How the Kidvanta app collects, uses, and protects your child's health data
through the Swasthya Saathi School Health Screening Programme.
Last updated: May 2025
· Version 2.0
This Privacy Policy explains how Swasthya Saathi Healthcare LLP ("we", "us", "our"),
operating as the AIIMS Alumni Initiative and delivering services through the
Kidvanta platform, collects, uses, stores, and protects personal data when you
use the Kidvanta mobile application (com.aiims.swasthyasaathi), the administrative
dashboard, or participate in a Swasthya Saathi school health camp.
This policy is fully compliant with the Digital Personal Data Protection (DPDP) Act, 2023 (India) and meets the requirements of the Google Play Store and Apple App Store for apps handling health and children's data.
Swasthya Saathi Healthcare LLP is India's first preventive healthcare programme for schools, delivering comprehensive, painless health screenings directly to school campuses — conducted by AIIMS Alumni-trained doctors following WHO, AAP, and IAP guidelines. The Kidvanta app is our digital platform serving doctors, parents, and school administrators.
| Detail | Information |
|---|---|
| Legal Entity | Swasthya Saathi Healthcare LLP |
| Platform Name | Kidvanta |
| Initiative | AIIMS Alumni Health Initiative |
| App Package | com.aiims.swasthyasaathi |
| Website | www.swasthyasaathi.org |
| Governing Law | DPDP Act, 2023 (India) |
| Data Storage Region | AWS ap-south-1 — Mumbai, India |
| Service Coverage | Chhattisgarh, Rajasthan & schools across India |
| Support Email | app.swasthyasaathi@gmail.com |
| Phone | +91 9905012304 |
The Kidvanta app requests the following device permissions. We only request permissions that are essential for the app's core functionality:
| Permission | Why It Is Needed | When Requested |
|---|---|---|
| Camera | Scan student QR code barcodes at camp check-in. No photos are taken or stored. | When doctor opens the QR scanner screen |
| Internet | Communicate with the Kidvanta backend API (AWS Mumbai) to submit and retrieve health records. | Always (required for app to function) |
| Notifications | Deliver in-app alerts about health report availability and camp updates to parents. | On first app launch (optional, can be denied) |
| Secure Storage | Store your encrypted login session token locally on the device so you stay logged in. | At login (uses platform SecureStore, not external storage) |
| Purpose | Data Used |
|---|---|
| OTP-based authentication | Mobile number, session tokens |
| Conduct and record health screenings at camp | Child health data, doctor assignment, camp data |
| Generate and deliver health report to parent via app | Child health data, parent contact |
| Generate OPD voucher for flagged conditions (select packages only) | Triage flag, child identity, package type |
| WhatsApp / digital notification of report availability and follow-up recommendations | Mobile number, triage status |
| Parent pre-screening questionnaire | Parent responses, child profile |
| Share flag status and aggregate stats with school's DAP (see Section 7) | Flag status, school-level aggregates only |
| 6-month follow-up and repeat camp management | Child identity, previous triage report |
| Anonymous, aggregated internal research to improve screening protocols | De-identified aggregate data only — individual never identifiable |
| Platform operation, debugging, and improvement | Crash logs, anonymous usage metrics |
| Legal and regulatory compliance | Audit logs, access records |
We share data only in the following strictly limited circumstances:
| Recipient | Data Shared | Purpose | Safeguard |
|---|---|---|---|
| Amazon Web Services (AWS ap-south-1) | All platform data | Hosting, database, storage, KMS encryption | Data Processing Agreement; data never leaves India |
| MSG91 (SMS gateway) | Mobile number only | OTP delivery | Number used solely for SMS; not retained beyond delivery |
| WhatsApp Business API | Mobile number, notification text | Health report delivery and follow-up reminders | Used only with explicit consent on the consent form |
| School DAP | Flag status, aggregate stats only | Institutional health coordination (see Section 7) | No detailed clinical data; no mental health data; no full report |
| Empanelled Hospitals | Referral coordination data (where OPD voucher applicable) | Follow-up consultation facilitation | Only for flagged cases; commercial arrangement disclosed in Section 12 |
| Legal / Regulatory Authorities | As required by law | Compliance with court orders or government directives | Only when legally compelled; minimum necessary data |
Each school appoints a Designated Authorised Person (DAP) — the Principal, School Owner, or Health Coordinator — as the institutional contact for student health matters. The following strict data boundaries apply:
| ✓ Shared with DAP | ✗ Never Shared with DAP |
|---|---|
| Overall flag status only: Green / Yellow / Red | Detailed clinical findings or raw test scores |
| Generic referral recommendation ("Follow up with a doctor") | Full individual health report (parent-only access via app) |
| School-level aggregate health statistics | Mental health (SDQ) data — governed by separate consent form |
The Kidvanta app is purpose-built to screen school-going children. All child health data is classified as sensitive personal data under the DPDP Act, 2023 and receives the highest level of protection on our platform.
