Compliant with: Digital Personal Data Protection Act, 2023 (DPDP Act) and Information Technology Act, 2000
1. Introduction
GoDavaii ("we", "us", "our") is committed to protecting your personal data and health information. This Privacy Policy explains how we collect, use, store, share, and protect your data when you use our AI health information platform, mobile app, website, or any related service. We comply with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
2. Data We Collect
2.1 Information you provide directly:
- Account data: Name, email address, mobile number, date of birth, gender
- Location data: Pincode, city (for localized health information and language detection)
- Health data: Symptoms you describe, questions you ask the AI, medical history, conditions, allergies, current medicines, prescriptions, lab reports, health records uploaded to your Health Vault
- Payment data: Payment method details (processed securely by payment gateway partners; we do not store full card/account details)
- Communication data: Messages you send to our support team
2.2 Information collected automatically:
- Device data: Device type, OS version, app version, unique device identifier
- Usage data: Features used, interaction patterns, session duration, crash reports
- Location data: Approximate location (city/pincode level) for regional language detection and localized health content — only when you grant permission
- Log data: IP address, browser type, timestamps, pages visited
3. Legal Basis for Processing (DPDP Act Compliance)
Under the DPDP Act 2023, we process your personal data on the following lawful grounds:
- Consent: You provide explicit, informed consent before first use of AI features and account creation
- Contract performance: To provide the services you request (AI health information, medicine database access)
- Legal obligation: To comply with Indian laws including the Drugs and Cosmetics Act, IT Act, and tax regulations
- Legitimate interest: To improve services, ensure platform safety, and prevent abuse
4. How We Use Your Data
We use your personal and health data to:
- Provide personalized AI health information responses based on your stated conditions, allergies, and medicines (cross-safety checks)
- Provide AI-powered health information, medicine details, and drug interaction checks
- Store your health records securely in your personal Health Vault
- Facilitate lab test bookings and health service appointments
- Send health reminders, feature updates, and service-related communications
- Improve the AI model's quality and safety (aggregated, anonymized data only)
- Detect and prevent fraud, abuse, and security threats
- Comply with legal and regulatory obligations
- Respond to your queries and provide customer support
We do NOT use your data to: sell to advertisers, share with third-party data brokers, train public AI models, or send unsolicited marketing without your consent.
5. AI Processing and Data Retention
Your messages to the GoDavaii AI are processed by our AI systems to generate educational medical responses. The AI does not "remember" your data between sessions unless you choose to save conversations to your account.
Retention periods:
- Chat sessions: Saved to your account until you delete them
- Health Vault records: Retained until you delete them or close your account
- Usage history: Retained for 7 years to comply with tax and regulatory requirements
- Account data: Retained while your account is active + 90 days after deletion for legal/audit purposes
- Backup data: Automatically purged within 30 days of deletion
6. Data Sharing and Third Parties
We share your data only in the following limited circumstances:
- Healthcare information providers: To enhance medicine database accuracy and drug interaction data
- Lab partners: To process test bookings you initiate (test details, contact info)
- Payment gateways: Razorpay, Paytm, or similar processors for payment processing (they operate under their own privacy policies)
- AI service providers: Your text messages, voice inputs, and uploaded photos (lab reports, prescriptions, food images, face/cough scans) are processed by Google AI Studio (Gemini family of large language models) for generating health information responses and image analysis. Voice playback ("AI reads answers aloud") uses OpenAI text-to-speech models. Both providers process data in real time under enterprise data processing agreements and do not retain user data beyond the request lifecycle or use it to train their public models. See Google's AI Privacy Notice and OpenAI's Privacy Policy for their data handling practices.
- Cloud infrastructure: Render, MongoDB Atlas, AWS, or similar providers for secure hosting and storage
- Legal compliance: When required by law, court order, or government request
We never sell your personal or health data.
6A. Face Data (Face Scan Feature)
The Face Scan feature uses your device camera to capture a single still photograph of your face for AI-generated visual health insight (e.g. skin tone changes, eye dullness, fatigue signs). This section gives a complete account of how face data is handled, per Apple App Review Guideline 5.1.1 and our DPDP Act 2023 obligations.
