Effective Date: 2026-05-26 · Last Updated: 2026-05-26

Carevie Privacy Policy

This Privacy Policy describes how PROBOX Infotech Private Limited (“Carevie”, “we”, “our”, “us”), the operator of the Carevie platform, collects, uses, processes, stores, shares, retains, and protects your personal data when you use our website https://carevie.in, our mobile applications (collectively, the “Platform” or “Services”), or when you otherwise interact with us.

This Policy is published in accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules 2021”). By accessing or using the Platform, you confirm that you have read, understood, and consent to the practices described in this Policy.

1. Introduction

Carevie is a personal health information management platform that allows users to securely store, organize, and share their medical records and health information with family members, caregivers, and trusted contacts.

We take the privacy and confidentiality of your personal and health-related information seriously. Because the Platform processes sensitive health data, we apply enhanced safeguards consistent with the SPDI Rules and Section 8 of the DPDP Act.

Important note

Carevie is not a hospital, clinic, telemedicine provider, or healthcare professional. The Platform does not provide medical advice, diagnosis, or treatment. Any AI-generated summaries are informational only and must not be used as a substitute for consultation with a qualified medical professional.

2. Who we are

Carevie is owned and operated by PROBOX Infotech Private Limited, a company incorporated under the Companies Act, 2013, having its registered office at [REGISTERED OFFICE ADDRESS], India.

For the purposes of the DPDP Act, PROBOX Infotech Private Limited acts as the “Data Fiduciary” in relation to the personal data processed through the Platform. You, the User, are the “Data Principal”.

3. Scope and applicability

This Policy applies to all individuals located in India who access or use the Platform, whether through our website, Android application, or any other channel through which we make the Services available.

The Platform is intended only for Users located in India and is governed by the laws of India.

4. Definitions

• “Personal Data” means any data about an individual who is identifiable by or in relation to such data.
• “Sensitive Personal Data or Information” (“SPDI”) includes health information, medical records, biometric data, financial data, and other categories specified under Rule 3 of the SPDI Rules.
• “CareCircle” means the feature that enables you to share your stored health records with selected contacts (“CareCircle Members”).
• “Child” means an individual who has not completed eighteen (18) years of age.
• “Child Profile” means a sub-profile created and managed by a Parent User on the Platform for a Child in their care.
• “Processing” has the meaning given to it under the DPDP Act and includes collection, storage, use, sharing, and erasure of Personal Data.

5. Information we collect

We collect the following categories of information when you use the Platform:

5.1 Identity and contact data

• Full name
• Date of birth
• Gender (if voluntarily provided)
• Mobile phone number (used for OTP-based authentication)
• Residential or correspondence address
• Profile photograph (if uploaded)
• Names and contact details (such as phone numbers) of family members, caregivers, or trusted contacts you designate, including any individuals you nominate as emergency or trusted contacts on your profile

5.2 Health and medical information (SPDI)

• Lab and diagnostic reports
• Prescriptions
• Medical bills and invoices
• Health insurance documents
• Medication history (which may be auto-populated from prescriptions you upload)
• Blood group, supported by an identifying document you upload for verification
• Any other health-related document, image, or note you voluntarily upload, enter, or store on the Platform

5.3 Authentication and security data

• One-time passwords (OTPs) sent to your mobile number, verified through our authentication service provider (2Factor)
• Login session tokens and authentication cookies
• Records of security-related events such as failed login attempts, password resets (if applicable), and device changes

5.4 Usage and technical data

• IP address, device type, operating system, browser type and version
• Pages or features accessed, time spent, and navigation paths
• Server logs, error reports, and diagnostic information
• Anonymized analytics events collected through Google Analytics (see our Cookie Policy)

5.5 Communications data

Any information you provide when you contact us by email, through in-app support, through the AI chat assistant (see Section 9), or by submitting feedback through the Platform, including the contents of your message and any attachments.

