Effective Date: 2026-05-26 · Last Updated: 2026-05-26
This page supplements our Privacy Policy and Terms of Service. It describes the enhanced safeguards we apply to health-related information stored on the Carevie Platform (the “Platform”) and contains important disclaimers about the medical, clinical, and informational limitations of the Services.
In the event of any inconsistency between this page and our Privacy Policy in respect of health data, this page shall prevail to the extent of the inconsistency.
Carevie is a personal health information management platform operated by PROBOX Infotech Private Limited. The Platform allows individuals to store, organise, and selectively share health-related records (such as lab reports, prescriptions, bills, insurance documents, and appointment information) with family members, caregivers, and other trusted contacts. Because the Platform processes Sensitive Personal Data or Information, we apply enhanced protection measures.
Carevie is not a healthcare provider.
PROBOX Infotech Private Limited is not a hospital, clinic, telemedicine service, pharmacy, diagnostic laboratory, registered medical practitioner, or healthcare professional. We do not provide medical advice, diagnosis, prescription, second opinions, or treatment of any kind. Nothing on the Platform is intended to be, and nothing on the Platform should be relied upon as, professional medical advice.
The Platform exists to help you store and organise your health records, and (where you choose to use AI-powered features) to generate plain-language summaries from documents you upload. AI summaries, explanations, extracted medication information, and any other automated output are informational only and may be incomplete, inaccurate, outdated, or misleading. You must not rely on such output to make any decision regarding your health, symptoms, medication, dosage, treatment, or care.
Always seek the advice of a qualified, registered medical practitioner with any questions you may have regarding a medical condition. Never disregard professional medical advice or delay in seeking it because of something you have read on, or that has been generated by, the Platform.
Carevie is NOT an emergency service.
If you believe you, or someone you know, is experiencing a medical emergency, do not use the Platform to seek assistance. Instead, contact emergency services immediately by calling 112 (Pan-India Emergency), 102 (Ambulance), or 108 (Emergency Response), or visit the nearest hospital. The Platform may be unavailable, delayed, or inaccessible at any time, and is not designed to support urgent communications.
We treat health data as Sensitive Personal Data or Information under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Digital Personal Data Protection Act, 2023. Our practices are designed to align with:
• Digital Personal Data Protection Act, 2023 (DPDP Act);
• Information Technology Act, 2000;
• Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules); and
• Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules 2021).
For the purposes of this page, “health data” includes (without limitation):
• Medical history, symptoms, and conditions you record on the Platform;
• Responses to our onboarding and health-profile questionnaire (such as basic health attributes, lifestyle inputs, and health-status responses);
• Diagnostic reports, pathology and lab results, imaging reports, and other diagnostic documents;
• Prescriptions and the medications extracted or auto-populated from them;
• Hospital and pharmacy bills, invoices, and insurance documents;
• Blood group and the identifying document submitted for blood-group verification;
• Appointment details, notes, and any messages or files containing health information, including questions and contextual data you submit to the Carevie AI chat / FAQ assistant; and
• Any other health-related document, image, or note you voluntarily upload, enter, or store on the Platform.
All such information is treated as Sensitive Personal Data or Information and is subject to enhanced protection.
We process health data only with your explicit, free, specific, informed, and unambiguous consent, or where processing is necessary for the performance of the services you have requested under the Terms of Service, or for compliance with a legal obligation.
You may withdraw your consent at any time by contacting us at support@carevie.in. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal and may limit or prevent your continued use of certain features. Where consent is withdrawn for the processing necessary to operate your account, we will treat such withdrawal as a request to delete your account.
We process health data only for the following specified, lawful purposes:
• Storing, organising, retrieving, and displaying the health records you upload to your Vault;
• Verifying your declared blood group using the document you submit;
• Generating AI-powered summaries and explanations of your reports and conditions, and auto-populating medication fields from your prescriptions (only where you choose to use such features);
• Operating the Carevie AI chat / FAQ assistant to answer your questions about the Platform and your records;
• Enabling controlled sharing through the CareCircle feature and through tokenised share links;
• Delivering service-related notifications to your device (including push notifications) and personalising your onboarding experience;
• Providing customer support and responding to your queries and feedback;
• Maintaining Platform security, preventing unauthorised access, detecting misuse, and keeping access and security audit logs; and
• Complying with legal, regulatory, or governmental obligations.
