MyHealthX ("we", "our", "us") operates the website myhealthx.co.in and the MyHealthX mobile application (collectively, the "Platform"). This Privacy Policy explains how we collect, use, store, protect, and share your personal and medical information when you use our Platform. By using MyHealthX, you consent to the practices described in this policy.
MyHealthX is committed to protecting your privacy in full compliance with the Digital Personal Data Protection Act (DPDPA) 2023, the Information Technology Act 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.
Under the DPDPA 2023, MyHealthX acts as a "Data Fiduciary" as defined under Section 2(i), and you, the user, are a "Data Principal" as defined under Section 2(j). Under the IT Act 2000, MyHealthX functions as a "body corporate" under Section 43A and as an "intermediary" under Section 2(w) and Section 79.
2. Information We Collect
We collect the following categories of personal data, each for a specific and stated purpose:
Personal Information: Full name, age, phone number (for OTP authentication), and emergency contact details (names and phone numbers). Purpose: To create your account, verify your identity, and enable emergency contact features.
Sensitive Personal Data (as defined under IT Rules 2011, Rule 3): Medical records and history including blood group, blood thinner status, chronic diseases, allergies, medical conditions, and current medications. Purpose: To display critical medical information on your Emergency QR scan page during emergencies.
Technical Information: Device type, browser type, IP address, and usage data. Purpose: To improve our services and ensure platform security.
Payment Information: Payment transactions are processed through third-party payment gateways (Razorpay/Cashfree). We do not store your credit card, debit card, or UPI details on our servers. Purpose: To process subscription payments.
Consent Records: Timestamps and versions of each consent you provide during registration. Purpose: To maintain auditable proof of consent as required by Section 6(10) of the DPDPA 2023.
We collect only data that is necessary for the specified purposes and do not collect any data beyond what is required (data minimization principle).
3. Legal Basis for Processing
We process your personal data under the following legal bases:
Under DPDPA 2023:
(a) Consent — Section 6: You provide explicit, informed, specific, and unambiguous consent during registration through four separate consent checkboxes covering: data collection and storage, emergency QR data display, emergency contact alerts, and agreement to Terms and Privacy Policy.
(b) Legitimate Use — Section 7(f): When your QR code is scanned in a medical emergency, displaying your emergency medical information to the scanner is a legitimate use under Section 7(f), which permits processing for "responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual."
Under IT Act 2000:
(a) Section 43A: As a body corporate handling sensitive personal data (medical information), we implement and maintain reasonable security practices and procedures as prescribed.
(b) Section 72A: We process personal information under a lawful contract (our Terms of Service) and will not disclose such information in breach of this contract.
(c) Section 79: As an intermediary, we observe due diligence as prescribed by the Central Government.
4. How We Use Your Information
We use your information solely for the following purposes, each of which you consent to separately during registration:
• To create and maintain your Emergency Medical QR ID
• To display critical medical information when your QR code is scanned in an emergency
• To send emergency alerts to your designated contacts via WhatsApp when the alert button is manually pressed
• To enable verified doctors and hospitals to access your medical records with OTP verification from your emergency contact (time-limited to 15 minutes)
• To process subscription payments
• To improve our Platform and services
• To communicate with you about your account and our services
• To comply with legal obligations under applicable Indian law
5. QR Emergency Data — What Is Visible
When your QR code is scanned in an emergency, the following information is displayed to the scanner without requiring any login (Level 1 — Emergency Data):
• Your first name and age
• Blood group
• Blood thinner status (if applicable)
• Allergies
• Chronic diseases and medical conditions
• Current medications
• Emergency contact names with partially masked phone numbers
The following information is NEVER displayed on the QR scan page: full legal name, home address, Aadhaar number, government IDs, insurance details, financial information, or your own phone number.
Full medical records (Level 2 data) are only accessible through verified doctor/hospital login with OTP verification from your emergency contact, and access is limited to 15 minutes with the ability to revoke at any time.
Important: By activating your QR code, you explicitly consent to the above information being visible to anyone who scans your QR code. This consent is obtained separately during registration.
6. Consent Management
In compliance with Section 6 of the DPDPA 2023 and Rule 5 of the IT Rules 2011, MyHealthX obtains the following consents separately, each through a clear affirmative action (checkbox):
(a) Data Collection Consent: Agreement to collect, store, and process your personal and medical information on servers in India.
(b) Emergency Display Consent: Agreement that your emergency medical information will be visible to anyone who scans your QR code.