5.6 Onboarding and health-profile data

Information you provide through our onboarding questionnaire and health-profile setup, including (but not limited to) basic health attributes, lifestyle inputs, and any health-status responses you choose to enter. This data is used to personalise your experience and populate your health profile on the Platform.

5.7 Device and push-notification data

If you install our mobile application or enable browser notifications, we collect a push-notification token issued by your device's notification service (currently provided through Expo Push Notification Service). We use this token solely to deliver service-related notifications (such as reminders, sharing alerts, and security notices) to your device. You may disable push notifications at any time through your device or browser settings.

5.8 Feedback and support data

When you submit feedback through the Platform or contact our support, we collect the information you provide (such as your message, ratings, screenshots, and any attachments) along with limited technical context to help us respond and improve the Services.

5.9 Audit-log and access data

We maintain access and security audit logs that record events such as logins, OTP verifications, CareCircle access grants and revocations, share-link creations and revocations, and access to sensitive records. These logs are used for security monitoring, fraud prevention, and to help us respond to grievances or lawful requests.

5.10 Mobile application permissions

When you install our Android (and, if released, iOS) mobile application, we may request the following device permissions to operate specific features. None of these permissions is granted by default — your operating system will prompt you to allow or deny each permission, and you may revoke any of them at any time through your device settings.
Camera: to capture photographs of medical documents, reports, or your blood-group verification document for upload.
Photos, media, and storage: to select existing images or PDFs from your device to upload to your Vault.
Notifications: to deliver service-related push notifications (such as sharing alerts, security notices, and reminders).
Internet / network access: required to communicate with our servers (granted automatically by the operating system).

Revoking a permission may prevent or limit the related Platform feature (for example, revoking camera access will prevent you from capturing new documents from within the app).

5.11 Mobile device identifiers

Our mobile application may collect a push-notification token issued by Google Firebase Cloud Messaging (FCM) or Apple Push Notification service (APNs), which is used solely to route push notifications to your device. We do not collect your Android Advertising ID, IDFA, IMEI, IMSI, MAC address, or any persistent hardware identifier for analytics, advertising, profiling, or tracking purposes.

Sensitive Personal Data

Health information, medical records, and the blood-group identification document are treated as Sensitive Personal Data or Information under Indian law. We collect, process, and store such data only with your explicit consent and apply enhanced safeguards described in this Policy.

6. How we collect your data

We collect personal data through the following channels:

• Directly from you when you register, complete the onboarding questionnaire, set up your profile, or upload documents to the Platform
• Automatically through cookies, server logs, and analytics tools when you interact with the Platform
• From third-party authentication providers (currently 2Factor) when you verify your phone number via OTP
• From you on behalf of another individual when you create a Child Profile or invite a CareCircle Member
• From your communications with us, including support requests

7. How we use your data

We use your personal data for the following specific, lawful purposes:

• To create, authenticate, and manage your Carevie account
• To store, organize, and display the medical documents and health records you upload to your Vault
• To verify your declared blood group using the document you submit
• To generate AI-powered summaries and explanations of your medical reports and health conditions (where you choose to use such features)
• To auto-populate medication fields from prescriptions you upload
• To operate the Carevie AI chat / FAQ assistant and respond to your queries about the Platform and your records
• To enable the CareCircle feature so you can share your records with selected contacts, and to operate the share-link feature (see Section 11)
• To send service-related communications, including OTPs, security alerts, sharing notifications, and other important notices via SMS, email, and push notifications
• To respond to your support queries, grievances, and feedback
• To maintain Platform security, prevent fraud, detect unauthorized access, enforce rate limits, maintain access and security audit logs, and enforce our Terms of Service
• To personalise your onboarding experience and tailor in-app prompts based on your responses to our health-profile questionnaire
• To comply with legal, regulatory, and statutory obligations
• To improve Platform reliability, usability, and performance using aggregated, non-identifiable usage data

We do not use your health data for advertising, marketing, profiling, or behavioural targeting.

8. Legal basis for processing

Under the DPDP Act and the SPDI Rules, we process your personal data on the following lawful bases:

• Consent: For most processing activities, including the collection and storage of health records, sharing via CareCircle, and processing through AI service providers, we rely on your free, specific, informed, unconditional, and unambiguous consent obtained at or before the point of collection.
• Performance of a contract: Where processing is necessary to provide the Services you have requested under our Terms of Service.
• Legitimate uses: Including responding to medical emergencies, fulfilling legal obligations, and enforcing legal rights, as recognised under Section 7 of the DPDP Act.
• Compliance with law: Where we are required to process or disclose personal data to comply with a court order, statutory notice, or lawful direction.

You may withdraw your consent at any time by contacting us at support@carevie.in. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal and may limit or prevent your ability to use certain features of the Platform.

9. AI processing & third-party AI services

Some features of the Platform use third-party Artificial Intelligence service providers to generate summaries, explanations, and structured information from the documents and content you upload. We currently use:

• OpenAI: Used to summarize medical reports, explain health conditions, and provide easy-to-understand insights from documents you upload.
• Google Gemini: Used to extract structured information from prescriptions you upload (for example, to auto-populate the medication field).
Carevie AI chat / FAQ assistant: An in-Platform conversational assistant that helps you navigate the Platform and answer questions about your records. The assistant is operated through our backend application servers (which we host) and is powered by third-party large language models (currently OpenAI). When you use the assistant, your queries — and, where relevant, limited contextual data such as the active profile identifier — may be transmitted to the underlying AI provider through API calls for processing.

When you use any of these features, the relevant content may be transmitted to the relevant AI provider through API calls for processing. To the best of our knowledge and based on the standard API terms of these providers, your data submitted through API calls is not used to train their AI models. However, you should review the relevant providers' policies for current details.

Important — AI outputs are not medical advice

AI-generated summaries, explanations, and extracted data are informational only and may contain errors, omissions, or inaccuracies. They must not be relied upon for medical decisions. Always consult a qualified healthcare professional. See our Health Data Privacy & Medical Disclaimer page for more detail.

Reporting AI outputs: If you encounter an AI output that is inaccurate, offensive, or otherwise objectionable, you may report it through the in-app feedback option, or by emailing us at support@carevie.in. We review such reports and use them to improve the safety and quality of AI-powered features.

10. Who we share your data with

We do not sell, rent, or trade your personal data to any third party for any purpose.

We share limited personal data only with the following categories of recipients and only to the extent strictly necessary:

• Hosting and storage providers: Supabase (database and authentication infrastructure) and DigitalOcean (hosting of our website and our backend application server, including AI processing workloads). Our backend application server (which orchestrates AI workflows, audit logging, and the chat assistant) is operated by us and hosted on the foregoing infrastructure.
• Rate-limiting and security infrastructure: Upstash, which we use to enforce rate limits, protect against abuse, and maintain certain security counters.
• Authentication providers: 2Factor, which delivers and verifies the OTP sent to your registered mobile number.
• AI service providers: OpenAI and Google (Gemini), used solely to process the documents and queries you submit to the relevant feature (see Section 9).
• Push-notification service: Expo Push Notification Service, which routes service-related push notifications to your device. Only a device push token and the contents of the relevant notification are transmitted; we do not send your medical records through push notifications.
• Analytics providers: Google Analytics, used to understand aggregate usage patterns and improve the Platform.
• CareCircle Members and recipients of share links: Individuals you explicitly choose to share specific records with through the CareCircle feature or through tokenised share links (see Section 11).
• Legal, regulatory, or governmental authorities: Where disclosure is required by law, court order, or a lawful request from a competent authority, or to protect our legal rights or the safety of any person.
• Professional advisors: Lawyers, auditors, accountants, or insurers, where necessary for the protection of our legal rights or compliance with law.

All third-party service providers are bound by contractual obligations to maintain confidentiality, implement appropriate security measures, and process your data only for the purposes for which it was provided to them.

