Privacy Policy for AMDHA

Last updated: September 24, 2024

Welcome to AMDHA

Alpha MD Private Limited is committed to protecting the privacy and security of the personal data of the users of our AMDHA mobile application and website. Your privacy is of utmost importance to us. This Privacy Policy outlines who we are and how we collect, store, use, disclose, safeguard and/or share (‘process’) your personal health information when you use our health application AMDHA available at AMDHA – Apps on Google Play

This Policy also explains, what are your rights and how you can exercise your data protection rights.

Please read this notice carefully. This shall help you to make more informed decisions while registering and creating an AMDHA account. By using our app, you agree to the terms of this policy.

Our name and contact details

Alpha MD Private Limited, 19, Unique Industrial Estate, Off V S Marg, Prabhadevi, Mumbai – 400025.

Questions or Concerns? Reading this privacy policy will help you understand your privacy rights and choices. If you still have any questions or concerns, please contact our Data Protection Officer, Ms. Nishi Sharma at the email address nishi.sharma@alphamd.com

To contact Alpha MD’s Support Team: https://www.alphamd.com/connect-us

Further information about Alpha MD is available via our website: https://alphamd.com/

What we do  

AMDHA is a healthcare technology platform that aims to improve patient’s experience and care outcomes. We aim to bring you your health records at one place, and for you to control who sees these records. AMDHA provides real-time patient health information to doctors, which helps them make informed decisions about their patients’ care. The platform also enables self-care by giving patients access to their health information, which empowers them to take a more active role in managing their own health. It facilitates communication between healthcare providers and patients, reducing the risk of hospital readmissions and improving patient satisfaction.

Along with the patients, the AMDHA Service can be used by three other types of users:

1. Carers (Refers to friends, family or anyone you choose to give access to your AMDHA Account)


2. Professionals (
Refers to people working for organisations who have been given access to AMDHA Records because they help to deliver your care. These people have had their identity and qualifications verified, for example, doctors and nurses, and have been trained in handling confidential patient information)


3. Organisations (
Refers to the customers of AMDHA that have information about you and that you can choose to trust to see your records, for example, hospitals or GPs)

1. What information do we collect?

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us. We guarantee that we will collect and process users’ personal information in accordance with our privacy policy and applicable laws and regulations.

The personal information that we collect depends on the context of your interaction with us and the type of user.

A). Health and Care Professionals and Organisations

AMDHA is a platform providing real-time patient health information to doctors and nurses, and to those have been trained in handling confidential patient information, thus helping them to make informed decisions about their patients’ care. If you are working for a healthcare organization that uses AMDHA, we receive information about you in three ways:

  • AMDHA account registration – when you sign up, or are signed up by admin
  • Use of the AMDHA platform 
  • When you contact us directly, for example via email

Your Healthcare professional is accountable for how your information is used in our platform (i.e., they are the “Data Fiduciary”). They either provide us with information, or instruct us to collect this on their behalf, and instruct us how to use it. In such case, Alpha MD therefore operates as a “Data Processor” on behalf of your Healthcare professional and we hold a legal agreement with them that sets out what we do with the data and how we keep it safe and secure.

When an account is created for a professional OR organization within AMDHA, the following information about you is collected:

First name, Middle name, Last name, Gender, Email address, Mobile number and Date of Birth.

We also collect various types of health data while using our application, including:

Lab and Vitals, Medications, Any files, reports and scans, Appointment information, Caregiver details, Medical History, Blood Group and Patient bills

Besides these we also collect data specific to therapeutic condition and the program assigned to the user.

We use this information to create and maintain your account within the AMDHA platform.

If you contact us for support in relation to your use of the AMDHA platform we will use the information you provide to us to respond to your enquiry and to assist you.

B). Patients

The platform enables self-care by giving patients access to their health information, which empowers them to take a more active role in managing their own health. If you are a patient, we receive information about you in two ways:

  • Via healthcare professional or organisations who use the AMDHA platform.
  • If you contact us directly, for example through our email

When an account is created by you within AMDHA, the following information about you is collected:

Personal Information Provided by You. Included in Section 1A

Sensitive information. When necessary, with your consent or as otherwise permitted by applicable law, we may process the following categories:

  • Health data (may include health history, medical conditions, symptoms, medications, fitness data, nutritional information, any other health-related data you provide)

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

When your health or care provider uses the AMDHA platform to communicate with you we will also collect information regarding your medical conditions, diagnoses, treatment plans, diet, medicines, medical tests, lifestyle, and voice recordings.

If you contact us for support in relation to your use of the AMDHA platform we will use any information you provide to us to respond to your enquiry and to assist you.

