Privacy Policy
How SwasthaID handles patient data
This policy explains what information SwasthaID processes for the patient mobile app, why it is processed, which service providers are involved, and how users can request permanent deletion.
Store submission reference
Last updated April 3, 2026
Scope and role
SwasthaID is a patient record-management service for storing medical reports, managing family-linked profiles, sharing records with doctors through patient-issued tokens, and reviewing access history.
This policy covers the patient mobile app, the public website, and the supporting backend APIs used by those surfaces. It does not grant third parties any right to use patient data outside the authorized SwasthaID workflows.
Data we collect
We may process the following categories of information when you use the patient mobile app:
- Health and fitness data: medical reports, report metadata, medical profile details, vitals, symptoms, mood logs, pain logs, appointments, and linked family-member health profiles.
- Contact information: email address used for one-time-passcode authentication and support workflows.
- Identifiers: SwasthaID/RHH, patient account ID, linked family-member IDs, and push-notification token.
- Sensitive information: national ID entered by the patient.
- Security and activity data: audit history, device-generated push-permission state, and access-log metadata such as IP address and doctor access timestamps.
How we use data
- Authenticate the account with email OTP.
- Encrypt, store, sync, and display reports and profile information.
- Generate doctor access tokens and enforce time-bound access.
- Maintain patient-visible audit trails showing who accessed records, from which hospital, and when.
- Send service notifications such as patient-access prompts or account-security messages when push notifications are enabled.
- Honor support, security, and account-deletion requests.
We do not use patient mobile-app data for advertising, cross-app tracking, or brokered data sales.
Service providers and disclosures
SwasthaID uses service providers only as needed to operate the product:
- Our backend API processes authentication, profile, reports, token, and audit requests.
- Supabase storage is used for cloud-hosted medical report files and related secure retrieval workflows.
- Brevo is used to send email OTP messages.
- Expo push services and Firebase Cloud Messaging are used for patient push notifications when enabled.
These processors act on our behalf to provide app functionality or security. We do not use them for advertising or third-party tracking.
Family-linked records and proxy data
Account holders may create or manage linked family-member profiles. That means SwasthaID can process health data entered on behalf of a family member by the primary account holder.
If you manage a dependent or family profile, you are responsible for ensuring you have authority to add, view, share, and delete that information. Linked family data follows the same security controls and deletion flow as the primary account.
National ID handling
National ID values are stored separately from the doctor-sharing flow and are intended for patient-controlled account context only. National ID is not included in doctor token sessions, patient-facing audit summaries for clinicians, or patient mobile AI disclosures for store-submission scope.
Doctor-authorized AI processing
When a doctor uses the doctor portal's Smart Assistant on records that a patient has already authorized for that session, relevant excerpts of those authorized records may be processed by the configured AI provider to generate grounded, non-tracking responses for the clinician.
At the time of this policy, the configured provider may include Google Gemini or a self-hosted local Ollama deployment, depending on environment configuration. This doctor-portal AI workflow is distinct from the patient mobile app's store-submission scope, but it is described here for transparency.
Storage, security, and retention
- Tokens and encryption material used by the patient app are kept in secure device storage where supported.
- Cloud records are transmitted over encrypted transport channels and retrieved through authenticated backend flows.
- Our default production submission profile assumes application hosting in South Asia and Supabase database and storage services in the Mumbai region, while OTP and push-delivery providers may process delivery metadata through their own international infrastructure.
- Audit logs and security records are retained until account deletion or up to 7 years, whichever happens first, while short-lived operational delivery logs are typically retained for up to 30 days.
Optional backup or migration helpers are not treated as active store-submission features for this release unless they are explicitly enabled before shipment.
Deletion and your choices
You can delete your account inside the mobile app from the Profile screen, or by using our public account-deletion page.
Permanent deletion removes the patient account, linked family-member records, cloud-hosted reports, clinical logs, access tokens, and related push-token metadata. The public deletion flow is available at /account-deletion.
Contact
Privacy questions: privacy@swasthaid.com.np
General support: support@swasthaid.com.np