Privacy Policy
1. Who We Are
Siha ("we", "us", "our") is a healthcare appointment management platform operated by [COMPANY LEGAL NAME], a company incorporated under the Companies Act 2013, with its registered office at [REGISTERED ADDRESS], India.
We act as the Data Fiduciary under the DPDP Act 2023 for all personal data processed through the Siha mobile application and associated services.
For questions about this policy, contact us at: support@sihahealth.in
2. Data We Collect
We collect two categories of data, kept separate by design (pseudonymization):
2.1 Personal Identification Information (PII)
Collected at registration and stored separately from your medical records:
| Data | Purpose | Required? |
|---|---|---|
| Full name | Display and identity | Yes |
| Age | Healthcare context | Yes |
| Gender | Healthcare context | Yes |
| Blood group | Healthcare context | Yes |
| Phone number | Authentication (OTP) | Yes |
| Email address | Optional contact | No |
| Profile photograph | Identity display | No |
2.2 Health & Medical Data (Sensitive Personal Data)
Stored under a pseudonymous ID — not directly linked to your name in our database:
| Data | Purpose |
|---|---|
| Appointment records | Booking management |
| Consultation notes written by your doctor | Medical history reference |
| Prescription photographs uploaded by you | Personal health records |
| Blood report images and extracted values | Health analytics |
2.3 Technical Data
Automatically collected during app use:
| Data | Purpose |
|---|---|
| Device FCM token | Push notifications |
| Approximate GPS location | Finding nearby doctors |
| App usage logs | Bug fixing and improvement |
| Crash reports | App stability |
2.4 Doctor Data
Collected when a doctor is registered on the platform and when they set up their profile:
| Data | Purpose | Required? |
|---|---|---|
| Full name | Profile display to patients | Yes |
| Phone number | Authentication (OTP) and account identity | Yes |
| Medical specialization | Search and profile display | Yes |
| Medical qualification | Profile display (e.g. MBBS, MD) | Yes |
| Years of experience | Profile display | Yes |
| Medical license number | Identity verification by our team | Yes |
| Profile photograph | Profile display to patients | No |
| Languages spoken | Profile display | No |
| Device FCM token | Push notifications | Yes |
Doctor medical license numbers are used solely for verification purposes by our internal team. They are not displayed to patients.
2.5 Clinic & Receptionist Data
Collected when a receptionist registers their clinic on the platform:
| Data | Purpose | Required? |
|---|---|---|
| Receptionist name | Account identity | Yes |
| Clinic contact phone number | Authentication (OTP) and patient-facing contact | Yes |
| Clinic name | Search and profile display to patients | Yes |
| Clinic address and location | Search, distance display, and map listings | Yes |
| Clinic license / registration number | Identity verification by our team | Yes |
| Device FCM token | Push notifications | Yes |
Clinic license numbers are used solely for verification by our internal team and are not displayed publicly.
2.6 Walk-in Patient Data
When a receptionist creates an offline (walk-in) booking for a patient who does not have a Siha account, the following minimal information is recorded:
| Data | Purpose | Required? |
|---|---|---|
| Patient name | Appointment record and doctor reference | Yes |
| Age | Clinical context for the doctor | Yes |
| Gender | Clinical context for the doctor | Yes |
| Phone number | Record linkage if patient later creates an account | No |
This data is stored as part of the appointment record only. No Siha account is created for walk-in patients. If a walk-in patient later creates a Siha account using the same phone number, their offline appointment history will become visible in their account.
3. How We Use Your Data
We use your data only for the following purposes:
- Authentication — verifying your identity via OTP
- Appointment management — booking, confirming, rescheduling, and cancelling appointments with doctors
- Health records — storing consultation notes and prescription photos for your personal reference
- Health analytics — displaying trends from your uploaded blood reports
- Notifications — sending appointment reminders and updates via push notification and WhatsApp
- Finding doctors — using your location to show nearby available doctors
- Platform improvement — using anonymized, aggregated usage data to improve the app
- Doctor and clinic verification — using license numbers to verify credentials before listing on the platform
- Staff notifications — sending appointment alerts and platform updates to doctors and receptionists via push notification
We do not use your data for advertising, profiling, or selling to third parties.
4. Legal Basis for Processing
Under the DPDP Act 2023, we process your personal data on the basis of your explicit, informed consent, given at the time of registration.
- You may withdraw consent at any time by deleting your account (see §8.3)
- Withdrawal of consent will result in permanent deletion of all your data
- Certain data may be retained for a limited period where required by applicable law
5. Data Sharing & Third Parties
We share your data with the following third-party processors solely for service delivery:
| Third Party | Data Shared | Purpose |
|---|---|---|
| Google Firebase (Google LLC) | All app data | Cloud storage, authentication, push notifications |
| Google Cloud Vision API | Blood report images | OCR text extraction for analytics |
| Gupshup Technologies Pvt. Ltd. | Phone number, appointment details | WhatsApp reminder messages |
| Siha Health (WhatsApp Business) | Phone number, appointment time | Message delivery |
All third-party processors are contractually bound to process data only as instructed by us, maintain appropriate security standards, and not use your data for their own purposes.
We do not sell your data to any third party.
5.1 Doctor Access
The doctor associated with your appointment can view:
- Your consultation notes (written by them)
- Prescription photos you choose to upload for that appointment
- Your first name, age, and gender (for clinical context)
Doctors cannot access your phone number, email, or prescription uploads from other doctors' appointments.
5.2 Receptionist Access
Clinic receptionists on our platform can view:
- Your appointment date, time, and status
- Your first name (for check-in purposes only)
Receptionists cannot access consultation notes, prescription photos, blood reports, or any medical data.
