Privacy Policy
Last updated: November 10, 2025
My Health - Gheware ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our health and fitness tracking application.
Note: This Privacy Policy covers how we handle your personal data. For information about how we use cookies and similar technologies, please see our Cookie Policy.
1. Information We Collect
1.1 Information You Provide
- Account Information: When you sign in with Google, we collect your name, email address, and profile picture.
- Strava Data: When you connect your Strava account, we access your activities, statistics, and profile information.
1.2 Automatically Collected Information
- Health Data: CGM glucose readings from the Utsah device via Google Fit integration
- Activity Data: Fitness activities, statistics, and performance metrics from Strava
- Usage Information: Log data, device information, and analytics about how you use our service
- Cookies and Tracking: We use cookies and similar technologies as described in our Cookie Policy
2. How We Use Your Information
We use the information we collect to:
- Provide and maintain our health dashboard service
- Display your fitness activities and health metrics
- Generate personalized insights and recommendations
- Analyze trends in your health and fitness data
- Improve and optimize our service
- Communicate with you about your account and our services
3. Data Storage and Security
3.1 Data Storage
We store your data using Google Cloud Firestore, a secure cloud database service. Your activity data and health metrics are encrypted in transit and at rest.
3.2 Security Measures
- OAuth 2.0 authentication for secure sign-in
- Encrypted data transmission using HTTPS
- Secure token management and automatic token refresh
- Access controls and authentication requirements
4. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:
- With Your Consent: We may share information when you explicitly authorize us to do so
- Service Providers: We use Google Cloud Platform and Firestore for hosting and data storage
- Legal Requirements: We may disclose information if required by law or to protect our rights
5. Third-Party Services
Our application integrates with the following third-party services:
- Google OAuth: For authentication and sign-in
- Google Fit API: For accessing CGM glucose data from the Utsah device
- Strava API: For accessing fitness activities and statistics
- Google Cloud Firestore: For secure data storage
- Google Analytics: For usage analytics (only with your consent - see our Cookie Policy)
These services have their own privacy policies, and we encourage you to review them:
- Google Privacy Policy: https://policies.google.com/privacy
- Strava Privacy Policy: https://www.strava.com/legal/privacy
5.1 Google Analytics
We use Google Analytics to understand how users interact with our service. This helps us improve the user experience and identify issues. Google Analytics uses cookies to collect anonymous usage data such as:
- Pages visited and time spent on each page
- Browser type and device information (anonymized)
- Feature usage patterns
- IP addresses (anonymized for privacy)
Important: Google Analytics is only loaded if you provide consent through our cookie consent banner. You can withdraw consent at any time through our Cookie Policy page. We do not track your health data (glucose readings, activities, sleep data) through Google Analytics.
6. Your Rights and Choices
6.1 Access and Control
You have the right to:
- Access your personal data and health information
- Request correction of inaccurate data
- Request deletion of your data
- Disconnect your Strava account at any time
- Revoke Google Fit API access
- Manage cookie preferences and withdraw analytics consent (see Cookie Policy)
- Opt out of Google Analytics tracking using the Google Analytics Opt-out Browser Add-on
6.2 Data Retention
We retain different types of data for varying periods based on legal requirements, service needs, and user preferences:
Account and Profile Data
- User Account: Retained for the lifetime of your account. Deleted within 30 days of account deletion request.
- Profile Information: Name, email, profile picture retained while account is active.
- Authentication Data: OAuth tokens refreshed automatically, expired tokens deleted immediately.
- Terms Acceptance: Retained for legal compliance (minimum 6 years as per Indian law).
Health and Activity Data
- CGM Glucose Data: Retained indefinitely unless you request deletion. You can delete specific date ranges or all CGM data via Settings.
- Strava Activities (Cache): 24 hours for performance optimization, refreshed automatically.
- Strava Activities (Historical): Retained for the lifetime of your account or until you disconnect Strava.
- Sleep Data: Retained for 90 days on a rolling basis. Older sleep sessions automatically deleted.
- AI Insights: Retained for 12 months. Automatically deleted after expiry.
- Nutrition & Medicine Logs: Retained for the lifetime of your account. You can delete individual logs anytime.
System and Operational Data
- Application Logs: Retained for 30 days for debugging and security monitoring.
- Audit Logs: Retained for 6 months for compliance and security purposes.
- Payment Records: Retained for 7 years as required by Indian tax law.
- Analytics Data: Google Analytics retention set to 14 months (only if you consented).
Temporary and Cache Data
- Data Export Files: Deleted automatically 7 days after generation.
- Deletion Requests: Processed within 30 days, request records retained for 90 days for audit.
