DPDP Act 2023 · India-first

Privacy Policy

Plain-English description of what Kavach collects, why, where it lives, and who can touch it. We treat your health data the way we'd want ours treated.

EFFECTIVE1 June 2026 VERSION1.1 JURISDICTIONIndia · DPDP Act 2023 CONTACT[email protected]

01Who we are

Kavach (कवच) is built by Axivon AI — an India-first health technology company with offices in Bengaluru and Redmond. The legal entity is [FOUNDER CONFIRM: full registered legal name, e.g. "Axivon AI Private Limited"], incorporated in India under the Companies Act, 2013, CIN [FOUNDER CONFIRM: CIN], with its registered office at [FOUNDER CONFIRM: full registered address, Bengaluru, Karnataka, PIN]. Axivon AI is the Data Fiduciary for personal data processed through Kavach as defined by India's Digital Personal Data Protection Act 2023 (DPDP Act) and its implementing Rules of 2025. This Privacy Policy also serves as the privacy notice required under the Information Technology Act, 2000 read with the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011 (SPDI Rules).

For the purposes of this policy, "we" / "us" / "our" means Axivon AI; "you" means any person who signs up for, installs, or uses Kavach; "the App" means the Kavach mobile application and the Axivon AI web surfaces that support it.

02What we collect

We collect the minimum data needed to run the product. Every category below has a corresponding purpose in §03 — if you can't see why we'd need a field, we don't ask for it.

Identity

Phone number (E.164 format) — required for OTP login and as your primary account identifier.
Email address — optional during early-access waitlist; used for invite delivery, account recovery, transactional notifications.
Display name and optional avatar initial — shown on your own screens; never shown to other users.
Date of birth / age band, sex assigned at birth — used to display the appropriate published reference range alongside lab values you log, and to apply age-context filters to Sutra's conversation scope (e.g., preventing the assistant from discussing pediatric topics for adult users).

Health data (the sensitive stuff)

Lab reports — values you scan or enter (HbA1c, lipid panel, TSH, CBC, LFT, KFT, etc.), date of test, lab name when present on the report.
Vitals — blood pressure, glucose readings (manual or CGM-integrated), weight, oxygen saturation.
Activity and lifestyle — steps, workouts, sleep duration, water intake, food logs (name + grams + nutrition).
Health conditions — active conditions you manually enter in the App, or health-related terms that appear as text in documents you upload. OCR-extracted text is stored as-is for your reference; Kavach does not perform clinical interpretation or diagnostic classification of report content.
Medications — name, dose, schedule, start/stop dates that you enter or that appear in documents you scan.
Document images — photographs of lab reports, prescriptions, discharge summaries you scan into the App. Stored on our servers in access-controlled storage; protected by full-disk encryption at the infrastructure level. Not shared with any third party.
Chat history with Sutra — your messages to our in-app AI assistant and its replies, plus an internal "rolling summary" we use for memory continuity.
Notes and tags you add to records.
Derived signals we generate from the data above — your Kavach Score (a composite well-being indicator), Sutra insights and "Sutra cards," daily-energy and activity summaries, and food-personalization signals. These are computed from your own data and are visible only to you.
Doctor Bridge access events — when you share a clinical summary via Doctor Bridge, we log the time of access and the IP-class of the recipient device so you can see who opened your link. See §08 of the Terms of Service.

Device and usage

App version, OS version, device timezone (IANA name) — for build-quality telemetry and correct day-boundary math (no GPS, no precise location).
Crash reports and error stacks — automatically scrubbed of personal data before submission to our error tracker.
Feature usage events — which screens you visited, which actions you completed (not what you typed). Used to find broken flows; never sold.
IP address at the moment of API request — used for rate limiting and abuse defense; retained ≤30 days.

What we do NOT collect

Never

No precise GPS location · No microphone audio (we use the OS's on-device speech-to-text) · No camera roll scanning · No contact list · No SMS reading beyond the OTP we send · No advertising identifiers · No biometric template (the fingerprint/face check happens entirely on your phone, never reaches our servers).

03Why we collect it

Under DPDP Act §6, we operate on the lawful ground of consent for everything except routine app function (§7 legitimate uses). Each category below maps to a specific product purpose.