We do not use health data for advertising, marketing, profiling, behavioural targeting, or any commercial purpose other than providing the Services.
Where you choose to use AI-powered features, the relevant document content may be transmitted to the following third-party AI service providers for processing:
• OpenAI: Used to summarise medical reports, generate plain-language explanations of conditions or abnormalities reflected in the documents you upload, and power the Carevie AI chat / FAQ assistant.
• Google (Gemini): Used to extract structured medication information from prescriptions you upload (for example, to auto-fill the medication field of your profile).
The Carevie AI chat / FAQ assistant is orchestrated through our backend application server (which we operate on DigitalOcean, with Supabase providing the underlying database). When you interact with the assistant, your queries and limited contextual data (such as the active profile identifier and, where relevant, intent context) may be transmitted to the underlying AI provider through an encrypted API call. The assistant is not designed to provide medical advice or to handle medical emergencies.
Transmissions to these providers are made through encrypted Application Programming Interface (API) calls. To the best of our knowledge and based on the standard API terms of these providers as of the last update of this page, data submitted through API calls is not used to train their underlying models. However, we encourage you to review their current policies independently. By using AI-powered features, you provide explicit consent to such processing, including any cross-border transfer involved.
AI outputs are not medical advice.
AI-generated summaries, explanations, and extracted medication data may be incomplete, inaccurate, out-of-date, or misleading. They are intended only to help you understand or organise your records. They are not a diagnosis, prescription, treatment plan, or medical opinion. Always verify any AI-generated content with a qualified medical practitioner before acting on it. Do not change, start, or stop any medication, dosage, or treatment based on AI output.
We apply data minimisation and least-privilege principles to health data:
• We collect only the data necessary to provide the requested feature;
• Access to health data within our systems is restricted to authorised personnel and processes with a documented operational need;
• Internal access is governed by role-based access controls, is logged, and is subject to periodic review;
• Where an authorised staff member opens your medical records, they must first record a reason, and each such access is individually written to a tamper-evident audit trail (who accessed what, when, and why);
• Production health data is not used in development or testing environments; and
• Health data is not accessed except where required for service delivery, support requested by you, security investigation, or legal compliance.
PROBOX Infotech Private Limited implements reasonable technical and organisational safeguards consistent with Rule 8 of the SPDI Rules and Section 8(5) of the DPDP Act, including:
• Encryption of data in transit using industry-standard Transport Layer Security (TLS 1.2 or higher);
• Encryption of data at rest using AES-256 on our database and storage infrastructure (currently Supabase, with our application and AI backend hosted on DigitalOcean);
• Authentication based on OTP verification of your registered mobile number through our authentication service provider (2Factor);
• Role-based and least-privilege access controls for internal personnel;
• Network-level safeguards (firewalls, access policies, isolation of production systems);
• Logging, monitoring, and periodic review of access events and security alerts;
• Contractual security and confidentiality obligations on all third-party service providers; and
• Periodic review and updating of our security practices.
Despite these safeguards, no method of electronic storage or transmission is one hundred percent secure. In the event of a personal data breach affecting your data, we will notify the Data Protection Board of India and affected Users in accordance with applicable law.
We do not sell, rent, or trade your health data to any third party.
Health data is shared only as follows:
• Service providers: Supabase (database and authentication), DigitalOcean (hosting of our website and our backend application server, including AI processing workloads), Upstash (rate-limiting and security counters), 2Factor (OTP delivery), Expo Push Notification Service (delivery of push notifications to your device — health records are not sent through push notifications), OpenAI and Google Gemini (AI processing where you use the relevant features, including the AI chat assistant), and Google Analytics (non-identifiable usage measurement only — no health data is sent to Google Analytics).
