Skip to main content
Back to Home
Aarogya Assist

Privacy Policy

Last updated: June 27, 2026

1. Introduction

Aarogya Assist ("we", "us", or "our") is an AI-powered health report analysis platform designed to help users understand their medical reports, track health trends, and receive actionable health insights. This Privacy Policy explains how we collect, use, store, and protect your personal and health data in compliance with the Digital Personal Data Protection (DPDP) Act, 2023 (India).

2. Data We Collect

We collect the following categories of data:

  • Profile Information: Name, email address, phone number, date of birth, gender, blood group
  • Health Data: Uploaded medical reports (PDFs, images), lab test results, health conditions, allergies, current medications, emergency contacts
  • AI Interaction Data: Chat messages with our AI assistant, AI-generated insights and summaries
  • Device & Usage Data: Browser type, IP address, pages visited, feature usage patterns
  • Authentication Data: Email-based OTP verification records, JWT session tokens

3. How We Use Your Data

  • AI-Powered Analysis: We process your health reports using large language models (Anthropic Claude) to generate insights, extract lab results, and provide health summaries. All data is de-identified (PII removed) before being sent to AI providers.
  • Health Trend Tracking: Lab test results are stored and analyzed over time to identify health trends.
  • Personalized Insights: Your health data is used to generate contextual recommendations and doctor-ready summaries.
  • Communication: OTP verification emails via SendGrid for authentication.
  • Service Improvement: Anonymized usage data may be used to improve our platform.

4. Third-Party Services

  • AI/LLM Providers (Anthropic Claude): Process de-identified health report text only. No personally identifiable information is shared with AI providers.
  • SendGrid: Email delivery for OTP verification.
  • Cloud Infrastructure: Application and data hosting with encryption at rest and in transit.

Cross-border transfer: The AI/LLM providers that analyze your de-identified health data are operated in the United States. Accordingly, that de-identified data is transferred to and processed outside India. We only transfer data after removing personal identifiers, and by consenting to AI analysis you consent to this cross-border transfer.

5. Data Storage & Security

  • All data is encrypted at rest and in transit (TLS 1.2+).
  • Health reports are stored securely with authenticated access controls.
  • PII is removed from health report text before AI processing.
  • JWT tokens have a 15-minute access lifetime and 7-day refresh lifetime.
  • Rate limiting and brute-force protection are enforced on all authentication endpoints.

6. Your Rights Under DPDP Act, 2023

As a Data Principal under the DPDP Act, you have the following rights:

  • Right to Access: Request a copy of all your personal data we hold (via Settings → Data Export).
  • Right to Correction: Update your profile information at any time.
  • Right to Erasure: Request deletion of your account and anonymization of personal data (via Settings → Delete Account).
  • Right to Data Portability: Export your data in JSON or CSV format.
  • Right to Withdraw Consent: Withdraw consent for specific data processing purposes at any time (via Settings → Consent Management).
  • Right to Grievance Redressal: Submit a grievance ticket for any privacy concern (via Settings → Grievances).

7. Data Retention

  • Active accounts: Data is retained as long as your account is active.
  • Data exports: Export files are available for 7 days after generation, then automatically deleted.
  • Deleted accounts: Personal data is anonymized. Health reports are retained in de-identified form for research purposes as permitted under DPDP Act provisions.
  • Audit logs: Clinical access logs (health data views, report access) are retained for 7 years per applicable health data regulations. General activity logs are retained for 2 years.

8. Cookies & Local Storage

We use browser cookies and local storage to maintain your authentication session, prevent cross-site request forgery, and store consent preferences. We do not use third-party tracking cookies. See our Cookie Policy for the full list of cookies and local-storage keys.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated through in-app notifications. Your continued use of the service after changes constitutes acceptance.

10. Contact, Data Protection Officer & Grievance Officer

For privacy-related queries or to exercise your DPDP rights, please use the appropriate channel below. Our dedicated Your Data Rights page documents the full process for each right under DPDP §11-§16.

Data Protection Officer

General privacy and data-protection queries.

Email: dpo@aarogyaassist.com

Grievance Officer

Formal grievance redressal per DPDP §10(7). Response SLA: 30 days.

Name: Shubham Soni

Email: grievance@aarogyaassist.com

Phone: +91-9251187144

For logged-in users, you may also submit a formal grievance through Settings → Grievances in your account.

11. Google API Services — Limited Use Disclosure

Aarogya Assist's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Gmail Data (when you connect your Gmail account):

  • Scope accessed: gmail.readonly — read-only access to attachments from a defined list of diagnostic-lab senders only.
  • Purpose: Auto-import lab report attachments into your Aarogya Assist health record. No other mailbox content is read or stored.
  • Not used for advertising: Gmail data is never used for serving advertisements.
  • Not sold or transferred: Gmail data is not sold or transferred to third parties, except as necessary to provide the import feature.
  • Human access: No Aarogya Assist employee reads your Gmail data except for security, support, or legal compliance purposes with your explicit consent.
  • Retention: OAuth tokens are deleted immediately upon disconnecting Gmail. Imported lab reports follow standard report retention policy.
  • Revoke access: Disconnect Gmail at any time via Settings → Connected Accounts.

12. Health Platform Integrations (HealthKit & Health Connect)

When you connect Apple HealthKit (iOS) or Google Health Connect (Android), Aarogya Assist may read the following vitals for your personal health tracking and insights:

  • Blood pressure, blood glucose, body weight, body temperature
  • Blood oxygen saturation (SpO₂), heart rate
  • Purpose: Display your vitals alongside your lab results and health trends for a complete health picture.
  • Not used for advertising: Health platform data is never used for serving advertisements.
  • Storage: Vitals synced from health platforms are stored on DPDP-compliant India-region servers with encryption at rest and in transit.
  • Retention & deletion: Synced vitals are deleted when you delete your account or disconnect the health platform integration (Settings → Connected Accounts).
  • Health Connect: A data-use rationale is shown in-app before requesting Health Connect permissions, as required by Google Play policy.