User will get consent page immediately after setting up password at the first the time. Without excepting required consents user will not be able to proceed further.

You may give, manage, review or withdraw your consent to the Data Fiduciary through a Consent Manager. Email address of our Consent Manager registered with Data Protection Board of India is pratima.kotian@alphamd.com

Information automatically collected. We automatically collect certain information when you visit, use or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device or usage information, such as:

  • IP address
  • Browser and device characteristics
  • Operating system
  • Pages visited
  • Time spent on the app and other technical information

This information is primarily needed to maintain security and operation of our Services, and for our internal analytics and reporting purposes.

2. How do we process your information?

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

  • To facilitate account creation and authentication and otherwise manage user accounts – We may process your information so you can create and log in to your account, as well as keep your account in working order.

  • To respond to user enquiries / offer support to users – We may process your information to respond to your inquiries and solve any potential issues you might have with the requested service.

  • To send administrative information to you – We may process your information to send you details about our product, updates, changes to our terms and policies, and other similar information.

  • To request feedback – We may process your information when necessary to request feedback and to contact you about your use of our Services.

  • Provide, maintain, and improve our health application

  • Analyse app usage and performance to enhance your experience

  • To send you marketing and promotional communications – We may process your information when necessary for our marketing purposes, if this is in accordance with the consent provided. You can opt out of our marketing emails, including newsletters and promotional materials at any time. For more information, see ‘WHAT ARE YOUR PRIVACY RIGHTS?’ below.

  • To save or protect an individual’s vital interest – We may process your information when necessary to save or protect an individual’s or third party’s vital interest, such as to prevent harm.

3. Information disclosure and further use 

We do not use, disclose, sell or rent your information to anyone except as described in this Privacy Policy. If you send us a request for help you are likely to tell us your name and email address. We will only use this information to provide the help you have requested.

We may share your data with third party vendors, service providers, contractors
who perform services on our behalf and require access to such information to do that work. We give those organisations access only to the minimum personal information (for example, IP address or email address) to attain the objective or help you with your queries. They are bound by a contract and a duty of confidentiality to help safeguard your personal information.

The third parties we may share personal information with are as follows:

  • Cloud Computing Service Provider (Amazon Web Services – AWS and Microsoft Azure)
  • Allow Users to Connect to their Third-Party Accounts (Gmail account, Yahoo account etc.)
  • Data Backup and Security (Google One Drive Backup)
  • Functionality and Infrastructure Optimisation (Flairlabs Pvt. Ltd.)
  • Google Analytics, or any other Analytical Tool 

We may also need to share your information in the following scenarios:

  • For Legal Compliance: We may disclose your information if required to do so by law or in response to legal processes or government requests.
  • Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or portion of our business to another company.

  • Business Partners – We may share your personal information with our business partners to offer you certain products, services or promotions.

4. Lawful Basis 

  • Organization-contributed information (AMDHA Record)
    To find out the legal bases for an Organisation that provided your information, you should check their privacy notice.

Organisations providing data are responsible for:

The quality of the information uploaded to AMDHA including the correct privacy labels are with the associated information.

  • Providing access to those in the Organisation who require it

  • Patient-contributed information (AMDHA Account)
    Once you create your AMDHA Account, ALPHA MD is the controller for the information you contribute and relies on the following legal bases:

    Processing under legitimate interests. Processing occurs only after you have voluntarily registered, given consent and you have added information to your AMDHA Account. Your interests, rights and freedoms continue to be protected.
  • Processing that is necessary for the provision of care. ALPHA MD ensures patient information is available to providers, relatives and/or carers to support the delivery of care, as well as assisting the patient to access care services.

    5. Do we use Cookies or other Tracking Technologies?

    We use cookies and similar tracking technologies (Pixels or web beacons) to enhance your experience on our application, maintain the security of our app, prevent crashes and assist with basic functions.

    Specific information about how we use such technologies, type of cookie used, expiry periods and how you can refuse certain cookies is set out in our ‘Cookie Policy.’

    6. How do we keep your information safe? 

    We have put in place appropriate administrative, technical, and physical security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, destroyed, or accessed without authorisation. These safeguards vary based on the sensitivity of the information that we collect and store.

    These measures include confidentiality agreements with third parties, secure development practices, security due diligence of service providers, and ISO 27001-based organisational security policies. We have also put in place procedures to deal with any suspected personal data breaches and will notify you any applicable regulator of a breach where we are legally required to do so. Our security measures are tested at least annually to standards set by the UK National Cyber Security Centre.

