ICanHeal

Privacy Policy

1. Introduction & Scope 

Rx Consultants Pvt. Ltd. (“ICanHeal,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, share, retain, and secure information through our mobile application and website (collectively, the “Services”), and describes your rights under applicable laws. 

This Policy applies to all users in India accessing or using our Services. We design our data practices to align with: 

  • India’s Digital Personal Data Protection Act (DPDP) 
  • Ayushman Bharat Digital Mission (ABDM) requirements 
  • ISO/IEC 27001 security standards 
  • (Where applicable) GDPR, HIPAA 


 

2. Definitions 

  • Personal Data: Any information relating to an identified or identifiable individual. 
  • Sensitive Personal Data: Data that is intrinsically sensitive—e.g., health records, biometric identifiers, financial information, SMS content. 
  • Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, or destruction. 
  • Data Controller: ICanHeal, which determines purposes and means of Processing. 


 

3. Data Controller & Contact 

Rx Consultants Pvt. Ltd.
Privacy Contact: corporate@icanheal.com 


 

4. Data We Collect 

| Category | Examples | Trigger / Feature |
|---|---|---|
| Registration & Profile | Name, email, phone, gender, nationality, DOB | Account setup |
| Health & Medical | Medical history, prescriptions, lab reports, infusion/discharge summaries, mental health conditions | PAP, EHR, teleconsultations |
| ABHA & ABDM Documents | ABHA ID, linked documents | ABDM compliance, ABHA creation |
| Usage Analytics | App features used, pages viewed, crash logs | UX improvement |
| Location Data | GPS coordinates | Geotargeted reminders, serviceability |
| SMS (Android Only) | Insurance‑related SMS metadata | Cashless claim tracking |
| Financial & Credit | Bank statements, insurance policies, ITR, CIBIL data via CRIF | Loan underwriting |
| KYC Documents | Aadhaar, PAN via Digio | Regulatory compliance |


 

5. Sources of Data 

  • Directly from You: During sign‑up, form submissions, uploads, in‑app inputs. 
  • Automatically: Analytics SDKs, device signals, crash reports. 
  • Third‑Party Integrations:
      • Digio: KYC (Aadhaar/PAN).
      • CRIF: CIBIL bureau data.
      • Perfios / Scoreme: Bank statement analysis.
      • VAS Partners: Medical reports from labs, counsellors.


 

6. Legal Basis for Processing 

| Data Category | Legal Basis |
|---|---|
| Registration & Profile | Consent |
| Health & Medical | Consent; Contractual necessity (PAP agreements) |
| ABHA & ABDM | Consent; Legal obligation under ABDM |
| Analytics & Device | Consent; Legitimate interests (service improvement) |
| Location | Consent |
| SMS Metadata | Consent; Claim‑processing necessity |
| Financial & KYC | Consent; Necessity for loan/claim processing |


 

7. Purposes of Use 

  1. Account & Profile Management: Create, maintain, secure your ICanHeal account. 
  2. Healthcare Services: Evaluate PAP applications; manage EHR; schedule teleconsultations; send medicine and service reminders. 
  3. Cashless Claims: Read insurance SMS metadata to track claim status and alert you to missing requirements. 
  4. Financing & Underwriting: Analyze creditworthiness via CIBIL data, bank statements, ITRs. 
  5. ABHA Integration: Create/link ABHA, fetch and display ABHA medical records. 
  6. UX & Product Improvement: Analyze feature usage, crash reports, optimize workflows. 
  7. Personalization: Tailor content, notifications, and recommendations based on profile, location, device. 
  8. Communications: Email, SMS, WhatsApp, in‑app notifications for transactional, promotional, and security messages. 
  9. Compliance & Legal: Respond to lawful requests, audits, regulatory reporting. 
  10. Fraud Prevention & Security: Monitor for suspicious activity, detect and block fraud. 