- Session Tokens: Expired after 30 days of inactivity.
- Redis Cache: TTL-based, automatically expired (varies by data type).
User Control Over Retention
You have control over your data retention:
- Delete specific CGM data by date range
- Delete all sleep data (Settings → Sleep → Delete All Sleep Data)
- Delete nutrition/medicine logs individually
- Disconnect integrations (Strava, Google Fit) to stop new data collection
- Request complete account deletion (all data deleted within 30 days)
- Export your data anytime in JSON format (available for 7 days)
Data Storage Location
All your data is stored in Google Cloud Firestore in the Mumbai, India (asia-south1) data center, ensuring compliance with Indian data localization requirements under the Digital Personal Data Protection Act, 2023.
7. Legal Compliance
7.1 GDPR Compliance (European Users)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
- Right to Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in a portable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw cookie consent at any time without affecting data already processed
Our legal basis for processing your data includes: (a) your consent (for cookies and analytics), (b) contractual necessity (to provide our services), and (c) legitimate interests (to improve our service and ensure security).
7.2 India IT Act Compliance (Indian Users)
We comply with India's Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. We also adhere to the Digital Personal Data Protection Act, 2023.
We implement reasonable security practices to protect your sensitive personal information, including health data. Your consent is obtained before collecting any sensitive data, and you have the right to review and update your information at any time.
7.3 Grievance Redressal Officer
In accordance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Redressal Officer to address your concerns regarding data protection and privacy.
Grievance Redressal Officer
Name: Rajesh Gheware
Designation: Data Protection Officer & Grievance Redressal Officer
Email: privacy@gheware.com
Alternate Contact: grievance@gheware.com
Response Time: We will acknowledge your complaint within 24 hours and resolve it within 30 days.
Filing a Grievance
You may file a grievance if you have concerns about:
- Privacy violations or unauthorized data access
- Data security breaches or incidents
- Incorrect or inaccurate personal data
- Difficulty exercising your rights (access, deletion, export)
- Non-compliance with our Privacy Policy
- Any other data protection concerns
Grievance Process
- Submit: Send your complaint to privacy@gheware.com with subject "Grievance: [Brief Description]"
- Acknowledgment: You will receive an acknowledgment within 24 hours with a reference number
- Investigation: We will investigate your complaint thoroughly
- Resolution: You will receive a resolution within 30 days of filing the complaint
- Escalation: If unsatisfied, you may escalate to CERT-In or appropriate regulatory authorities
Regulatory Contacts (India)
If your grievance is not resolved satisfactorily, you may contact:
- CERT-In (Indian Computer Emergency Response Team): cert-in.org.in
- Ministry of Electronics & IT: meity.gov.in
- Data Protection Board (DPDP Act): As per provisions of the Digital Personal Data Protection Act, 2023
8. Data Breach Notification
In the unlikely event of a data breach that may affect your personal data, we are committed to transparency and timely notification.
8.1 Our Breach Response Process
- Detection: We continuously monitor our systems for security incidents
- Assessment: Upon detecting a breach, we immediately assess the scope and impact
- Containment: We take immediate steps to contain the breach and prevent further unauthorized access
- Notification: We notify affected users within 72 hours of becoming aware of the breach
- Regulatory Reporting: We report to CERT-In and other authorities as required by law
- Remediation: We implement measures to prevent similar breaches in the future
8.2 What We Will Tell You
If your data is affected by a breach, we will notify you via email with:
- Nature of the breach and data affected
- Approximate date and time of the breach
- Potential consequences and risks
- Measures we have taken to address the breach
- Recommended actions you should take
- Contact information for questions
8.3 Your Rights After a Breach
If your data is compromised in a breach, you have the right to:
- Request detailed information about the breach
- Request immediate account security measures (password reset, 2FA)
- Request account deletion if you no longer wish to use the service
- File a complaint with the Grievance Officer or regulatory authorities
- Seek legal remedies as per applicable law
8.4 Reporting a Suspected Breach
If you suspect unauthorized access to your account or a security vulnerability, please report it immediately to security@gheware.com or privacy@gheware.com.
9. Children's Privacy
Our service is not intended for children under 13 years of age (or under 18 in some jurisdictions). We do not knowingly collect personal information from children. If you are a parent or guardian and believe we have collected information from a child, please contact us immediately.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Significant changes will be communicated through email or a prominent notice on our website.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
- Email: privacy@gheware.com
- Data Protection Officer: Rajesh Gheware
- Website: https://health.gheware.com
Related Policies
- Cookie Policy - Learn about how we use cookies and tracking technologies
- Terms of Service - Our terms and conditions