Privacy Policy

Effective date: June 19, 2026

This Privacy Policy describes how Healui handles your personal and health information across our physiotherapy EMR, marketplace, mobile app, AI clinical features, and WhatsApp communications. We are committed to protecting your privacy and complying with India’s Digital Personal Data Protection Act, 2023.

1. Who We Are

Healui ("Healui", "we", "us", or "our") operates an AI-native electronic medical records (EMR) platform and marketplace built for physiotherapy clinics and practitioners. This Privacy Policy explains how we handle your information when you use the Healui Clinic mobile application, our websites and web applications (including app.healui.com), the patient care portal, our marketplace, and any communications we send you (including over WhatsApp).

For the personal data we process, Healui acts as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and applicable Indian law. Where a clinic or physiotherapist uses Healui to deliver care, they direct the processing of their patients’ clinical records, and Healui processes that data on their behalf to provide the service.

By using Healui, you agree to the practices described in this Policy. If you do not agree, please do not use the platform.

2. Information We Collect

We collect the following categories of information:

Identity and contact information

  • Your name, mobile phone number, and (where provided) email address.
  • Address: your service or home address and billing address, where you provide them for home visits or invoicing.
  • Account and profile details, including your role (patient, physiotherapist, clinic staff, or administrator).

Health and clinical information

  • Clinical records created during your care, including symptoms, assessments, conditions, diagnoses, treatment plans, prescriptions, session notes, and outcome measures (PROMs).
  • Information you provide during screening or intake, including responses to questionnaires and body-map or pain inputs.
  • Voice recordings or dictation, where you or your physiotherapist use voice features to capture clinical notes.

Documents, images, and video consultations

  • Documents and images you or your clinic upload, such as imaging results, referrals, prescriptions, and profile photos.
  • Camera and microphone access during video consultations (teleconsultation), used to connect you with your physiotherapist in real time. We do not access your device’s GPS location.

Usage, device, and technical information

  • Device type, operating system, app version, and identifiers needed to operate the mobile app.
  • Log and usage data, such as features used and approximate activity times, used to keep the service secure and reliable.

Billing information

  • Invoices, payment status, and session-pack records associated with your care. Healui does not store full card or bank credentials; payments are handled by our payment partners.

3. How We Use Your Information

We use your information to:

  • Authenticate you and secure your account (we verify your identity using a one-time passcode sent to your phone).
  • Provide physiotherapy care, including scheduling, clinical documentation, treatment planning, and outcome tracking.
  • Enable video consultations (teleconsultation) and voice-assisted clinical documentation.
  • Generate and deliver your care plan, appointment reminders, and follow-up prompts.
  • Produce invoices and manage billing for the care you receive.
  • Operate, maintain, secure, and improve the platform.
  • Comply with legal, regulatory, and record-keeping obligations.

We process your personal data on the basis of your consent and, where applicable, to perform the services you or your clinic have requested, and to meet legal obligations.

4. AI-Assisted Clinical Features

Healui includes AI features that assist physiotherapists — for example, by suggesting differential diagnoses, drafting treatment plans, and helping convert voice notes into structured clinical documentation. These features are a clinical copilot: they assist the physiotherapist, who reviews, edits, and remains responsible for every clinical decision. The AI does not make decisions about your care on its own.

To provide these features, relevant clinical information may be processed by trusted third-party AI providers. Where this happens:

  • We share only the information reasonably necessary to generate the assistance requested.
  • We work with providers that offer data-protection commitments, and we seek arrangements under which your data is not used to train their general-purpose models and is not retained beyond what is needed to return a result.
  • A qualified physiotherapist reviews AI-generated output before it is relied upon for your care.

Some of these AI providers may process data outside India. See "Cross-Border Data Transfers" below.

5. WhatsApp Communications

With your consent, we use WhatsApp to send you appointment reminders, intake links, care-plan notifications, and follow-up prompts. WhatsApp messages are delivered through the WhatsApp/Meta platform, which processes message metadata under its own terms.

We are deliberate about what appears in a WhatsApp message. Sensitive clinical details are not placed in the message body. Instead, we send a secure link that opens your care plan only after you enter a one-time access code, and the link expires after a limited period. This keeps your health information behind an additional layer of verification rather than in the message itself.

You can ask us to stop sending WhatsApp messages at any time by contacting us using the details below.

6. How We Share Information

We share your information only as needed to operate the service:

  • With your treating physiotherapist and clinic, so they can provide and manage your care.
  • With service providers who help us run the platform, including cloud hosting and file storage, authentication, WhatsApp/Meta messaging, and the AI providers described above, acting on our instructions under confidentiality obligations.
  • For legal reasons, where required to comply with applicable law, regulation, legal process, or enforceable governmental request, or to protect the rights, safety, and security of users and the public.
  • In connection with a business transfer, such as a merger or acquisition, subject to this Policy.

We do not sell your personal or health information.

7. Data Storage, Security, and Access

We apply technical and organisational measures designed to protect your information, including:

  • Encryption of data in transit using industry-standard transport security (TLS/HTTPS).
  • Phone-based one-time-passcode authentication for account access.
  • Care-plan links protected by an additional access code, automatic expiry, and lockout after repeated incorrect attempts.
  • Time-limited, signed links for viewing documents, generated only on demand.
  • Access controls that limit clinical records to the treating clinicians and authorised staff involved in your care.

No method of transmission or storage is completely secure, but we work to protect your information and to continually improve our safeguards.

8. Cross-Border Data Transfers

Some of our service providers — including certain cloud, infrastructure, and AI providers — may store or process information on servers located outside India. Where we transfer personal data internationally, we take steps to ensure it remains protected consistent with this Policy and applicable law, including limiting the data shared and selecting providers that offer appropriate data-protection commitments.

By using Healui and consenting to the AI-assisted and communication features described above, you acknowledge that your information may be processed in this way.

9. Your Rights and Choices

Subject to applicable law, including the DPDP Act, you have the right to:

  • Access: request a summary of the personal data we process about you.
  • Correction: ask us to correct inaccurate or incomplete information.
  • Erasure: ask us to delete your personal data, subject to legal and clinical record-keeping requirements.
  • Withdraw consent: withdraw any consent you have given, without affecting processing already carried out.
  • Grievance redressal: raise a concern about how your data is handled (see below).
  • Nominate: nominate another individual to exercise your rights in the event of death or incapacity.

To exercise any of these rights, contact us using the details below. We may need to verify your identity before acting on a request. Note that clinical records may be subject to mandatory retention periods that limit immediate deletion.

11. Data Retention

We retain your information for as long as needed to provide the service and for as long as required to meet legal, regulatory, accounting, and clinical record-keeping obligations. When information is no longer required, we delete or anonymise it.

12. Children’s Privacy

Where care is provided to a child or a person who cannot provide consent on their own behalf, we process their information only with the consent of a parent or lawful guardian, and in connection with the care being delivered. If you believe a child’s information has been provided to us without appropriate consent, please contact us.

13. Grievance Redressal

If you have any concern or complaint about how your personal data is handled, you may contact our Grievance Officer:

  • Grievance Officer, Healui
  • Email: grievance@healui.com

We will acknowledge and address your concern within the timelines required by applicable law.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the effective date above and, where appropriate, notify you. Your continued use of Healui after an update constitutes acceptance of the revised Policy.

15. Contact Us

For any questions about this Privacy Policy or our data practices, contact us:

  • Email: grievance@healui.com
  • Website: https://healui.com