Privacy Policy

Version 1.0 | Effective 9 May 2026 | Operated by Tru-Path Labs, Aberdare Close, Chichester, United Kingdom

This Privacy Policy is a working legal draft for Hamro Swasthya. It should be reviewed by a qualified lawyer before full public launch.

This Privacy Policy explains how Tru-Path Labs ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the Hamro Swasthya App ("App"). We are committed to handling your health data with care and transparency.

Contact: truepath.labs67@gmail.com | Aberdare Close, Chichester, United Kingdom

1. Data Controller

The data controller for your personal data is Tru-Path Labs, Aberdare Close, Chichester, United Kingdom. Contact: truepath.labs67@gmail.com.

We are primarily subject to the laws of Nepal. As we expand internationally, we will comply with the applicable data protection laws of the markets we serve, including UK GDPR where applicable given our UK registration address.

2. Data We Collect

2.1 Account data

Full name
Email address
Date of birth
Gender
Country and preferred language
Authentication credentials, managed securely by Firebase Auth

2.2 Health profile data

Blood group
Known medical conditions
Known allergies
Emergency contact name and phone number

2.3 Medical Records

Photos and scans of medical documents you upload
Record metadata: title, category, document date, optional notes
Page count and thumbnail data

2.4 Technical and usage data

Device type and operating system version
App crash reports and error logs
App usage analytics, aggregate and not used to profile individuals
Security and access logs retained for 180 days
IP address and login timestamps

2.5 Data we do not collect

We do not perform OCR on your documents.
We do not expose raw text content of Medical Records to any third party.
We do not collect location data.
We do not display advertisements.

3. Lawful Basis for Processing

Contract: processing necessary to provide the App and Services you requested.
Explicit consent: processing special category data, including health and medical records.
Legitimate interests: security logging, fraud prevention, and service improvement where these do not override your rights.
Legal obligation: where required by applicable law.

4. How We Use Your Data

To create and maintain your Account.
To securely store and organise your Medical Records.
To generate and serve QR Share links you initiate.
To send service notifications such as email verification, inactivity warnings, and policy updates.
To monitor App stability and fix crashes.
To understand aggregate App usage and improve the product.
To detect and prevent fraud, abuse, and security incidents.

We will never sell your data. We will never use your health data for advertising.

5. Data Storage and Security

5.1 Cloud storage

Your Account data, Medical Records, and health profile are stored on Google Firebase infrastructure, including Firebase Auth, Firestore, and Firebase Storage. Firebase uses encryption at rest and TLS encryption in transit. Data is stored in Google's cloud infrastructure under our Firebase project.

5.2 On-device security

Medical record images are also stored locally on your device in encrypted storage backed by the Android Keystore system. Encryption keys never leave your device.

5.3 Access controls

Your data is protected by Firebase Security Rules. Only you can access your own records. Shared records via QR are read-only and time-limited. No Tru-Path Labs employee has routine access to your Medical Records.

5.4 Biometric lock

The App supports biometric and passcode lock to prevent unauthorised local access.

6. Data Retention

Active account data and recordsRetained while account is active

After account deletion requestDeleted from active systems within 60 days

Backup copiesPurged within 60 days of deletion

Security and access logs180 days

Inactivity warning sent12 months of inactivity

Account eligible for closure18 months of inactivity, with notice

7. Third-Party Processors

We use the following sub-processors, all operated by Google LLC:

Firebase AuthUser authentication

FirestoreAccount and metadata storage

Firebase StorageMedical record files

Firebase CrashlyticsCrash reporting

Firebase AnalyticsUsage analytics

All Google Firebase services are governed by Google's Privacy Policy and data processing terms. No other third parties have access to your personal data. We do not use third-party human support tools that would expose your data to support agents.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Right of access: request a copy of the personal data we hold about you.
Right to rectification: request correction of inaccurate data.
Right to erasure: delete your Account and data at any time from within the App.
Right to restriction: request that we restrict processing of your data in certain circumstances.
Right to withdraw consent: withdraw health data consent at any time; this will require Account closure.
Right to lodge a complaint with the relevant data protection authority in your country.
Data export: export is planned for a future update. To request a manual export in the meantime, contact us.

To exercise any of these rights, contact us at truepath.labs67@gmail.com. We will respond within 30 days.

9. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will be sent to your registered email address and, where required, to the relevant supervisory authority.

10. International Data Transfers

Your data is stored on Google Firebase infrastructure, which may involve transfers to servers outside Nepal or the UK. Google maintains appropriate safeguards for such transfers, including Standard Contractual Clauses where required. By using the App, you consent to these transfers.

11. Cookies and Tracking

The App does not use browser cookies. We use Firebase Analytics SDK for aggregate usage analytics. You can opt out of analytics collection in the App settings. We do not track you across third-party websites or apps.

12. Children

The App is not directed to users under the age of 16. If we become aware that a user under 16 has created an Account, we will delete the Account and associated data promptly. If you believe a child has registered, please contact us.

13. Changes to This Policy

We will notify you of any material changes to this Privacy Policy at least 30 days before they take effect, by email or in-App notification. The date of the latest update is shown at the top of this document.

14. Contact and Complaints

For privacy questions, data requests, or complaints, contact:

Email: truepath.labs67@gmail.com
Address: Aberdare Close, Chichester, United Kingdom

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection supervisory authority in your country.