Kidvanta
by Swasthya Saathi Healthcare LLP · AIIMS Alumni Initiative

Privacy Policy

How the Kidvanta app collects, uses, and protects your child's health data through the Swasthya Saathi School Health Screening Programme.
Last updated: May 2025  ·  Version 2.0

📱 com.aiims.swasthyasaathi 📋 DPDP Act 2023 🔒 HIPAA-aligned 🏥 AIIMS Alumni Doctors ☁️ AWS Mumbai (ap-south-1)
7 Screening Domains 📏 Anthropometry 🩺 General Pediatric 👁 Vision 👂 ENT & Hearing 🦷 Dental 🧠 Mental Health* 🥗 Nutrition
⚠️  Important Disclaimer — Screening is NOT Diagnosis
01
About This Policy
इस नीति के बारे में

This Privacy Policy explains how Swasthya Saathi Healthcare LLP ("we", "us", "our"), operating as the AIIMS Alumni Initiative and delivering services through the Kidvanta platform, collects, uses, stores, and protects personal data when you use the Kidvanta mobile application (com.aiims.swasthyasaathi), the administrative dashboard, or participate in a Swasthya Saathi school health camp.

This policy is fully compliant with the Digital Personal Data Protection (DPDP) Act, 2023 (India) and meets the requirements of the Google Play Store and Apple App Store for apps handling health and children's data.

ℹ️ By installing and using the Kidvanta app, or by signing a consent form at a health camp, you confirm you have read and agree to this Privacy Policy. Parents and guardians consenting on behalf of a child confirm their legal authority to do so.
02
Who We Are
हम कौन हैं

Swasthya Saathi Healthcare LLP is India's first preventive healthcare programme for schools, delivering comprehensive, painless health screenings directly to school campuses — conducted by AIIMS Alumni-trained doctors following WHO, AAP, and IAP guidelines. The Kidvanta app is our digital platform serving doctors, parents, and school administrators.

Detail Information
Legal Entity Swasthya Saathi Healthcare LLP
Platform Name Kidvanta
Initiative AIIMS Alumni Health Initiative
App Package com.aiims.swasthyasaathi
Website www.swasthyasaathi.org
Governing Law DPDP Act, 2023 (India)
Data Storage Region AWS ap-south-1 — Mumbai, India
Service Coverage Chhattisgarh, Rajasthan & schools across India
Support Email app.swasthyasaathi@gmail.com
Phone +91 9905012304
03
Data We Collect
हम कौन सा डेटा एकत्र करते हैं

Parent / Guardian

Child / Student — collected at health camp

📏
Anthropometry
Height, Weight, BMI, Head Circumference
🩺
General Pediatric
Vitals: Pulse, BP, SpO2
👁️
Vision
Acuity, Colour Blindness, Refractive Error
👂
ENT & Hearing
Ear, Nose, Throat + PTA
🦷
Dental
Oral camera examination findings
🧠
Mental Health*
SDQ — separate consent required
🥗
Nutrition
Dietary assessment data

Doctors & Healthcare Staff

School & Camp Administrators

Automatically Collected

🚫 We do NOT collect: Aadhaar numbers · financial / payment information · biometric identifiers (fingerprints, face scans) · precise GPS/location · contact list or call history · photos from your camera roll · any data not listed above.
04
App Permissions & Why We Need Them
ऐप अनुमतियाँ और उनकी आवश्यकता

The Kidvanta app requests the following device permissions. We only request permissions that are essential for the app's core functionality:

Permission Why It Is Needed When Requested
Camera Scan student QR code barcodes at camp check-in. No photos are taken or stored. When doctor opens the QR scanner screen
Internet Communicate with the Kidvanta backend API (AWS Mumbai) to submit and retrieve health records. Always (required for app to function)
Notifications Deliver in-app alerts about health report availability and camp updates to parents. On first app launch (optional, can be denied)
Secure Storage Store your encrypted login session token locally on the device so you stay logged in. At login (uses platform SecureStore, not external storage)
The app does not access your microphone, contacts, call logs, photos/gallery, precise location, or background location at any time.
05
How We Use Your Data
आपके डेटा का उपयोग
Purpose Data Used
OTP-based authentication Mobile number, session tokens
Conduct and record health screenings at camp Child health data, doctor assignment, camp data
Generate and deliver health report to parent via app Child health data, parent contact
Generate OPD voucher for flagged conditions (select packages only) Triage flag, child identity, package type
WhatsApp / digital notification of report availability and follow-up recommendations Mobile number, triage status
Parent pre-screening questionnaire Parent responses, child profile
Share flag status and aggregate stats with school's DAP (see Section 7) Flag status, school-level aggregates only
6-month follow-up and repeat camp management Child identity, previous triage report
Anonymous, aggregated internal research to improve screening protocols De-identified aggregate data only — individual never identifiable
Platform operation, debugging, and improvement Crash logs, anonymous usage metrics
Legal and regulatory compliance Audit logs, access records
📢 We do NOT use your data for advertising, targeted marketing, or profiling. We do NOT sell personal data to any third party.
06
Data Sharing with Third Parties
तृतीय पक्षों के साथ डेटा साझाकरण

We share data only in the following strictly limited circumstances:

