🔒 Privacy Policy

WeCare Privacy Policy

A full, transparent account of how we collect, use, protect, and retain your personal and health data across every platform.

📅 Effective: June 2026 📱 iOS · Android · Web 🏥 Healthcare Grade
Compliant with:
🇪🇺 GDPR
🇺🇸 CCPA / CPRA
🇮🇳 DPDPA 2023
🍎 Apple App Store
▶ Google Play
📋 HIPAA-Adjacent
👶 COPPA
Plain-language summary: We collect your name, contact details, and healthcare records to provide our services. We do not sell your data. Health records are kept for 7 years as required by law. You can request deletion of your account data at any time. This policy applies to our iOS app, Android app, and website.

1 Introduction

WeCare Healthcare ("WeCare", "we", "our", or "us") operates the WeCare mobile application for iOS and Android, and the website at we-care.life (collectively, the "Platform"). We are committed to respecting and protecting the privacy of all users — patients, doctors, nurses, hospital administrators, and visitors alike.

This Privacy Policy explains in full detail:

  • What personal data we collect and why
  • How we use, store, and protect your data
  • How long we retain each category of data
  • Who we share your data with
  • Your rights and how to exercise them
  • How to contact us or our Data Protection Officer

By creating an account or using the Platform, you confirm that you have read and understood this policy. If you do not agree with any part of it, please discontinue use of the Platform.

2 Scope & Applicability

This Privacy Policy applies to:

  • WeCare iOS Application — distributed via the Apple App Store
  • WeCare Android Application — distributed via the Google Play Store
  • WeCare Website — accessible at we-care.life and all subdomains
  • WeCare Provider Application — used by medical professionals and hospital admins
  • APIs and Backend Services — that power all of the above

This policy does not apply to third-party websites or services linked from our Platform. We encourage you to review the privacy policies of any third parties you interact with.

3 Data We Collect

We collect only the minimum data necessary to deliver our services. The categories below describe everything we may collect.

3.1 — Data You Provide Directly

  • Identity Data: Full name, date of birth, gender, profile photo
  • Contact Data: Email address, mobile phone number, home address
  • Authentication Data: Password (hashed & salted — never stored in plain text), OTP codes
  • Health & Medical Data: Medical history, symptoms, appointment notes, prescription records, diagnostic reports uploaded by you or your care team
  • Provider Data: Professional qualifications, license numbers, specialty, availability schedule (for doctors and nurses)
  • Payment Data: Payment method type, last 4 digits, billing address. Full card numbers are handled exclusively by our PCI-DSS compliant payment processor and are never stored on our servers.
  • Support Communications: Messages sent to our support team, feedback, and reviews

3.2 — Data Collected Automatically

  • Device Identifiers: Device model, operating system version, unique device ID, advertising identifier (IDFA / GAID) — only if you grant permission
  • Log Data: IP address, browser type, pages visited, timestamps, crash reports, and error logs
  • Location Data: Approximate location (city/region) derived from IP address for fraud prevention. Precise GPS location is only collected if you explicitly grant permission in the app (used to find nearby providers).
  • Usage Data: Feature interactions, tap events, session duration, and navigation patterns (anonymized)
  • Camera / Photo Library: Only accessed when you choose to upload a profile photo or medical document. No silent background access.
  • Contacts: We do not access your contacts.
  • Microphone: We do not access your microphone.

3.3 — Data from Third Parties

  • Social Login Providers: If you sign in with Google or Apple, we receive your name, email, and provider user ID. We do not receive your social media posts, friends list, or any other data.
  • Apple Sign In: We respect Apple's requirement to allow users to hide their email address. If you use "Hide My Email", we store Apple's relay address.
  • Payment Processors: Transaction confirmation, payment status, and fraud-risk scores from our payment gateway.
ℹ️
We do not collect sensitive personal attributes such as race, ethnicity, political opinions, religious beliefs, or trade union membership. Health data collected is used solely to facilitate your medical care.

4 How We Use Your Data

Every use of your data has a clear, specific purpose:

4.1 — Service Delivery

  • Creating and managing your user account
  • Matching patients with appropriate doctors, nurses, and hospital services
  • Facilitating appointment booking, room reservations, and equipment rental
  • Processing payments and issuing receipts
  • Enabling in-app chat between patients and care providers
  • Displaying provider analytics and earnings to healthcare professionals

4.2 — Safety & Security

  • Verifying your identity during registration and login (OTP / email verification)
  • Detecting and preventing fraud, abuse, and unauthorized access
  • Monitoring for suspicious activity patterns
  • Sending critical security alerts (e.g., new login from unrecognized device)

4.3 — Communication

  • Sending appointment confirmation, reminder, and cancellation notifications
  • Delivering booking status updates and payment receipts
  • Responding to your support requests within 72 hours
  • Sending optional marketing emails (only with your explicit opt-in consent)

4.4 — Platform Improvement

  • Analyzing anonymized, aggregated usage patterns to improve the user experience
  • Diagnosing technical bugs and performance issues from crash reports
  • A/B testing new features on an opt-in basis

4.5 — Legal & Compliance

  • Complying with applicable laws, court orders, and regulatory requirements
  • Maintaining medical records as mandated by the Indian Medical Council Act
  • Resolving disputes and enforcing our Terms of Service
We do not use your data for: automated profiling that produces legal effects, selling your personal data to advertisers, training third-party AI models, or any purpose not listed in this policy.

