HealthSimple

Legal

Privacy Policy

Last updated: May 25, 2026

This Privacy Policy is compliant with the Digital Personal Data Protection Act, 2023 (India) and the Health Insurance Portability and Accountability Act (HIPAA, USA).

1. Introduction

HealthSimple ("we", "our", "us") is committed to protecting your personal and health data. This Privacy Policy explains how we collect, use, store, share and protect information when you use the HealthSimple mobile application ("App"). By using this App, you agree to the terms of this Privacy Policy.

This policy applies to all users globally, with specific provisions for users in India under the DPDP Act 2023 and users in the United States under HIPAA.

2. Data We Collect

Information you provide

  • Name, email address, and account credentials upon registration
  • Medical reports, lab test documents, and prescription images uploaded by you
  • Medicine names, strips, or packaging images scanned through the App
  • Language preference and in-app settings
  • Feedback, support requests, or communications with us

Automatically collected information

  • Device information: model, operating system version, unique device identifiers
  • App usage data: features used, session duration, scan frequency
  • IP address and approximate geographic location (country/region level only)
  • Crash reports and diagnostic logs

Health information (sensitive personal data)

Medical reports, diagnoses, test results, and medicine information you upload are classified as Sensitive Personal Data under the DPDP Act 2023 (India) and as Protected Health Information (PHI) under HIPAA (USA). We treat this data with the highest level of protection.

3. How We Use Your Data

  • Service delivery: To analyze your medical reports and medicine scans and provide AI-generated summaries.
  • Multilingual output: To translate and display your results in your preferred language.
  • History & records: To maintain your scan history for your personal reference within the App.
  • App improvement: Using anonymized, aggregated data only.
  • Communication: To send important service notices, policy updates, or respond to queries.
  • Legal compliance: To comply with applicable laws, regulations, and legal processes.

4. Data Storage & Retention

  • Storage location: Secure cloud servers.
  • Server region: AWS Mumbai (ap-south-1).
  • Retention period: Account data and scan history are retained while your account is active, or for a maximum of 3 years from last activity.
  • Deletion: You may request deletion of all your data at any time. See "Your Rights" below.
  • Health data: Uploaded medical reports and scan images are automatically deleted from our servers within 90 days of upload. Summaries may be retained longer for your history feature unless you delete them.

5. Data Sharing & Disclosure

We do NOT sell, rent, or trade your personal or health data to any third party. We may share data only in the following limited circumstances:

  • AI processing partners: Under strict data-processing agreements that prohibit any other use.
  • Cloud infrastructure: Encrypted storage and hosting services (data processors only).
  • Legal requirements: When required by law, court order, or government authority in India or USA.
  • Business transfer: Users will be notified before any data transfer arising from a merger, acquisition, or sale of assets.

We do not share your health data with insurance companies, employers, advertisers, or marketing agencies under any circumstances.

6. HIPAA Compliance (USA Users)

  • All health data in transit is encrypted using TLS 1.2 or higher
  • All health data at rest is encrypted using AES-256
  • Access to health data is restricted to authorized personnel under role-based controls
  • We maintain audit logs of all access to PHI
  • We do not use or disclose PHI for marketing, advertising, or non-healthcare purposes
  • Users may request access, amendment, or deletion of their PHI at any time

HealthSimple is an informational tool and is not a Covered Entity or Business Associate under HIPAA in the traditional sense. However, we voluntarily apply HIPAA-equivalent standards to all health data.

7. DPDP Act 2023 Compliance (India Users)

  • Consent: Free, specific, informed, and unambiguous consent.
  • Purpose limitation: Used only for the purposes stated in this policy.
  • Data minimization: Only the minimum data necessary.
  • Accuracy: Reasonable steps to keep data accurate and up to date.
  • Storage limitation: Not retained beyond the necessary period.
  • Data Fiduciary: HealthSimple acts as a Data Fiduciary under the DPDP Act.

Grievance contact (India): support@randomhit.site. We respond within 30 days as required by law.

8. Children's Privacy

HealthSimple is not intended for use by children under 13 (USA) or under 18 (India) without verifiable parental consent. We do not knowingly collect personal data from minors and will delete any such data immediately upon discovery.

9. Your Rights

Under DPDP Act 2023 (India)

  • Right to access your personal data
  • Right to correction and erasure of inaccurate or unnecessary data
  • Right to grievance redressal
  • Right to nominate a representative
  • Right to withdraw consent at any time

Under applicable US privacy laws

  • Right to know what personal information we collect
  • Right to request deletion of your personal information
  • Right to correct inaccurate information
  • Right to opt out of any non-essential data processing

To exercise any of these rights, email support@randomhit.site.

10. Security Measures

  • End-to-end encryption for all data in transit (TLS 1.3)
  • AES-256 encryption for all data at rest
  • Regular security audits and vulnerability assessments
  • Multi-factor authentication for internal system access
  • Incident response plan for data breaches

Data breach notification: In the event of a breach affecting your personal information, we will notify you and relevant authorities within 72 hours as required by applicable law.

11. Cookies and Tracking

The HealthSimple mobile app does not use browser cookies. We use Firebase Analytics and Firebase Crashlytics for anonymized usage statistics and crash reports. No personal or health data is shared with Google through these services. You may opt out of analytics collection in the App settings.

12. Third-Party Links

The App may contain links to third-party websites or services. We are not responsible for their privacy practices and encourage you to read their policies.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified at least 7 days before they take effect. Continued use of the App after the effective date constitutes acceptance of the updated policy.