Privacy & Security Policy

How Svastheya collects, uses, and protects your health data.

1. Introduction

Svastheya (“Svastheya”, “we”, “us”, or “our”) provides a mobile and web application (the “App”, package name com.khealthcare.app) that helps individuals and families store, organize, and share digital health records with doctors and clinics. This Privacy & Security Policy explains what information we collect, how we use and protect it, who we share it with, and the choices you have.

Because Svastheya stores medical records and other health information, we treat this data as sensitive by default and apply stricter safeguards and access controls to it than we do to ordinary account information. By creating an account or using the App, you agree to the collection and use of information as described in this policy.

Last updated: July 2, 2026

2. Information We Collect

a. Account & Profile Information

  • Name, email address, and password (managed via Firebase Authentication)
  • Phone number, date of birth, gender, and address (optional, where provided)
  • Profile photo / avatar and, for doctors, an uploaded signature image
  • Role information (patient, doctor, or family/child account) and account preferences such as language

b. Health & Medical Information

This is the core purpose of the App, and the most sensitive category of data we process. It is provided directly by you, a family member you manage, or a doctor/clinic you have granted access to, and may include:

  • Medical records such as consultation notes, prescriptions, lab results, imaging reports, and surgical records
  • Diagnoses, treatments, medications, dosages, and instructions
  • Allergies, chronic conditions, blood type, and vaccination records
  • Emergency contact details
  • Uploaded documents, photos, and PDF attachments related to your health records (via camera, photo library, or file picker)
  • Family health information you add while managing a family/child profile

c. Doctor & Professional Information

  • Medical registration number, issuing council, and year of registration, used solely to verify a doctor’s credentials
  • Specialization, department, hospital/clinic affiliation, and clinic membership details

d. Device & App Permissions

The App requests certain device permissions strictly to provide its core functionality. We do not use these permissions for advertising or tracking:

  • Camera — to scan or photograph a document (e.g. a prescription or lab report) for upload.
  • Photo library — to select an existing image to attach to a health record or use as a profile photo.
  • File storage / document picker — to select and upload PDF or image files as medical record attachments.

e. Information We Do Not Collect

We do not use third-party advertising SDKs, ad identifiers, or behavioral analytics/tracking networks in the App, and we do not sell your personal or health information.

3. How We Use Your Information

  • Create and maintain your account, and authenticate you securely
  • Store, organize, and let you retrieve your (and your family members’) medical records
  • Let you generate and export records as PDF summaries for your own use
  • Enable doctor-patient and clinic collaboration only where you have explicitly granted access
  • Verify a doctor’s professional registration before activating a doctor account
  • Send account-related emails, such as one-time passwords (OTPs) for email verification and access-request notifications
  • Maintain the security, integrity, and reliability of the App, including detecting misuse
  • Respond to support requests you send us

4. Consent-Based Sharing With Doctors & Clinics

Your medical records are private by default. A doctor or clinic can only view a patient’s records after the patient (or a parent/guardian managing a family profile) explicitly approves an access request. Patients can review who currently has access and revoke that access at any time from within the App, which immediately removes the doctor or clinic’s ability to view the record.

We do not share your health information with any other third party for their own marketing or commercial purposes.

5. Service Providers We Use

We use a small number of trusted infrastructure providers to operate the App. These providers process data on our behalf under their own security and confidentiality commitments, and do not use your data for their own purposes.

  • Google Firebase (Authentication, Firestore database, and Cloud Storage) — hosts your account credentials, medical records, and app data.
  • Supabase — stores profile avatars and doctor e-signature images in access-controlled storage buckets using signed, time-limited URLs.
  • Our mail delivery service — sends transactional emails only (OTP verification codes and doctor-verification notifications). It does not receive your medical records.

6. How We Protect Your Data

We apply layered technical and organizational safeguards designed for handling sensitive health information:

  • Encryption in transit — all traffic between the App and our servers is encrypted using HTTPS/TLS.
  • Access-controlled storage — files such as avatars and signatures are served via short-lived signed URLs rather than public links.
  • Role-based & consent-based access control — every request to view a patient’s records is checked against explicit, granular access grants (individual doctor or clinic-wide), which patients can revoke at any time.
  • Doctor identity verification — doctor accounts are manually reviewed and verified against professional medical council registration details before they can request patient access.
  • Secure credential storage— authentication tokens are stored on-device using the operating system’s secure storage rather than plain text.
  • Security event logging — sensitive actions are logged for audit and abuse-detection purposes.
  • Least-privilege database rules — our database and storage rules restrict every read/write to the specific user or grantee it belongs to.

No method of electronic storage or transmission is 100% secure. We continuously work to protect your information but cannot guarantee absolute security.

7. Data Retention

We retain your account and health information for as long as your account is active, so that your records remain available to you. If you delete your account, we delete or anonymize your personal data and health records within a reasonable period, except where we are required to retain certain information to comply with legal, regulatory, or accounting obligations, or to resolve disputes.

8. Your Rights & Choices

You are always in control of your data. You can, at any time:

  • Access, review, and export your medical records as a PDF from within the App
  • Correct or update your profile and health information
  • Grant or revoke a doctor’s or clinic’s access to your records
  • Add, manage, or remove linked family/child profiles you are responsible for
  • Request deletion of your account and associated data — even without logging in — via our account deletion request page, or by contacting us at the email below

If you are located in a jurisdiction with statutory data-protection rights (such as access, correction, portability, or erasure), we will honor requests to exercise those rights in accordance with applicable law.

9. Family & Child Profiles

Svastheya lets a parent or guardian create and manage a linked family/child profile so a family’s health history can be kept in one place. Child profiles are created and controlled by the parent/guardian’s account; we do not knowingly allow a minor to independently create an account or provide personal information to us without a parent or guardian’s involvement.

10. International Data Storage

Our infrastructure providers (Google Firebase and Supabase) may process and store data on servers located outside your country of residence. Where this occurs, we rely on the security safeguards those providers maintain to protect your information regardless of where it is processed.

11. Changes to This Policy

We may update this Privacy & Security Policy from time to time to reflect changes in the App or applicable law. We will update the “Last updated” date above, and where changes are material, we will provide additional notice (such as an in-app or email notification) before they take effect.

12. Contact Us

If you have questions about this policy, want to exercise a data right, or want to request deletion of your account and data, contact us at hello@svastheya.in.

SvastheyaSvastheya

Your secure digital health vault. Keep medical records organized, manage family health history, and collaborate with doctors.

Platform

Company

Svastheya

© 2026 Svastheya. All rights reserved.