| Security Layer | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ enforced on all connections. Plain HTTP rejected at the load balancer. |
| Encryption at rest | Health fields (PHI/PII) encrypted with AES-256-GCM. Keys managed by AWS KMS (ap-south-1). |
| Authentication | OTP-based login. JWT access tokens (1-hour TTL). Session tokens stored in device SecureStore (encrypted). |
| Role-based access control | RBAC enforced — each user role sees only their permitted data scope. |
| Database isolation | PostgreSQL Row-Level Security (RLS) enforces data separation at the DB layer. |
| Infrastructure | AWS ap-south-1 private VPC. RDS and ElastiCache not publicly accessible. |
| WAF protection | AWS Web Application Firewall guards against SQL injection, XSS, and common exploits. |
| Audit logging | All data access and mutations logged with timestamp, user ID, and action type. Retained 2 years. |
If you suspect unauthorised access to your account, contact us immediately: app.swasthyasaathi@gmail.com or +91 9905012304.
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Child personal health records | 3 years from date of screening | Permanent deletion; or earlier on parent request |
| Parent / guardian account | Duration of account + 1 year | Deleted on account closure request |
| Doctor / admin accounts | Duration of affiliation + 2 years | Deleted after offboarding confirmation |
| Physical consent forms | 3 years (secure storage by school) | Shredded by school coordinator |
| OTP session tokens | 10 minutes (auto-expired) | Automatic Redis TTL expiry |
| HTTP access logs | 30 days | Automatic rotation |
| Audit logs | 2 years | Secure deletion |
| Anonymised aggregate research data | Indefinitely | No personal identifiers present |
On receipt of a verified deletion request, personal data is permanently removed from primary databases and all backup copies within 30 days.
Request a copy of all personal data we hold about you or your child.
Request correction of any inaccurate or incomplete data.
Request permanent deletion of your child's personal data, subject to legal retention obligations.
Withdraw consent at any time. Does not affect processing already carried out.
File a complaint with our Data Protection Officer. We respond within 30 days.
Nominate another person to exercise data rights on your behalf.
To exercise any right, email app.swasthyasaathi@gmail.com with subject line "Data Rights Request — [your name]". We respond within 30 days as required by the DPDP Act, 2023.
If unsatisfied with our response, you may escalate to the Data Protection Board of India once established under the DPDP Act, 2023.
Photographs or video clips may be taken during health camps for use in Swasthya Saathi's promotional materials and public health awareness campaigns.
HttpOnly, Secure, SameSite=Strict
session cookie maintains your login. No tracking or advertising cookies are used.
When we update this Privacy Policy, we will:
Continued use of the Kidvanta app after notification of changes constitutes acceptance of the updated policy. If you disagree with any changes, you may contact us to withdraw consent and request data deletion.
For privacy queries, data rights requests, consent withdrawal, or any concern about your data: