Privacy Notice

Last updated: 2026-05-02 · Working draft. Contact our grievance officer

1. Who we are

Asha is operated as a working-title product under the Asha team as the Data Fiduciary (per DPDPA s.2(i)). Contact for data-protection matters: grievance@withasha.com.

2. What this Notice covers

This Notice describes how we collect, process, store, share, and protect your personal data when you use the Asha mobile application, the Asha website at withasha.com, and any related services. It complies with India's Digital Personal Data Protection Act 2023 (DPDPA), the Information Technology Act 2000, and the Sensitive Personal Data or Information Rules 2011 (SPDI Rules).

3. Categories of data we collect

Category	Examples	Source
Identity	Name, email address, phone number (optional)	You provide at signup
Health-context	Symptoms, treatments, test results, recommendations from your treating physician. What you describe to Asha during a consult	You provide during use
Family member context	Names, relationships, ages of family members on whose behalf you may consult	You provide
Voice content	Audio of you speaking to the AI persona during a consult	Captured during voice mode; not persisted on our servers
Device + usage	Device type, OS version, anonymous app analytics	Automatically

4. Purposes for which we process your data

Operating the Asha service. Generating second-opinion guidance from your case description.
Authentication + account integrity. Verifying your identity and securing your account.
Service improvement. Diagnosing bugs, improving the AI panel's reasoning. Data used for improvement is de-identified.
Communicating with you. Service notifications, security alerts.
Legal and regulatory compliance. Meeting our obligations under Indian law.

5. Lawful basis for processing

We rely on your consent (DPDPA s.6) for all processing of your personal data. We obtain consent at signup for service operation, and again before each new processing purpose where required.

6. Data sharing

We share your personal data with the following processors solely as necessary to operate Asha:

An AI inference provider. Generates the AI panel's reasoning. Identifiable details are redacted before any call.
A real-time avatar and voice provider. Provides the avatar voice loop. Voice content is processed in-session and not persisted on Asha's servers.
A managed database and storage provider. Your case data, family member context, and consult history. Hosted in Singapore (ap-southeast-1).
An error-tracking provider. Operational error reports with PHI scrubbing. No user-supplied health text is sent.
An uptime-monitoring provider. Service availability checks. No personal data.
A managed backend-hosting provider. Our backend service runs in Mumbai, India.

Specific vendor names are not disclosed publicly as part of our security posture. Each processor is contractually bound to data-protection obligations consistent with the DPDPA, IT Act, and SPDI Rules. We are happy to disclose specific vendors to data-protection authorities, regulators, or your legal counsel on request to grievance@withasha.com.

7. Cross-border transfer

Some of the above processors operate outside India. Per DPDPA s.16, we transfer personal data only to jurisdictions permitted by the Central Government from time to time. Where any specific destination is later restricted by Government notification, we will revise this Notice and our vendor list accordingly.

8. Retention

We retain your data for as long as your account is active plus a reasonable period after deletion for legal-compliance purposes. Specific retention windows by category will be published before public launch. Health-context records can be deleted on request via your account settings.

9. Your rights as a Data Principal (DPDPA Chapter III)

Right to access the personal data we hold about you.
Right to correct inaccurate or incomplete data.
Right to erasure (subject to legal retention obligations).
Right to grievance redressal through our designated officer.
Right to nominate another individual in case of incapacity or death.
Right to withdraw consent at any time, without affecting prior lawful processing.

Exercise these rights by emailing grievance@withasha.com. We will respond within timelines specified by the DPDPA Rules.

10. Children

Asha is not designed for users under 18. The signup flow asks you to confirm you are 18 or older. Pediatric consults are conducted by an adult parent or guardian on behalf of a child. We do not knowingly collect personal data directly from children under 18.

11. Security

We implement reasonable security practices aligned with the SPDI Rules and ISO 27001 controls (formal certification is in progress at the time of this Notice). Specific measures include: encryption in transit (HTTPS) and at rest, on-device PHI redaction before any external API call, role-based access controls, error-tracking with PHI scrubbing, and a documented breach-response runbook.

12. Grievance Officer

If you have any concerns about how your personal data is being handled, please contact our designated grievance officer:

the Asha team
Email: grievance@withasha.com

We will acknowledge your grievance within 24 hours and respond substantively within timelines specified by the DPDPA Rules.

13. Changes to this Notice

We will notify you of material changes via the email associated with your account. The "Last updated" date above reflects the most recent revision.

- End of Notice -