
Privacy Policy

Last Updated: March 14, 2026 | Effective Date: February 18, 2026

Important Medical Disclaimer: Health Companion 360 is NOT a medical service. We do not diagnose, treat, prescribe, or provide medical advice. Always consult qualified healthcare professionals for medical concerns.

Notice under the Digital Personal Data Protection Act, 2023 (DPDP Act)

Before you use our platform, we are required by law to inform you: Swara Healthtech Pvt. Ltd. (operating as Health Companion 360) collects and processes your personal data as described in this policy. You have the right to access, correct, and erase your data at any time. Giving us your data is voluntary — you may withdraw consent at any time by visiting your Account Settings. Withdrawing consent will limit certain platform features.

1. Data Fiduciary Identity

This Privacy Policy is issued by the Data Fiduciary as defined under §2(i) of the Digital Personal Data Protection Act, 2023:

Legal Entity: Swara Healthtech Pvt. Ltd.
Brand Name: Health Companion 360
Registered Address: Mumbai, Maharashtra, India
Privacy Email: privacy@healthcompanion360.in
Grievance Officer: grievance@healthcompanion360.in (responds within 48 hours)
Role under DPDP: Data Fiduciary (§2(i) DPDP Act 2023)

2. Introduction

Welcome to Health Companion 360 ("we," "our," or "us"). We are committed to protecting your privacy and personal data in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and other applicable Indian laws.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our platform. We operate as a healthcare discovery and clinic management SaaS platform — we are a technology intermediary, not a healthcare provider.

3. Data We Collect

3.1 From Patients (Data Principals)

  • Identity Data — First name, last name, email address, phone number
  • Health Data — Symptom descriptions, blood group, allergies, chronic conditions (collected with explicit consent; categorised as sensitive personal data)
  • Location Data — GPS coordinates or IP-derived city (to find nearby clinics; can be declined)
  • Account Data — Password hash (bcrypt), Google/Apple OAuth token, profile photo URL
  • Usage Data — Symptom searches, clinic views, appointment history, device/browser identifiers
  • Payment Data — Processed via Razorpay; we store only order IDs and payment status — never card numbers or UPI credentials

3.2 From Clinics (Business Users)

  • Clinic profile: name, address, city, specialties, consultation fee, operating hours
  • Staff user data: name, email, phone, role designation
  • Subscription and billing records (order IDs, tier, renewal dates)
  • Platform usage: dashboard activity, login timestamps, audit logs

3.3 Automatically Collected Data

  • IP address (for rate limiting and fraud detection)
  • User agent / browser type
  • Page views and navigation patterns (Mixpanel analytics)
  • Error logs and performance metrics

4. Lawful Basis and Consent (DPDP §6–7)

We process personal data only on one or more of the following lawful bases:

  • Consent (§6) — For health/symptom data, location, and marketing communications. Consent is sought via explicit in-app checkboxes before data collection. You may withdraw consent at any time.
  • Legitimate Use (§7) — For account creation and service delivery (processing necessary to provide the service you requested), fraud prevention, and legal compliance.
  • Legal Obligation — For audit logs and records required by Indian law (IT Act, GST, tax compliance).

Health data (symptoms, blood group, allergies, chronic conditions) is treated as sensitive personal data and collected only with explicit opt-in consent. You may skip health profile fields at any time.

5. How We Use Your Data

  • AI-powered symptom classification to recommend appropriate medical specialties
  • Connecting patients with relevant nearby clinics based on location and specialty
  • Enabling clinics to manage patient inquiries, appointments, and operations via dashboard
  • Processing payments for clinic subscriptions and patient services
  • Sending transactional notifications (appointment confirmations, inquiry alerts via email and WhatsApp)
  • Fraud prevention, abuse detection, and platform security
  • Aggregate analytics to improve platform performance (de-identified data only)
  • Compliance with legal obligations and regulatory reporting

We do not use your data for automated profiling that produces legal or similarly significant effects.

6. Data Processors (Third-Party Sub-Processors)

As the Data Fiduciary, we engage the following Data Processors under written agreements that require them to process data only as instructed and maintain equivalent security standards:

Processor | Purpose | Data Transferred | Country
Neon / PostgreSQL | Primary database hosting | All structured data | USA (AWS)
Upstash Redis | Session caching, rate limiting | Session tokens, rate counters | USA
Resend | Transactional email delivery | Name, email, appointment details | USA
Razorpay | Payment processing | Order amount, user identifier | India
Meta (WhatsApp Business API) | WhatsApp notifications | Phone number, message content | USA
Groq / OpenAI | AI symptom classification & insights | Symptom text (no name/phone) | USA
Vercel | Application hosting & CDN | All HTTP request/response data | USA/Global edge
Mixpanel | Product analytics | Anonymised usage events | USA

6.1 Cross-Border Data Transfers

Some processors listed above are located outside India. We transfer data to them only where: (a) the transfer is necessary to provide the service you requested, (b) appropriate contractual safeguards are in place, or (c) the recipient country has been notified under the DPDP Act. Symptom data sent to AI processors is stripped of direct identifiers (name, phone, email) before transmission.

