Privacy Policy

1. Overview

MetaHealth360 (“we”, “us”, “our”) is a metabolic wellness application operated by Dr. Vivek Raskar, providing health tracking, clinician review, and AI-assisted guidance to users primarily in India. This policy explains what personal data we collect when you use the MetaHealth360 mobile app or website, how we use it, with whom we share it, and the rights you have over it.

This policy is issued under India’s Digital Personal Data Protection (DPDP) Act, 2023 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Where MetaHealth360 processes your health data, such data is treated as sensitive personal data and handled accordingly.

2. Information we collect

2.1 Information you provide

• Identity: name, email address, phone number, date of birth, gender, and — where provided — city or pin code.
• Account credentials: via Google Sign-In (we receive your verified email and display name; we do not store your Google password).
• Health and lifestyle data you log: blood glucose and HbA1c readings, blood pressure, weight, BMI, waist circumference, diet and food photographs, sleep, steps and activity, medications and adherence, PCOS tracking (where applicable), mood, stress, and any notes you add.
• Clinical uploads: lab reports, prescriptions, and scans you upload for your own record or to share with a clinician you select.
• Communications: messages you send through the in-app chat with clinicians or with the Dr. Meta AI assistant, and appointment requests you make.

2.2 Information collected automatically

• Device and app data: device model, operating system and version, unique device identifier, app version, language preference, and timezone.
• Push notification tokens: Firebase Cloud Messaging (FCM) tokens tied to your device, used solely to deliver reminders and clinic messages.
• Usage data: which screens you open, which features you use, and how often — via Firebase Analytics, aggregated and pseudonymised.
• Crash and diagnostic data: crash traces, device state at crash time, and stack traces via Firebase Crashlytics. This data is used to fix bugs and is not linked to your health data.

2.3 Information from third parties

• If you sign in with Google, we receive your verified email address, display name, and profile photograph.
• If your clinician invites you to the platform, we receive the phone number or email address they used to invite you.

3. How we use your information

We use your personal data only for the purposes below, under the DPDP Act’s lawful-basis framework (primarily your consent, and in some cases legitimate-use purposes such as responding to medical emergencies you ask us to help with):

• To operate the core functionality of the app: logging and charting your health metrics, reminders, education content, and report generation.
• To let you share data with a clinician you explicitly select, and to let that clinician respond to you through the platform.
• To provide AI-assisted responses through the Dr. Meta chat feature (see Section 8 for details).
• To improve the app by analysing anonymised, aggregated usage data and crash reports.
• To send you service notifications you have opted into (appointment reminders, medication reminders, weekly summaries).
• To comply with legal obligations, respond to lawful requests, and protect the safety of users.

We do not sell your personal data. We do not share it with advertisers, and we do not use it to target ads to you.

4. Sharing and disclosure

We share personal data only in the limited circumstances below, with service providers who are bound by confidentiality and data-protection terms at least as strict as this policy:

• Google / Firebase — authentication, cloud database (Firestore), cloud functions, messaging (FCM), crash reporting (Crashlytics), and analytics. Data is processed in Google’s Asia-South1 (Mumbai) region.
• Anthropic, PBC — for Dr. Meta AI chat, where your chat message text is sent to the Claude API through our secured Cloud Functions proxy. See Section 8.
• Your clinician — only when you have explicitly linked your account to that clinician. They see the data you have shared, not your full history beyond that scope.
• WhatsApp — if you opt in to appointment confirmations via WhatsApp, your phone number and confirmation text are sent via WhatsApp Business messaging.
• Regulators, courts, or law enforcement — where we are required by law in India or a relevant jurisdiction to disclose data, and where we have a good-faith belief that disclosure is necessary.

5. Data storage and security

Your personal and health data is stored in Google Cloud’s Asia-South1 (Mumbai) region. It is encrypted in transit (TLS) and at rest (AES-256 as provided by Google Cloud).

We apply role-based access controls: clinician accounts can only read data for patients who have linked to them; administrators can access only the minimum data required for support. All administrative access is logged.

While we take industry-standard measures to protect your data, no system can be perfectly secure. If we become aware of a personal-data breach that materially affects you, we will notify you and the Data Protection Board of India without undue delay, as required by the DPDP Act.

6. Retention and deletion

• Your health data and account data are retained while your account is active.
• If you delete your account, your personal identifiers (name, email, phone) are removed within 30 days. Health readings are anonymised and may be retained in aggregated form for population-level analytics.
• Chat transcripts with Dr. Meta AI are retained for 90 days for quality and safety review, then deleted or anonymised.
• Crash and diagnostic logs are retained for 90 days.
• Where a longer retention period is required by law (for example, medical record retention obligations on clinicians), we will retain data for that period.

7. Your rights under the DPDP Act, 2023

As a Data Principal under the DPDP Act, you have the right to:

• Access — obtain a summary of the personal data we hold about you and how we have processed it.
• Correction — ask us to correct inaccurate or incomplete data.
• Erasure — ask us to delete your personal data, subject to our legal retention obligations.
• Withdraw consent — at any time, for any processing that relies on your consent.
• Nominate — designate another individual to exercise your rights if you become unable to do so.
• Grievance redressal — raise a complaint with our Grievance Officer (Section 11). If unresolved, you may escalate to the Data Protection Board of India.

You can access, export, or delete most of your data directly from the app: Profile → Settings → Data & Privacy. For anything not exposed there, contact us (Section 11) and we will action the request within 30 days.

8. AI features and Dr. Meta chat

Dr. Meta is an AI assistant powered by Anthropic’s Claude language model. When you send a message to Dr. Meta, the message text (and, if you have opted in, a summary of your recent health trends for context) is transmitted through our secured Cloud Functions proxy to the Claude API operated by Anthropic, PBC.

• Anthropic processes the message to generate a response. Anthropic’s terms for API traffic prohibit training on your data.
• We store your chat transcripts for 90 days to review response quality and catch unsafe outputs, then delete or anonymise them (see Section 6).
• Dr. Meta does not replace a clinician. Its responses are educational. Do not use it to make treatment decisions without clinical review.
• You can opt out of Dr. Meta by disabling it in Settings → AI Features. No chat data is sent when it is disabled.

9. Children and minors

MetaHealth360 is intended for users aged 18 and above. Certain features (for example the PCOS tracker) are directed at women aged 15–49, and where a user is below 18, we require verifiable parental or legal-guardian consent before processing their personal data, in line with the DPDP Act.

We do not knowingly market the service to children under 15. If you believe a child has provided personal data to us without appropriate consent, contact us (Section 11) and we will delete it.

10. Changes to this policy

We may update this policy from time to time to reflect changes in our practices, the services we offer, or applicable law. When we make a material change, we will revise the “Last updated” date at the top and — where the change is significant — notify you through the app before it takes effect.

11. Contact and grievance redressal

Data Fiduciary: Dr. Vivek Raskar (sole operator of MetaHealth360).

Grievance Officer: Dr. Vivek Raskar
Email: privacy@metahealth360.in

If your concern is not resolved to your satisfaction, you may escalate to the Data Protection Board of India once its procedures are notified.