Data	Purpose	Lawful basis (DPDP)
Phone, OTP	Authenticate you on each device	Consent + §7(a) provision of service
Email	Send confirmation + invite + transactional mail	Consent
Lab reports, vitals, meds	Build your longitudinal timeline; flag values outside reference range; surface trends to you	Explicit consent (sensitive personal data)
Food, steps, sleep	Personalize daily intelligence; CGM × meal correlations	Consent
Chat with Sutra	Generate responses; maintain rolling memory for continuity	Consent
Doctor Bridge link	Share a clinical summary with a doctor of your choosing	Consent (revocable; time-limited)
Crash reports, usage events	Diagnose bugs; prioritize the next feature	§7(g) legitimate use (debug, security)
IP address	Abuse prevention, rate limiting	§7(g) legitimate use
Aggregate, de-identified statistics	Product analytics ("median HbA1c across users", feature adoption); never used for advertising or sold	Consent (covered by the §11 IP license in the Terms of Service)

04Who we share with

The default is nobody. The exceptions below are the only third parties any of your data touches, each under a signed Data Processing Agreement (DPA) limiting them to the purpose listed.

Processor	What they receive	Purpose	Region
Resend	Your email address + the email body we send you	Transactional and invite mail delivery	US (Resend-side)
Twilio / equivalent	Your phone number + the OTP digits	SMS OTP delivery in India	IN
OpenAI (current LLM)	The specific chat prompt + relevant context snippets for your message	Generate Sutra chat replies and extract structured fields from scanned reports. No long-term retention by OpenAI under our enterprise DPA (zero data retention enabled).	US
NVIDIA NIM (planned)	Same as above	Same as above, on India-region NVIDIA infrastructure. Migration target through our NVIDIA Inception membership.	IN target
Cloudflare	Network metadata (IP, request headers) at the edge	DDoS protection, secure tunnel termination	Edge (cached in India)
Sentry	Crash stack traces (PII-scrubbed before send)	Error tracking	EU
Google ML Kit (on-device)	Image bytes of a document during OCR	Text recognition for scanned reports. Runs entirely on your phone; no data is sent to Google from this layer.	On-device

We never

Sell your data · Share it with advertisers · Use it to train third-party models · Hand it to insurers, employers, or marketers. Government / law-enforcement requests: only on receipt of valid Indian legal process, narrowest possible response, and we'll notify you unless legally prohibited.

05How AI uses your data

Kavach's AI features fall into three layers; each treats your data differently.

Layer 1 · Deterministic rules (on-device or on our servers)

Display of lab values alongside their published reference ranges for your personal reference; age-context filters that scope what topics the Sutra assistant will engage with; deterministic safety gates that prevent the assistant from generating dosing, drug-interaction, or diagnostic content. No external service is called. Your data never leaves our perimeter for this layer. These rules are presentation and conversation-scope rules — they do not constitute clinical decision support, do not diagnose any condition, and do not recommend medications or doses.

Layer 2 · On-device AI

Document detection and on-device OCR (Google ML Kit) for the first pass of a scanned report. Runs entirely on your phone. No data leaves the device.

Layer 3 · Cloud LLM (Sutra chat, advanced vision)

When the deterministic layers can't answer, we send the specific prompt and a curated context window (only the fields relevant to your question) to a vetted LLM provider (currently OpenAI; migrating to NVIDIA NIM). The provider returns a response which our safety layer filters before showing it to you.

We do not send your entire history; we send only the slice the prompt needs.
Our enterprise contract with OpenAI has zero data retention enabled — your prompts are not stored on their side and are not used to train any model.
Every cloud-LLM call is logged on our side in an audit table (hash of prompt, provider, latency, token cost) so we can answer "what did you send and when?" with full fidelity.
Sutra never tells you to change your medication dose, stop taking a drug, or self-diagnose. 9 hard-coded output gates + 6 input gates + 48 unit tests enforce this on every reply.

06Where your data lives

Your primary record — labs, vitals, meds, chat history, document images — is stored on Axivon AI infrastructure located in India. Stored data does not leave India.

Cross-border transfers happen only for the limited processor purposes in §04. Specifically: (a) the contents of an individual prompt and a curated context window for it are transferred to OpenAI in the United States for the duration of an LLM inference call, under our enterprise DPA with zero data retention enabled; (b) transactional email metadata is transferred to Resend in the United States; (c) crash telemetry is transferred to Sentry in the European Union. Each destination is a country that has not been restricted by the Central Government under DPDP Act §16(1) read with DPDP Rules 2025, Rule 12 (the cross-border transfer rule). Each transfer is governed by a signed Data Processing Agreement with the recipient. The planned migration of LLM inference to NVIDIA NIM in India will eliminate the OpenAI transfer entirely.