11. CareCircle and share links

11.1 CareCircle sharing

The CareCircle feature enables you to share selected health records and information from your account with chosen family members, caregivers, or trusted contacts (“CareCircle Members”).

When you invite a CareCircle Member or grant them access to specific records:
• You are the sole authoriser of such sharing and remain responsible for what you choose to share.
• The recipient may view, download, or use the shared information, and Carevie is not responsible for how a CareCircle Member subsequently uses or discloses information you have shared with them.
• You may revoke a CareCircle Member's access at any time through the Platform, but content already viewed or downloaded by them may not be recoverable.
• We maintain audit records of CareCircle access grants and revocations to support security and accountability.

11.2 Tokenised share links

In addition to CareCircle, the Platform may allow you to generate a tokenised share link that grants access to specific records or a specific profile to any person who possesses the link. This feature is designed for sharing with parties who do not have a Carevie account (for example, a treating doctor or hospital).

When you generate a share link, you acknowledge that:
• Anyone who obtains the link — whether or not they were the intended recipient — may access the content the link points to, until the link is revoked or expires;
• You are responsible for sharing the link only with the intended recipient and through a reasonably secure channel;
• You may revoke a share link at any time through the Platform, but content already viewed or downloaded by a recipient prior to revocation may not be recoverable; and
Carevie maintains audit records of link creations, accesses, and revocations to support security and accountability.

12. Child profiles & minors

The Platform is intended for use by individuals who are at least eighteen (18) years of age. We do not knowingly create accounts for, or solicit personal data from, individuals under 18 in their own name.

A registered adult User who is a parent or lawful guardian may create a “Child Profile” under their account to manage health records for a Child in their care. By creating a Child Profile, you:
• Confirm that you are the parent or lawful guardian of the Child and have the authority to provide consent on the Child's behalf as required under Section 9 of the DPDP Act;
• Provide verifiable parental consent for the processing of the Child's personal and health data strictly for the purpose of using the Platform to organise and store such records;
• Acknowledge that we will not undertake tracking, behavioural monitoring, targeted advertising, or any other processing detrimental to the Child's well-being; and
• Accept responsibility for the accuracy of any information entered for the Child Profile and for deletion of the Child Profile when the Child reaches the age of majority or when no longer required.

If you believe a Child has provided personal data to us in violation of this Policy, please contact us immediately and we will take steps to delete the information.

13. Cross-border data transfers

Your personal data, including health records, is primarily stored on Supabase database infrastructure. Our website and backend application server (including AI processing workloads) are hosted on DigitalOcean. Rate-limiting counters are processed through Upstash.

When you use AI-powered features (such as report summarisation or prescription auto-fill), the relevant content may be transmitted to OpenAI and Google (Gemini) servers, which may be located outside India, including in the United States. Such transfers are made through encrypted API calls. The DPDP Act permits transfers of personal data outside India to any country except those specifically notified by the Central Government as restricted. By using AI-powered features, you provide explicit consent to such cross-border processing.

14. Security measures

We implement reasonable security practices and procedures consistent with the SPDI Rules and Section 8 of the DPDP Act. These include:

• Encryption of data in transit using industry-standard Transport Layer Security (TLS 1.2 or higher);
• Encryption of data at rest using AES-256 encryption on our database and storage infrastructure;
• OTP-based authentication for account access;
• Role-based and least-privilege access controls for internal personnel;
• Network-level safeguards including firewalls and access restriction policies;
• Logging, monitoring, and periodic review of access events;
• Secure software development practices and regular updating of dependencies; and
• Periodic review of security practices.

Despite our best efforts, no method of transmission over the internet or electronic storage is one hundred percent secure. In the event of a personal data breach, we will notify the Data Protection Board of India and affected Users in accordance with the requirements of the DPDP Act.

15. Data retention & deletion

We retain your personal data only for as long as is necessary for the purposes for which it was collected:

Account and health data: Retained for as long as your account remains active. The data you upload is stored under your control unless you explicitly delete it through the Platform.
Account deletion — 30-day recovery window: When you delete your account, your account is placed in a deactivated state for thirty (30) days. During this window, your account is hidden from CareCircle Members and share-link recipients, AI processing and notifications are suspended, and your data is not used for any active purpose. If you wish to restore your account during this window, you may do so by logging in to the Platform with your registered mobile number and OTP and clicking the “Restore Account” button. This will reactivate your account with your data intact.
After 30 days — permanent deletion: At the end of the 30-day recovery window, your personal and health data (including all uploaded records, onboarding responses, identity and contact data, CareCircle relationships, share-link history, and chat-assistant history) is permanently deleted from our active systems.
Residual retention after permanent deletion: After permanent deletion, we retain a minimal record consisting of your registered mobile phone number and the IP address(es) associated with your account, solely for the purposes of (a) preventing fraud, abuse, and re-registration of accounts that were suspended or terminated for violation of our Terms; (b) maintaining the integrity of our security, rate-limiting, and OTP-throttling systems; and (c) complying with our obligations under applicable law. This residual data is not used for marketing, profiling, AI processing, or any purpose unrelated to security and fraud-prevention, and is processed on the basis of the “legitimate uses” recognised under Section 7 of the DPDP Act.
Backups: Encrypted backup copies may persist for a limited additional period (typically not exceeding 90 days) consistent with our backup retention cycles, after which they are purged.
Legal retention: We may retain certain information for longer where required by law, for the establishment, exercise, or defence of legal claims, or for security and fraud-prevention purposes.

You may delete your account at any time from within the Platform (Settings → Delete Account) or by emailing us at support@carevie.in.

16. Your rights under the DPDP Act

As a Data Principal under the DPDP Act, you have the following rights in relation to your personal data:

• Right to access: Obtain a summary of the personal data we process about you and the identities of all Data Fiduciaries and Data Processors with whom your personal data has been shared.
• Right to correction and erasure: Request correction of inaccurate or misleading personal data, completion of incomplete data, updating of out-of-date data, and erasure of personal data that is no longer necessary for the purpose for which it was processed.
• Right to grievance redressal: Raise concerns about our handling of your personal data with our Grievance Officer (see Section 18).
• Right to nominate: Nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity.
• Right to withdraw consent: Withdraw consent previously given for the processing of your personal data, at any time.

To exercise any of these rights, please contact us at support@carevie.in. We will respond to your request within the timelines prescribed under applicable law. If you remain dissatisfied with our response, you may approach the Data Protection Board of India.

17. Cookies and tracking

The Platform uses cookies and similar technologies for authentication, security, performance, and analytics purposes. For a detailed description of the categories of cookies we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy.

18. Grievance redressal

In accordance with Rule 5(9) of the SPDI Rules, Rule 3(2) of the IT Rules 2021, and Section 8(9) of the DPDP Act, PROBOX Infotech Private Limited has designated the following Grievance Officer to address questions, complaints, or grievances regarding the processing of your personal data:

Name: [GRIEVANCE OFFICER NAME]
Designation: Grievance Officer
Entity: PROBOX Infotech Private Limited
Email: support@carevie.in
Address: [REGISTERED OFFICE ADDRESS], India

The Grievance Officer will acknowledge receipt of your complaint within forty-eight (48) hours and will endeavour to resolve it within fifteen (15) days from the date of receipt, in accordance with the applicable rules. If you remain dissatisfied with the response, you may approach the Data Protection Board of India.

19. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. The “Last Updated” date at the top of this page indicates when this Policy was last revised. Where changes are material, we will provide additional notice through the Platform or by other reasonable means. Your continued use of the Platform after such updates constitutes your acceptance of the revised Policy.

20. Contact us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:

PROBOX Infotech Private Limited
Email: support@carevie.in
Grievance: support@carevie.in
Address: [REGISTERED OFFICE ADDRESS], India