Privacy Policy
Effective Date: December 2024 | Last Updated: December 2024
Your privacy is fundamental to Swasth. This policy explains how we collect, use, protect, and share your personal and health information in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA) and other applicable laws.
1. Data Controller
Laxhar Tech Private Limited ("we," "us," "our") is the data controller responsible for your personal data collected through the Swasth platform.
- Registered Address: Bangalore, Karnataka, India
- Email: [email protected]
- Data Protection Officer: [email protected]
2. Categories of Data Collected
2.1 Account Information
- Name, email address, profile picture
- Authentication credentials (managed via OAuth)
- Account preferences and settings
2.2 Health and Wellness Data (Sensitive Personal Data)
We collect various categories of health data based on features you use:
| Category | Data Types | Purpose |
|---|---|---|
| Vital Signs | Blood pressure, heart rate, temperature, oxygen saturation, blood sugar | Health tracking, anomaly detection |
| Body Metrics | Weight, height, BMI, body composition | Progress tracking, health insights |
| Nutrition | Meals, calories, macronutrients, water intake, dietary preferences, allergies | Nutrition planning, goal tracking |
| Sleep & Mood | Sleep duration, quality, mood ratings, emotions, stress levels | Wellness insights, pattern analysis |
| Fitness | Workouts, exercises, duration, calories burned | Activity tracking, fitness goals |
| Medical | Conditions (ICD-11), medications, prescriptions, medical documents | Health management, professional care |
| Reproductive Health | Menstrual cycles, pregnancy data, fertility indicators | Cycle tracking, pregnancy monitoring |
| Mental Health | Assessment scores (PHQ-9, GAD-7), therapy notes, safety plans | Mental wellness support, professional care |
2.3 Child and Baby Data
For baby care features, we collect:
- Baby profile: name, date of birth, gender
- Growth metrics: weight, length, head circumference
- Feeding logs, sleep patterns, milestones, vaccinations
See our Children's Privacy Policy for additional protections.
2.4 Professional Interaction Data
- Professional-client relationship records
- Consultation history and appointments
- Encrypted messages (end-to-end encrypted)
- Assignments, prescriptions, payment requests
2.5 Technical and Usage Data
- Device information, browser type, operating system
- IP address, location data (with consent)
- Usage patterns, feature interactions
- Error logs and performance data
3. Legal Basis for Processing
Under the DPDPA 2023, we process your data based on:
- Consent: For sensitive personal data including health information
- Contract Performance: To provide Platform services you requested
- Legitimate Interests: For security, fraud prevention, service improvement
- Legal Obligations: To comply with applicable laws
4. How We Use Your Data
4.1 Primary Purposes
- Providing health tracking and wellness features
- Generating personalized health insights and recommendations
- Facilitating professional-client relationships
- Enabling family health management
- Processing payments between professionals and clients
4.2 AI and Analytics
With your consent, we use your data for:
- AI-powered health analysis and recommendations
- Nutrition analysis and meal planning suggestions
- Health anomaly detection and alerts
- Personalized insights and reports
AI features use your own API keys (BYOK model) for third-party AI providers. See Section 6 for details.
4.3 Communication
- Service notifications and updates
- Health reminders (medication, appointments, etc.)
- Professional messages (encrypted)
- Marketing communications (with separate consent)
5. Data Sharing
5.1 With Healthcare Professionals
You control what health data is shared with connected professionals through granular privacy settings. You can enable/disable sharing of:
- Health profile and goals
- Weight and vital logs
- Nutrition and meal data
- Fitness and workout data
- Medical conditions and medications (opt-in only)
5.2 With Family Members
Through Family Circles, you can share selected health data with family members. Each member controls their own sharing preferences.
5.3 With Third-Party Service Providers
We may share data with:
- Cloud infrastructure providers for data storage and processing
- Authentication providers (LaxharAccess) for secure login
- Push notification services for alerts and reminders
5.4 With AI Providers (User-Controlled)
When you use AI features with your own API keys, relevant health data is sent to your chosen provider (OpenAI, Anthropic, Google, etc.). This is subject to each provider's privacy policy.
5.5 Legal Requirements
We may disclose data when required by law, legal process, or government request.
6. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| OpenAI / Anthropic / Google AI | AI health analysis (BYOK) | Health data for analysis |
| Google Fit | Health data sync | Vital signs (bidirectional) |
| OpenWeather | Weather-based recommendations | Location (city level) |
| Web Push (VAPID) | Notifications | Device tokens |
See our Third-Party Services page for detailed information.
7. Data Security
7.1 Encryption
- In Transit: All data transmitted via HTTPS/TLS
- At Rest: Medical documents encrypted with AES-256-GCM
- Messages: End-to-end encrypted using Olm/Vodozemac (Double Ratchet algorithm)
7.2 Access Controls
- OAuth 2.0 with PKCE for authentication
- Role-based access controls
- Rate limiting on sensitive endpoints
- Audit logging for data access
7.3 Infrastructure
- Secure cloud hosting with regular security audits
- Automated backup and disaster recovery
- Intrusion detection systems
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Health logs | Until account deletion |
| Medical documents | Until user deletion or 7 years |
| Messages | Until conversation deletion |
| AI activity logs | 90 days |
| Audit logs | 7 years (regulatory compliance) |
9. Your Rights
Under the DPDPA 2023 and applicable laws, you have the right to:
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data
- Portability: Receive your data in a portable format
- Withdraw Consent: Withdraw consent for processing
- Grievance Redressal: File complaints with our DPO
To exercise these rights, contact [email protected] or use in-app settings.
10. Children's Privacy
We do not knowingly collect personal data from children under 13 without verifiable parental consent. Baby care features are designed for parents to manage their children's health data. See our Children's Privacy Policy for details.
11. International Transfers
Your data is primarily processed in India. If we transfer data internationally, we ensure appropriate safeguards are in place as required by DPDPA and applicable laws.
12. Cookies and Tracking
We use cookies and similar technologies for authentication, preferences, and analytics. See our Cookie Policy for details and controls.
13. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be notified through the Platform or email at least 30 days before taking effect. Your continued use constitutes acceptance of the updated policy.
14. Contact Us
For privacy-related inquiries:
- Email: [email protected]
- Data Protection Officer: [email protected]
- Address: Laxhar Tech Private Limited, Bangalore, Karnataka, India
15. Grievance Redressal
If you have concerns about our data practices, contact our Data Protection Officer. If unsatisfied with our response, you may file a complaint with the Data Protection Board of India under the DPDPA 2023.