Privacy Policy

This policy explains how Sai Industries Pvt. Ltd. processes, stores, and protects your personal and health data.

Store submission reference

Last updated May 26, 2026

Contact

privacy@swastha.id

General support: support@swastha.id

This Privacy Policy is issued by Sai Industries Pvt. Ltd., operating the SwasthaID application for use by patients, caregivers, healthcare providers, hospitals, and clinics.

This Policy describes how we collect, use, disclose, retain, and protect your personal data, including sensitive health data, when you use our Application. This policy reflects internationally accepted best practices for the governance of sensitive healthcare data and complies with Apple App Store privacy guidelines.

By downloading, installing, or using the Application, you acknowledge that you have read, understood, and agree to be bound by the terms of this Policy.

Preamble

SAI INDUSTRIES PVT. LTD. PRIVACY POLICY
SwasthaID Mobile Application
Version 2.0 | Effective Date: 26 May 2026 | Last Updated: 26 May 2026

This Privacy Policy (the "Policy") is issued by Sai Industries Pvt. Ltd., a company incorporated under the laws of Nepal (Registration No. 369506) ("the Company", "we", "us", or "our"), with its registered office at Lalitpur Metropolitan City-3, Lalitpur, Nepal. The Company develops and operates the SwasthaID mobile application (the "Application" or "App") for use by patients, caregivers, healthcare providers, hospitals, and clinics.

1. Definitions

For the purposes of this Policy, the following terms shall have the meanings ascribed to them below:

Personal Data
Any information relating to an identified or identifiable natural person, including name, date of birth, email address, contact number, and account credentials.
Special Category Data / Health Data
Data concerning health, medical records, diagnostic reports, health history, treatments, prescriptions, test results, and any other information pertaining to the physical or mental condition of an individual, which is afforded heightened protection under this Policy.
Processing
Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, transmission, or erasure.
Data Controller
Sai Industries Pvt. Ltd., which determines the purposes and means of processing your personal data.
Data Subject
The identified or identifiable natural person to whom the personal data relates, including patients and application users.
Consent
Any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes by which they agree to the processing of their personal data.

2. Who We Are

Sai Industries Pvt. Ltd. (Company Registration Number 369506)

Registered Office: Lalitpur Metropolitan City-3, Lalitpur, Nepal

Data Protection Officer (DPO): [DPO NAME — TO BE APPOINTED]

Email: privacy@swastha.id

Support: support@swastha.id

Website: https://swastha.id

3. Scope and Application of This Policy

This Policy applies to:

  • All individuals who download, register, or otherwise use the Application, including patients, caregivers, and authorized representatives;
  • All personal data and health data collected, stored, processed, or transmitted through the Application;
  • All processing activities conducted by the Company, its employees, subcontractors, and third-party service providers acting on its behalf;
  • All versions of the Application, whether accessed on iOS or Android.

Third-Party Exclusions

This Policy does not apply to third-party websites, applications, or services that may be linked to or referenced within the Application. The Company bears no responsibility for the privacy practices of third parties.

4. What Data We Collect

4.1 Personal Identification Data

  • Full legal name
  • Date of birth and age
  • Gender identity
  • Nationality and residential address
  • Government-issued identification number (where required by law or healthcare provider)

4.2 Contact Data

  • Email address
  • Mobile telephone number
  • Emergency contact information

4.3 Account and Session Data

Account registration date and time, session tokens, and authentication records.

Note: The Application uses email one-time passcode (OTP) authentication only. No passwords are collected or stored.

4.4 Sensitive Health and Medical Data (Special Category Data)

The following categories of data are classified as Special Category Data and are accorded the highest level of protection:

  • Medical records and clinical notes from registered healthcare providers
  • Diagnostic reports, pathology results, radiology reports, and laboratory test results
  • Prescription history and current medication records
  • Health history, including chronic conditions, allergies, surgical history, and immunization records
  • Vital health indicators (blood pressure, blood glucose, weight, BMI, and similar metrics) where voluntarily entered
  • Mental health records and psychiatric assessments (if applicable)
  • Appointment history and consultation notes
  • Insurance information linked to health records (where applicable)

4.5 Device and Technical Data

  • Device type, model, and operating system version
  • Unique device identifiers (subject to user consent under the App Tracking Transparency framework)
  • Internet Protocol (IP) address
  • Application version and session duration logs
  • Error logs and stability diagnostics
  • In-app navigation patterns
  • Push notification tokens

4.6 Camera Data

The Application requests access to your device camera solely for the purpose of scanning and uploading medical documents, reports, or prescriptions. Camera data is not stored, transmitted, or used for any purpose other than the immediate document upload for which your consent was obtained.