07How long we keep it

Active account: retained for as long as your account is active.
OTP codes: retained for ≤10 minutes; auto-purged.
IP and request logs: ≤30 days, then rotated.
Crash reports: ≤90 days.
Account deletion: hard-delete from primary storage within 30 days of your verified deletion request. We do not currently operate a separate redundant backup of the production database, so deletion within this window is final.
AI call audit log: for each cloud-LLM call we keep a one-row audit record (prompt hash, provider name, latency, token cost — no prompt content, no response content) for up to 90 days, after which it is purged.
Doctor Bridge access log: retained for as long as your account is active so you can see who has opened your shared links, and purged at account deletion per the rules above.
Legal hold: if we receive valid Indian legal process for specific records, we retain only those records until the matter is resolved.

08Your rights under DPDP

The DPDP Act 2023 grants you the following rights with respect to data Axivon AI holds about you. To exercise any of them, write to [email protected] from the email or phone associated with your account. We respond within 30 days.

Right to access — a complete export of every record we hold about you, in machine-readable JSON.
Right to correction — fix or update any field you can't change yourself in the App.
Right to erasure — delete your account and all associated records (subject to §07 retention windows for backups).
Right to withdraw consent — for any optional processing (e.g., Sutra chat, food logging) at any time, from the in-app Settings > Privacy controls (granular per-pipeline toggles) or by email to [email protected]. Withdrawal is as easy as the original consent. The product may degrade gracefully for the affected pipeline but core record storage continues to work.
Right to grievance redressal — see §14 for our Grievance Officer.
Right to nominate — designate another person to exercise your rights in case of your death or incapacity.

Axivon AI has not been notified by the Central Government as a Significant Data Fiduciary under DPDP Act §10. We will update this section if that status changes.

09Children

Kavach is strictly for users aged 18 and above. We do not currently operate a parental-consent pathway, and we do not knowingly collect personal data from any individual under 18. Account creation requires self-declaration of age at sign-up; accounts identified as belonging to a person under 18 will be terminated and the associated data deleted. We do not knowingly process the personal data of any person with a disability who has a lawful guardian, in violation of DPDP Act §9(1). If you are a parent or guardian and you believe your child has created an account, please contact us at [email protected] and we will delete the account and its data within 7 days of verification.

10Security

For the full technical detail, see our Security page. Headlines:

AES-256 full-disk encryption at rest on the storage volumes that hold the production database and uploaded document images. AES-256-GCM application-layer encryption for designated highly sensitive fields (currently: third-party CGM service credentials). We will expand application-layer field encryption to additional sensitive columns and disclose the scope here when that work ships.
TLS 1.3 for everything in transit.
OTP + JWT + optional biometric on cold start.
9 output gates + 6 input gates + 48 unit tests on the AI safety layer.
Suppression list honored on every outbound email.
Audit log of every AI call (prompt hash, provider, latency, cost — no content).

11Cookies and analytics

The Kavach mobile app does not use cookies (it's a native app). Our marketing website (axivon.ai) uses one first-party functional cookie set by Cloudflare for traffic security, and may use a privacy-preserving analytics ping (no third-party tracking pixel, no advertising network). The App itself reports anonymous usage events as described in §02.

12Changes to this policy

When we make a material change, we (a) bump the version above, (b) update the effective date, and (c) email account holders before the change takes effect. The current version is always live at axivon.ai/privacy.

13Personal-data breach notification

If Axivon AI experiences a personal-data breach — meaning any unauthorized processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to your personal data — we will notify you and the Data Protection Board of India in the manner and within the timelines required by DPDP Act §8(6) and DPDP Rules 2025, Rule 7, without undue delay.

Our notice to you will, to the extent then known, describe:

The nature and circumstances of the breach;
The categories of personal data and approximate number of records affected;
The likely consequences for you;
The measures we have taken and are taking to contain and remediate the breach;
The steps you can take to protect yourself;
Contact details for further information.

Notification will be delivered by in-app message and to the email or phone number on your account. The Security page documents our breach incident-response sequence.

14Grievance officer

For any concerns about how Axivon AI handles your personal data, please contact our designated Grievance Officer:

DPDP §13 grievance officer

Sivam Mupparaju
Grievance Officer & Data Protection Officer
Axivon AI · [FOUNDER CONFIRM: full registered office address, Bengaluru, Karnataka, PIN] · India
[email protected] · [email protected]

We will acknowledge your grievance within 3 working days of receipt and provide a substantive response within 30 days, as required by DPDP Rules 2025 and the SPDI Rules, 2011.

If you are not satisfied with our response, you may escalate to the Data Protection Board of India under DPDP Act §27, via the Board's portal at https://dpboard.gov.in once available. You also retain your statutory rights under the Consumer Protection Act, 2019, including the right to approach the appropriate District Consumer Disputes Redressal Commission.