HealthArc Privacy Policy (Beta)
1. Who we are
HealthArc is a family health-records organizer operated by an independent team (currently Alok Chokhani and collaborators). This beta privacy policy describes how we collect, use, and protect your data during the beta period.
HealthArc is not a hospital, clinic, insurance company, or healthcare provider. We are a technology platform that helps you organize health records you already have.
Contact: contact@healtharc.in
2. What data we collect
2.1 Data you provide
- Account data: email, display name, password hash, profile photo (optional).
- Family data: names, relationships, dates of birth, blood groups, and other demographic details of family members you add.
- Health data: records you upload or enter (labs, medications, documents, symptoms, vitals, allergies, conditions, vaccinations, etc.).
- ABHA identifiers: if you choose to add your ABHA ID or ABHA address.
- Support messages: when you contact us.
2.2 Data we do NOT collect during beta
- Aadhaar, passport, PAN, driver's license, or non-Indian national identity numbers. Fields for these are disabled in the interface during beta.
- Device IMEI, SIM-level data, or biometric identifiers.
- Payment data (the service is currently free).
2.3 Data we collect automatically
- Server logs: IP address, user-agent, timestamp, URL accessed, response code — retained for 90 days for security and debugging.
- Audit logs: actions you take inside the app (uploads, shares, deletions) with actor identity — retained for the minimum required by applicable law.
- Cookies and session tokens: required for authentication. We do not use third-party advertising cookies.
3. How we use your data
We use your data to:
- Provide the service you signed up for — store, display, and organize your health records.
- Run automated processing (OCR, parsing, classification, pattern detection, AI summarization) to power HealthArc's features.
- Send service-related communications (security alerts, critical updates). We will not send marketing email without your separate opt-in.
- Maintain and improve the service — including aggregated, de-identified analytics. We do not use your identifiable records to train third-party AI models.
- Comply with legal obligations and respond to lawful requests from authorities.
4. Third parties we share data with
We use the following processors to run the service. Each receives only the data required for its function.
| Processor | Purpose | Data shared |
|---|---|---|
| Supabase (Amazon AWS) | Database, storage, authentication | All data you store in the app, in the region you selected. |
| Cloudflare | Edge hosting, CDN, DDoS protection | Traffic metadata, request/response bodies in transit. |
| Resend | Transactional email (sign-in links, alerts) | Email address, message content. |
| Twilio | SMS (if you opt in to SMS alerts) | Mobile number, message content. |
| OpenAI | Summarization and classification of health data via API | De-identified text fragments (we do NOT send identifying fields like name, Aadhaar, phone, etc. to OpenAI). OpenAI states that API data is not used to train their models. |
| Google Cloud Document AI | OCR of uploaded documents | Document images and extracted text. |
We do not sell your data. We do not rent it. We do not use it for advertising.
We will disclose data to law enforcement only when required by a lawful order from a competent authority with jurisdiction, and we will notify you unless we are prohibited by law from doing so.
5. Where your data is stored
Your primary Supabase data resides in the AWS region configured for the HealthArc project (currently intended to be ap-south-1 Mumbai or ap-south-2 Hyderabad for Indian data residency). Backups may be stored by Supabase in the same region. Cloudflare may temporarily cache response content at its global edge network but does not persist personal health data.
If you are outside India, your data may still be processed in India for the purposes of providing the service.
6. Security
We take reasonable security precautions, including:
- Encryption in transit (TLS).
- Encryption at rest for Supabase-managed storage.
- Row-level security (RLS) policies that enforce access boundaries between families.
- Short-lived signed URLs for document access.
- Audit logs with hash-chain tamper evidence (rolling out in Slice 1 of the control-plane plan).
- Webhook signature verification on inbound integrations.
- Least-privilege role separation for staff access.
We do not yet hold independent certifications (SOC 2, HIPAA, ISO 27001, NABH-equivalent for IT). We do not claim to meet those standards during beta.
No system is perfectly secure. We commit to notifying you promptly if we become aware of a breach that likely affects your data, in line with applicable law.
7. How long we keep your data
During beta, we apply the following retention policies (configured in the database, subject to legal hold):
| Category | Retention | Note |
|---|---|---|
| Clinical records (labs, medications, discharge summaries, etc.) | 7 years | At or above typical Indian medical-records minimums. |
| Administrative records (profile metadata, preferences) | 3 years from inactivity | |
| Audit logs | 2 years | May be longer if required for legal hold. |
| Inbound webhook raw bodies | 90 days | Shorter retention for high-volume operational data. |
| Identity references (ABHA ID, profile photograph) | 10 years | Matches clinical minimums for identity linkage. |
| Server / infrastructure logs | 90 days | |
You can request deletion at any time (see §9). Deletion is subject to legal-hold overrides — if we are required by law to retain specific records, we will notify you that your deletion request is partially blocked and tell you what the blocker is.
8. Your rights
You have the right to:
- Access — ask for a copy of the data we hold about you.
- Correct — fix inaccurate data. Most corrections can be made directly in the app.
- Delete — request full or partial deletion of your data.
- Export — ask for your data in a portable format.
- Object — object to specific uses, including profiling or automated decisions.
- Withdraw consent — for any processing that relies on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
- Complain — lodge a complaint with the Data Protection Board of India or your local data protection authority.
We do not currently make automated decisions that produce legal or similarly significant effects on you. AI-generated insights are advisory only — see the Beta Disclaimer.
9. How to exercise your rights
Email contact@healtharc.in with:
- The email address of your HealthArc account.
- The specific request (access, correction, deletion, export, etc.).
- Any necessary details to locate your data.
We aim to respond within 30 days. We may verify your identity before processing sensitive requests.
10. Children
HealthArc is intended for adults managing their own records or acting for their minor children. We do not market the service to children. If you believe a child has created an account without parental consent, email us and we will remove the account.
Records of minor children added by their parent/guardian are treated as the minor’s personal data; the adult in charge of the family is the custodian of that data until the minor becomes an adult, at which point they have the right to claim their own account.
11. Cookies
We use only cookies that are strictly necessary for authentication and session management. We do not use third-party advertising or tracking cookies in the HealthArc app during beta.
12. International transfers
If you are in the EU, UK, or other jurisdictions with international-transfer restrictions, note that HealthArc processes data in India and may use cloud processors in other regions. By using the service, you consent to such transfers. We will not transfer data to a jurisdiction that lacks basic data protection standards.
13. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top reflects the most recent change. Material updates will be shown to you in the app.
14. Contact
Privacy and data-rights questions: contact@healtharc.in