5.3 Internal Admin Access
Our internal team accesses doctor and clinic license numbers solely for the purpose of verifying credentials before approving a listing. This access is limited to authorised personnel only and is not shared externally.
5.4 Walk-in Patient Data
Walk-in patient details (name, age, gender, phone) entered by a receptionist are visible to the receptionist who entered them and the doctor associated with that appointment. This data is not shared with any third party beyond the Firebase infrastructure listed in §5.
5.5 Cross-Border Data Transfer
Your data is stored on Google Firebase servers. Firebase data for Indian users is hosted in the asia-south1 (Mumbai) region. Some Firebase services may process data in other regions. Google complies with applicable data protection laws for cross-border transfers.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account & PII data | Until you delete your account |
| Appointment records | Until you delete your account |
| Consultation notes | Until you delete your account |
| Prescription photos | Until you delete your account |
| Blood report data | Until you delete your account |
| Technical/crash logs | 90 days |
| Anonymized aggregate analytics | Indefinitely (cannot be linked to you) |
| Doctor profile and license data | Until the doctor account is removed from the platform |
| Clinic and receptionist data | Until the clinic account is removed from the platform |
| Walk-in patient appointment records | Until the associated clinic account is removed |
Upon account deletion, all identifiable data is permanently deleted within 30 days.
7. Security Measures
We implement the following security measures as required under the DPDP Act 2023 and IT (SPDI) Rules 2011:
- Pseudonymization: Your personal identity (name, phone, age) is stored separately from your medical records, linked only by an anonymous internal ID
- Encryption at rest: All data stored in Firebase is encrypted at rest using AES-256
- Encryption in transit: All data transmitted between the app and our servers uses TLS 1.2 or higher
- Access controls: Role-based access ensures doctors, receptionists, and patients can only access data they are authorised to see
- Authentication: All access requires OTP-verified phone authentication
- Audit logging: Access to medical records is logged
In the event of a data breach that is likely to affect your rights, we will notify you and the Data Protection Board of India within the timeframe prescribed by law.
8. Your Rights Under the DPDP Act 2023
8.1 Right to Access Information
You have the right to know what personal data we hold about you and how it is being processed. You can view your profile data within the app at any time.
8.2 Right to Correction and Erasure
You can update your name, age, gender, blood group, email, and profile photo at any time from the Profile screen in the app.
8.3 Right to Erasure (Delete Your Account)
You can permanently delete your account and all associated data from the Profile screen → "Delete Account". This action:
- Is irreversible
- Permanently deletes all personal data, medical records, prescriptions, and blood reports
- Removes your Firebase authentication credentials
- Is completed within 30 days
8.4 Right to Grievance Redressal
If you have a complaint about how your data is handled, you may contact our Grievance Officer (see §10). We will acknowledge your complaint within 3 business days and resolve it within 30 days.
If your grievance is not resolved satisfactorily, you may escalate to the Data Protection Board of India once it is constituted under the DPDP Act 2023.
8.5 Right to Nominate
You may nominate another individual to exercise your data rights in the event of your death or incapacity. To register a nominee, contact us at support@sihahealth.in.
8.6 Consent Withdrawal
You may withdraw your consent to data processing at any time by deleting your account (§8.3). Note that withdrawal of consent will make it impossible for us to provide services to you.
8.7 Rights for Doctors and Receptionists
Doctors and receptionists registered on the Siha platform have the following rights:
- Access: View your profile data within the app at any time
- Correction: Doctors can update their specialization, qualification, experience, languages, and profile photo from the Profile screen. Clinic receptionists can update clinic details from their account.
- Name and license number changes: These fields can only be updated by contacting us at support@sihahealth.in, as they are tied to your verified identity.
- Account removal: To have your doctor or clinic account removed from the platform, contact us at support@sihahealth.in. Removal will deactivate your listing and delete your profile data. Appointment records associated with your account will be retained for patient medical history purposes.
Walk-in patients (offline bookings created by a receptionist) do not have a Siha account. If you are a walk-in patient and wish to access, correct, or delete your data, contact us at support@sihahealth.in with your name and the approximate date of your appointment.
9. Children's Privacy
Our platform is open to users of all ages, including individuals under 18 years. We do not collect any data beyond what is listed in §2 from any user, regardless of age.
If you believe a child's data has been collected inappropriately, contact us at support@sihahealth.in.
10. Grievance Officer
As required under the DPDP Act 2023 and the IT Act 2000, we have appointed a Grievance Officer:
| Name | Nechiketh Surendran |
| Designation | Co-Founder |
| Email | support@sihahealth.in |
| Phone | +91 96060 50789 |
| Address | [COMPANY ADDRESS] — TBD |
| Working hours | Monday to Friday, 10:00 AM – 6:00 PM IST |
Grievances will be acknowledged within 3 business days and resolved within 30 days.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- The "Last Updated" date at the top will be revised
- If changes are significant, we will notify you via push notification and/or in-app prompt
- Continued use of the app after changes constitutes acceptance of the revised policy
12. Contact Us
For questions, requests, or concerns about your privacy:
[COMPANY LEGAL NAME]
[REGISTERED ADDRESS]
Email: support@sihahealth.in
Phone: +91 96060 50789
This document was drafted to comply with the Digital Personal Data Protection Act 2023 (India), the Information Technology Act 2000, and the IT (Reasonable Security Practices and Sensitive Personal Data) Rules 2011. It must be reviewed and approved by a qualified legal professional before publication.