    Once you create an AMDHA Account, you are in control of who can access your record and what they can see. The law may override your wishes, e.g., a court order stipulates access by another individual or authority, or in other very rare exceptional circumstances. You can edit or hide information you have added until it has been viewed by a healthcare professional. After a Professional has viewed, it may be retained by the Organisation.

    You cannot edit or hide information others have added. If you would like to change or hide information that has been added by an Organisation about you, for example, if it is incorrect, you must contact that Organisation to request this (Refer Section 7 ‘WHAT ARE YOUR PERSONAL DATA RIGHTS?’). All of your AMDHA data is held securely and is encrypted in storage and in transit.

    AMDHA platform continuously strive and has established compliance with India’s Digital Personal Data Protection Act, 2023. This act provides a framework for data protection, transparency, and accountability, ensuring that users have control over their personal data and that the organization handle it responsibly.

    However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee or promise that hackers, cybercriminals or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal or modify your information.

    7. What are your personal data rights? 

    Where Alpha MD acts as the Data Fiduciary, we will respect your rights under data protection law. We verify all requests through email before actioning them and reserve the right to deny a request where we are unable to verify your identity satisfactorily. This also applies to requests submitted on your behalf by someone else.

    • Access – you have the right to ask us for copies of your personal data. This right always applies. There are some exemptions, which means you may not always receive all the personal data we process. 
    • Rectification – you have the right to ask us to rectify any of your personal data that you think is inaccurate or incomplete or not updated. This right always applies. You can modify your basic personal information through the following path:

    AMDHA App Dashboard More Profile

    • Erasure – you have the right to ask us to erase your personal data where it is no longer required for purpose for which it was collected, or you withdraw your prior consent to us processing it and we have no other legal ground for processing it, or it is being processed unlawfully, or when it must be erased to comply with a legal obligation, or it is being used for direct marketing purposes where we have no legitimate grounds for us doing so. 

    • Restriction – you have the right to ask us to restrict the processing of your personal data where it is inaccurate (allowing us to verify the accuracy), or it is being processed unlawfully (and you want us to stop processing rather than erasing it), or where you have objected to us processing it while we’re verifying whether we have legitimate grounds for processing, or it is no longer required for purpose for which it was collected and you want us to keep it for the establishment, exercise or defence of legal claims. 
    • Portability – this only applies to personal data you have given us. You have the right to ask us to transfer the information you provided us from one organisation to another or give it to you. This only applies if we are processing personal data based on your consent or as part of a contract, or in talks with you about entering into a contract and the processing is automated. 
    • Objection – you have the right to object to processing your personal data if we are using legitimate interests as our lawful basis for processing, or it is being used for direct marketing.
    • Withdrawing consent – you can withdraw your consent that you have previously given to us for one or more specified purposes to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you and we will advise you if this is the case. 
    • Grievance redressal – you shall have the right to have readily available means of grievance redressal in respect of any act or observance of any omission to execute obligations by Alpha MD in relation to the personal data processing or the exercise of your rights under the provisions of Act. 

    You have the right to complain to Data Protection Board of India, only after exhausting this opportunity of grievance redressal with Alpha MD.

    • Nominate – you shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of your death or incapacity, shall exercise your rights. 
    • Delete or hide your AMDHA account, if required / Retention of AMDHA records – This is a complex area of data protection law. Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected or until you ask us to delete it. Your AMDHA Record will only be deleted if the Organisations provide this instruction to ALPHA MD. This is because Professionals may make decisions about your care based on information in your AMDHA Record. This is a similar case to your doctor maintaining records about you for the future safety of your care.

    In general, to comply with the legal obligations in maintaining accurate health records, the following occurs:

      • ALPHA MD does not delete AMDHA Records unless an Organisation asks, normally 8 years after it was last accessed by the Organisation. Where multiple Organisations contribute to your AMDHA Record, each Organisation will need to provide a deletion instruction for data where they are a controller of e.g., Organisation A cannot request deletion of data contributed by Organisation B.
      • Where an Organisation ceases the contract with ALPHA MD, unregistered AMDHA Records that have not been accessed by an Organisation will be deleted within 30 days of contract cessation.
      • Where an Organisation ceases the contract with ALPHA MD, registered AMDHA Records will be retained or deleted at the discretion of the Organisation. Where AMDHA Records are retained, a retention-only contract will be established.
      • ALPHA MD does not delete your AMDHA Account unless you ask, and then we can only delete information that you have added that has not been viewed by a Professional.
      • We do not retain or share face data. This is a Software Development Kit (SDK) based integration, data is not stored at Alpha MD’s end. As for the signal that gets generated, this is a deidentified signal without any identifiable information and we are the data processor entity not a data storage entity. Once the data is processed, we compute the vitals and the data gets deleted.