Microphone access: The Application does not currently request or use microphone access. If voice-based features are introduced in a future release, this Policy will be updated and your explicit consent will be sought prior to any microphone use.

4.7 Data We Do Not Collect

The Company does not collect financial payment card data directly. All payment transactions, where applicable, are processed by PCI-DSS-compliant third-party payment processors. The Company does not store full card numbers or bank account details. The Company does not collect location data.

5. How We Collect Your Data

5.1 Direct Collection from the Data Subject

We collect personal data directly from you when you:

  • Register and create an account on the Application
  • Complete your health profile and input medical information
  • Upload medical records, diagnostic reports, or prescriptions
  • Communicate with healthcare providers through the Application
  • Contact our customer support team
  • Respond to surveys, feedback forms, or research requests (with separate consent)

5.2 Automated Collection

  • Server logs that record IP addresses, access timestamps, and API requests
  • Performance monitoring tools that assess application stability and user interactions
  • Session management tokens stored locally on device for authentication purposes

5.3 Third-Party Integrations and Healthcare Providers

Personal data may be received from:

  • Registered hospitals and clinics that are formally integrated with the Application and share your medical records with your explicit consent
  • Third-party identity verification services used during account creation
  • Laboratory information systems or hospital management systems connected to the Application under formal data-sharing agreements

6. How We Use Your Data

The Company processes your personal data only for specified, explicit, and legitimate purposes:

6.1 Provision and Management of Services

  • Creating and maintaining your user account
  • Enabling you to securely store, access, and manage your medical records and health data
  • Facilitating communication and record-sharing between you and your authorized healthcare providers
  • Processing appointments and sending appointment reminders
  • Generating health summaries and reports for your personal use or for sharing with healthcare professionals

6.2 Application Functionality and Technical Operations

  • Authenticating your identity and maintaining the security of your account
  • Diagnosing and resolving technical issues, bugs, and service disruptions
  • Ensuring compatibility with your device's operating system and hardware
  • Sending push notifications relevant to your health records and appointments

6.3 Service Improvement and Research

  • Analyzing anonymized and aggregated usage data to improve Application features, user experience, and clinical utility
  • Conducting internal research and development to enhance our healthcare data management capabilities
  • Where separately consented, contributing to de-identified medical research datasets

6.4 Legal and Regulatory Compliance

  • Meeting obligations imposed by applicable Nepalese law, including any regulatory requirements applicable to healthcare software
  • Responding to lawful requests from competent governmental, judicial, or regulatory authorities
  • Establishing, exercising, or defending legal claims

6.5 Safety and Fraud Prevention

  • Detecting and preventing fraudulent activity, unauthorized access, and security incidents
  • Monitoring for and responding to threats to the integrity and confidentiality of health data

7. Who We Share Your Data With

7.1 Healthcare Providers

With your explicit prior consent, the Company may share your health data with the hospitals, clinics, physicians, or other healthcare professionals designated by you within the Application. Such sharing occurs strictly within the scope of your consent and is governed by formal Data Processing Agreements between the Company and each healthcare provider. Healthcare providers acting as data processors are contractually bound to process your data solely for the purposes you have authorized and to maintain standards of security equivalent to those described in this Policy.

7.2 Technology and Service Providers

The Company engages vetted third-party technology providers to support the delivery of our services. Our current categories of service providers include:

  • Cloud infrastructure and storage providers (hosting servers in jurisdictions with adequate data protection frameworks)
  • Email delivery service (Brevo) — used for OTP delivery only; no health data is transmitted
  • Push notification delivery services (Expo Push Service and Firebase Cloud Messaging)
  • Application performance monitoring and error logging providers
  • Customer support software providers

7.3 Legal and Regulatory Authorities

The Company may disclose personal data to governmental, law enforcement, judicial, or regulatory authorities where required by applicable law, court order, or lawful governmental request. In such cases, the Company will, to the extent permitted by law, notify you of any such disclosure.

7.4 Third-Party SDK Data Practices

SDK / Provider | Purpose | Data Handled
Firebase Cloud Messaging (Google LLC) | Delivery of push notifications to users | Push notification tokens only. No health data.

The Company does not permit any third-party SDK to access, collect, or retain your Special Category Health Data. All SDK integrations are configured to ensure data minimization and to restrict data collection to the minimum necessary for the stated purpose.

