Privacy Policy

1. Who we are and how to contact us

• Service: Healvio (healvio.app)
• Operator (Data Fiduciary): Dineshkumar Mohanlal Suthar, sole proprietor, Ahmedabad, Gujarat, India
• Contact for privacy, data rights, and grievances: healvio.support@gmail.com
• Grievance contact person: Dineshkumar Mohanlal Suthar, Ahmedabad, Gujarat, India

We acknowledge grievances within 72 hours and aim to resolve them within 15 days of receipt.

2. What this Service does

Healvio is an information tool that helps you understand medical reports. You upload a medical report (PDF or image), and our system uses artificial intelligence to produce a plain-language explanation of the values in that report.

Healvio does not provide medical advice, diagnosis, treatment, or prescriptions. It is an educational and informational aid only. Please see our Terms of Service for the full medical disclaimer.

3. What personal data we collect

We collect only the data needed to provide the Service.

a) Information you provide

• Account information: your name (if provided), email address, and password. Passwords are stored only as a secure cryptographic hash, never in plain text. If you sign in with Google, we receive your name and email address from Google instead of a password. We also use one-time passcodes (OTPs) sent to your email for verification and password reset; OTPs are stored only as secure hashes and expire quickly.
• Health information you upload: the contents of the medical reports you upload, including test names, values, reference ranges, and any personal or health details contained in those files.
• Family member information: if you use the family feature, the name and relationship label you add for a family member, and the reports you associate with them.
• Payment-related information: records of your purchases and subscriptions. We do not collect or store your full card numbers, UPI PINs, or bank credentials — these are handled directly by our payment processor (see Section 7).
• Communications: the content of any emails or messages you send us.

b) Information collected automatically

• Technical data: IP address, browser type, device type, and basic usage information needed to operate the Service securely.
• Consent records: the date, time, and version of the Terms and Privacy Policy you agreed to.
• Security data: information used to detect and prevent abuse, fraud, and automated misuse (for example, bot-protection checks).

We do not use advertising trackers, and we do not sell your personal data to anyone.

4. How we obtain your consent

We process your personal data on the basis of consent that is free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action:

• At sign-up, we present this Privacy Policy and our Terms of Service, and you provide consent through a clear affirmative action (ticking an unticked consent checkbox).
• We record the date, time, and version of the documents you consented to.
• You can withdraw your consent at any time by deleting your reports or your account within the app, or by emailing us at healvio.support@gmail.com. Withdrawing consent is as easy as giving it. Withdrawal does not affect the lawfulness of processing already carried out, and it may limit or end your ability to use the Service.

5. Health data — a special note

The medical reports you upload contain sensitive personal data about your health. We treat this data with extra care:

• We process it only to generate your explanation and to show you your own report history.
• We do not use your individual health data to train AI models, and our AI service providers process it under terms that do not permit them to use it to train their models.
• We do not share your individual health data with advertisers or data brokers.
• Access to this data within our systems is limited to what is necessary to operate the Service.

6. Why we process your data (purposes)

We process your personal data for the following purposes:

We process your data on the basis of the consent you give when you sign up and use the Service, and, where applicable, to fulfil our contract with you and to comply with law.

7. Who we share data with (processors and third parties)

We use trusted third-party service providers (“Data Processors”) to run the Service. They process data only on our instructions and only as needed. These include:

• Razorpay — payment processing (purchases and subscriptions). Razorpay handles your payment-instrument details directly under its own privacy policy.
• Amazon Web Services (AWS) — secure file storage and report processing (region: Mumbai, India).
• Neon — database hosting (region: Singapore).
• Upstash — temporary caching (region: Mumbai, India).
• Resend — sending transactional emails (region: United States).
• Google — sign-in (only if you choose Google login).
• Google (Gemini API) and Groq — AI processing used to generate the plain-language explanation of your report. Report content is processed via API and is not used by these providers to train their models under the terms of our use of their services.
• Cloudflare — bot protection and security.
• Microsoft Azure — translation of explanations into Hindi or Gujarati when you request it.

We share data with these providers only to the extent necessary. We do not sell your data. We may also disclose data if required by law, court order, or a lawful government request.

8. Where your data is stored

Your data is stored and processed on servers located in India (file storage, caching, and report processing) and Singapore (database), and certain supporting services (such as transactional email and AI processing) may process data in other regions, including the United States. Where data is processed outside India, we use providers that apply appropriate security safeguards, consistent with applicable law. We do not transfer your data to any country restricted by the Government of India under the DPDP Act.

9. How long we keep your data (retention)

• Account and report data: kept while your account is active, so you can access your report history.
• Guest (unclaimed) reports: automatically deleted after a short period (currently within 24 hours) if not linked to an account.
• Payment records: kept as long as required for accounting, tax, and legal purposes.
• Consent records: kept for as long as your account exists and for up to 3 years after deletion, as proof of consent.

When you delete your account, we delete your personal data and report history from our active systems, except for limited records we are legally required to retain (such as payment/tax records).

10. Your rights

Under the DPDP Act, you have the right to:

• Access the personal data we hold about you and a summary of how it has been processed.
• Correct inaccurate or incomplete data, and update your data.
• Erase your data (for example, by deleting your account or specific reports).
• Grievance redressal — raise a complaint with us about how we handle your data.
• Nominate another person to exercise your rights in the event of your death or incapacity.
• Withdraw consent at any time (this may limit your ability to use the Service).

To exercise any of these rights, email healvio.support@gmail.com. We will acknowledge your request within 72 hours and respond within the time required by law. You can delete reports and your entire account directly within the app at any time.

If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India.

11. Security

We use reasonable security measures to protect your data, including:

• Passwords and OTPs stored as secure hashes, never in plain text.
• Encrypted connections (HTTPS) across the Service.
• Access controls limiting who and what can reach your data.
• Bot protection and abuse prevention.

No system is perfectly secure. In the event of a personal data breach, we will notify the Data Protection Board of India and affected users within the timelines required under the DPDP Act and Rules (including intimation to the Board within 72 hours of becoming aware of the breach, where required).

12. Children

The Service is intended for adults (18 years and older). We do not knowingly collect data from children without verifiable parental consent.

If you add a family member who is under 18 or upload their medical report, we process their data only on the basis of your verifiable consent as their parent or lawful guardian. We may require you to verify your identity, age, and relationship through reliable details or a government-backed mechanism as required by the DPDP Rules, and we may decline or delete uploads where verification is not completed. If you believe a child’s data has been provided to us without proper consent, contact us and we will delete it.

13. Uploading other people's reports

If you upload a report that belongs to another person (for example, a parent or family member), you confirm that you have the authority and their consent (or lawful guardianship) to do so. You are responsible for ensuring you are permitted to share that person’s health information with us for processing.

14. Translations

When you request a translation of an explanation into Hindi or Gujarati, we apply technical measures designed to preserve medical values, units, and terminology during translation. However, translations are provided for convenience only, and you should always verify translated content against the original report and the English explanation.

15. Changes to this Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will update the “Last updated” date and, where appropriate, notify you. The version you agreed to at sign-up is recorded as part of your consent.

16. Governing law

This Privacy Policy is governed by the laws of India. Subject to your statutory rights (including your rights under the DPDP Act and consumer protection law), any disputes are subject to the exclusive jurisdiction of the courts in Ahmedabad, Gujarat, India.