Legal

Privacy Policy

TrueKin — by TrueKin Technologies Pvt. Ltd. (registration in progress)

Version: 2.1
Effective Date: 1 June 2026
Last Updated: 16 June 2026

Your privacy is the foundation of TrueKin. This app handles sensitive health information — medicines, conditions, allergies, medical documents — and we take that responsibility seriously. This Privacy Policy explains exactly what we collect, why we collect it, how we protect it, and what rights you have over it.

By using TrueKin, you agree to the practices described here.

1. Who We Are

TrueKin Technologies Pvt. Ltd. (registration in progress) is the data controller and operator of TrueKin. We are incorporated in India and subject to Indian data protection law.

Registered Address

TrueKin Technologies Pvt. Ltd. (registration in progress), India

Governing Laws

This policy is made in compliance with the:

  • Information Technology Act, 2000 (IT Act)
  • IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules)
  • Digital Personal Data Protection Act, 2023 (DPDP Act)

2. Grievance Officer

Under the IT Act 2000 and SPDI Rules 2011, we are required to appoint a Grievance Officer for privacy-related complaints. If you have any concern about how your data is handled, please contact:

Grievance Officer — TrueKin Technologies Pvt. Ltd. (registration in progress)

privacy@truekin.co.in

We will acknowledge your complaint within 48 hours and resolve it within 30 days.

For general support, visit the Support section in the TrueKin app.

3. What Information We Collect

3.1 Information You Provide Directly

Account Information

  • Mobile number (for OTP login and identity verification)
  • Email address (optional, for email-based login)
  • Display name, gender, profile photo

Sensitive Personal Data (SPDI under SPDI Rules 2011)

The following information is classified as Sensitive Personal Data under Indian law. We collect it only with your explicit prior consent:

  • Date of birth, height, weight
  • Blood group
  • Home address
  • Health conditions you manage
  • Food allergies and medicine allergies
  • Medication names, dosages, schedules, doctor names, side effects, and notes
  • Medical documents including lab reports, imaging reports, and prescriptions you upload
  • Information extracted from documents by our AI system (only with your separate consent)

Family Care Information

  • Names, relationships, and health details of family members you choose to add to your care circle
  • Invitation details for people you invite to share care

3.2 Information Collected Automatically

  • Device type, operating system, app version
  • Feature usage and screen activity (pseudonymised — not linked to your name or phone number)
  • IP address (stored in irreversibly pseudonymised form; raw IP is never stored)
  • App error and crash reports

3.3 What We Do Not Collect

  • Your GPS location or location history
  • Your device contacts list
  • Biometric identifiers (fingerprint, face scan)
  • Payment or financial information

4. Why We Collect It (Purpose and Legal Basis)

| Purpose | Legal Basis Under DPDP Act 2023 |
|---|---|
| Account creation and OTP verification | Legitimate use — contract with you |
| Displaying your health profile and medications | Legitimate use — contract with you |
| Sending medication reminders | Legitimate use — contract with you |
| Enabling family care sharing | Legitimate use — contract with you |
| Processing uploaded documents with AI | Explicit consent (separate, specific) |
| Improving app reliability and performance | Legitimate interest (anonymised only) |
| Customer support and grievance resolution | Legal obligation / Legitimate interest |
| Complying with court orders or legal process | Legal obligation |

We do not process your data for advertising, profiling, or resale. Ever.

5. Sensitive Personal Data — Special Protections

Because TrueKin handles health information, the following additional protections apply under SPDI Rules 2011:

  • We collect SPDI only after obtaining your free, informed, specific, and explicit consent
  • You may withdraw consent at any time — see Section 12 (Your Rights)
  • We do not share your SPDI with any third party without your consent, except as required by law
  • All SPDI is encrypted at rest using AES-256-GCM encryption — see Section 8

6. WhatsApp Communications

When you register with TrueKin, you may receive communications via WhatsApp, including:

  • OTP verification codes for login
  • Medication reminders (if you enable this in Settings)
  • Important account and service notifications

What We Share with Meta (WhatsApp)

Your phone number is shared with Meta Platforms, Inc. solely to deliver WhatsApp messages to your device. We do not share your health data, name, or any other personal information with Meta for this purpose.

Meta's own privacy policy governs how they process your phone number and message metadata on their platform. TrueKin has no control over Meta's data practices.

Opt-Out

You can stop WhatsApp communications from TrueKin at any time by:

  • Replying STOP to any WhatsApp message from TrueKin
  • Adjusting your notification preferences in Settings → Notifications

OTP messages required for login cannot be opted out of — they are necessary to verify your identity.

7. AI Document Processing

When you upload a medical document, TrueKin can use an AI language model to extract and structure the information in it.

This is entirely opt-in

  • You must give separate, explicit consent for AI processing before any document is analysed
  • This consent is distinct from general data processing consent
  • You can give or withdraw this consent at any time from Settings → Privacy & Consent
  • If you do not give consent, your documents are stored but not processed by AI

Who processes it

Document contents are sent to Anthropic PBC (USA) for AI extraction. Anthropic processes this data under a data processing agreement with us. They do not use your data to train their AI models.

Accuracy warning

AI-extracted information may contain errors. Always verify extracted data against your original document. Do not make medical decisions based on AI-extracted data without consulting a healthcare professional.

