Privacy Policy
Last updated: 21 May 2026 · Version 1.0
This Privacy Policy explains how Vividh Health, operated by [Vividh Health Private Limited] ("Vividh", "we", "us"), collects, uses, stores, shares, and protects information about you when you use our website, mobile application, and services (the "Platform"). It applies to all visitors, registered users, and individuals whose data is processed by us in the course of providing the Platform.
This Policy is published under the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the Digital Personal Data Protection Act, 2023 ("DPDP Act"), and applicable rules thereunder. For ABHA-linked data we follow the Health Data Management Policy issued by the National Health Authority under the Ayushman Bharat Digital Mission ("ABDM").
For the purposes of the DPDP Act, Vividh is the Data Fiduciary for the personal data described in this Policy. You are the Data Principal.
1. Information we collect
1.1 Account & identity information
- Mobile number (required for OTP-based sign-in).
- Name, email address, date of birth, gender.
- Profile photo, where you choose to upload one.
- Family-member profiles you create: name, relationship, age/DOB, sex, ABHA (if linked).
1.2 Health information (Sensitive Personal Data)
- Lab reports, biomarker values, doctor consult notes, prescriptions, physiotherapy assessments.
- Symptoms, conditions, allergies, and medical history you provide during booking or consult.
- Audio/video of doctor consults, where the Doctor records them with your consent under the Telemedicine Practice Guidelines, 2020.
- ABHA identifier, linked health records, and ABDM consent artefacts.
Health information is "Sensitive Personal Data or Information" ("SPDI") under the IT Rules, 2011 and personal data of a sensitive nature under the DPDP Act. We process it only with your explicit consent or where otherwise permitted by law.
1.3 Transaction & service information
- Service addresses (home or alternate) and pincode.
- Bookings, slots, order history, cancellations, and refunds.
- Wallet balance, coupon usage, reward redemptions.
- Payment metadata received from the payment partner (e.g., status, masked instrument identifier). We do not collect or store full card numbers, UPI VPAs, CVVs, or banking credentials — these are entered directly into the payment partner's interface.
1.4 Device, log, and usage information
- IP address, device model, operating system, browser, language, time zone.
- Server logs of requests, including endpoints accessed, response codes, and timestamps.
- Crash reports and performance metrics (via our error-monitoring partner, with PHI redacted before transmission).
- Usage events: product views, search queries, screens visited.
1.5 Location information
- Pincode, latitude/longitude (only with your permission), and the city resolved from these.
- Field Partner location during an active sample-collection trip, for routing and ETA only.
1.6 Communications
- Customer-support tickets, chat transcripts, and concierge messages.
- Feedback, reviews, and ratings you submit.
- WhatsApp Business interactions (we do not read your wider WhatsApp activity).
2. How we collect it
- Directly from you, when you create an Account, place a booking, fill a form, or speak to a Doctor or our concierge.
- Automatically, through cookies, SDKs, and server logs when you use the Platform.
- From Providers and Field Partners, who send reports, prescriptions, sample-collection metadata, and slot status back to the Platform.
- From ABDM, where you initiate a consent-based fetch of records held by another health information provider.
- From third parties you authorise (e.g., a referrer's link, an insurance partner).
3. Purposes & legal bases
We process your data only for the purposes set out below, and only on the legal bases noted alongside each purpose (Sec. 7, DPDP Act).
- Account creation and authentication — performance of contract; consent at sign-up.
- Booking, fulfilment, and delivery of Services — performance of contract.
- Sharing required data with Providers, Field Partners, and the payment partner — performance of contract and your explicit consent for health data.
- Sample-collection routing and ETA tracking — performance of contract; legitimate use (Sec. 7(b), DPDP Act).
- Report generation, doctor review, and insight delivery — performance of contract; your consent for any human-in-the-loop review.
- Customer support and grievance handling — performance of contract and legal obligation.
- Fraud prevention, abuse detection, and platform security — legitimate use (Sec. 7(d) and 7(f), DPDP Act).
- Compliance with applicable law, including ABDM, tax, anti-money-laundering, accounting, telemedicine, and pharmacy regulation — legal obligation.
- Analytics and product improvement — legitimate use, with PHI redacted or aggregated.
- Marketing communications — only on your explicit opt-in consent, which you can withdraw at any time.
- Voluntary research (de-identified) — only with your separate, informed consent.
4. How we share information
4.1 With Providers and Field Partners
We share only the minimum information required to deliver a Service: for a lab test, that is typically the patient's name, age, sex, address, slot, and the requested panels; for a doctor consult, the symptoms you choose to disclose and any prior reports you share with the Doctor. Providers and Field Partners are independently obliged to handle this data lawfully under our written agreements.
4.2 With ABDM
Where you link your ABHA, we share health records only pursuant to a consent artefact you generate through the ABDM Consent Manager. The artefact specifies the data types, purpose, requesting party, and validity period. You may view, modify, or revoke any consent at any time from ABHA & consents.
4.3 With service providers (processors)
We engage carefully selected third parties to operate the Platform on our behalf. They process data only on our written instructions and under contractual confidentiality and security obligations:
- Cloud infrastructure: AWS (ap-south-1, Mumbai) for compute and object storage; Supabase / managed Postgres for the database.
- Payments: Cashfree Payments.
- Communications: Meta WhatsApp Business Cloud (for OTP and transactional templates), an SMS gateway for OTP fallback, and an email service provider for notifications.
- Telemedicine infrastructure: licensed video / signalling vendor used by Doctors during consults.
- Error monitoring: Sentry, with PHI redacted before transmission.
- Mapping & geocoding: for pincode lookup and partner routing.
4.4 With legal and regulatory authorities
We may disclose information where required by law, lawful order, or to protect the rights, property, or safety of users, Providers, the public, or Vividh. Disclosures are limited to what is necessary and proportionate.
4.5 In corporate transactions
In the event of a merger, acquisition, restructuring, or sale of assets, personal data may transfer to the successor entity, subject to the same or equivalent privacy protections and to applicable law. We will notify affected users in advance where required.
4.6 We do not sell your data
We do not sell, rent, or trade your personal data to advertisers or data brokers. We do not use your PHI to train machine-learning models for any third party.
5. Cross-border transfers
We store and process personal data of Indian users on Indian infrastructure (AWS ap-south-1, Mumbai). Certain operational vendors (e.g., error monitoring, WhatsApp Business) may process limited metadata outside India under their own data-protection commitments. Such transfers occur only to jurisdictions and recipients permitted by the DPDP Act and applicable rules, under contractual safeguards.
6. How long we keep it
We retain personal data only as long as needed for the purposes set out above and for the periods required by law. Indicative periods:
- Account data: for the life of your Account, plus three (3) years after deletion to handle disputes and meet legal obligations.
- Lab reports and consult records: minimum five (5) years from the date of issue, as customary for medical records in India; longer where mandated by Provider regulation or where a legal claim is pending.
- Tax invoices and accounting records: eight (8) years, per Income-tax and GST law.
- OTP challenges: stored as a hash for up to seven (7) days for abuse prevention.
- Server logs: ninety (90) days, with privacy-sensitive fields rotated to a restricted audit store.
- Marketing consents: until withdrawn.
7. How we protect it
We implement reasonable security practices and procedures aligned with the IT Rules, 2011, including:
- Encryption at rest: PHI fields are encrypted at the application layer with AES-128 (Fernet) using a data key managed by AWS KMS; files (reports, prescriptions, invoices) are stored in S3 with server-side encryption (SSE-KMS).
- Encryption in transit: TLS 1.2+ for all client and inter-service traffic.
- Access control: role-based access (RBAC) with least-privilege; PHI access requires a documented reason and is logged.
