Privacy Policy
Effective Date: February 2026 | Last Updated: February 2026
Your privacy is fundamental to Swasth. This policy explains how we collect, use, protect, and share your personal and health information in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA) and other applicable laws.
1. Data Controller
Laxhar Tech Private Limited ("we," "us," "our") is the data controller responsible for your personal data collected through the Swasth platform.
- Registered Address: Bangalore, Karnataka, India
- Email: [email protected]
- Data Protection Officer: Ridam Phule — [email protected]
2. Categories of Data Collected
2.1 Account Information
- Name, email address, profile picture
- Authentication credentials (managed via OAuth)
- Account preferences and settings
2.2 Health and Wellness Data (Sensitive Personal Data)
We collect various categories of health data based on features you use:
| Category | Data Types | Purpose |
|---|---|---|
| Vital Signs | Blood pressure, heart rate, temperature, oxygen saturation, blood sugar | Health tracking, anomaly detection |
| Body Metrics | Weight, height, BMI, body composition, bone density (DEXA T-scores, Z-scores) | Progress tracking, health insights |
| Nutrition | Meals, calories, macronutrients, water intake, dietary preferences, allergies | Nutrition planning, goal tracking |
| Sleep & Mood | Sleep duration, quality, mood ratings, emotions, stress levels | Wellness insights, pattern analysis |
| Fitness | Workouts, exercises, duration, calories burned | Activity tracking, fitness goals |
| Medical | Conditions (ICD-11), medications, prescriptions, medical documents | Health management, professional care |
| Reproductive Health | Menstrual cycles, pregnancy data, fertility indicators, menstrual analytics | Cycle tracking, pregnancy monitoring |
| Mental Health | Assessment scores (PHQ-9, GAD-7), therapy notes, safety plans | Mental wellness support, professional care |
| Symptom & Diagnostic Data | Body part selections, symptom descriptions, severity ratings, duration, condition match results, self-assessment responses | Symptom analysis, condition identification, health awareness |
| Recovery Data | Substance use tracking, quit dates, relapse logs, craving logs, triggers, coping strategies, money saved calculations, consumption milestones | Recovery support, progress tracking, relapse prevention |
| Injury & Surgery Recovery | Injury type, mechanism, severity, body part, recovery phase, swelling/range-of-motion logs, RICE protocol tracking, rehab exercise assignments, surgery type, post-operative protocols | Rehabilitation tracking, recovery phase management, professional care coordination |
| Beauty & Dermatological Data | Skin conditions, hair conditions, product usage, skincare/haircare routines, adverse product reactions | Personal beauty tracking, product reaction monitoring |
| Ayurveda & Traditional Wellness | Dosha assessment answers and results, herb usage logs, pranayama logs, dinacharya (daily routine) logs, seasonal wellness guidelines | Traditional wellness tracking, personalized routine management |
| Disability & Disorder Data | Disability types, functional limitations, accommodation needs, disorder classifications | Health context management, contraindication safety checks |
2.3 Child and Baby Data
For baby care features, we collect:
- Baby profile: name, date of birth, gender
- Growth metrics: weight, length, head circumference
- Feeding logs, sleep patterns, milestones, vaccinations
See our Children's Privacy Policy for additional protections.
2.4 Professional Interaction Data
- Professional-client relationship records
- Consultation history, appointments, and bookings
- Encrypted messages (end-to-end encrypted)
- Assignments, prescriptions, payment requests
2.5 Technical and Usage Data
- Device information, browser type, operating system
- IP address, location data (with consent)
- Usage patterns, feature interactions
- Error logs and performance data
3. Legal Basis for Processing
Under the DPDPA 2023, we process your data based on:
- Consent: For sensitive personal data including health information
- Contract Performance: To provide Platform services you requested
- Legitimate Interests: For security, fraud prevention, service improvement
- Legal Obligations: To comply with applicable laws
4. How We Use Your Data
4.1 Primary Purposes
- Providing health tracking and wellness features
- Generating personalized health insights and recommendations
- Facilitating professional-client relationships
- Enabling family health management
- Processing payments between professionals and clients
- Running contraindication safety checks against your health context
- Providing symptom checking and condition matching
- Supporting recovery and rehabilitation tracking
4.2 AI and Analytics
With your consent, we use your data for:
- AI-powered health analysis and recommendations
- Nutrition analysis and meal planning suggestions
- Health anomaly detection and alerts
- Personalized insights and reports
AI features are available through two models: BYOK (Bring Your Own Key), where you provide your own API keys, and free-tier providers, where shared API credentials are used. See Section 6 for details on each model's privacy implications.
