Privacy Policy
Effective Date: April 25, 2026 · Last Updated: April 25, 2026
At My Health Docs, we understand that medical data is among the most sensitive information you own. This Privacy Policy explains what data we collect, why we collect it, how we protect it, and your rights over it. We are committed to being fully transparent — no hidden clauses, no surprises.
At a Glance
1. Who We Are
My Health Docs is a sole proprietorship operated from Mumbai, Maharashtra, India. We provide a secure, private platform for individuals and families to upload, organise, and retrieve personal medical documents.
For the purpose of applicable data protection laws, My Health Docs is the Data Fiduciary (as defined under India's Digital Personal Data Protection Act, 2023) in respect of personal data we collect and process.
2. Data We Collect
We collect only the minimum data necessary to provide the Service. Here is what we collect and why:
| Category | Examples | Why We Collect It |
|---|---|---|
| Account Data | Name, email address, profile picture (from Google login) | To create and manage your account |
| Family Member Data | Names you add for family members | To organise reports by family member |
| Uploaded Documents | PDF medical reports, associated metadata (report type, date, patient name) | Core service functionality — storage and retrieval |
| Usage Data | Pages visited, features used, session duration (anonymised) | To improve product experience and identify issues |
| Technical Data | Browser type, device type, IP address, time zone | Security, debugging, and fraud prevention |
| Payment & Billing Data (future) | Subscription plan, transaction ID, billing period. Card/bank details are handled directly by our payment gateway — we never store them. | To manage paid subscriptions and process payments |
We do not store your full card number, CVV, or banking credentials at any point. Payment card data is handled exclusively by our PCI-DSS compliant payment gateway.
3. How We Use Your Data
We use your data solely to:
- Provide, operate, and maintain the Service.
- Authenticate you and ensure only you can access your documents.
- Organise and display your uploaded documents by family member, type, and date.
- Send transactional emails (e.g., sign-in links, account notices) — no marketing emails without your explicit consent.
- Analyse anonymised usage patterns to improve the platform.
- Process subscription payments and manage billing (when paid plans are introduced).
- Comply with legal obligations under applicable Indian law.
4. Data Storage & Security
All your data — including uploaded PDF documents — is stored in private, access-controlled cloud storage located in India. Documents are stored without public URLs and are only accessible to the authenticated account owner.
We implement the following security measures:
- Encryption in transit: All data transferred between your browser and our servers uses HTTPS/TLS.
- Encryption at rest: Stored files and database records are encrypted at rest.
- Access isolation: Each user's data is logically isolated — no user can access another user's records.
- Private file access only: Document URLs are signed and time-limited — there are no permanent public links.
While we take all reasonable steps to protect your data, no system can guarantee 100% security. In the event of a data breach, we will notify affected users as required by applicable law.
5. Data Sharing
We do not sell, rent, trade, or share your personal data or medical documents with any third party for commercial purposes — ever.
We may share data only in the following strictly limited circumstances:
- Service Providers: Trusted infrastructure providers (e.g., cloud storage, database hosting) who process data solely on our behalf under strict data processing agreements. They have no right to use your data independently.
- Payment Processors (future): When paid plans are introduced, your billing information (name, email, plan details) will be shared with a PCI-DSS compliant payment gateway (e.g., Razorpay or Stripe) solely to process your subscription. Your medical documents are never shared with payment processors.
- Legal Obligation: If required by a court order, government authority, or applicable Indian law — and only to the extent strictly required.
7. Children & Minors
The Service has no minimum age requirement. Parents and legal guardians may create accounts and add medical records for minor family members under their care.
If a parent or guardian adds a minor's medical records, they take full responsibility for ensuring they have the authority to do so. We do not knowingly collect personal data from minors directly without parental involvement.
8. AI & Third-Party Processing
Currently, no AI, OCR, or automated processing is applied to your uploaded documents. Your PDFs are stored as-is and are not read, analysed, or processed by any automated system.
In the future, we may offer optional AI-powered features (such as OCR or auto-tagging). If and when such features are introduced:
- They will be entirely opt-in.
- You will be clearly informed of what processing will occur and by which third party.
- This Privacy Policy will be updated, and your explicit consent will be required before activation.
9. Data Retention
We retain your data for as long as your account is active and for a limited period thereafter as follows:
- Active account: Data is retained and accessible for as long as you maintain your account.
- After account deletion: All your data (including uploaded documents) is retained for 90 days (3 months) to allow account recovery in case of accidental deletion. After this period, all data is permanently and irreversibly deleted from our systems and backups.
- Legal hold: In limited circumstances, we may be required to retain certain records beyond this period to comply with applicable Indian law.
Please export or download any documents you need before deleting your account.
10. Your Rights
Under India's Digital Personal Data Protection Act, 2023 (DPDP Act), you have the following rights:
- Right to Access: Request a summary of the personal data we hold about you.
- Right to Correction: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data (subject to legal retention requirements).
- Right to Grievance Redressal: Lodge a complaint if you believe your data has been processed unlawfully.
- Right to Withdraw Consent: Withdraw consent for any data processing based on consent, without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at luckyinfosystems@gmail.com. We will respond within 30 days.
11. UAE Users
We are aware of the UAE's Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL) and endeavour to apply data minimisation, purpose limitation, and security principles consistent with its requirements.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email or via a prominent in-app notice, and update the "Last Updated" date at the top of this page.
Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
13. Contact Us
If you have any questions, requests, or concerns about this Privacy Policy or how we handle your data, please reach out:
We aim to respond to all privacy requests within 30 days.