- What is collected: A single still image captured from your front-facing camera at the moment you tap "Scan". No video, no continuous capture, no biometric template (no Face ID-style mathematical face map), no measurements of inter-eye distance or skull geometry. The image is treated as a regular photograph.
- How it is used: The image is sent over a TLS-encrypted connection to Google AI Studio (Gemini multimodal vision model) for a single inference call, which returns plain-language health observations (e.g. "skin appears slightly dry"). The result is shown only to you, in your GoDavaii Health Vault.
- Third parties: The only third party the face image is shared with is Google AI Studio, the Gemini vision provider. Google processes the image in real time under an enterprise data processing agreement and does not retain or use it to train public models. No advertising network, data broker, or analytics provider ever receives the face image.
- Storage and retention: The face image is NEVER stored on GoDavaii servers. It is held only in transient memory during the single inference request, then discarded. Only the AI's textual observation (not the image itself) is saved to your Health Vault, and only if you choose to save the scan.
- Sharing with anyone else: We do not share, sell, license, publish, or otherwise disclose face data to any third party other than the single AI inference provider listed above. We do not aggregate face images for any purpose.
- Your control: You can decline Camera permission entirely (the Face Scan feature is then simply unavailable), revoke the saved observation from your Health Vault at any time, or delete your entire account, which removes any derived data within 30 days.
7. Your Rights Under DPDP Act 2023
As a Data Principal under the Digital Personal Data Protection Act 2023, you have the following rights:
- Right to access: Request a copy of the personal data we hold about you
- Right to correction: Request correction of inaccurate or outdated data
- Right to erasure: Request deletion of your data and account (subject to legal retention requirements)
- Right to data portability: Export your health records and chat history in a machine-readable format
- Right to grievance redressal: File a complaint with our Data Protection Officer or the Data Protection Board of India
- Right to withdraw consent: Withdraw previously given consent at any time (may affect service availability)
- Right to nominate: Nominate another individual to exercise these rights on your behalf in case of death or incapacity
To exercise these rights, contact us at [email protected] or use the in-app account settings. We will respond within 30 days of receiving a verified request.
8. Data Security
We implement technical and organizational security measures appropriate to the sensitivity of your data:
- TLS/SSL encryption for all data in transit
- Encryption at rest for stored health data
- Secure password hashing (bcrypt)
- JWT-based authentication with token expiration
- Rate limiting and abuse prevention
- Regular security audits and penetration testing
- Role-based access control for internal systems
- Secure cloud infrastructure (ISO 27001 certified providers)
- Incident response procedures for potential breaches
In the event of a data breach affecting your personal data, we will notify you and the Data Protection Board of India within the timeline specified by the DPDP Act 2023.
9. Children's Privacy
GoDavaii is not intended for independent use by children under 18 years of age. We do not knowingly collect personal data from children under 18 without parental consent. Parents or legal guardians may use GoDavaii to seek health information on behalf of their minor children, and any such data entered by the parent/guardian is treated as the parent's/guardian's data, processed with their consent.
If you believe we have collected data from a child under 18 without parental consent, please contact us immediately at [email protected] and we will delete the data promptly.
10. Cookies and Tracking Technologies
Our website uses essential cookies for authentication and session management. We may also use analytics cookies (Google Analytics or similar) to understand usage patterns. You can manage cookie preferences through your browser settings. Our mobile app uses secure device storage for authentication tokens and user preferences.
11. International Data Transfers
Some of our service providers (including Google Cloud for AI processing and cloud hosting) may process data outside India. We ensure that such transfers are subject to adequate safeguards and contractual protections consistent with Indian data protection requirements. Data is only transferred to countries that provide an adequate level of protection.
12. Data Protection Officer (DPO)
In compliance with the DPDP Act 2023, GoDavaii has designated a Data Protection Officer to oversee data protection compliance:
Email: [email protected]
Grievance Officer (IT Rules 2021): [email protected]
Response time: Acknowledgment within 24 hours; resolution within 15 days for grievances, 30 days for data rights requests.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or industry practices. We will notify you of material changes via email or in-app notification. Significant changes will require renewed consent. The "Last updated" date at the top of this page indicates when the policy was last revised.
By using GoDavaii, you consent to the collection, processing, and use of your personal and health data as described in this Privacy Policy. You have the right to withdraw consent at any time through your account settings or by contacting our Data Protection Officer.