7. Data Sharing

We share your personal data only in the following circumstances:

  • With Clinics: When you submit an inquiry, your name, phone number, and symptom description are shared with that specific clinic to enable them to respond to you.
  • With Data Processors: As listed in Section 6 above, under contractual data processing agreements.
  • Legal Requirements: When required by applicable law, court order, or government authority. We will notify you unless prohibited by law.
  • Business Transfers: In the event of a merger, acquisition, or asset sale — users will be notified in advance and may request erasure.

We do NOT sell, rent, or trade your personal data to any third party for their commercial purposes.

8. Your Rights under DPDP Act 2023

As a Data Principal under §12–14 of the DPDP Act, you have the following enforceable rights:

§11 — Right to Access & Data Portability

Request a summary of personal data we hold and how it is used. Registered patients can download a machine-readable copy of all their data (appointments, prescriptions, inquiries, symptom searches) from Account Settings → Download My Data.

§12 — Right to Correction & Completion

Request correction of inaccurate, incomplete, or outdated personal data. Update your profile directly at Account Settings or email us.

§12 — Right to Erasure

Request deletion of your personal data. Registered patients can delete their account from Account Settings → Delete Account. Upon deletion, all PII is anonymised within 24 hours; audit logs are retained for 5 years as required by law.

§13 — Right to Nominate

Nominate another individual to exercise privacy rights on your behalf in the event of death or incapacity. Contact us at privacy@healthcompanion360.in with a written nomination.

Right to Withdraw Consent

Withdraw previously given consent at any time. Withdrawal does not affect lawfulness of prior processing. You can manage consent preferences in Account Settings.

§14 — Right to Grievance Redressal

Lodge a complaint with our Grievance Officer at grievance@healthcompanion360.in. If unsatisfied with our response, you may escalate to the Data Protection Board of India once notified under the DPDP Act (contact details will be published at dpboard.gov.in upon establishment).

To exercise any right, email privacy@healthcompanion360.in. We will acknowledge within 48 hours and respond substantively within 30 days.

9. Data Retention

Data Category | Retention Period | Reason
Symptom search data | 30 days | Minimisation principle
Inquiry records | 2 years | Dispute resolution
Appointment & prescription records | 5 years | Medical records compliance
Clinic account data | Subscription period + 1 year | Regulatory
Audit logs | 5 years | IT Act / regulatory requirement
Payment records | 7 years | GST / Income Tax compliance

After the retention period, data is securely deleted or irreversibly anonymised.

10. Security

We implement appropriate technical and organisational measures (§8 DPDP Act) including:

  • HTTPS/TLS 1.3 encryption for all data in transit
  • bcrypt password hashing (12 rounds) — passwords are never stored in plaintext
  • JWT tokens with short expiry and issuer/audience validation
  • IP-based rate limiting on all API endpoints
  • Security headers: CSP, X-Frame-Options DENY, HSTS, nosniff
  • Access controls: clinic staff see only their own clinic data; patients see only their own data
  • Regular dependency updates and vulnerability scanning

In the event of a personal data breach that is likely to result in high risk to individuals, we will notify the Data Protection Board of India within 72 hours and affected Data Principals without undue delay.

11. Cookies

We use cookies for authentication, analytics, and preferences. Please see our Cookie Policy for full details.

12. Children's Privacy

Our platform is not intended for children under 18 years of age. We do not knowingly collect personal data from minors. Under the DPDP Act, we do not process personal data of children without verifiable parental consent. If you believe a minor has provided data, contact us immediately at privacy@healthcompanion360.in and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified to registered users via email at least 14 days before taking effect. The updated policy will always be available at /legal/privacy with the "Last Updated" date revised accordingly. Continued use of the platform after the effective date constitutes acceptance of the revised policy.

14. Contact Us

For privacy concerns, rights requests, or to exercise your DPDP Act rights:

This policy is issued in compliance with the Digital Personal Data Protection Act, 2023 (India), Information Technology Act, 2000, and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.