    If you have any questions or comments about your privacy rights, you may email us at nishi.sharma@alphamd.com

    8. What are your Duties?

    With the rights, comes the duties. We encourage you to perform the following duties:

    • Not to impersonate another person while providing personal data for a specified purpose. 
    • Not to suppress any material information while providing personal data for a specified purpose. 
    • Not to register a false or frivolous complaint or grievance with Alpha MD or Supervisory Authority. 
    • Furnish only verifiably authentic information, while exercising right to rectification or erasure. 

    9. Supplementary material 

      We ensure that your personal data is:

      • Processed lawfully, fairly and in a transparent manner. 
      • Collected only for specified, explicit and legitimate purposes. 
      • Collected is adequate, relevant, and limited to what is necessary in relation to the services that we are providing you. This means we collect the minimum amount of personal data that we need to deliver an individual element of the service (Data minimisation). 
      • Accurate, consistent, and complete i.e. kept up to date. 
      • Not kept in a form which allows for you to be identified for longer than is necessary. 

      10. Emergency care

      In an emergency, Professionals may override the limitation you have put on access to your information. This is called ‘Break the Glass’. When they do this, they must declare the reason they have for accessing your record. AMDHA records this action, and the Organisation reviews it. Break the Glass is only for emergencies when you may lack the capacity to consent (e.g., if you are unconscious) and when (in the Professional’s clinical judgement) it is in your vital interest that the Professional sees your record.

      11. Do you perform Cross-border data transfers outside India? 

      AMDHA do not transfer your data to countries under India’s “negative list”. Where appropriate, cross-border transfers of Personal Data of individuals outside India, are performed using lawful transfer mechanisms pursuant to DPDP. These agreements also incorporate the protections and requirements provided for under Chapter IV of the DPDP.

      12. How processing of Child’s data is carried out? 

      We adopt a range of measures to try to ensure that no information is knowingly solicited from individuals who do not meet the minimum age of 18 (or other applicable age based on your jurisdiction).

      Processing of any personal data of a child or a person with disability, is done through verifiable consent of the parent or lawful guardian. No processing shall be done to cause any detrimental effect on the well-being of your child. Also, AMDHA does not undertake tracking or behavioral monitoring or targeted advertising directed at your child.

      13. What is the Grievance Redressal Mechanism? 

      AMDHA takes your data protection questions and concerns seriously, and we are committed to resolving complaints about our collection or use of your data in a time bound manner. If you believe your data protection rights have been infringed, we encourage you to contact us by sending an email to info@alphamd.com. The Grievance Officer shall redress grievances   expeditiously and within 7 days from the date of receipt of grievance. 

      When a privacy question or access request is received, we have adedicated teamwhich triages the contacts and seeks to address the specific concern or query which you are seeking to raise. Where your issue may be more substantive in nature, more information may be sought from you. If you are unsatisfied with the reply received, you may refer your complaint to the Data Protection Board of India. If you ask us, we will endeavor to provide you with information about relevant complaint avenues which may be applicable to your circumstances.

      14. Audits 

      Data protection and security practices and procedures employed are audited on a regular basis through an independent auditor. The audit of reasonable security practices and procedures is carried out by an auditor at least once a year or as and when AMDHA or a person on its behalf undertake significant upgradation of processes and resources.

      15. Data Protection Impact Assessment (DPIA) 

      This includes identifying and assessing all risks and threats that may affect the data and thereby protecting the data confidentiality via undertaking necessary steps as may be deemed to be considered necessary. This DPIA has been carried out at the start of this major project involving the use of personal data as it has the potential to result in significant change to existing processes.

      16. How can you Contact Us about this Notice?

      If you have any questions or comments about this Notice, you may contact our Data Protection Officer (DPO) by email at nishi.sharma@alphamd.com or contact us by post at:

      Alpha MD Private Limited

      Data Protection Officer

      19, Unique Industrial Estate, Off V S Marg,

      Prabhadevi, Mumbai – 400025

      India

      17. Changes to This Privacy Notice

      We may update our Privacy Notice from time to time. The updated version will be indicated by an updated ‘Revised’ date at the top of this privacy notice. We will notify you of any changes either by prominently posting a notice of such changes or directly send you a notification about the new version. This may further trigger re-consenting of users before continued use of the app (if consent was the lawful basis).

      We encourage you to review this Privacy Policy periodically to be informed of how we are protecting your information.