Privacy Policy
Last updated: February 24, 2026
1. Introduction
HelixaCare (“we”, “us”, or “our”) is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information in accordance with:
- The Digital Personal Data Protection Act, 2023 (DPDP Act) — India's primary data protection legislation
- The Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
- ABDM (Ayushman Bharat Digital Mission) data handling guidelines, where applicable
By using HelixaCare, you consent to the collection and use of your information as described in this policy. If you do not agree with this policy, please do not use our services.
2. Data Fiduciary Information
Under the DPDP Act, HelixaCare acts as a Data Fiduciary. Our contact details are:
- Entity: HelixaCare Health Technologies Private Limited
- Email: support@helixacare.com
- Grievance Officer: Available at support@helixacare.com
You may contact our Grievance Officer for any privacy-related concerns. We will acknowledge your grievance within 24 hours and resolve it within 30 days, as required under the IT Act rules.
3. Personal Data We Collect
3.1 Information you provide
- Account information: Name, email address, date of birth, gender, phone number
- Health data (Sensitive Personal Data): Lab reports (blood tests, pathology reports), health metrics (blood sugar, cholesterol, etc.), medical history, prescriptions, activity and diet logs
- Family member information: Name, date of birth, gender, and relationship of dependants you add to your account
3.2 Information collected automatically
- Device information (browser type, OS, screen resolution)
- IP address and approximate location (city-level)
- Usage data (pages viewed, features used, session duration)
- Cookies and similar technologies (see Section 9)
4. Purpose of Data Processing
We process your personal data only for specific, lawful purposes as defined under the DPDP Act:
| Purpose | Lawful basis |
|---|---|
| Providing the HelixaCare platform and services | Consent / Contract performance |
| Processing and storing your lab reports | Consent |
| Health trend analysis and visualisation | Consent |
| Sending notifications about your health data | Consent |
| Customer support and grievance resolution | Legitimate interest / Legal obligation |
| Improving our platform and fixing bugs | Legitimate interest |
| Complying with legal obligations | Legal obligation |
We do not sell your personal data to any third party. We do not use your health data for advertising purposes.
5. Data Storage and Security
5.1 Where we store your data
Your data is stored on secure cloud infrastructure (Amazon Web Services) with servers located in the Mumbai (ap-south-1) region, ensuring your data remains within India as per RBI and government data localisation guidelines.
5.2 Security measures
In compliance with the IT Act 2000 (Section 43A) and the SPDI Rules, we implement reasonable security practices including:
- Encryption: AES-256 encryption at rest, TLS 1.2+ encryption in transit
- Access controls: Role-based access, multi-factor authentication
- Audit logs: All access to health data is logged and monitored
- Secure uploads: Lab reports are processed via encrypted channels and stored in private S3 buckets
- Regular security audits: Periodic vulnerability assessments
6. Your Rights Under the DPDP Act
As a Data Principal, you have the following rights:
- Right to access: You can request a summary of your personal data and the processing activities related to it
- Right to correction and erasure: You can request correction of inaccurate data or erasure of data that is no longer necessary
- Right to grievance redressal: You may raise a complaint with our Grievance Officer or escalate to the Data Protection Board of India
- Right to nominate: You may nominate another person to exercise your rights in the event of your death or incapacity
- Right to withdraw consent: You may withdraw consent at any time. Withdrawal will not affect the lawfulness of processing done before withdrawal
To exercise any of these rights, email us at support@helixacare.com. We will respond within 30 days.
7. Data Sharing and Disclosure
We may share your data only in the following circumstances:
- With your explicit consent: When you choose to share reports with a healthcare provider or family member
- Service providers: Cloud hosting (AWS), email delivery services — all bound by data processing agreements
- Legal requirements: When required by Indian law, court order, or government authority under the IT Act or DPDP Act
- ABDM integration: If you choose to link your ABHA (Ayushman Bharat Health Account), your data may be shared via ABDM's Health Information Exchange as per the ABDM consent framework
We do not transfer personal data outside India without your explicit consent and adequate safeguards as required by the DPDP Act.
8. Data Retention
- Account data: Retained as long as your account is active, plus 30 days after deletion request
- Health data: Retained as long as your account is active. Upon account deletion, health data is permanently erased within 90 days
- Backup data: Encrypted backups are purged within 180 days of account deletion
- Legal retention: Certain records may be retained longer if required under the IT Act, Companies Act, or other applicable Indian laws
9. Cookies and Tracking
We use essential cookies for authentication and session management. We do not use third-party advertising trackers. You can manage cookie preferences through your browser settings.
10. Children's Data
HelixaCare is intended for users aged 18 and above. If a parent or guardian adds a child (under 18) as a family member, the parent/guardian is the Data Principal for that child's data, in compliance with Section 9 of the DPDP Act. Verifiable parental consent is obtained before processing a child's health data.
11. Breach Notification
In the event of a personal data breach, we will notify the Data Protection Board of India and affected users as soon as practicable, in accordance with the DPDP Act. Notification will include the nature of the breach, data affected, and remedial steps taken.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. Continued use of HelixaCare after changes constitutes acceptance of the updated policy.
13. Grievance Redressal
If you have any privacy concerns or complaints:
- Contact our Grievance Officer: support@helixacare.com
- Escalate to the Data Protection Board of India if your grievance is not resolved within 30 days
This policy is governed by the laws of India. Any disputes will be subject to the exclusive jurisdiction of the courts in India.