India Data Protection Notice
India Compliance Notice
Effective date: 1 June 2025
Applies to: All users accessing MyHealthBuddy.AI from India
- DPDP Act 2023: Digital Personal Data Protection Act, India's primary data protection law. Status: Active
- IT Rules 2011: SPDI Rules, Sensitive Personal Data or Information protections. Status: Transitional
- ABDM / ABHA: Ayushman Bharat Digital Mission, national health data ecosystem. Status: Integrated
1. Applicability
This India Compliance Notice supplements our global Privacy Policy and applies to all users who access or use MyHealthBuddy.AI from within India, or whose personal data is processed in India. In the event of a conflict between this Notice and the global Privacy Policy, this Notice prevails for Indian users to the extent necessary to comply with Indian law.
MyHealthBuddy Technologies Pvt. Ltd. acts as the Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act), that is, the entity that determines the purpose and means of processing your personal data.
2. DPDP Act 2023: Our Obligations as Data Fiduciary
The DPDP Act, 2023 governs the processing of digital personal data of individuals (Data Principals) in India. As a Data Fiduciary, MyHealthBuddy.AI commits to the following obligations:
- Lawful purpose: We process personal data only for lawful purposes that are clearly specified at the time of collection.
- Consent-based processing: All processing of personal data requires free, specific, informed, and unambiguous consent, except where a "legitimate use" applies (see below).
- Data minimisation: We collect only the data necessary for the stated purpose, and no more.
- Data accuracy: We take reasonable steps to ensure data is accurate and up to date.
- Storage limitation: Data is retained only as long as necessary for the stated purpose or as required by law.
- Security safeguards: Appropriate technical and organisational measures are implemented to prevent data breaches (see our Security section).
- Accountability: We are responsible for complying with the DPDP Act and can demonstrate compliance on request.
Legitimate Uses (Processing Without Consent)
The DPDP Act permits processing without consent in limited "legitimate use" scenarios. We rely on these only where strictly applicable:
- Processing necessary for performance of a function of the State or compliance with any law or court order in India.
- Processing necessary for responding to a medical emergency threatening life.
- Processing for employment purposes within the bounds of applicable law.
We never use "legitimate use" as a basis to circumvent consent requirements for marketing, profiling, or any commercial purpose.
3. IT Rules 2011: SPDI Protections for Health Data
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 classify health and medical records as Sensitive Personal Data or Information (SPDI). These rules remain in force transitionally alongside the DPDP Act.
Under the IT Rules 2011, we comply with the following for all health data:
- Written (or digital equivalent) consent before collecting any SPDI.
- Clear privacy policy disclosing the type of SPDI collected, purpose, and disclosure practices, available at all times on our website and app.
- Option not to provide: You may choose not to provide SPDI. We will inform you of the consequences (e.g., reduced functionality) but will not compel disclosure.
- Right to review and correct: You may review the SPDI you have provided and correct any inaccuracies.
- No third-party disclosure without consent: Your SPDI is not shared with third parties without your prior consent, except as required by law.
- Reasonable security practices: We implement ISO/IEC 27001-aligned security practices across our infrastructure handling SPDI.
4. Consent Framework
The DPDP Act requires consent to be free, specific, informed, unconditional, and unambiguous. Our consent framework is designed to meet this standard at every stage:
(1) Registration Consent
At sign-up, we present a clear, plain-language consent notice listing each category of personal data, purpose, and third-party processors. You provide consent by checking a dedicated box, not buried in Terms acceptance.
(2) Feature-Level Consent
Sensitive features (camera vitals scan, location access, HealthKit sync, sharing data with a doctor) each request separate, explicit consent the first time they are used. You can revoke individual permissions from Settings → Privacy.
(3) Consent Notices
Each consent request is accompanied by a Consent Notice clearly stating: what data is collected, why, who processes it, how long it is retained, and how to withdraw consent.
(4) Withdrawal of Consent
You may withdraw consent at any time via Settings → Privacy → Manage Consent. Withdrawal does not affect processing done before the withdrawal. We will cease processing for the withdrawn purpose within 7 days.
5. Your Rights as a Data Principal
The DPDP Act grants you the following rights, exercisable free of charge:
Right to Information
Know what personal data we process about you, for what purpose, and who we share it with, at any time, on request.
Right to Correction
Request correction of inaccurate or misleading personal data and completion of incomplete data. We act within 30 days.
Right to Erasure
Request deletion of your personal data when it is no longer necessary for the purpose it was collected, subject to legal retention requirements.
Right to Data Portability
Receive your health records in a structured, machine-readable format (HL7 FHIR R4) to transfer to another health service provider.
Right to Grievance Redressal
Lodge a complaint with our Data Protection Officer and escalate to the Data Protection Board of India if unresolved within 30 days.
Right of Nomination
Nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity, a right unique to India's DPDP Act.