 

8. Sharing & Disclosure 

We do not sell your personal data. We share only the minimum necessary: 

| Recipient Type | Purpose | Safeguards |
|---|---|---|
| Pharma Partners | PAP evaluation | Data‑sharing agreements; minimal scope |
| VAS Providers | Appointment booking; medical history | Confidentiality contracts |
| Digio, CRIF, Perfios/Scoreme | KYC, credit checks, statement analysis | Encrypted APIs; role‑based access |
| Cloud & Analytics Vendors | Hosting, data storage, analytics | Encryption at rest/in transit; ISO 27001 compliance |
| Law Enforcement & Regulators | Compliance with legal process | Disclosure only on valid request |
| UPI/Payment Partners | Transaction routing (if integrated) | Limited to transaction metadata |

SMS Data Handling: We parse only relevant claim fields; full SMS bodies are neither stored nor retained. 


 

9. International Data Transfers 

Currently, all data Processing and storage occur within India. Should we transfer data internationally (e.g., to cloud providers’ global infrastructure), we will ensure: 

  • Adequate safeguards (standard contractual clauses). 
  • Your informed consent where required. 


 

10. Data Retention & Disposal 

  • General Data: Indefinite retention unless you request deletion. 
  • CIBIL Data: Retained for up to 6 months post‑consent, ending immediately upon withdrawal of consent.
  • Anonymization/Deletion:
      • On account deletion: full data purge or irreversible anonymization.
      • On specific deletion requests: comply within 30 days, subject to legal retention requirements.


 

11. Data Security 

We employ technical and organizational measures, including: 

  • Encryption: AES‑256 at rest; TLS 1.2+ in transit. 
  • Access Control: Role‑based permissions; multi‑factor authentication for admin access. 
  • Monitoring & Audits: Regular vulnerability scans, penetration tests, and security audits. 
  • Incident Response: Defined breach‑response plan (detection, containment, notification, remediation). 


 

12. Cookies & Similar Technologies 

Optional: We may use cookies, local storage, and mobile‑app identifiers to: 

  • Remember preferences and login status. 
  • Enable analytics (e.g., Google Analytics). 
  • Serve personalized content. 


 

13. Sensitive Permission: SMS Reading 

  • Use Case: Enables cashless‑claim workflow by tracking insurer SMS alerts. 
  • Opt‑In Requirement: Explicit, granular consent at feature activation. 
  • Fallback Plan: If Google denies SMS permission, related features will be removed and this Policy updated. 
  • User Notification: Via email/SMS and in‑app alerts upon any change. 


 

15. Your Rights & How to Exercise Them 

You may exercise the following rights free of charge: 

| Right | Description | How to Exercise |
|---|---|---|
| Access | Obtain a copy of your Personal Data | Email: corporate@icanheal.com |
| Rectification | Correct inaccurate or incomplete data | Email: corporate@icanheal.com |
| Deletion | Erase data, subject to legal exceptions | https://docs.google.com/forms/d/e/1FAIpQLSc0fnqqx9eqbtjR9DlRM0rpOSB29TggaZI58U11BNKXYHM5Og/viewform?usp=dialog |
| Withdraw Consent | Stop processing based on consent (may limit features) | In‑app settings or email |
| Object / Restrict | To direct marketing or certain processing | Email: corporate@icanheal.com |
| Portability | Receive data in machine‑readable format | Email: corporate@icanheal.com |

We will respond within 30 days, or notify you if more time is needed. 


 

16. Data Breach Notification 

In case of a security incident involving Personal Data, we will: 

  1. Notify Authorities: As required by law, within 72 hours of becoming aware. 
  2. Notify Affected Users: Promptly, describing nature of breach, data categories involved, mitigation steps.
     

17. Consent & Policy Updates 

  • Consent Logging: We maintain records of when and how you gave consent. 
  • Policy Changes: We’ll post updates on the app/website, highlight material changes, and notify you by email/SMS at least 30 days before they take effect. Continued use signals acceptance. 
  • Version History: Accessible in‑app under Settings → Privacy Policy. 

18. Grievance Mechanism & Contact 

For privacy-related queries or complaints, contact: 

  • Email: corporate@icanheal.com
     

19. Governing Law & Dispute Resolution 

This Policy and any disputes shall be governed by the laws of India, with exclusive jurisdiction in Mumbai courts. 

Copyright © 2025 HealICan Healthcare Services - All Rights Reserved.
