Draft v0.1 — pending legal review
Privacy Policy
Last updated: 08 May 2026
Defyd.Health holds children’s health records. We treat that as a serious responsibility. This policy explains what we collect, why, where it lives, who can see it, and how you stay in control.
1. Who we are
Defyd.Health is operated by a private limited company being registered in India, with its principal place of business in Bangalore, Karnataka. For data protection questions, write to privacy@defyd.health. Our grievance officer (a Digital Personal Data Protection Act requirement) can be reached at grievance@defyd.health. The registered address will be added on incorporation.
2. What data we collect
Account data
- Parent or guardian phone number (mandatory; used for OTP login).
- Parent name (optional).
- Parent email (optional, used only if you join the waitlist or opt into receipts).
Child profile
- Child’s name and date of birth.
- Conditions list, parent-supplied (e.g. allergies, asthma).
- Care team you tell us about (specialty, hospital, doctor name).
Health records
- Documents you upload: lab reports, prescriptions, visit notes, discharge summaries, immunisation records.
- Photos and PDFs of paper records, including WhatsApp screenshots.
Derived data
- Structured fields extracted by AI from your uploaded documents (findings, medications, recommended tests, dates).
- AI-generated visit summaries you choose to create.
Operational data
- Device type, browser, IP address (used for security and abuse prevention).
- Audit logs of every record view, share, edit, and delete, kept for security and to satisfy the DPDP record-keeping obligation.
3. How we collect it
Only what you give us. We do not run third-party advertising SDKs, tracking pixels, or analytics tools that identify you. We do not buy data about you from anyone. We do not scrape public sources.
4. Why we collect it (purpose limitation)
Each piece of data is collected for one or more of these purposes only:
- To run your account and authenticate you (phone OTP).
- To store, organise, and present your child’s health records to you.
- To extract structured data from documents using AI, so the timeline is searchable.
- To generate visit-prep summaries you ask us to generate.
- To create time-limited share links you initiate for healthcare providers.
- To detect abuse, prevent fraud, and respond to security incidents.
- To satisfy regulatory record-keeping requirements.
We do not use your data for advertising. We do not use your data to train AI models. We do not sell your data.
5. Where data is stored
All Defyd.Health data is stored in India. Files sit in Google Cloud Storage in the asia-south1 region (Mumbai). The application database runs on Supabase in asia-south1. Backups are kept inside India. Personal data does not leave the country.
6. Encryption
- TLS 1.3 for all data in transit.
- AES-256 at rest, managed via Google Cloud KMS.
- Encryption keys rotate every 90 days.
- Sensitive fields (phone numbers, child names, medication entries) are encrypted again at the application layer using a separate key, so a database leak alone does not expose them.
7. Who has access
Only the registered parent or guardian, plus any co-guardians the parent has explicitly invited. Healthcare providers receive access through time-limited share links the parent creates. Each share link defaults to a 48-hour expiry and is gated by an OTP.
No Defyd.Health employee accesses your child’s health data without an explicit parent-initiated support request, and every such access is logged with the staff member, the reason, and the time. We will provide that audit trail on request.
8. AI processing
When you upload a document, the file is sent to Anthropic’s Claude API to extract structured data and to produce summaries. Under our API contract with Anthropic, this content is not used to train any AI model and is dropped from Anthropic’s systems after the request completes. Defyd.Health stores the extracted output and the original document; we do not retain a copy of the AI prompt or trace beyond a short-lived debugging window.
9. Children’s data and parental consent
Defyd.Health is designed for parents and guardians. The child does not have an account. Before we process any child data, the parent or guardian provides verifiable consent through phone-OTP authentication and a relationship self-declaration. Aadhaar-based eKYC is on the roadmap to strengthen this process. Each new sharing action prompts a fresh consent.
If you are not the legal guardian of the child whose records you upload, please do not use Defyd.Health.
10. Sharing
Records are shared only when you initiate a share. Each share generates a unique, revocable, time-limited link. Every share creates an audit log entry showing recipient identifier, purpose, expiry, and access events. We do not bulk-export records to third parties. We do not share with insurers, employers, advertisers, or any party other than the recipient you select.
11. Retention
Your records are retained while your account is active. When you delete your account, we run a full cascade delete within 30 days that removes the database rows and the file objects from Cloud Storage. Audit logs are anonymised and retained for the period required by Indian record-keeping rules (currently up to seven years) and then permanently deleted.
12. Your rights under the DPDP Act
- Right to access: request a complete export of your data, in machine-readable JSON plus a printable PDF bundle.
- Right to correction: edit or replace inaccurate information directly in the app, or write to us if anything is wrong outside your control.
- Right to erasure: delete your account at any time. The cascade deletion described above will run.
- Right to grievance redressal: write to grievance@defyd.health. We respond within seven business days. If unresolved, you may escalate to the Data Protection Board of India.
13. Breach notification
If we discover a personal data breach, we will notify the Data Protection Board of India and affected users within 72 hours, with the facts known at the time of notification and a follow-up once the investigation closes.
14. Cookies
We use only essential session cookies needed to keep you signed in. We do not run third-party tracking cookies, advertising cookies, or analytics cookies that identify you across sites.
15. Changes to this policy
Material changes are notified by email and an in-app banner at least 30 days before the new version takes effect. Minor clarifications are noted in the change log at the bottom of this page.
16. Contact
Data Protection Officer: privacy@defyd.health
Grievance Officer: grievance@defyd.health
Hours: Monday to Friday, 10:00 to 18:00 IST (excluding Indian public holidays).
See also: Terms of Service.