8. International Data Transfers

The Company may transfer personal data outside Nepal to the extent necessary for cloud storage, technical support, and third-party service provision. In doing so, the Company ensures that an adequate level of protection is maintained through one or more mechanisms such as Standard Contractual Clauses (SCCs).

Special Category Restrictions

The Company does not transfer Special Category Health Data to jurisdictions that lack equivalent protections without your explicit written consent and without first conducting a Transfer Impact Assessment.

9. Data Retention

9.1 Retention Periods

Health and Medical Records

A minimum of ten (10) years from the date of last entry, in accordance with healthcare record retention standards in Nepal.

Account and Session Data

Active duration + six (6) years post account closure to fulfil legal claims or regulatory requirements.

Device and Technical Data

A maximum of thirteen (13) months from the date of collection.

Error and Stability Logs

Ninety (90) days from the date of generation.

9.2 Secure Disposal

Upon expiry of the applicable retention period, personal data is securely deleted or anonymized using industry-standard data destruction methods, including cryptographic erasure for cloud-stored data.

10. Your Rights

You have the following rights under this Policy, subject to applicable exceptions:

Access

Request confirmation of processing and obtain copies of your data.

Rectification

Require the correction of any inaccurate or incomplete personal data.

Erasure (Right to Be Forgotten)

Request the deletion of your personal data under certain conditions.

Restriction

Request restriction of processing in circumstances where verification is pending.

Data Portability

Receive your personal data in a structured, machine-readable format.

Object

Object to processing based on legitimate interests or direct marketing.

11. Data Deletion and Consent Withdrawal

11.1 In-Application Deletion Request

You may initiate a request to delete your account and associated personal data directly within the Application by navigating to Settings > Account > Privacy & Data > Delete My Account and Data. Upon confirmation, the Company will initiate the deletion process within seventy-two (72) hours.

The public account deletion page is available at: https://swastha.id/account-deletion

11.2 Deletion Request via Email

If you are unable to access the Application, you may submit a deletion request by emailing support@swastha.id with the subject line "Data Deletion Request", including your full name and registered email address.

11.3 Withdrawal of Consent

You may withdraw consent for any specific category of data processing at any time by accessing Privacy Settings within the Application or by emailing the Data Protection Officer at privacy@swastha.id.

12. Data Security Measures

12.1 Technical Safeguards

  • End-to-end encryption of all health data transmitted using a minimum of TLS 1.3
  • Encryption at rest of all personal and health data stored on our servers using AES-256
  • Role-based access controls and multi-factor authentication (MFA) for all staff accessing systems
  • Regular penetration testing conducted by independent cybersecurity firms
  • Secure device storage for mobile tokens and sensitive local cryptographic state

12.2 Personal Data Breach Notification

In the event of a personal data breach affecting your rights and freedoms, the Company will notify you without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach, alongside mandatory regulatory reporting.

13. Apple App Store Compliance

13.1 App Privacy Disclosures

In compliance with Apple App Store privacy disclosures, the following data types are collected and linked to your identity:

  • Health and fitness data (linked to identity) — used for health record management
  • Contact information (linked to identity) — used for account creation and communication
  • Identifiers (linked to identity) — used for account authentication
  • Usage data and Diagnostics (not linked to identity) — used for performance monitoring and application stability

13.2 Device Permission Disclosures

Camera Access: The Application requests access to your camera solely to enable you to photograph and upload medical documents, prescriptions, and diagnostic reports to your health record.

Microphone Access: Microphone access is not requested by the Application.

14. Children's Privacy

The Application is not directed at children under the age of sixteen (16) years. We do not knowingly collect personal data from children under sixteen without appropriate consent. Where the Application is used to manage a minor's records, it must be operated by a parent, legal guardian, or authorized adult caregiver.

15. Changes to This Privacy Policy

Material changes will be notified via in-app notification or email no fewer than thirty (30) calendar days prior to the change taking effect. Continued use of the Application constitutes your acknowledgement of the updated Policy.

16. Complaints

If you are not satisfied with our handling of your data, you are entitled to lodge a complaint with our Data Protection Officer at privacy@swastha.id. We commit to responding within thirty (30) calendar days of receipt.

17. Contact Information

For all enquiries, requests, or concerns relating to this Privacy Policy or your personal data, please contact:

Sai Industries Pvt. Ltd.

Attn: Data Protection Officer

Address: Lalitpur Metropolitan City-3, Lalitpur, Nepal