Privacy Policy

1.1 Account Information. When you register for an account, we collect your full name, email address, phone number, date of birth, gender, and password. For family accounts, we also collect the names, dates of birth, and relationships of family members you add.

1.2 Health Records. You may upload, store, and manage health records including but not limited to: medical prescriptions, laboratory test reports, diagnostic imaging (X-rays, MRI scans, CT scans), discharge summaries, vaccination records, insurance documents, and any other health-related documents.

1.3 Vitals and Health Data. We collect vitals data you input such as blood pressure, heart rate, blood glucose levels, body temperature, weight, height, BMI, and oxygen saturation levels.

1.4 Medication Information. Details of medications you track, including drug names, dosages, frequency, prescribing doctor, pharmacy information, and medication schedules.

1.5 Device and Usage Data. We automatically collect device type, operating system, browser type, IP address, app version, session duration, pages visited, feature usage patterns, and crash reports.

1.6 Communication Data. Records of your communications with us, including support tickets, emails, and feedback submitted through the Platform.

2.1 To provide, operate, and maintain the Sehat Locker Platform and its core features, including health record storage, vitals tracking, medication reminders, and emergency QR code generation.

2.2 To process and securely store your health records, applying AI-powered features such as OCR text extraction, automatic document classification, medicine extraction, and health summary generation.

2.3 To enable secure sharing of health records with healthcare providers, family members, or other authorised parties through time-limited share links.

2.4 To send you medication reminders, appointment notifications, and other health-related alerts you have configured.

2.5 To calculate health scores and provide personalised health insights based on your vitals and health record data.

2.6 To improve and optimise our Platform, develop new features, conduct analytics, and perform quality assurance.

2.7 To communicate with you regarding account activity, service updates, security alerts, and customer support.

2.8 To comply with applicable legal obligations, resolve disputes, and enforce our agreements.

3.1 Encryption. All health records and sensitive personal data are encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys) both at rest and in transit. Data transmitted between your device and our servers is protected using TLS 1.3 encryption.

3.2 Data Residency. All user data is stored on servers located within the Republic of India, in compliance with Indian data localisation requirements. We do not transfer your health data outside of India unless explicitly required by law or with your prior written consent.

3.3 Access Controls. We implement strict role-based access controls, multi-factor authentication for administrative access, regular security audits, and automated threat detection systems to protect your data.

3.4 Data Backups. Your data is backed up regularly across geographically distributed data centres within India to ensure availability and disaster recovery. Backups are encrypted to the same standard as primary data.

3.5 Incident Response. We maintain a comprehensive security incident response plan. In the event of a data breach that affects your personal information, we will notify you and the relevant authorities within 72 hours as required by applicable law.

4.1 With Your Consent. We share your health records only when you explicitly initiate sharing through our Platform's share link feature. You control what records are shared, with whom, and for how long.

4.2 Family Members. Within a family account, the account owner (primary member) can grant access to family members' records based on the permissions structure you define. Each family member's data is segregated and access-controlled.

4.3 Service Providers. We engage trusted third-party service providers for infrastructure hosting, AI processing (OCR, classification), email delivery, and analytics. These providers are contractually bound to process your data only as instructed by us and to maintain appropriate security measures.

4.4 Legal Requirements. We may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.

4.5 No Sale of Data. We do not sell, rent, lease, or trade your personal information or health data to any third party for marketing, advertising, or any other commercial purpose. This is a fundamental principle of Sehat Locker.

5.1 Essential Cookies. We use strictly necessary cookies to maintain your authenticated session, remember your language preferences, and ensure the security of your account. These cookies are required for the Platform to function and cannot be disabled.

5.2 Analytics Cookies. With your consent, we may use analytics cookies to understand how you interact with the Platform, which features are most used, and where we can improve the user experience. These cookies collect anonymised, aggregated data.

5.3 No Advertising Cookies. We do not use any advertising or marketing tracking cookies. We do not serve third-party advertisements on the Platform and do not participate in ad networks.

5.4 Managing Cookies. You can manage your cookie preferences through your browser settings. Please note that disabling essential cookies may affect the functionality of the Platform.

6.1 Our Platform may integrate with or link to third-party services for specific functionality (e.g., cloud storage providers, AI processing engines, payment gateways). Each third-party service has its own privacy policy, and we encourage you to review them.

6.2 We conduct thorough due diligence on all third-party providers to ensure they meet our security and privacy standards. We require all providers to sign data processing agreements that include confidentiality obligations and data protection requirements.

6.3 We limit the data shared with third-party services to only what is strictly necessary for the specific functionality they provide.

7.1 Sehat Locker allows parents and legal guardians to store and manage health records for their minor children (under 18 years of age) as part of their family account. This is a core feature designed for family health management.

7.2 We do not knowingly collect personal information directly from children under 13 years of age. All data for minor family members must be entered and managed by a parent or legal guardian who holds the account.

7.3 Parents and guardians have full control over their children's health data, including the ability to view, edit, share, and delete all records associated with minor family members.

7.4 If we become aware that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will take immediate steps to delete such information.

8.1 Indian Data Protection. We comply with the Digital Personal Data Protection Act, 2023 (DPDP Act) and all applicable rules and regulations issued thereunder. We process personal data only for lawful purposes and with appropriate legal basis.

8.2 HIPAA Alignment. While HIPAA (Health Insurance Portability and Accountability Act) is a United States regulation, Sehat Locker voluntarily aligns its data protection practices with HIPAA standards as a benchmark for health data security. This includes implementing administrative, physical, and technical safeguards consistent with HIPAA requirements.

8.3 Data Localisation. In compliance with Indian regulatory requirements, all health and personal data is stored exclusively on servers located within India. We do not transfer your data to servers outside of India.

8.4 IT Act Compliance. We comply with the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including the designation of a Grievance Officer.

9.1 Right to Access. You have the right to access all personal and health data we hold about you and your family members. You can view this information directly through your Sehat Locker dashboard at any time.

9.2 Right to Correction. You have the right to request correction of any inaccurate or incomplete personal data. You can update most information directly through the Platform settings.

9.3 Right to Deletion. You have the right to request deletion of your account and all associated data. Upon receiving a verified deletion request, we will permanently delete all your personal data, health records, and account information within 30 days, except where retention is required by law.

9.4 Right to Data Portability. You have the right to export all your health records and personal data in a structured, commonly used, and machine-readable format (including PDF and JSON). This can be done through the Platform's data export feature in your account settings.

9.5 Right to Withdraw Consent. Where we process your data based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

9.6 Right to Grievance Redressal. You have the right to file a complaint with our Grievance Officer or with the Data Protection Board of India if you believe your data protection rights have been violated.

10.1 We retain your personal data and health records for as long as your account is active and you maintain an active subscription, or as needed to provide you with our services.

10.2 Upon account deletion, all personal data and health records will be permanently deleted within 30 days. Anonymised, aggregated data that cannot be used to identify you may be retained for analytical and service improvement purposes.

10.3 Certain data may be retained for longer periods where required by applicable law, such as financial transaction records (as required under Indian tax laws) or audit logs (as required for security compliance).

11.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated policy on our Platform and updating the “Last updated” date.

11.2 For significant changes that affect how we handle your health data, we will provide prominent notice through the Platform (such as an in-app notification or email) at least 30 days before the changes take effect.

11.3 Your continued use of the Platform after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: