing is based on your free, specific, informed, and unambiguous consent, except where otherwise permitted by law.

H. Withdrawal of Consent

You may withdraw consent at any time through in-app privacy controls, via WhatsApp, or by contacting the Grievance Officer. On withdrawal we stop future processing unless continued processing is required by legal, medical, or regulatory obligations.

I. Rights of Data Principals

• Right to access information about processing of your personal data.
• Right to correction, completion, updating, or erasure of inaccurate or unnecessary data.
• Right to withdraw previously given consent at any time.
• Right to grievance redressal through the Data Fiduciary.
• Right to nominate another individual to exercise rights in the event of death or incapacity.

J. Data Breach Notification

If a breach is likely to affect your rights, Svasthya will notify affected users and applicable authorities, including the Data Protection Board of India, where legally required. We maintain a 72-hour notification protocol for high-risk breaches.

K. Cross-Border Data Transfers

Personal data may be transferred outside India for processing in accordance with applicable Indian law. We do not knowingly transfer personal data to jurisdictions restricted by the Government of India.

L. Children’s Data (Users Under 18)

For users under 18, processing is based on verifiable consent of a parent or legal guardian, where required by law. Svasthya does not engage in tracking, behavioral monitoring, or targeted advertising directed at children.

M. Security Practices and Procedures

Svasthya applies reasonable administrative, technical, and physical safeguards to protect personal and sensitive personal data, consistent with applicable Indian legal requirements.

• Clear in-product disclosures for sensitive processing that may not be obvious from the immediate feature context.
• Runtime permissions are requested only where required and only for relevant functionality.
• Affirmative action is sought for consent where legally required, with mechanisms to withdraw.
• Withdrawing consent does not affect processing already completed lawfully before withdrawal.

We do not sell personal health data. We may disclose data to:

• Healthcare professionals and authorized clinic/hospital personnel.
• Service providers (cloud hosting, security, analytics, communications, support).
• Partners required to fulfill a service explicitly requested by you.
• Regulators, courts, or law enforcement when required by law.
• Successors in case of merger, acquisition, or business restructuring (with safeguards).

• Health data is classified as sensitive and handled with elevated controls.
• Access is role-based and limited to authorized users with legitimate need.
• Encrypted in transit using HTTPS/TLS and encrypted at rest where supported.
• Audit trails maintained for key actions affecting health records.
• Retention controls, secure archival, and secure deletion where feasible.

We retain personal data only for as long as needed for service delivery, safety, legal compliance, and dispute resolution.

• Account data: retained while account is active and for required compliance periods after closure.
• Clinical records: retained per National Medical Commission (NMC) and jurisdiction-specific requirements.
• Employee records: retained for the duration of employment plus statutory tax and labor law retention periods.
• Logs and telemetry: retained for operational security and performance analysis for limited durations.

Where permitted, data may be anonymized and retained for research, service quality, or analytics.

• Access and receive a copy of your personal data.
• Correct inaccurate or incomplete data.
• Delete account and associated data (subject to legal retention obligations).
• Restrict or object to certain processing.
• Withdraw consent where processing is based on consent.
• Data portability where legally applicable.
• Opt out of non-essential marketing communications.

To submit a privacy or deletion request, email the Grievance Officer. We may require identity verification and target a response within 30 days unless local law permits otherwise. For users in India, see Section 4A.

Users can request deletion through in-product settings (when available) or by emailing the Grievance Officer with the subject line “Account Deletion Request”. We will delete or de-identify eligible data, except where retention is required for legal, safety, audit, anti-fraud, clinical integrity, or regulatory reasons.

If data is processed outside your jurisdiction, we apply legally recognized safeguards (such as contractual clauses and equivalent protective controls) where required.

• Cookies are used to remember your preferences.
• Some cookies keep the website working smoothly and securely.
• Analytics cookies help us understand usage patterns — not to track individuals.
• Recent activity (e.g. recent doctors) may be stored in your browser for quick access.
• Login and session information may be stored to keep you signed in.
• You can control or delete cookies via browser settings; some features may not work if disabled.

• Encryption in transit and at rest (where applicable).
• Role-based access controls and least-privilege design.
• Logging, monitoring, and incident response workflows.
• Periodic security testing and vulnerability management.
• Vendor due diligence for subprocessors handling protected data.

We maintain app-store privacy disclosures consistent with this policy, including declarations for data collection, use, sharing, encryption-in-transit status, and account/data deletion pathways where required.

• Google Play: User Data policy and Data Safety form alignment.
• Apple: App Privacy disclosures and in-app policy accessibility requirements.

We may update this Privacy Policy from time to time. Material changes will be communicated through the Services or other appropriate channels.

We process only the minimum data reasonably necessary for these purposes. Data is shared with:

• Regulators, courts, or law enforcement when required by law.
• Successors in case of merger, acquisition, or business restructuring (with safeguards).
• Third-party processors (e.g. cloud hosting) bound by confidentiality and security obligations consistent with this policy.

• Google Play User Data Policy and Data Safety guidance.
• Apple App Store Review Guidelines (Privacy section 5.1).
• Healthcare market references for policy structure patterns.