Privacy Policy
TrueKin — by TrueKin Technologies Pvt. Ltd. (registration in progress)
By using TrueKin, you agree to the practices described here.
1. Who We Are
TrueKin Technologies Pvt. Ltd. (registration in progress) is the data controller and operator of TrueKin. We are incorporated in India and subject to Indian data protection law.
Registered Address
TrueKin Technologies Pvt. Ltd. (registration in progress), India
Governing Laws
This policy is made in compliance with the:
- Information Technology Act, 2000 (IT Act)
- IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules)
- Digital Personal Data Protection Act, 2023 (DPDP Act)
2. Grievance Officer
Under the IT Act 2000 and SPDI Rules 2011, we are required to appoint a Grievance Officer for privacy-related complaints. If you have any concern about how your data is handled, please contact:
Grievance Officer — TrueKin Technologies Pvt. Ltd. (registration in progress)
privacy@truekin.co.in
We will acknowledge your complaint within 48 hours and resolve it within 30 days.
For general support, visit the Support section in the TrueKin app.
3. What Information We Collect
3.1 Information You Provide Directly
Account Information
- Mobile number (for OTP login and identity verification)
- Email address (optional, for email-based login)
- Display name, gender, profile photo
Sensitive Personal Data (SPDI under SPDI Rules 2011)
The following information is classified as Sensitive Personal Data under Indian law. We collect it only with your explicit prior consent:
- Date of birth, height, weight
- Blood group
- Home address
- Health conditions you manage
- Food allergies and medicine allergies
- Medication names, dosages, schedules, doctor names, side effects, and notes
- Medical documents including lab reports, imaging reports, and prescriptions you upload
- Information extracted from documents by our AI system (only with your separate consent)
Family Care Information
- Names, relationships, and health details of family members you choose to add to your care circle
- Invitation details for people you invite to share care
3.2 Information Collected Automatically
- Device type, operating system, app version
- Feature usage and screen activity (pseudonymised — not linked to your name or phone number)
- IP address (stored in irreversibly pseudonymised form; raw IP is never stored)
- App error and crash reports
3.3 What We Do Not Collect
- Your GPS location or location history
- Your device contacts list
- Biometric identifiers (fingerprint, face scan)
- Payment or financial information
4. Why We Collect It (Purpose and Legal Basis)
| Purpose | Legal Basis Under DPDP Act 2023 |
|---|---|
| Account creation and OTP verification | Legitimate use — contract with you |
| Displaying your health profile and medications | Legitimate use — contract with you |
| Sending medication reminders | Legitimate use — contract with you |
| Enabling family care sharing | Legitimate use — contract with you |
| Processing uploaded documents with AI | Explicit consent (separate, specific) |
| Improving app reliability and performance | Legitimate interest (anonymised only) |
| Customer support and grievance resolution | Legal obligation / Legitimate interest |
| Complying with court orders or legal process | Legal obligation |
5. Sensitive Personal Data — Special Protections
Because TrueKin handles health information, the following additional protections apply under SPDI Rules 2011:
- We collect SPDI only after obtaining your free, informed, specific, and explicit consent
- You may withdraw consent at any time — see Section 12 (Your Rights)
- We do not share your SPDI with any third party without your consent, except as required by law
- All SPDI is encrypted at rest using AES-256-GCM encryption — see Section 8
6. WhatsApp Communications
When you register with TrueKin, you may receive communications via WhatsApp, including:
- OTP verification codes for login
- Medication reminders (if you enable this in Settings)
- Important account and service notifications
What We Share with Meta (WhatsApp)
Your phone number is shared with Meta Platforms, Inc. solely to deliver WhatsApp messages to your device. We do not share your health data, name, or any other personal information with Meta for this purpose.
Meta's own privacy policy governs how they process your phone number and message metadata on their platform. TrueKin has no control over Meta's data practices.
Opt-Out
You can stop WhatsApp communications from TrueKin at any time by:
- Replying STOP to any WhatsApp message from TrueKin
- Adjusting your notification preferences in Settings → Notifications
7. AI Document Processing
When you upload a medical document, TrueKin can use an AI language model to extract and structure the information in it.
This is entirely opt-in
- You must give separate, explicit consent for AI processing before any document is analysed
- This consent is distinct from general data processing consent
- You can give or withdraw this consent at any time from Settings → Privacy & Consent
- If you do not give consent, your documents are stored but not processed by AI
Who processes it
Document contents are sent to Anthropic PBC (USA) for AI extraction. Anthropic processes this data under a data processing agreement with us. They do not use your data to train their AI models.
Accuracy warning
AI-extracted information may contain errors. Always verify extracted data against your original document. Do not make medical decisions based on AI-extracted data without consulting a healthcare professional.
8. How We Protect Your Information
8.1 Encryption
All Sensitive Personal Data is encrypted before it is stored in our database, using AES-256-GCM with keys held in a separate key management system rather than in the database itself. Someone who gained unauthorised access to the database alone, without the keys, would see only ciphertext and not your health information; GCM also detects any tampering with the stored records, so a modified record is rejected rather than silently decrypted.
All data in transit is protected with TLS 1.2 or higher.
8.2 Access Controls
Your health data is accessible only to you and family members you explicitly authorise. Our team cannot read your health records in the normal course of operations. Access to production infrastructure is limited and logged.
8.3 Session Security
Each login is secured with a one-time password (OTP). Session tokens are stored as one-way hashes — the raw token is never stored. Logging out immediately invalidates your session.
8.4 Pseudonymisation of Analytics and Logs
We do not link app usage analytics to your name, phone number, or health data. IP addresses in logs are replaced with a keyed cryptographic hash (HMAC) computed with a secret key. An IPv4 address can take only about four billion values, so a plain hash could be reversed by trying them all; the secret key is what prevents this, and the original address cannot be recovered by anyone who does not hold that key.
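The three protections described in 8.1, 8.3 and 8.4 (authenticated encryption of sensitive fields, one-way hashing of session tokens, keyed pseudonymisation of IP addresses) can be shown in a few dozen lines of standard-library Go. The program below is an added illustration written for this page; it is not TrueKin's code and does not describe how TrueKin's systems are actually built. It assumes a 32-byte key supplied by a key management system (a constructed random key stands in for it here), uses the record identifier as additional authenticated data so a ciphertext cannot be copied onto another record, and uses a constructed log-pseudonym key for the HMAC.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// encryptSPDI encrypts one sensitive field with AES-256-GCM. key must be 32 bytes
// and would come from a KMS in a real deployment, never from the database. recordID
// is bound as additional authenticated data (AAD), so the blob only decrypts for
// the record it was written for. Output: nonce (12 bytes) || ciphertext || tag.
func encryptSPDI(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per encryption
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// decryptSPDI reverses encryptSPDI. It fails if the key or recordID differs or if
// any byte of the stored blob has been altered, because GCM verifies the tag.
func decryptSPDI(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// hashSessionToken is what the session table stores: an unkeyed SHA-256 of the
// random token. A leaked table yields nothing replayable, because a 32-byte random
// token cannot be brute-forced from its hash.
func hashSessionToken(token []byte) string {
	sum := sha256.Sum256(token)
	return hex.EncodeToString(sum[:])
}

// verifySessionToken compares in constant time so response timing does not leak
// how many leading bytes of a guessed token are correct.
func verifySessionToken(storedHash string, presented []byte) bool {
	return subtle.ConstantTimeCompare([]byte(hashSessionToken(presented)), []byte(storedHash)) == 1
}

// pseudonymiseIP replaces a client address in logs with HMAC-SHA256(key, ip).
// Unlike a session token, an IPv4 address has only 2^32 possible values, so an
// unkeyed hash could be reversed by hashing all of them; the secret key is what
// makes the pseudonym irreversible for anyone who does not hold it.
func pseudonymiseIP(key []byte, ip string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(ip))
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	key := make([]byte, 32) // constructed sample key; a real deployment fetches it from a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, err := encryptSPDI(key, "med-0001", []byte("Metformin 500 mg, twice daily"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %x\n", blob)
	if _, err := decryptSPDI(key, "med-0002", blob); err == nil {
		panic("blob accepted under the wrong record ID")
	}
	pt, _ := decryptSPDI(key, "med-0001", blob)
	fmt.Printf("decrypted for med-0001: %s\n", pt)

	token := make([]byte, 32)
	if _, err := rand.Read(token); err != nil {
		panic(err)
	}
	stored := hashSessionToken(token)
	fmt.Println("session row stores:", stored)
	fmt.Println("presented token valid:", verifySessionToken(stored, token))

	logKey := []byte("constructed-log-pseudonym-key")
	fmt.Println("203.0.113.7 ->", pseudonymiseIP(logKey, "203.0.113.7"))
}
```

Run it with `go run .` to see the round trip, the rejection of a ciphertext presented under the wrong record ID, and the same IP always mapping to the same pseudonym under one key. Rotating the HMAC key breaks the link between old and new pseudonyms, which is why a retention limit on logs (Section 11) and key rotation reinforce each other.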
9. Where Your Data Is Stored
Your data is stored on servers located in India. We use Supabase (database infrastructure hosted in India) as our primary database provider.
When your documents are processed by AI (with your consent), data is temporarily sent to Anthropic servers in the USA. This transfer is covered by a data processing agreement.
10. Who We Share Your Data With
We share your information only in these specific circumstances:
| Recipient | What Is Shared | Why |
|---|---|---|
| Family members you invite | Profile and health data (based on your permissions) | You control and authorise this |
| Anyone you send a profile share link to | Data you include in the link (set by you) | You create, control, and can revoke links |
| Anthropic (USA) | Contents of uploaded documents | AI extraction — only with your explicit consent |
| AWS (India region) | Encrypted data in transit | Hosting infrastructure |
| Supabase (India) | Encrypted data at rest | Database hosting |
| MSG91 (India) | Phone number | Sending OTP via SMS |
| AWS SES | Email address | Sending OTP via email |
| Firebase (Google) | Device push token | Delivering in-app notifications |
| Meta (WhatsApp) | Phone number | Delivering WhatsApp OTPs and notifications — see §6 |
| Law enforcement / courts | As required by law | Legal obligation only |
11. Data Retention
We keep your data for as long as your account exists. Once you delete your account:
| Data Type | Retention After Deletion |
|---|---|
| Health profile, medications, documents | Deleted within 30 days |
| Medical document files | Deleted within 30 days |
| Session logs | Deleted within 90 days of session end |
| Anonymised usage analytics | Retained up to 2 years (no personal identifiers) |
| Account deletion record | Retained 5 years (pseudonymised — no health data, no name) |
| Support ticket history | Retained 2 years |
The 5-year deletion record contains only a pseudonymised identifier and deletion timestamp — no name, phone number, email, or health data. This is retained solely for legal compliance purposes.
12. Your Rights
Under the DPDP Act 2023 and SPDI Rules 2011, you have the following rights:
Right to Access
Request a full copy of all data we hold about you. You can download it directly: Settings → Privacy & Consent → Download My Data
Right to Correction
Update your profile, medications, and health records at any time within the app.
Right to Withdraw Consent
Withdraw consent for any specific purpose at any time: Settings → Privacy & Consent. Withdrawing consent for AI processing stops new documents being sent to AI (existing extractions are retained). Withdrawing consent for marketing stops all promotional communications. Withdrawing consent for health data storage will disable core features and may require account deletion.
Right to Erasure (Right to be Forgotten)
Permanently delete your account and all associated data: Account Settings → Delete Account. Deletion is irreversible. We recommend downloading your data first.
Right to Grievance Redressal
Contact our Grievance Officer at privacy@truekin.co.in. We will respond within 30 days. If you are not satisfied with our response, you may approach the Data Protection Board of India once established under the DPDP Act 2023.
You may also make any of these requests by email to privacy@truekin.co.in.
13. Children's Privacy
We do not knowingly collect personal data from anyone under 18. If we become aware that a user is under 18, we will delete their account. If you believe a minor has registered, please contact privacy@truekin.co.in.
You may add family members under 18 to your care circle. In this case, you (the account holder) are acting as their guardian and are responsible for managing their health information appropriately.
14. Cookies and Analytics
The TrueKin mobile app does not use browser cookies.
We use pseudonymised analytics (no name, no phone number, no health data) to understand how features are used and improve the app. Analytics data does not identify you personally.
The TrueKin website (truekin.co.in) may use cookies for basic functionality and analytics. Cookie preferences can be managed through the banner shown on first visit or through your browser settings.
15. Changes to This Policy
If we change this Privacy Policy:
- We will notify you in the app before the change takes effect
- Changes that affect how we use your sensitive health data will require your acknowledgement
- The version number and effective date at the top of this page will be updated
- We will maintain the previous version for 12 months on request
Continued use of TrueKin after the effective date of changes constitutes acceptance of the updated policy.
16. Contact
Registered office
TrueKin Technologies Pvt. Ltd. (registration in progress), India
This Privacy Policy is governed by the laws of India. Any disputes are subject to the jurisdiction of courts in India.
Applicable laws: Information Technology Act 2000 · IT (SPDI) Rules 2011 · Digital Personal Data Protection Act 2023
Questions? Contact our Grievance Officer: privacy@truekin.co.in
Response within 30 days.