To exercise any right, use Settings → Privacy → Data Requests in the App, or email privacy@myhealthbuddy.ai. We will respond within 30 days.
6. Cross-Border Data Transfers
The DPDP Act restricts transfer of personal data to countries not on an approved whitelist to be published by the Government of India. Until that list is finalised, we manage cross-border transfers as follows:
- Primary storage: All health data (PHI) is stored in AWS ap-south-1 (Mumbai), India. Data does not leave India's borders for storage.
- AI processing (Anthropic): Anonymised, de-identified symptom queries are sent to Anthropic's Claude API, whose servers are in the United States. No personally identifiable information is included in these queries.
- Telemedicine (Twilio): Video and voice call metadata may be processed by Twilio on servers in the US or EU. Call content is encrypted in transit and not stored by Twilio.
- Compliance commitment: When the Government of India publishes the approved transfer country list, we will review and ensure all transfers comply. If any current transfer destination is not on the list, we will implement additional safeguards (Standard Contractual Clauses or equivalent) as directed by the Data Protection Board of India.
7. ABDM / ABHA Integration
MyHealthBuddy.AI supports the Ayushman Bharat Digital Mission (ABDM), India's national digital health infrastructure. Integration is optional and requires your explicit consent.
ABHA (Ayushman Bharat Health Account)
- You may link your ABHA number to your MyHealthBuddy.AI account via Settings → Health ID → Link ABHA.
- Linking enables sharing of your health records with other ABDM-compliant healthcare providers and hospitals, only with your consent for each share.
- ABHA linking uses India's official ABDM APIs. We do not store your Aadhaar number; only the ABHA ID (non-sensitive) is retained.
PHR App Obligations
As a Personal Health Records (PHR) application operating within the ABDM ecosystem, we comply with NHA's PHR App guidelines including:
- Consent Manager integration: all health record sharing requires a digitally signed consent artefact from you.
- Granular consent: you can share individual records (a specific lab report, a single consultation note) rather than your entire health history.
- Consent revocation: any consent given to share records with another provider can be revoked at any time, after which the recipient must cease using the shared records.
ABHA integration is entirely voluntary. Not linking an ABHA number does not reduce the functionality of MyHealthBuddy.AI.
8. Significant Data Fiduciary (SDF) Obligations
The DPDP Act empowers the Government of India to designate certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data processed. Health app platforms processing large volumes of health data are expected to be designated as SDFs once the formal designation process is operationalised.
In anticipation of SDF designation, we are proactively implementing SDF obligations:
- Data Protection Officer (DPO): A dedicated DPO is appointed and contactable at dpo@myhealthbuddy.ai.
- Data Protection Impact Assessments (DPIAs): Conducted for any new processing activity involving sensitive health data.
- Annual data audits: Independent audits of our data processing practices, with results submitted to the Data Protection Board as required.
- Algorithmic transparency: Where AI decisions materially affect a user's health recommendations, we provide an explanation of the factors that influenced the AI output.
9. Children's Data (DPDP Act)
The DPDP Act defines a child as any person below 18 years of age and imposes strict obligations for processing their data:
- Verifiable parental consent is required before processing any personal data of a child. We obtain this during registration through a parent/guardian verification flow.
- We do not engage in behavioural tracking or targeted content for users identified as children.
- We do not process children's data in a manner that is detrimental to their well-being.
- Parents or guardians may request access to, correction of, or erasure of their child's data by contacting privacy@myhealthbuddy.ai.
A person who has registered a child account may notify us when the child turns 18, at which point the account transitions to a standard adult account and parental access is removed.
10. Breach Notification (India)
In the event of a personal data breach, we will notify the Data Protection Board of India (DPBI) as soon as possible, and no later than the timeframe prescribed by the DPDP Act (expected to be 72 hours from discovery once rules are finalised).
Affected Data Principals will be notified without undue delay with:
- Nature of the data breach and categories of data affected.
- Estimated number of individuals affected.
- Steps we have taken or propose to take to address the breach.
- Contact details of the Data Protection Officer.
- Protective measures you can take to mitigate potential harm.
To report a suspected breach or security vulnerability, contact security@myhealthbuddy.ai immediately.
11. Grievances and DPBI Complaints
Internal Grievance Redressal
Submit a grievance via App → Settings → Privacy → File a Grievance or email grievance@myhealthbuddy.ai. Our Data Protection Officer will acknowledge within 48 hours and resolve within 30 days.
Escalation to the Data Protection Board of India
If your grievance is not resolved to your satisfaction within 30 days, you have the right to lodge a complaint with the Data Protection Board of India (DPBI):
- Website: meity.gov.in (DPBI portal once operational)
- Ministry of Electronics and Information Technology (MeitY), Government of India
We will not retaliate against any user for exercising their data rights or for filing a complaint with the DPBI.