8. How We Protect Your Information

8.1 Encryption

All Sensitive Personal Data is encrypted before it is stored in our database, using AES-256-GCM encryption with keys managed through a secure key management system. This means the data in our database cannot be read even if someone gained unauthorised database access.

All data in transit is protected with TLS 1.2 or higher.

8.2 Access Controls

Your health data is accessible only to you and family members you explicitly authorise. Our team cannot read your health records in the normal course of operations. Access to production infrastructure is limited and logged.

8.3 Session Security

Each login is secured with a one-time password (OTP). Session tokens are stored as one-way hashes — the raw token is never stored. Logging out immediately invalidates your session.

8.4 Pseudonymisation of Analytics and Logs

We do not link app usage analytics to your name, phone number, or health data. IP addresses in logs are irreversibly pseudonymised using a cryptographic HMAC.

9. Where Your Data Is Stored

Your data is stored on servers located in India. We use Supabase (database infrastructure hosted in India) as our primary database provider.

When your documents are processed by AI (with your consent), data is temporarily sent to Anthropic servers in the USA. This transfer is covered by a data processing agreement.

10. Who We Share Your Data With

We share your information only in these specific circumstances:

| Recipient | What Is Shared | Why |
|---|---|---|
| Family members you invite | Profile and health data (based on your permissions) | You control and authorise this |
| Anyone you send a profile share link to | Data you include in the link (set by you) | You create, control, and can revoke links |
| Anthropic (USA) | Contents of uploaded documents | AI extraction — only with your explicit consent |
| AWS (India region) | Encrypted data in transit | Hosting infrastructure |
| Supabase (India) | Encrypted data at rest | Database hosting |
| MSG91 (India) | Phone number | Sending OTP via SMS |
| AWS SES | Email address | Sending OTP via email |
| Firebase (Google) | Device push token | Delivering in-app notifications |
| Meta (WhatsApp) | Phone number | Delivering WhatsApp OTPs and notifications — see §6 |
| Law enforcement / courts | As required by law | Legal obligation only |

We never: sell your data, share it with insurers or employers, use it for advertising, or allow third parties to access it for their own purposes.

11. Data Retention

We keep your data for as long as your account exists. Once you delete your account:

| Data Type | Retention After Deletion |
|---|---|
| Health profile, medications, documents | Deleted within 30 days |
| Medical document files | Deleted within 30 days |
| Session logs | Deleted within 90 days of session end |
| Anonymised usage analytics | Retained up to 2 years (no personal identifiers) |
| Account deletion record | Retained 5 years (pseudonymised — no health data, no name) |
| Support ticket history | Retained 2 years |

The 5-year deletion record contains only a pseudonymised identifier and deletion timestamp — no name, phone number, email, or health data. This is retained solely for legal compliance purposes.

12. Your Rights

Under the DPDP Act 2023 and SPDI Rules 2011, you have the following rights:

Right to Access

Request a full copy of all data we hold about you. You can download it directly: Settings → Privacy & Consent → Download My Data

Right to Correction

Update your profile, medications, and health records at any time within the app.

Right to Withdraw Consent

Withdraw consent for any specific purpose at any time: Settings → Privacy & Consent. Withdrawing consent for AI processing stops new documents being sent to AI (existing extractions are retained). Withdrawing consent for marketing stops all promotional communications. Withdrawing consent for health data storage will disable core features and may require account deletion.

Right to Erasure (Right to be Forgotten)

Permanently delete your account and all associated data: Account Settings → Delete Account. Deletion is irreversible. We recommend downloading your data first.

Right to Grievance Redressal

Contact our Grievance Officer at privacy@truekin.co.in. We will respond within 30 days. If you are not satisfied with our response, you may approach the Data Protection Board of India once established under the DPDP Act 2023.

13. Children's Privacy

TrueKin is intended for users aged 18 and above.

We do not knowingly collect personal data from anyone under 18. If we become aware that a user is under 18, we will delete their account. If you believe a minor has registered, please contact privacy@truekin.co.in.

You may add family members under 18 to your care circle. In this case, you (the account holder) are acting as their guardian and are responsible for managing their health information appropriately.

14. Cookies and Analytics

The TrueKin mobile app does not use browser cookies.

We use pseudonymised analytics (no name, no phone number, no health data) to understand how features are used and improve the app. Analytics data does not identify you personally.

The TrueKin website (truekin.co.in) may use cookies for basic functionality and analytics. Cookie preferences can be managed through the banner shown on first visit or through your browser settings.

15. Changes to This Policy

  • We will notify you in the app before the change takes effect
  • Changes that affect how we use your sensitive health data will require your acknowledgement
  • The version number and effective date at the top of this page will be updated
  • We will maintain the previous version for 12 months on request

Continued use of TrueKin after the effective date of changes constitutes acceptance of the updated policy.

16. Contact

Privacy complaints or data requests

Grievance Officer

privacy@truekin.co.in

Response within 30 days

General support

Use the Support section in the TrueKin app, or:

naveen@truekin.co.in

Registered office

TrueKin Technologies Pvt. Ltd. (registration in progress), India

This Privacy Policy is governed by the laws of India. Any disputes are subject to the jurisdiction of courts in India.

Applicable laws: Information Technology Act 2000 · IT (SPDI) Rules 2011 · Digital Personal Data Protection Act 2023

Questions? Contact our Grievance Officer: privacy@truekin.co.in

Response within 30 days.