This Privacy Policy explains how HealthPort collects, uses, shares, stores and protects your personal data when you use our Platform.
This policy is drafted to align with India’s digital personal data protection framework, including the Digital Personal Data Protection Act, 2023 (DPDP Act) and the notified DPDP Rules, 2025.
1.1 “Personal Data” has the meaning assigned under applicable law and, in general, means any data about an individual who is identifiable by or in relation to such data.
1.2 “Data Principal” (you) has the meaning under the DPDP Act.
1.3 “Data Fiduciary” (HealthPort) means the person who determines the purpose and means of processing personal data.
1.4 “Data Processor” means any person processing personal data on behalf of the Data Fiduciary (e.g., cloud hosting providers, analytics providers, AI service providers).
1.5 “Personal Data Breach” refers to a breach that compromises confidentiality, integrity or availability of personal data, as addressed through DPDP Act obligations regarding security safeguards and breach intimation.
2.1 Where this applies. This Privacy Policy applies to the Platform and to processing of Personal Data collected digitally (and offline data that is later digitised), in line with the DPDP Act’s scope framework.
2.2 Users outside India. The DPDP Act may also apply where digital personal data is processed outside India in connection with offering goods or services to individuals in India.
We collect Personal Data in the following categories (depending on the features you use):
3.1 Account and identity data. Name, phone number, email address, date of birth/age (if provided), gender (if provided) and profile photo (optional).
3.2 Health and wellness data (Health Data). Records you upload or import, such as prescriptions, diagnoses, lab reports, radiology reports, discharge summaries, allergies, medications, vitals and notes.
3.3 Visit and scheduling data. Appointment entries, provider names, visit notes, follow-up schedules and reminder preferences.
3.4 Voice and transcript data (if you enable transcription). Audio captured through your device microphone, transcripts and summaries generated from those transcripts.
3.5 Family member profile data (if you add family members). Similar categories of data for each family member profile that you manage, to the extent you provide it.
3.6 Device and usage data. Device model, operating system, app version, IP address, log data, approximate location (if enabled), crash logs and analytics events.
3.7 Communications. Messages you send to support, feedback and survey responses.
3.8 Payment data (if paid features exist). Billing information and transaction confirmations (note: payment processing may be handled by a payment gateway; see Section 8).
4.1 Directly from you. When you create an Account, upload records, enter appointments, enable reminders, record audio or use the AI Features.
4.2 From your device (with permissions). When you permit access to camera, microphone, storage/files, location or notifications.
4.3 From third parties (only when you choose/authorise). If you connect or import from a third-party source (e.g., a lab portal export or provider-shared document), we process what you provide or authorise.
We process Personal Data for lawful purposes, including:
5.1 Providing the Platform. To create and manage your Account, maintain your health timeline, store your records, run reminders and deliver features you request.
5.2 Generating summaries and timelines (AI Features). To create intelligible summaries, structured notes and timelines from complex reports or conversations and to help you prepare to share relevant information with providers.
5.3 Find a Doctor. To show nearby provider listings and provide directions/guidance.
5.4 Safety, security and fraud prevention. To protect accounts, prevent abuse and secure systems.
5.5 Support and communications. To handle queries, provide customer support and send service communications (including essential notifications).
5.6 Improvement and analytics. To understand usage, debug issues and improve features; where feasible, we use aggregated or de‑identified datasets for product improvement.
6.1 Consent. Where required, we process Personal Data based on your consent. Under the DPDP Act, consent must be free, specific, informed, unconditional and unambiguous with a clear affirmative action and limited to what is necessary for the specified purpose.
6.2 Notice. We provide notice at or before the time of seeking consent, including the data, purpose and rights mechanisms, consistent with DPDP notice requirements.
6.3 Withdrawal of consent. You may withdraw consent and the ease of withdrawal will be comparable to the ease of giving consent; processing before withdrawal remains lawful. Certain consequences (such as inability to provide a feature) may follow withdrawal.
6.4 Legitimate uses. In certain circumstances, processing may be permitted without consent under “legitimate uses” recognised by law. (If HealthPort relies on any such basis for a specific feature, it should be disclosed within the Platform’s contextual notices.)
We do not sell your Personal Data.
We may share Personal Data only as follows:
7.1 At your direction. When you choose to share records/summaries with a doctor or caregiver or with a family member profile manager.
7.2 With Data Processors. We may share Personal Data with vetted service providers who process data on our behalf (e.g., cloud hosting, analytics, transcription, AI processing), under contractual obligations to process only per our instructions and implement security safeguards.
7.3 With Third-Party Providers you contact. If you use “Find a Doctor” and contact a provider, your relationship is with that provider; we do not control how they handle your data once you share it directly with them.
7.4 Legal obligations and safety. We may disclose Personal Data where required by law, legal process or to protect rights, safety and prevent fraud.