Recipient Data Shared Purpose Safeguard
Amazon Web Services (AWS ap-south-1) All platform data Hosting, database, storage, KMS encryption Data Processing Agreement; data never leaves India
MSG91 (SMS gateway) Mobile number only OTP delivery Number used solely for SMS; not retained beyond delivery
WhatsApp Business API Mobile number, notification text Health report delivery and follow-up reminders Used only with explicit consent on the consent form
School DAP Flag status, aggregate stats only Institutional health coordination (see Section 7) No detailed clinical data; no mental health data; no full report
Empanelled Hospitals Referral coordination data (where OPD voucher applicable) Follow-up consultation facilitation Only for flagged cases; commercial arrangement disclosed in Section 12
Legal / Regulatory Authorities As required by law Compliance with court orders or government directives Only when legally compelled; minimum necessary data
⚠️ We do NOT sell, rent, or barter personal data. We do NOT share data with advertisers, data brokers, or social media platforms.
07
Sharing with the School's Designated Authorised Person (DAP)
स्कूल के नामित अधिकृत व्यक्ति के साथ साझाकरण

Each school appoints a Designated Authorised Person (DAP) — the Principal, School Owner, or Health Coordinator — as the institutional contact for student health matters. The following strict data boundaries apply:

✓ Shared with DAP ✗ Never Shared with DAP
Overall flag status only: Green / Yellow / Red Detailed clinical findings or raw test scores
Generic referral recommendation ("Follow up with a doctor") Full individual health report (parent-only access via app)
School-level aggregate health statistics Mental health (SDQ) data — governed by separate consent form
🔒 The full health report is accessible only to the parent/guardian through the Kidvanta app. Detailed clinical data is never shared with the school.
08
Children's Privacy
बच्चों की गोपनीयता

The Kidvanta app is purpose-built to screen school-going children. All child health data is classified as sensitive personal data under the DPDP Act, 2023 and receives the highest level of protection on our platform.

🗑️ Parents may request deletion of their child's data at any time by emailing app.swasthyasaathi@gmail.com.
09
Data Security
डेटा सुरक्षा
Security Layer Implementation
Encryption in transit TLS 1.2+ enforced on all connections. Plain HTTP rejected at the load balancer.
Encryption at rest Health fields (PHI/PII) encrypted with AES-256-GCM. Keys managed by AWS KMS (ap-south-1).
Authentication OTP-based login. JWT access tokens (1-hour TTL). Session tokens stored in device SecureStore (encrypted).
Role-based access control RBAC enforced — each user role sees only their permitted data scope.
Database isolation PostgreSQL Row-Level Security (RLS) enforces data separation at the DB layer.
Infrastructure AWS ap-south-1 private VPC. RDS and ElastiCache not publicly accessible.
WAF protection AWS Web Application Firewall guards against SQL injection, XSS, and common exploits.
Audit logging All data access and mutations logged with timestamp, user ID, and action type. Retained 2 years.

If you suspect unauthorised access to your account, contact us immediately: app.swasthyasaathi@gmail.com or +91 9905012304.

10
Data Retention
डेटा प्रतिधारण अवधि
Data Type Retention Period Deletion Method
Child personal health records 3 years from date of screening Permanent deletion; or earlier on parent request
Parent / guardian account Duration of account + 1 year Deleted on account closure request
Doctor / admin accounts Duration of affiliation + 2 years Deleted after offboarding confirmation
Physical consent forms 3 years (secure storage by school) Shredded by school coordinator
OTP session tokens 10 minutes (auto-expired) Automatic Redis TTL expiry
HTTP access logs 30 days Automatic rotation
Audit logs 2 years Secure deletion
Anonymised aggregate research data Indefinitely No personal identifiers present

On receipt of a verified deletion request, personal data is permanently removed from primary databases and all backup copies within 30 days.

11
Your Rights under the DPDP Act, 2023
DPDP अधिनियम 2023 के तहत आपके अधिकार
📂
Access / पहुंच

Request a copy of all personal data we hold about you or your child.

✏️
Correction / सुधार

Request correction of any inaccurate or incomplete data.

🗑️
Erasure / विलोपन

Request permanent deletion of your child's personal data, subject to legal retention obligations.

↩️
Withdraw Consent

Withdraw consent at any time. Does not affect processing already carried out.

🔔
Grievance / शिकायत

File a complaint with our Data Protection Officer. We respond within 30 days.

👤
Nomination / नामांकन

Nominate another person to exercise data rights on your behalf.

To exercise any right, email app.swasthyasaathi@gmail.com with subject line "Data Rights Request — [your name]". We respond within 30 days as required by the DPDP Act, 2023.

If unsatisfied with our response, you may escalate to the Data Protection Board of India once established under the DPDP Act, 2023.

12
OPD Vouchers & Hospital Referrals
OPD वाउचर और अस्पताल रेफरल
⚠️ Please read carefully before acting on any referral generated by the Kidvanta app.
13
Photography & Promotional Content
फोटोग्राफी और प्रचार सामग्री

Photographs or video clips may be taken during health camps for use in Swasthya Saathi's promotional materials and public health awareness campaigns.

Photography consent is entirely optional and is collected separately on the consent form. Your child receives identical screening quality regardless of your choice. You may withdraw photography consent at any time by emailing app.swasthyasaathi@gmail.com.
14
Cookies, Device Storage & Tracking
कुकीज़ और डिवाइस स्टोरेज
15
Changes to This Policy
इस नीति में परिवर्तन

When we update this Privacy Policy, we will:

Continued use of the Kidvanta app after notification of changes constitutes acceptance of the updated policy. If you disagree with any changes, you may contact us to withdraw consent and request data deletion.

16
Contact Us & Data Protection Office
हमसे संपर्क करें

For privacy queries, data rights requests, consent withdrawal, or any concern about your data:

Kidvanta — Data Protection Office
🏢 Swasthya Saathi Healthcare LLP  ·  AIIMS Alumni Health Initiative
📍 Based in Chhattisgarh & Rajasthan — serving schools across India
⏱ We aim to respond to all data rights requests within 30 days as required by the DPDP Act, 2023
`;