MyHealthX

Privacy Policy

Last updated: May 2026 | Version 5.0

1. Introduction

MyHealthX ("we", "our", "us") operates the website myhealthx.co.in, the MyHealthX mobile application when available, and related digital services (collectively, the "Platform"). This Privacy Policy explains how we collect, use, store, protect, and share your personal and medical information when you use our Platform. By using the Platform, you agree to this Privacy Policy. Where required by applicable law, we obtain your specific consent separately through clear consent actions.

MyHealthX is committed to protecting your privacy in full compliance with the Digital Personal Data Protection Act (DPDPA) 2023, the Information Technology Act 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.

Under the DPDPA 2023, MyHealthX acts as a "Data Fiduciary" as defined under Section 2(i), and you, the user, are a "Data Principal" as defined under Section 2(j). Under the IT Act 2000, MyHealthX functions as a "body corporate" under Section 43A and may act as an "intermediary" under Section 2(w) and Section 79 for certain user-provided information, subject to applicable conditions.

2. Information We Collect

We collect the following categories of personal data, each for a specific and stated purpose:

Personal Information: Full name, age, phone number (for OTP authentication), and emergency contact details (names and phone numbers). Purpose: To create your account, verify your identity, and enable emergency contact features.

Sensitive Personal Data (as defined under IT Rules 2011, Rule 3): Medical records and history including blood group, blood thinner status, chronic diseases, allergies, medical conditions, and current medications. Purpose: To display critical medical information on your Emergency QR scan page during emergencies.

Technical Information: Device type, browser type, IP address, and usage data. Purpose: To improve our services and ensure platform security.

Payment Information: Payment transactions are processed through third-party payment gateways (Razorpay). We do not store your credit card, debit card, or UPI details on our servers. Purpose: To process subscription payments.

Consent Records: Timestamps and versions of each consent you provide during registration. Purpose: To maintain auditable proof of consent as required by Section 6(10) of the DPDPA 2023.

We collect only data that is necessary for the specified purposes and do not collect any data beyond what is required (data minimization principle).

3. Legal Basis for Processing

We process your personal data under the following legal bases:

Under DPDPA 2023:
(a) Consent — Section 6: You provide explicit, informed, specific, and unambiguous consent during registration through four separate consent checkboxes covering: data collection and storage, emergency QR data display, emergency contact alerts, and agreement to Terms and Privacy Policy.
(b) Legitimate Use — Section 7(f): When your QR code is scanned in a medical emergency, displaying your selected emergency information to the scanner may also be supported as a legitimate use under Section 7(f), which permits processing for "responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual."

Under IT Act 2000:
(a) Section 43A: As a body corporate handling sensitive personal data (medical information), we implement and maintain reasonable security practices and procedures as prescribed.
(b) Section 72A: We process personal information under a lawful contract (our Terms of Service) and will not disclose such information in breach of this contract.
(c) Section 79: As an intermediary, we observe due diligence as prescribed by the Central Government.

4. How We Use Your Information

We use your information solely for the following purposes, each of which you consent to separately during registration:

To create and maintain your Emergency Medical QR ID
To display critical medical information when your QR code is scanned in an emergency
To send emergency alerts to your designated contacts via WhatsApp when the alert button is manually pressed
To enable verified doctors and hospitals, where available in supported plans, to access your medical records with OTP verification and time-limited access
To process subscription payments
To improve our Platform and services
To communicate with you about your account and our services
To comply with legal obligations under applicable Indian law

5. QR Emergency Data — What Is Visible

When your QR code is scanned in an emergency, the public emergency profile displays selected emergency information without requiring a login, based on your visibility settings and the mandatory safety fields (Level 1 — Emergency Data):

Your first name and age
Blood group
Blood thinner status (if applicable)
Allergies
Chronic diseases and medical conditions
Current medications
Emergency contact names with partially masked phone numbers

The public QR scan page is not designed to display: full legal name, home address, Aadhaar number, government IDs, insurance details, financial information, or your own phone number.

Full medical records (Level 2 data), where available in supported plans, are only accessible through verified doctor/hospital login with OTP or other authentication, with time-limited access and the ability to revoke at any time.

Important: By activating your QR code, you explicitly consent to your selected public emergency information being viewable by persons who scan your QR code, subject to your visibility settings and mandatory safety fields. This consent is obtained separately during registration.

6. Consent Management

In compliance with Section 6 of the DPDPA 2023 and Rule 5 of the IT Rules 2011, MyHealthX obtains the following consents separately, each through a clear affirmative action (checkbox):

(a) Data Collection Consent: Agreement to collect, store, and process your personal and medical information on servers in India.

(b) Emergency Display Consent: Agreement that your emergency medical information will be visible to anyone who scans your QR code.

(c) Emergency Contact Alert Consent: Authorization for MyHealthX to enable WhatsApp alerts to your designated emergency contacts when someone presses the alert button.

(d) Terms and Privacy Policy Consent: Agreement to our Terms of Service and this Privacy Policy.

Each consent is recorded with a timestamp and version number in our database for audit purposes as required by Section 6(10) of DPDPA 2023.

Withdrawal of Consent: As per Section 6(4) of the DPDPA 2023, you may withdraw consent or request deletion of your personal data through account settings or by contacting support. Withdrawal of consent is designed to be as easy as giving it. Upon withdrawal, your account is deactivated and your QR access is disabled. Personal data is scheduled for deletion within a reasonable period, except where retention is required for legal, security, tax, audit, fraud-prevention, dispute-resolution, or regulatory purposes. Withdrawal of consent may limit or disable certain Platform features, including QR emergency display and alerts.

7. Data Storage and Security

In compliance with Section 8(5) of the DPDPA 2023 and Section 43A of the IT Act 2000, we implement reasonable security practices and procedures:

Infrastructure Security:
Core production data is stored on Google Firebase servers located in India (Mumbai, asia-south1 region), so that your personal and medical data is kept within India.
Data is encrypted in transit using TLS / HTTPS.
Sensitive data is encrypted at rest using industry-standard encryption methods. Sensitive medical fields are additionally encrypted at the field level before they are written to the database, so that database-level access alone does not reveal them.
Access to the database is controlled through Firebase security rules and Firebase Custom Claims.
Uploaded files are scanned for security threats using available server-side tools.
Emergency view sessions expire after 4 minutes.
Logged-in sessions are automatically logged out after 15 minutes of inactivity.
Per-IP and per-phone-number rate limiting is applied on all APIs.

Application Security:
Phone OTP authentication verifies your identity before any access to your profile.
Doctor/hospital access to full records requires additional OTP verification and is time-limited to 15 minutes.
Emergency contact phone numbers are partially masked on the scan page.
All access events are logged for audit purposes.
QR code URLs are designed to remain stable during an active subscription, subject to account status, security requirements, and technical limitations.
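The following is an added, hypothetical illustration of the two-level access model described in this section, written by the editor; it is not MyHealthX's actual configuration. It assumes Cloud Firestore, collections named emergencyProfiles, medicalRecords, accessGrants and accessLogs, a custom claim named role on doctor accounts, and grant documents keyed as "<patientUid>_<doctorUid>"; every one of those names is an assumption. Level 1 data is readable without a login only while the profile is active, Level 2 records are readable only by a doctor holding an unexpired, unrevoked grant of at most 15 minutes, and the patient can revoke a grant at any time by changing a single field. OTP verification and rate limiting happen in the application and backend, not in these rules.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed grant layout: accessGrants/<patientUid>_<doctorUid>
    function grantExists(patientUid) {
      return exists(/databases/$(database)/documents/accessGrants/$(patientUid + '_' + request.auth.uid));
    }
    function grantData(patientUid) {
      return get(/databases/$(database)/documents/accessGrants/$(patientUid + '_' + request.auth.uid)).data;
    }
    function isOwner(uid) {
      return request.auth != null && request.auth.uid == uid;
    }

    // Level 1: public emergency profile shown on the QR scan page.
    // Readable by anyone (no login) but only while the profile is active, so a
    // deleted or deactivated account yields "not found" rather than data.
    match /emergencyProfiles/{uid} {
      allow read: if resource.data.active == true;
      allow create: if isOwner(uid) && request.resource.data.ownerUid == uid;
      allow update, delete: if isOwner(uid);
    }

    // Level 2: full medical record. Never readable anonymously.
    match /medicalRecords/{uid} {
      allow read, write: if isOwner(uid);
      allow read: if request.auth != null
        && request.auth.token.role == 'doctor'        // Firebase custom claim (assumed name)
        && grantExists(uid)
        && grantData(uid).revoked == false
        && grantData(uid).expiresAt > request.time;   // time-limited grant
    }

    // Grants are created by the patient (after OTP verification in the app) and may
    // only be revoked afterwards; nobody can extend or un-revoke an existing grant.
    match /accessGrants/{grantId} {
      allow create: if isOwner(request.resource.data.patientUid)
        && grantId == request.resource.data.patientUid + '_' + request.resource.data.doctorUid
        && request.resource.data.revoked == false
        && request.resource.data.expiresAt <= request.time + duration.value(15, 'm');
      allow update: if isOwner(resource.data.patientUid)
        && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['revoked'])
        && request.resource.data.revoked == true;
      allow read: if isOwner(resource.data.patientUid)
        || (request.auth != null && request.auth.uid == resource.data.doctorUid);
    }

    // Audit log: clients may append entries about their own actions, nobody may read,
    // edit or delete them from the client side.
    match /accessLogs/{logId} {
      allow create: if request.auth != null && request.resource.data.actorUid == request.auth.uid;
      allow read, update, delete: if false;
    }
  }
}
```

The design point worth noticing is that expiry and revocation are enforced by the database rules on every read, not only by the client that issued the grant, so a doctor session that outlives its 15 minutes or a grant the patient has revoked stops working immediately.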

Compliance Standards:
Our security practices are designed with reference to IS/ISO/IEC 27001 standards as referenced in Rule 8 of the IT (Reasonable Security Practices) Rules 2011.
We conduct periodic reviews of our security practices. We maintain monitoring and alerting mechanisms for suspicious activity. Backup procedures are in place for data recovery.
We maintain documented Standard Operating Procedures for information security.

Under Section 43A of the IT Act 2000: As a body corporate possessing, dealing, and handling sensitive personal data (medical information), we implement reasonable security practices and safeguards. However, no digital platform can guarantee absolute security. Any person who suffers wrongful loss due to negligence in maintaining reasonable security practices may claim compensation as provided under applicable law.

8. Data Sharing

We do not sell, trade, or rent your personal or medical information to third parties. Your data is shared only in the following circumstances:

Emergency QR Scan: When your QR code is scanned, the Level 1 emergency information described in Section 5 is displayed as consented by you during registration.
Doctor/Hospital Access: Only when explicitly authorized through OTP or other verification, with time-limited access, in supported plans.
Emergency Contacts: Alerts are sent only when the alert button is manually pressed — never automatically.
Payment Processors: Payment data is shared with Razorpay solely for processing your subscription payment.
Legal Requirements: If required by law, court order, or government authority under applicable Indian law including orders under Section 69 of the IT Act 2000.

We aim to store core production data in India where configured. Some third-party service providers, such as payment, communication, hosting, security, analytics, or support providers, may process limited data in other locations where permitted by applicable law and subject to appropriate safeguards. Unauthorized disclosure of personal information in breach of a lawful contract may attract civil or criminal liability under applicable law, including the IT Act 2000.

9. Your Rights

Under DPDPA 2023:

Right to Access (Section 11): You can view all data we hold about you through your Profile page at any time.

Right to Correction (Section 12(1)): You can edit and update your medical profile at any time through the "Edit Profile" feature.

Right to Erasure (Section 12(1) and 12(3)): You can delete your entire account and all associated data by using the "Delete My Account" button. Your QR code will immediately stop working and your data will be scheduled for permanent deletion within 30 days, with a recovery window if you change your mind.

Right to Grievance Redressal (Section 13): You have the right to file a grievance with us and, if unsatisfied, with the Data Protection Board of India.

Right to Nominate (Section 14): You may nominate a person to exercise your rights in the event of death or incapacity, where such functionality is made available and as permitted by applicable law. Emergency contacts are not automatically treated as legal nominees unless separately designated.

Right to Withdraw Consent (Section 6(4)): You can withdraw consent at any time through your account settings or by contacting support, as described in Section 6 of this Policy. Deleting your account withdraws all consents.

Under IT Act 2000:

Section 43: If anyone accesses your data without authorization through our platform, you may have the right to claim compensation under applicable provisions of the IT Act 2000.

Sections 66 and 72A: If anyone obtains your medical information by accessing our Platform without authorization, or discloses it in breach of a lawful contract without your consent, they may be liable under Section 66 (computer-related offences), Section 72A (disclosure of information in breach of lawful contract) and other applicable provisions of the IT Act 2000.

10. Children's Privacy

In compliance with Section 9 of the DPDPA 2023:

For users under 18 years of age, registration must be done by a parent or legal guardian.
We require verifiable parental consent before processing any child's personal data.
We do not track, profile, or conduct behavioural monitoring of children.
We do not serve targeted advertising to children.
We do not process children's data in any way that is likely to cause detrimental effect to their well-being.

11. Data Breach Notification

In compliance with Section 8(6) of the DPDPA 2023 and in line with Section 70B of the IT Act 2000 (CERT-In reporting requirements):

We will intimate the Data Protection Board of India in the form and manner prescribed under Section 8(6) of the DPDPA 2023.
We will report the incident to CERT-In (Indian Computer Emergency Response Team) as required under Section 70B of the IT Act 2000 and the directions issued under it.
We will notify all affected Data Principals without undue delay via available communication channels, which may include WhatsApp, email, or in-app notification.
The notification will include: description of the breach, categories of data affected, approximate number of Data Principals affected, potential consequences, and remedial measures taken or proposed.
We will cooperate fully with any investigation by the Data Protection Board or CERT-In.
We maintain internal incident response procedures to detect, investigate, and respond to breaches promptly.

12. Grievance Redressal

In compliance with Section 8(10) and Section 13 of the DPDPA 2023, and Rule 5(9) of the IT Rules 2011:

Grievance Officer:
Name: MyHealthX Privacy Team
Email: support@myhealthx.co.in
Response Time: Acknowledgment within 48 hours, resolution within 30 days.

Step 1 — Contact Us: Email support@myhealthx.co.in with the subject "Data Grievance". Include your registered phone number and a description of your grievance.

Step 2 — Data Protection Board: If unsatisfied with our response, you may file a complaint with the Data Protection Board of India as per Section 13 of the DPDPA 2023 at dataprotection.gov.in.

Step 3 — Adjudicating Officer: For claims of compensation under Section 43 or 43A of the IT Act 2000, you may file a complaint before the Adjudicating Officer appointed under Section 46 of the IT Act.

Step 4 — Appellate Tribunal: Appeals against orders of the Adjudicating Officer may be filed before the Appellate Tribunal under Section 57 of the IT Act 2000.

13. Intermediary Status and Due Diligence

MyHealthX may act as an "intermediary" as defined under Section 2(w) of the IT Act 2000 for certain user-provided information. In accordance with Section 79 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021:

We publish our Terms of Service and Privacy Policy prominently on our Platform.
We inform users not to host, display, upload, modify, publish, or share any information that is harmful, defamatory, or violates any law.
We have a mechanism for receiving complaints (Grievance Officer).
We will remove or disable access to unlawful content within 36 hours of receiving a court order or government notification.
We preserve information as required for investigation purposes for 180 days or as directed.
We cooperate with government agencies in investigating cyber incidents.

14. Data Retention

We retain your data as long as your account is active and your subscription is valid.
If you delete your account, data is scheduled for deletion within 30 days, unless retention is required for legal, security, audit, or regulatory purposes.
QR codes linked to deleted accounts display a "Profile Not Found" page.
If your subscription has lapsed for 90 days, your QR code is deactivated; your data is retained for 1 year so that you can reactivate it.
After extended inactivity, data may be scheduled for deletion in accordance with our retention policy.
Consent records and access logs are retained for 3 years for audit and legal compliance.
Information required for legal proceedings or government investigation is preserved as directed under Section 67C of the IT Act 2000.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated version number and date. For significant changes, we will notify you through available communication channels, which may include WhatsApp, email, or in-app notification. Continued use of the Platform after changes constitutes acceptance of the updated policy. If you do not agree with the changes, you may delete your account.

16. Contact Us

If you have any questions about this Privacy Policy, your data, or wish to exercise your rights, contact us at:

Grievance Officer: support@myhealthx.co.in (48-hour acknowledgment, 30-day resolution)
Website: myhealthx.co.in
Data Protection Board of India: dataprotection.gov.in
CERT-In (Cyber Security Incidents): cert-in.org.in