Privacy Policy
This Privacy Policy explains how Tru-Path Labs ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the HamroSwasthya App ("App"). We are committed to handling your health data with care and transparency.
Contact: [email protected]
1. Data Controller
The data controller for your personal data is Tru-Path Labs, the operator of HamroSwasthya. Contact: [email protected].
We are primarily subject to the laws of Nepal. As we expand internationally, we will comply with applicable data protection laws in the markets where the App is made available.
2. Data We Collect
2.1 Account data
- Full name
- Email address
- Date of birth
- Gender
- Country and preferred language
- Authentication credentials, managed securely by Firebase Auth
2.2 Health profile data
- Blood group
- Known medical conditions
- Known allergies
- Emergency contact name and phone number
2.3 Medical Records
- Photos and scans of medical documents you upload
- Record metadata: title, category, document date, optional notes
- Page count and thumbnail data
2.4 Technical and usage data
- Device type and operating system version
- App crash reports and error logs
- App usage analytics, collected in aggregate and not used to profile individuals
- Security and access logs retained for 180 days
- IP address and login timestamps
2.5 Data we do not collect
- We do not perform OCR on your documents.
- We do not expose raw text content of Medical Records to any third party.
- We do not collect location data.
- We do not display advertisements.
3. Lawful Basis for Processing
By creating an account, accepting the in-App consent screens, uploading Medical Records, or entering health profile information, you voluntarily provide that data and give us permission to process it for the purposes described in this Policy. For health-related data, this includes your explicit consent to process special category or sensitive health data where such consent is required by law.
- Contract: processing necessary to provide the App and Services you requested.
- Explicit consent: processing special category data, including health and medical records.
- Legitimate interests: security logging, fraud prevention, and service improvement where these do not override your rights.
- Legal obligation: where required by applicable law.
If you add a family or dependent profile, you confirm that you have the consent, parental responsibility, legal authority, or other lawful basis required to provide that person's personal and health-related information to us.
4. How We Use Your Data
- To create and maintain your Account.
- To securely store and organise your Medical Records.
- To generate and serve QR Share links you initiate.
- To send service notifications such as email verification, inactivity warnings, and policy updates.
- To monitor App stability and fix crashes.
- To understand aggregate App usage and improve the product.
- To detect and prevent fraud, abuse, and security incidents.
We will never sell your data. We will never use your health data for advertising.
5. Data Storage and Security
5.1 Cloud storage
Your Account data, Medical Records, and health profile are stored on Google Firebase infrastructure, including Firebase Auth, Firestore, and Firebase Storage. Firebase uses encryption at rest and TLS encryption in transit. Data is stored in Google's cloud infrastructure under our Firebase project.
5.2 On-device security
Medical record images are also stored locally on your device in encrypted storage backed by the Android Keystore system. Encryption keys never leave your device.
5.3 Access controls
Your data is protected by Firebase Security Rules. Only you can access your own records. Records shared via QR are read-only and time-limited. No Tru-Path Labs employee has routine access to your Medical Records.
5.4 Your responsibility for access and sharing
You are responsible for keeping your login credentials, device passcode, biometric unlock, and QR Share links secure. If you choose to share records using a QR link, the recipient may view, copy, photograph, screenshot, or otherwise record information displayed to them. We cannot control the actions of recipients once you choose to share your data.
5.5 Biometric lock
The App supports biometric and passcode lock to prevent unauthorised local access.
6. Data Retention
7. Third-Party Processors
We use the following sub-processors, all operated by Google LLC:
All Google Firebase services are governed by Google's Privacy Policy and data processing terms. No other third parties have access to your personal data. We do not use third-party human support tools that would expose your data to support agents.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate data.
- Right to erasure: delete your Account and data at any time from within the App.
- Right to restriction: request that we restrict processing of your data in certain circumstances.
- Right to withdraw consent: withdraw health data consent at any time; this will require Account closure.
- Right to lodge a complaint with the relevant data protection authority in your country.
- Data export: export is planned for a future update. To request a manual export in the meantime, contact us.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
9. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will be sent to your registered email address and, where required, to the relevant supervisory authority.
10. International Data Transfers
Your data is stored on Google Firebase infrastructure, which may involve transfers to servers outside Nepal or your country of residence. Google maintains appropriate safeguards for such transfers, including Standard Contractual Clauses where required. By using the App, you consent to these transfers where consent is a valid lawful basis.
11. Accuracy, Backups, and User Responsibility
We do not verify, clinically review, interpret, or guarantee the accuracy, completeness, authenticity, or medical usefulness of any Medical Records or profile information you provide. You are responsible for checking that uploaded records are correct and readable.
You should keep your own backup copies of important medical documents. HamroSwasthya is a convenience and storage tool, not an official medical record system, healthcare provider, insurer, hospital, government database, or emergency medical service.
12. Cookies and Tracking
The App does not use browser cookies. We use the Firebase Analytics SDK for aggregate usage analytics. You can opt out of analytics collection in the App settings. We do not track you across third-party websites or apps.
13. Children
The App is not intended for children under 16 to create or operate their own Account. If we become aware that a child under 16 has created an Account, we may delete the Account and associated data.
A parent, guardian, or legally authorised caregiver may create and manage a dependent profile for a child, provided they have the necessary consent or legal authority to do so.
If you believe a child has created an Account without appropriate authority, please contact us.
14. Changes to This Policy
We will notify you of any material changes to this Privacy Policy at least 30 days before they take effect, by email or in-App notification. The date of the latest update is shown at the top of this document.
15. Contact and Complaints
For privacy questions, data requests, or complaints, contact:
Email: [email protected]
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection supervisory authority in your country.