(c) Emergency Contact Alert Consent: Authorization for MyHealthX to enable WhatsApp alerts to your designated emergency contacts when someone presses the alert button.
(d) Terms and Privacy Policy Consent: Agreement to our Terms of Service and this Privacy Policy.
Each consent is recorded with a timestamp and version number in our database for audit purposes as required by Section 6(10) of DPDPA 2023.
Withdrawal of Consent: As per Section 6(4) of the DPDPA 2023, you may withdraw any or all consents at any time by deleting your account from the Profile page. Withdrawal of consent is as easy as giving it — a single button press. Upon withdrawal, your account is deactivated immediately and your QR access is disabled. Personal data is scheduled for deletion within 30 days, unless retention is required for legal, security, or regulatory purposes. Note: Consequences of withdrawal include deactivation of your QR code and loss of all stored medical data.
7. Data Storage and Security
In compliance with Section 8(5) of the DPDPA 2023 and Section 43A of the IT Act 2000, we implement reasonable security practices and procedures:
Infrastructure Security:
• All data is stored on Google Firebase servers located in India (Mumbai — asia-south1 region), in compliance with data localization requirements.
• Data is encrypted in transit using TLS 1.3 / HTTPS.
• Data at rest is encrypted using AES-256 encryption. Sensitive medical fields (phone numbers, emergency contacts, allergies, medications) are encrypted at the field level using AES-256-GCM before storage.
• Access to the database is controlled through Firebase security rules and Firebase Custom Claims authentication.
• All uploaded files are scanned for viruses using ClamAV on Google Cloud.
• Emergency sessions expire after 4 minutes.
• Auto-logout after 15 minutes of inactivity.
• Per-IP and per-phone rate limiting on all APIs.
Application Security:
• Phone OTP authentication verifies user identity before access to profile.
• Doctor/hospital access to full records requires additional OTP verification and is time-limited to 15 minutes.
• Emergency contact phone numbers are partially masked on the scan page.
• All access events are logged for audit purposes.
• QR codes are generated once and the URL never changes, preventing link manipulation.
Compliance Standards:
• Our security practices are designed in accordance with IS/ISO/IEC 27001 standards as referenced in Rule 8 of the IT (Reasonable Security Practices) Rules 2011.
• We conduct periodic reviews of our security practices.
• Real-time WhatsApp alerts notify our team of suspicious activity.
• Automated daily backups to Google Cloud Storage (Mumbai region).
• We maintain documented Standard Operating Procedures for information security.
Under Section 43A of the IT Act 2000: As a body corporate possessing, dealing, and handling sensitive personal data (medical information), we have implemented and maintain reasonable security practices. Any person who suffers wrongful loss due to negligence in maintaining these practices may claim compensation as provided under Section 43A.
8. Data Sharing
We do not sell, trade, or rent your personal or medical information to third parties. Your data is shared only in the following circumstances:
• Emergency QR Scan: When your QR is scanned, basic emergency medical information is displayed as consented by you during registration.
• Doctor/Hospital Access: Only when explicitly authorized through OTP verification, for a limited time (15 minutes).
• Emergency Contacts: Alerts are sent only when the alert button is manually pressed — never automatically.
• Payment Processors: Payment data is shared with Razorpay/Cashfree solely for processing your subscription payment.
• Legal Requirements: If required by law, court order, or government authority under applicable Indian law including orders under Section 69 of the IT Act 2000.
We do not transfer any personal data outside India (Section 16 of DPDPA 2023 compliance). Under Section 72A of the IT Act 2000, any disclosure of personal information in breach of a lawful contract is punishable with imprisonment up to three years or fine up to twenty-five lakh rupees.
9. Your Rights
Under DPDPA 2023:
Right to Access (Section 11): You can view all data we hold about you through your Profile page at any time.
Right to Correction (Section 12(1)): You can edit and update your medical profile at any time through the "Edit Profile" feature.
Right to Erasure (Section 12(2)): You can delete your entire account and all associated data by using the "Delete My Account" button. Your QR code will immediately stop working and your data will be scheduled for permanent deletion within 30 days, with a recovery window if you change your mind.
Right to Grievance Redressal (Section 13): You have the right to file a grievance with us and, if unsatisfied, with the Data Protection Board of India.
Right to Nominate (Section 14): Your emergency contacts designated during registration act as your nominees for exercising your data rights in case of your death or incapacity.
Right to Withdraw Consent (Section 6(4)): You can withdraw consent at any time by deleting your account.
Under IT Act 2000:
Section 43: If anyone accesses your data without authorization through our platform, you have the right to claim compensation under Section 43.
Section 66E: If anyone violates your privacy by capturing or publishing your private medical information without consent obtained through our platform, they are liable to punishment under Section 66E (up to 3 years imprisonment or ₹2 lakh fine).
10. Children's Privacy
In compliance with Section 9 of the DPDPA 2023:
• For users under 18 years of age, registration must be done by a parent or legal guardian.
• We require verifiable parental consent before processing any child's personal data.
• We do not track, profile, or conduct behavioural monitoring of children.
• We do not serve targeted advertising to children.
• We do not process children's data in any way that is likely to cause detrimental effect to their well-being.
11. Data Breach Notification
In compliance with Section 8(6) of the DPDPA 2023 and in line with Section 70B of the IT Act 2000 (CERT-In reporting requirements):
• We will notify the relevant authorities as required under applicable law.
• We will report the incident to CERT-In (Indian Computer Emergency Response Team) as required under IT Act Section 70B.
• We will notify all affected Data Principals without undue delay via SMS, email, or in-app notification.
• The notification will include: description of the breach, categories of data affected, approximate number of Data Principals affected, potential consequences, and remedial measures taken or proposed.
• We will cooperate fully with any investigation by the Data Protection Board or CERT-In.
• We maintain internal incident response procedures to detect, investigate, and respond to breaches promptly.
12. Grievance Redressal
In compliance with Section 8(10) and Section 13 of the DPDPA 2023, and Rule 5(9) of the IT Rules 2011:
Grievance Officer:
Name: MyHealthX Privacy Team
Email: support@myhealthx.co.in
Response Time: Acknowledgment within 48 hours, resolution within 30 days.
Step 1 — Contact Us: Email support@myhealthx.co.in with the subject "Data Grievance". Include your registered phone number and a description of your grievance.
Step 2 — Data Protection Board: If unsatisfied with our response, you may file a complaint with the Data Protection Board of India as per Section 13 of the DPDPA 2023 at dataprotection.gov.in.
Step 3 — Adjudicating Officer: For claims of compensation under Section 43 or 43A of the IT Act 2000, you may file a complaint before the Adjudicating Officer appointed under Section 46 of the IT Act.
Step 4 — Appellate Tribunal: Appeals against orders of the Adjudicating Officer may be filed before the Appellate Tribunal under Section 57 of the IT Act 2000.
13. Intermediary Status and Due Diligence
MyHealthX functions as an "intermediary" as defined under Section 2(w) of the IT Act 2000. In accordance with Section 79 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021:
• We publish our Terms of Service and Privacy Policy prominently on our Platform.
• We inform users not to host, display, upload, modify, publish, or share any information that is harmful, defamatory, or violates any law.
• We have a mechanism for receiving complaints (Grievance Officer).
• We will remove or disable access to unlawful content within 36 hours of receiving a court order or government notification.
• We preserve information as required for investigation purposes for 180 days or as directed.
• We cooperate with government agencies in investigating cyber incidents.
14. Data Retention
• We retain your data as long as your account is active and your subscription is valid.
• If you delete your account, data is scheduled for deletion within 30 days, unless retention is required for legal, security, audit, or regulatory purposes.
• QR codes linked to deleted accounts display a "Profile Not Found" page.
• If your subscription remains expired for 90 days, your QR code will be deactivated (data retained for 1 year for reactivation).
• After extended inactivity, data may be scheduled for deletion in accordance with our retention policy.
• Consent records and access logs are retained for 3 years for audit and legal compliance.
• Information required for legal proceedings or government investigation is preserved as directed under Section 67C of the IT Act 2000.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated version number and date. For significant changes, we will notify you via SMS or in-app notification as required. Continued use of the Platform after changes constitutes acceptance of the updated policy. If you do not agree with the changes, you may delete your account.
16. Contact Us
If you have any questions about this Privacy Policy, your data, or wish to exercise your rights, contact us at:
Grievance Officer: support@myhealthx.co.in (48-hour acknowledgment, 30-day resolution)
Website: myhealthx.co.in
Data Protection Board of India: dataprotection.gov.in
CERT-In (Cyber Security Incidents): cert-in.org.in
Legal Notice: This privacy policy is prepared in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. It should be reviewed by a qualified legal professional before official publication. MyHealthX is a technology platform and not a healthcare provider.
Compliance Summary: This policy addresses DPDPA 2023 Sections 4-9, 11-16 and IT Act 2000 Sections 43, 43A, 66E, 67C, 70B, 72, 72A, 79 and IT Rules 2011 Rules 3, 4, 5, 8.