4.3 Communication
- Service notifications and updates
- Health reminders (medication, appointments, etc.)
- Professional messages (encrypted)
- Marketing communications (with separate consent)
5. Data Sharing
5.1 With Healthcare Professionals
You control what health data is shared with connected professionals through granular privacy settings. You can enable/disable sharing of:
- Health profile and goals
- Weight and vital logs
- Nutrition and meal data
- Fitness and workout data
- Medical conditions and medications (opt-in only)
- Injury and surgery recovery data (opt-in if assigned professional)
- Condition recovery data (opt-in only — stigmatized health data)
- Beauty and dermatological data (opt-in only)
- Ayurveda data (opt-in, default on for Ayurvedic practitioners)
- Disability and disorder data (opt-in only)
5.2 With Family Members
Through Family Circles, you can share selected health data with family members. Each member controls their own sharing preferences.
5.3 With Third-Party Service Providers
We may share data with:
- Cloud infrastructure providers for data storage and processing
- Authentication providers (LaxharAccess) for secure login
- Push notification services for alerts and reminders
5.4 With AI Providers (User-Controlled)
BYOK providers: When you use AI features with your own API keys, relevant health data is sent to your chosen provider (OpenAI, Anthropic, Google, etc.). Data handling is governed by each provider's privacy policy and your API key terms.
Free-tier providers: When you use free-tier AI providers (Groq, OpenRouter, Together AI, Cerebras), data is sent through shared API credentials managed by Swasth. This means your data may be subject to the provider's standard data retention and processing policies for shared-tier usage. We recommend using BYOK providers for sensitive health queries where you want maximum control over data handling.
5.5 Legal Requirements
We may disclose data when required by law, legal process, or government request.
6. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| OpenAI / Anthropic / Google AI | AI health analysis (BYOK) | Health data for analysis |
| Groq / OpenRouter / Together AI / Cerebras | AI health analysis (free tier) | Health data for analysis (shared credentials) |
| Google Fit | Health data sync | Vital signs (bidirectional) |
| OpenWeather | Weather-based recommendations | Location (city level) |
| Web Push (VAPID) | Notifications | Device tokens |
See our Third-Party Services page for detailed information.
7. Data Security
7.1 Encryption
- In Transit: All data transmitted via HTTPS/TLS
- At Rest: Medical documents encrypted with AES-256-GCM
- Messages: End-to-end encrypted using Olm/Vodozemac (Double Ratchet algorithm)
7.2 Access Controls
- OAuth 2.0 with PKCE for authentication
- Role-based access controls
- Rate limiting on sensitive endpoints
- Audit logging for data access
7.3 Infrastructure
- Secure cloud hosting with regular security audits
- Automated backup and disaster recovery
- Intrusion detection systems
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Health logs | Until account deletion |
| Medical documents | Until user deletion or 7 years |
| Messages | Until conversation deletion |
| AI activity logs | 90 days |
| Audit logs | 7 years (regulatory compliance) |
| Recovery data (substance use) | Until account deletion (user-controlled purge available) |
| Symptom checker results | Until account deletion |
9. Your Rights
Under the DPDPA 2023 and applicable laws, you have the right to:
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data
- Portability: Receive your data in a portable format
- Withdraw Consent: Withdraw consent for processing
- Grievance Redressal: File complaints with our DPO
To exercise these rights, contact [email protected] or use the in-app settings.
10. Children's Privacy
We do not knowingly collect personal data from children under 13 without verifiable parental consent. Baby care features are designed for parents to manage their children's health data. See our Children's Privacy Policy for details.
11. International Transfers
Your data is primarily processed in India. If we transfer data internationally, we ensure appropriate safeguards are in place as required by DPDPA and applicable laws.
12. Cookies and Tracking
We use cookies and similar technologies for authentication, preferences, and analytics. See our Cookie Policy for details and controls.
13. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes through the Platform or by email at least 30 days before they take effect. Your continued use constitutes acceptance of the updated policy.
14. Contact Us
For privacy-related inquiries:
- Email: [email protected]
- Data Protection Officer: Ridam Phule — [email protected]
- Address: Laxhar Tech Private Limited, Bangalore, Karnataka, India
15. Grievance Redressal
If you have concerns about our data practices, contact our Data Protection Officer, Ridam Phule ([email protected]). If unsatisfied with our response, you may file a complaint with the Data Protection Board of India under the DPDPA 2023.