• CareCircle Members: Individuals you specifically choose to grant access to your records or profile through the CareCircle feature. You may revoke their access at any time, but content already viewed or downloaded by them may not be recoverable, and Carevie is not responsible for further use or disclosure by a CareCircle Member.
• Recipients of tokenised share links: Any person who possesses a share link you generate may access the content the link points to until the link is revoked or expires. You are responsible for distributing share links only to intended recipients through reasonably secure channels. Carevie is not responsible for further use or disclosure by a share-link recipient.
• Legal and regulatory authorities: Where required by law, court order, or a lawful request from a competent authority, or to protect our legal rights or the safety of any person.
Cross-border processing
Health data is primarily stored on Supabase database infrastructure, with our website and backend application server (including AI processing) hosted on DigitalOcean. When you use AI-powered features, document content may be transmitted to OpenAI and Google (Gemini) servers, which may be located outside India, including in the United States. Transfers are made through encrypted API calls and are permitted under Section 16 of the DPDP Act, subject to any restrictions notified by the Central Government.
Health records you upload are retained under your control unless you explicitly delete them or your account is closed. You may delete individual records, your CareCircle access grants, share links, or your entire account at any time through the Platform (Settings → Delete Account) or by emailing support@carevie.in.
30-day recovery window: When you delete your account, your account and all associated health data are placed in a deactivated state for thirty (30) days. During this period your data is hidden from CareCircle Members and share-link recipients and is not used for any active purpose. You may restore your account during this window by logging in with your registered mobile number and OTP and clicking the “Restore Account” button.
Permanent deletion after 30 days: At the end of the recovery window, your personal and health data — including all uploaded records, onboarding responses, blood-group verification document, CareCircle relationships, share-link history, and AI chat-assistant history — is permanently deleted from our active systems. Encrypted backup copies may persist for a limited additional period (typically not exceeding 90 days) in accordance with our backup-retention cycles, after which they are purged.
Residual retention: After permanent deletion, we retain a minimal record consisting only of your registered mobile phone number and the IP address(es) associated with your account, for the limited purposes of preventing fraud and abuse, preventing re-registration of accounts that were suspended or terminated for violation of our Terms, maintaining the integrity of our security and rate-limiting systems, and complying with our obligations under applicable law. No health data is included in this residual record. We may retain other information for a longer period where required by law, for the establishment, exercise, or defence of legal claims, or for security and fraud-prevention purposes.
Subject to applicable law, you have the following rights in relation to your health data:
• Access: Obtain a copy of your stored health data and a summary of the processing activities we carry out on it.
• Correction: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of personal and health data that is no longer necessary for the purpose for which it was collected.
• Withdraw consent: Withdraw consent previously given for processing of your health data.
• Nominate: Nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity.
• Grievance redressal: Raise a complaint with our Grievance Officer (see contact details below).
Requests can be made through the Platform (where supported) or by emailing support@carevie.in. For grievances, please email our Grievance Officer at support@carevie.in.
Health data of a Child (an individual under 18) may be stored on the Platform only through a Child Profile created and managed by a parent or lawful guardian under their own adult account, as described in our Terms of Service and Privacy Policy. By creating a Child Profile, you provide verifiable parental consent under Section 9 of the DPDP Act. We do not undertake tracking, behavioural monitoring, or targeted advertising in respect of Child Profiles, and we do not knowingly process a Child's data for any purpose detrimental to the Child's well-being.
We may update this Health Data Privacy & Medical Disclaimer page from time to time to reflect changes in law, technology, or our practices. Updates will be posted on this page with a revised “Last Updated” date. Where the changes are material, we will provide additional notice through the Platform or by other reasonable means.
Grievance Officer
Name: [GRIEVANCE OFFICER NAME]
Entity: PROBOX Infotech Private Limited
Email: support@carevie.in
Address: [REGISTERED OFFICE ADDRESS], India