- Audit trail: every read or export of PHI is logged with actor, target, action, timestamp, and reason; the Data Protection Officer reviews access trails on a monthly cadence.
- Hashed name lookup: customer names are searchable through a hashed lookup column to avoid exposing plaintext to broad query paths.
- Session security: sessions are bound to a per-browser fingerprint; cookies are HTTP-only, SameSite-Lax, and Secure in production.
- Network and platform hardening: rate limiting (django-ratelimit), brute-force protection (django-axes), CSRF and XSS defences, regular patching, and dependency scanning.
- Vendor due diligence: written agreements with confidentiality, security, and breach-notification obligations.
- Backups: point-in-time recovery for the database and S3 versioning with lifecycle policies for files.
- Background-checked Field Partners: identity-verified and trained before deployment.
No system can be guaranteed to be impenetrable. We continually review and improve our security; you also play a role by keeping your device, mobile number, and OTPs secure.
8. Your rights
As a Data Principal under the DPDP Act, and under the IT Rules, 2011, you have the following rights, which you can exercise from account settings or by writing to the contacts at the bottom of this Policy:
- Right to access — a summary of personal data we process about you and the parties with whom we have shared it.
- Right to correction and updation — to fix inaccurate or out-of-date information.
- Right to erasure — deletion of your Account and associated personal data, subject to legal retention windows for medical records, invoices, and ongoing claims.
- Right to data portability — an export of your personal data in a structured, machine-readable format; we aim to fulfil within seven (7) days of a verified request.
- Right to withdraw consent — at any time, with prospective effect, for any purpose that relies on consent (including marketing, voluntary research, ABDM-linked sharing).
- Right to grievance redressal — see our Grievance Redressal Policy.
- Right to nominate — you may nominate another individual to exercise your rights in the event of your death or incapacity (DPDP Sec. 14); contact us to record a nominee.
Before we act on a request to exercise any right, we will verify your identity (typically via OTP on your registered mobile number). We respond to verified requests within thirty (30) days; complex requests may be extended once, with notice to you.
9. Cookies and similar technologies
We use a small set of cookies and local-storage keys:
- Strictly necessary — session, CSRF, language, theme. These are set without consent because the Platform cannot function without them.
- Functional — remember UI preferences (e.g., dark mode, last city).
- Analytics — aggregated usage and performance, with PHI never included.
We do not use third-party advertising cookies. You may control cookies through your browser; disabling strictly necessary cookies will prevent sign-in and bookings.
10. Children's data
The Platform is intended for users aged 18 and above. We process the data of minors only where a parent or legal guardian has added the minor as a Family Member and provided verifiable consent at the time of booking, in accordance with Sec. 9 of the DPDP Act. We do not undertake behavioural tracking, profiling, or targeted advertising directed at minors.
11. Automated decisions
We do not make solely automated decisions that produce legal or similarly significant effects on you. Recommendation engines, search ranking, and rule-based insights operate as decision support; clinical decisions are made by licensed Providers, and material account decisions involve a human reviewer.
12. Security incident notification
In the event of a personal-data breach that is likely to result in risk to you, we will, in accordance with the DPDP Act and the CERT-In directions of 28 April 2022, (a) notify the Data Protection Board and CERT-In within the timelines required, and (b) notify affected users without undue delay with the nature of the breach, likely consequences, and the measures taken or proposed.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified through the Platform or to your registered contacts at least seven (7) days before they take effect. The "Last updated" date at the top reflects the latest revision.
14. Contacts
Data Protection Officer (DPO):
[Name — to be appointed]
Email: dpo@vividh.health
Address: Plot 15, Vasundhara Society, Behind Big Bazar, Piplod, Surat,
Gujarat — 395007
Grievance Officer (under IT Rules, 2011 and Consumer Protection (E-Commerce) Rules, 2020): see Grievance Redressal Policy for name and contact.
Security incidents and responsible disclosure: security@vividh.health.