7.5 Business transfer. If we undergo a merger, acquisition, restructuring or sale of assets, Personal Data may be transferred as part of that transaction, subject to applicable law and appropriate safeguards.
8.1 Processing locations. Your Personal Data may be processed in India and/or other jurisdictions depending on our service providers and infrastructure.
8.2 DPDP restrictions. The DPDP Act permits the Central Government to restrict transfers of personal data to certain countries/territories by notification. HealthPort will comply with such restrictions and any higher-protection laws that may apply.
9.1 Retention principle. We retain Personal Data only as long as necessary for the purposes described in this Privacy Policy, unless longer retention is required for compliance with law, audit or legitimate purposes.
9.2 Erasure on withdrawal or purpose completion. The DPDP Act requires erasure when consent is withdrawn or it is reasonable to assume the specified purpose is no longer served, unless retention is legally required. We will maintain retention schedules designed to align with this principle.
9.3 Account deletion. You may request deletion of your Account and associated Personal Data, subject to legal retention requirements and technical limitations (for example, backups retained for limited periods).
10.1 Reasonable security safeguards. We implement technical and organisational measures to protect Personal Data, consistent with the DPDP Act requirement to take reasonable security safeguards to prevent personal data breaches.
10.2 Encryption and access controls. We aim to use encryption in transit and at rest where appropriate, access controls and least‑privilege practices. (Exact measures may vary by system component and will evolve with risk and technology.)
10.3 Limits of security. No system is perfectly secure. You are responsible for device security and maintaining confidentiality of your login credentials.
In the event of a personal data breach, we will take reasonable steps to assess, mitigate and remediate.
Under the DPDP Act, a Data Fiduciary must intimate the Data Protection Board of India and each affected Data Principal in the event of a personal data breach, in the form and manner prescribed. HealthPort will follow applicable legal requirements.
Subject to applicable law and prescribed procedures, you have the following rights:
12.1 Right to access information. You may request a summary of Personal Data being processed and processing activities and the identities of other Data Fiduciaries/Data Processors with whom your Personal Data has been shared (subject to statutory exceptions).
12.2 Right to correction and updating. You may request correction of inaccurate or misleading Personal Data and completion/updating of incomplete data.
12.3 Right to erasure. You may request erasure, subject to retention requirements necessary for compliance with law or the specified purpose.
12.4 Right of grievance redressal. You have the right to readily available means of grievance redressal; you must ordinarily exhaust this before approaching the Board.
12.5 Right to nominate. You may nominate another individual who may exercise your rights in the event of death or incapacity.
12.6 How to exercise rights. You may exercise these rights by contacting us at the grievance contact details in Section 15. We may need to verify your identity before fulfilling rights requests.
13.1 Child definition. Under the DPDP Act, a “child” means an individual who has not completed 18 years of age.
13.2 Verifiable parental consent. Before processing personal data of a child (or a person with disability who has a lawful guardian), verifiable consent of the parent/guardian is required, subject to prescribed rules and exemptions.
13.3 No tracking or targeted ads to children. The DPDP Act restricts tracking/behavioural monitoring of children and targeted advertising directed at children, subject to statutory conditions/exemptions. HealthPort intends to align accordingly.
14.1 Cookies. If you use our website, we may use cookies and similar technologies for essential site functions, analytics and security. You can control cookies via browser settings.
14.2 No responsibility for third-party sites. External sites linked from our Platform have their own privacy practices; we are not responsible for them.
15.1 Grievance contact.
15.2 Resolution process. We will acknowledge and respond to grievances within timelines prescribed by applicable law and internal policy.
We may update this Privacy Policy from time to time. We will post the updated version on the Platform and update the “Last Updated” date.
This section summarises where the drafts align with key DPDP Act duties/rights, so the final website/app implementation can match the text:
Consent quality and limitation (free, specific, informed; limited to necessity). Reflected in Privacy Policy Section 6 and permission‑based feature sections.
Notice requirements and multilingual accessibility expectation. Reflected in Privacy Policy Section 6.2 (and should be implemented in‑app at the point of collection).
Security safeguards + breach intimation to Board and affected individuals. Reflected in Privacy Policy Sections 10–11.
Data Principal rights to access, correction, erasure, grievance redressal, nomination. Reflected in Privacy Policy Section 12.
Children’s data obligations (under 18; parental consent; no tracking/targeted ads to children, subject to rules). Reflected in Privacy Policy Section 13.
Cross‑border transfer restrictions by notification. Reflected in Privacy Policy Section 8.
DPDP Rules, 2025 notification and operationalisation context. Reflected in Privacy Policy introduction and ongoing compliance posture.
To make these drafts production‑ready, the following blanks and implementation decisions must be completed to avoid inconsistencies between “policy text” and “actual behaviour”: