Privacy Policy

Account information: When you sign up, we collect your name, email address, and password (stored as a one-way hash — never in plain text).

Family member profiles: Names, dates of birth, gender, relationship, and any health information you choose to add — vaccination records, doctor visit notes, prescriptions, medical reports, and vitals.

Health data you enter: Vaccination history, blood pressure readings, blood sugar levels, growth measurements, custom health trackers, doctor visit logs, prescriptions, and uploaded medical documents.

Usage data: Standard server logs including IP address, browser type, and pages visited — used only for security monitoring and improving the service.

We do not collect: Payment information (the service is free), location data, or any data from your device beyond what you voluntarily enter.

We use your information only to provide and improve the HealthAYF service:

• To store and display your family's health records securely
• To send vaccination and doctor follow-up reminder emails you have opted into by using the service
• To generate PDF health summaries when you request them
• To enable profile sharing with people you explicitly authorise
• To respond to support requests sent via our contact form
• To improve our service based on anonymised, aggregated usage patterns

We will never use your health data for advertising, profiling, or any commercial purpose.

All data is stored on Microsoft Azure enterprise-grade cloud infrastructure — the same technology trusted by hospitals, banks, and governments.

• Encryption in transit: All data between your device and our servers is encrypted using TLS/HTTPS
• Encryption at rest: Stored data is encrypted at the database level
• Passwords: Stored as irreversible hashes — even we cannot see your password
• Access control: Only authorised HealthAYF systems can access the database; no individual employee has direct access to your records

While we take every reasonable precaution, no system is 100% impenetrable. In the unlikely event of a data breach affecting your information, we will notify you within 72 hours as required by law.

We do not sell your data. Ever. We do not share your personal or health information with advertisers, data brokers, or any third party for commercial purposes.

We share data only in these specific circumstances:

• When you explicitly share: If you use the Profile Sharing feature to share a family member's records with a doctor, caregiver, or family member — only the information you choose to share is accessible to them
• Service providers: Microsoft Azure (infrastructure), Microsoft Graph API (transactional emails only). These providers are bound by strict data processing agreements and cannot use your data for their own purposes
• Legal requirements: If required by a valid court order or Indian law enforcement with proper legal authority

HealthAYF is designed for parents and caregivers to manage health records for their minor children. Children do not create their own accounts — a parent or guardian creates and controls all records for minor family members.

We treat health data for minors with the highest level of care. Records for children are:

• Accessible only to the account holder (parent/guardian) and people they explicitly authorise
• Subject to all the same encryption and security protections as adult records
• Deletable at any time by the parent/guardian account holder

If you believe a child's data has been added to our platform without appropriate parental consent, please contact us at support@healthayf.com and we will act immediately.

Under India's Digital Personal Data Protection Act, 2023, you have the following rights as a Data Principal:

• Right to access: You can view all data we hold about you and your family at any time within the app
• Right to correction: You can update or correct any information directly within the app
• Right to erasure: You can delete any health record, family member profile, or your entire account at any time. Deletion is permanent and irreversible
• Right to grievance redressal: You can raise a privacy concern with us and we will respond within 30 days
• Right to nominate: You may nominate another person to exercise your rights in the event of your incapacity, as permitted under DPDPA

To exercise any of these rights, email support@healthayf.com.

We retain your data for as long as your account is active. If you delete your account:

• All personal and health data is permanently deleted within 30 days
• Anonymised, aggregated usage statistics (which cannot identify you) may be retained for service improvement

Uploaded files (prescriptions, reports) stored on Azure Blob Storage are deleted at the same time as account deletion.

The HealthAYF web application uses minimal cookies:

• Session authentication: A JWT token stored in localStorage to keep you logged in
• No third-party tracking cookies: We do not use Google Analytics, Facebook Pixel, or any other third-party tracking on the app

The public website (healthayf.com) may use standard Next.js performance cookies. No personal data is captured from the public site unless you fill in the contact form.

If we make material changes to this Privacy Policy, we will notify you by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of HealthAYF after changes take effect constitutes acceptance of the updated policy.

For any privacy-related questions, data requests, or concerns: