Privacy Policy

Last updated: April 2026

This Privacy Policy explains how Sehat (“we”, “us”, or “our”) collects, uses, stores, and protects your personal and health information when you use sehat.family. By using Sehat, you agree to the practices described here.

Who we are

Sehat is a family health records product operated by [PLACEHOLDER: legal entity name], a company being incorporated in India. Until incorporation is complete, Sehat operates as a sole proprietorship under the name of its founder. For all privacy-related matters, contact us at hello@sehat.family.

Our registered address upon incorporation will be updated here: [PLACEHOLDER: registered address, India].

What information we collect

Information you provide directly:

• Name, email address, and password (or OTP) when you create an account
• Family member names, ages, relationships, blood groups, and medical history details you add to profiles
• Health documents you upload: lab reports, prescriptions, discharge summaries, scan images
• Vitals readings (blood pressure, glucose, heart rate, weight, SpO₂) you log manually
• Insurance policy details, TPA information, and insurance documents you upload
• Notes and tags you add to reports
• Your preferred language and communication preferences

Information collected automatically:

• Your IP address and approximate location (country/city level)
• Browser type, device type, and operating system
• Pages visited and features used within the app
• Upload timestamps and document metadata

We do not collect:

• Precise GPS location
• Contacts or call logs
• Camera or microphone access beyond what you explicitly use to photograph a document

How we use your information

We use your information solely to provide and improve the Sehat service:

• To display your family's health records and analytics to you
• To extract structured data from uploaded documents using AI (see AI Processing below)
• To send you important account and service notifications by email
• To process your subscription payment via Razorpay
• To respond to your support requests
• To detect and prevent fraud or abuse

We do not use your health data to:

• Show you advertising of any kind
• Build profiles for sale to third parties
• Train AI models (our AI provider contractually prohibits this)
• Make automated decisions that affect your legal rights

AI processing

When you upload a document, its contents are sent to Anthropic (the maker of Claude AI) for automated extraction of structured data — biomarkers, medication names, diagnoses, and similar fields. This transmission is encrypted and governed by Anthropic's data processing agreement, which prohibits Anthropic from using your data to train their models or sharing it with third parties.

Anthropic's infrastructure is based in the United States. By using Sehat's document upload feature, you consent to this cross-border transfer for the limited purpose of processing your document.

We do not retain your document contents on Anthropic's servers — only the extracted structured data is stored in Sehat's database.

Email and WhatsApp forwarding

Family Plus subscribers can forward health documents to a personal Sehat email address (username@sehat.report). Emails received at this address are processed by our system to extract document attachments, which are then uploaded to your account. The original email is not stored after processing.

WhatsApp forwarding, when available, works similarly. Document images received via WhatsApp are processed and uploaded; the WhatsApp message itself is not retained.

Where your data is stored

Your account data, health records, and uploaded documents are stored on Supabase, a secure cloud database provider, hosted in the Asia-Pacific region (Tokyo, Japan). Payment data is processed and stored by Razorpay, subject to their privacy policy and PCI-DSS compliance.

We do not store your data in India at this time. We are evaluating India-based hosting options and will update this policy when that changes.

How long we keep your data

We keep your data for as long as your account is active. If you delete a family member, their records are soft-deleted and retained for 90 days before permanent deletion — this allows accidental deletion recovery. If you close your account entirely, all your data is permanently deleted within 30 days of your request.

You can request a full export of your data at any time from Settings. Exports are provided in standard formats (PDF and JSON) within 7 days of request.

Sharing your data

We do not sell your health data. Ever.

We share your data only in these limited circumstances:

• With Anthropic (Claude AI) for document processing — see AI Processing above
• With Razorpay for payment processing — they receive billing information only, not health data
• With Supabase as our database and storage provider — they process data as our data processor under a data processing agreement
• With Cloudflare for email routing (Family Plus email intake feature) — they route emails to our servers; document contents are not stored by Cloudflare
• If required by Indian law or court order — we will notify you unless prohibited from doing so
• In connection with a merger or acquisition — we will notify you at least 30 days in advance and you will have the option to delete your data before any transfer

Your rights under the DPDP Act 2023

Under India's Digital Personal Data Protection Act 2023, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete personal data
• Request erasure of your personal data
• Nominate a person to exercise your rights on your behalf
• Withdraw consent at any time (which may affect your ability to use the service)
• Raise a grievance with us (see Grievance Officer below)
• File a complaint with the Data Protection Board of India

To exercise any of these rights, write to us at hello@sehat.family. We will respond within 30 days.

Grievance Officer

As required under the DPDP Act 2023, we have designated a Grievance Officer for data-related concerns:

• Name: [PLACEHOLDER: Grievance Officer name — typically the founder until incorporation]
• Email: hello@sehat.family
• Address: [PLACEHOLDER: registered address upon incorporation]
• Response time: 30 days from receipt of complaint

Security

We protect your data using:

• Encryption in transit (TLS 1.2+) for all data transferred between your browser and our servers
• Encryption at rest for all data stored in our database and file storage
• Row-level security policies that ensure each user can only access their own data
• Authentication via Supabase Auth (email OTP or Google OAuth)
• No plaintext passwords stored at any time

Children's privacy

Sehat is not intended for use by children under 18 as the primary account holder. You may add children as family members to manage their health records under your account. We do not knowingly collect personal information from children as primary account holders. If you believe a child has created an account without parental consent, contact us at hello@sehat.family.

Changes to this policy

We will notify you by email at least 14 days before making any material changes to this Privacy Policy. Continued use of Sehat after the effective date of changes constitutes acceptance of the updated policy.

Contact us

• Email: hello@sehat.family
• Response time: 3–5 business days