Privacy Policy

Healway.pro

Last Updated: March 26, 2026
Version 2.0

Introduction

Healway.pro ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal and health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our healthcare platform.

This policy is designed to comply with the Digital Personal Data Protection (DPDP) Act, 2023, the Information Technology Act, 2000 and the SPDI Rules, 2011, and other applicable Indian regulations.

By using Healway.pro you confirm that you have read, understood, and agree to this Policy.

1. Information We Collect

Personal Information

  • Full name, contact details (phone, email)
  • Date of birth, gender
  • Medical registration details (for healthcare providers)
  • ABHA ID / ABHA address (if provided)

Health Information (Sensitive Personal Data & Information)

  • Medical history and symptoms
  • Consultation notes and transcriptions
  • Prescriptions and treatment plans
  • Follow-up schedules and vitals
  • Intake form responses

Technical Information

  • Device information and IP address
  • Usage patterns and preferences
  • Audio recordings (for transcription purposes, deleted after processing)

2. Consent Purposes (DPDP Act, 2023)

Under the DPDP Act, 2023, we collect and process your personal data only for the specific purposes listed below. We will seek your explicit consent for each category:

Purpose               Mandatory?   Description
Data Processing       Yes          Core healthcare service delivery — scheduling, prescriptions, clinical records
AI Processing         Optional     AI-assisted clinical notes, risk assessment, and Healix AI assistant
Analytics             Optional     Anonymised aggregated data for clinical dashboards and quality improvement
Prescription Sharing  Optional     Sending prescription PDFs via SMS/WhatsApp to patients
Communication         Optional     Appointment reminders, follow-up alerts, platform notifications

You may withdraw optional consents at any time from the Patient Portal. Withdrawal does not affect the legality of processing before withdrawal.

3. How We Use Your Information

We use your information for the following purposes:

  • Providing healthcare services and facilitating consultations
  • Generating AI-assisted clinical notes and summaries (with AI Processing consent)
  • Managing prescriptions and follow-up appointments
  • Improving our services and user experience (with Analytics consent)
  • Complying with legal and regulatory requirements
  • Communicating important updates and reminders (with Communication consent)

Note: We do not use your health data for advertising purposes or sell your information to third parties.

4. Data Retention Periods

We retain your data for the following periods, after which data is securely deleted or anonymised:

Data Category        Retention Period                          Basis
Medical Records      7 years from last consultation            MCI/NMC guidelines; EHR Standards 2016
Audit Logs           6 years                                   IT Act compliance
Audio Recordings     Deleted immediately after transcription   Minimal data principle
Account Information  Until account deletion request            Contractual necessity
Consent Records      7 years                                   DPDP Act compliance

5. Data Sharing and Disclosure

We may share your information with:

  • Healthcare Providers: Your treating physicians and their authorized staff
  • Service Providers: Third-party services that help us operate our platform (e.g., cloud hosting, AI processing)
  • Legal Requirements: When required by law or to protect our legal rights

All third-party service providers are bound by confidentiality agreements and data protection requirements.

6. Cross-Border Data Transfers

Our primary data store is located in India (Supabase, Mumbai region). However, some AI processing features involve transferring anonymised clinical text to the following international providers:

Provider        Country   Purpose                               Data Sent
Google Gemini   USA       AI clinical notes generation          Anonymised text only
OpenAI GPT-4o   USA       AI fallback (if Gemini unavailable)   Anonymised text only
Sarvam AI       India     Speech-to-text (Indian languages)     Audio recording (processed in India)
Twilio Verify   USA       OTP / SMS verification                Phone number + OTP only

No direct patient identifiers (name, phone, date of birth, address) are sent to AI providers. We rely on contractual safeguards (Data Processing Agreements) for cross-border transfers. Transfer to AI providers is subject to your AI Processing consent.

7. Children's Data

We recognise that patients under 18 years of age require additional protection.

  • When a minor patient is registered, we collect guardian name and contact details.
  • Parental / guardian consent is required before any AI processing or analytics are performed on the minor's data.
  • Guardians may request access to, correction of, or deletion of their child's data by contacting our Grievance Officer.

8. Your Rights (DPDP Act, 2023)

Under the Digital Personal Data Protection Act, 2023, you have the right to:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Erasure: Request deletion of your data (subject to legal retention requirements)
  • Portability: Receive your data in a structured, commonly used format
  • Withdraw Consent: Withdraw optional consents at any time via the Patient Portal
  • Grievance Redressal: File complaints regarding data handling with our Grievance Officer
  • Nominate: Nominate another individual to exercise your rights on your behalf

To exercise these rights, please contact our Grievance Officer using the details below. We will respond within 30 days of receipt.

9. Data Security

We implement robust security measures to protect your data:

  • AES-256 encryption for sensitive health information at rest
  • TLS 1.2+ for all data in transit
  • Role-based access controls (RBAC)
  • Regular security audits and monitoring
  • Multi-factor authentication (MFA) support
  • Comprehensive HIPAA-style audit logging
  • Breach detection with Data Protection Board notification within 72 hours

10. AI and Automated Processing

Our platform uses AI-assisted tools for clinical support, including:

  • Transcription of consultation audio
  • Generation of clinical note summaries
  • Follow-up scheduling recommendations
  • Risk assessment assistance
  • Healix AI medical assistant

Important: All AI-generated content is for clinical decision support only. The treating physician is responsible for reviewing and confirming all clinical information before use. Healway.pro AI tools are not registered medical devices under CDSCO regulations and are not a substitute for professional medical judgment.

AI processing requires your explicit AI Processing consent. You may withdraw this consent at any time; this will disable AI features for your records without affecting core healthcare services.

11. Data Protection Officer & Grievance Officer

We have appointed a Grievance Officer as required under the DPDP Act, 2023 and the IT Act, 2000. You may contact our Grievance Officer for any privacy concern, data rights request, or complaint:

Grievance Officer

Name: [To be filled by legal team]

Email: grievance@healway.pro

Response SLA: We will acknowledge within 48 hours and resolve within 30 days.

If you are not satisfied with our response, you may escalate to the Data Protection Board of India once it is constituted under the DPDP Act, 2023.

Note for legal team: This privacy policy (v2.0) incorporates DPDP Act 2023 requirements and should be reviewed by qualified legal counsel before deployment. In particular: (a) confirm the Grievance Officer name and contact; (b) verify DPB notification procedures once the Board is constituted; (c) review cross-border transfer safeguards once DPB notifies restricted countries.