5 Legal Basis for Processing (GDPR Article 6)

For users in the European Economic Area (EEA) and United Kingdom, our processing is based on the following lawful grounds:

  • Contract Performance (Art. 6(1)(b)): Processing your name, contact details, and booking information to fulfil your appointment and service requests.
  • Legitimate Interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and platform analytics, provided these do not override your fundamental rights.
  • Legal Obligation (Art. 6(1)(c)): Retaining medical and financial records as required by law.
  • Consent (Art. 6(1)(a)): Sending marketing communications, using precise GPS location, and optional analytics. You may withdraw consent at any time.
  • Vital Interests (Art. 6(1)(d)): Processing health data in emergency medical situations where consent cannot be obtained.
  • Special Category Health Data (Art. 9(2)(h)): Processing medical and health data for the purpose of providing healthcare services by qualified medical professionals, subject to professional secrecy obligations.

6 Data Retention

We retain your data for the minimum period required to fulfil the purpose for which it was collected, comply with legal obligations, and resolve disputes. The table below specifies exact retention periods for every data category:

Data Category Retention Period Reason / Legal Basis
Account & Profile Data
Name, email, phone, photo
Active account + 30 days post-deletion Service delivery
Health & Medical Records
Diagnoses, appointment notes, prescriptions
7 years from last appointment Legal obligation
Payment & Transaction Data
Receipts, payment status, amounts
5 years Legal obligation
Authentication Logs
Login timestamps, IP addresses
12 months Legitimate interest
Chat & Support Messages 2 years Legitimate interest
Crash Reports & Error Logs 90 days Legitimate interest
Usage Analytics (anonymized) Indefinite Legitimate interest
Marketing Consent Records Until withdrawn + 3 years Legal obligation
Backup Copies
All categories above
Maximum 90 days after deletion Operational
Regulatory Investigation Data Duration of investigation + 1 year Legal obligation
⚠️
Even after your account is deleted, medical records required by law (7 years) cannot be immediately erased. These records will be anonymized to the greatest extent possible while still meeting legal retention requirements.

You may request early deletion of any non-legally-mandated data by emailing privacy@we-care.life. We will respond within 30 days and confirm what data was deleted and what must be retained under law.

7 Data Sharing & Third Parties

We do not sell, rent, or trade your personal data — ever. We share data only in the limited circumstances below:

7.1 — Healthcare Providers

Your health information is shared with the specific doctor, nurse, or hospital you have booked an appointment with. This sharing is necessary to deliver your care and is subject to their professional confidentiality obligations.

7.2 — Service Providers & Sub-processors

We engage third-party companies that process data on our behalf under strict Data Processing Agreements (DPAs):

Provider Purpose Data Shared Privacy Policy
Twilio SMS OTP delivery Mobile number View ↗
Payment Gateway Payment processing Amount, payment token Provider policy applies
Cloud Hosting (AWS / similar) Secure data storage All encrypted app data ISO 27001 certified
Firebase Crashlytics Crash & error reporting Anonymized crash logs View ↗
Google (Sign In) Social authentication Name, email (if using Google Sign In) View ↗
Apple (Sign In) Social authentication Name, email or relay address View ↗

7.3 — Legal Disclosures

We may disclose your data to courts, regulators, or law enforcement if required by a valid court order, subpoena, or applicable law. We will notify you of such requests unless legally prohibited from doing so.

7.4 — Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all assets, your data may be transferred to the acquiring entity. We will notify you at least 30 days before such a transfer and give you the opportunity to delete your account beforehand.

🚫
We explicitly never: sell your data to advertisers, share your health data with insurance companies for underwriting, allow third parties to access your data for their own marketing, or share data with your employer without your explicit consent.

8 Data Security

We implement a multi-layered security architecture to protect your data:

8.1 — Technical Measures

  • Encryption in Transit: All data is encrypted using TLS 1.2+ / HTTPS on all connections. No plain-text API communication is permitted.
  • Encryption at Rest: Database records containing personal and health data are encrypted using AES-256 at rest.
  • Password Security: Passwords are hashed using bcrypt with a unique salt. They are never stored or logged in plain text.
  • JWT Authentication: API sessions use signed JSON Web Tokens with short expiry windows, minimizing the impact of token theft.
  • Certificate Pinning: Mobile apps implement SSL certificate pinning to prevent man-in-the-middle attacks.
  • Input Validation & SQL Injection Prevention: All user inputs are validated and parameterized queries are used throughout.

8.2 — Organisational Measures

  • Access to production data is restricted to authorized personnel on a need-to-know basis
  • All staff with data access undergo annual privacy and security training
  • We conduct periodic third-party security audits and penetration tests
  • We maintain a written incident response plan
  • Subprocessors are vetted and bound by Data Processing Agreements

8.3 — Breach Notification

In the event of a data breach affecting your personal data, we will:

  1. Notify the relevant Data Protection Authority within 72 hours of becoming aware (as required by GDPR Article 33)
  2. Notify affected users without undue delay if the breach poses a high risk to their rights
  3. Provide full details of the breach, the data affected, and steps taken

9 International Data Transfers

Your data is primarily stored on servers located in India. However, some sub-processors (listed in Section 7) may process data in other jurisdictions. For any such transfers involving EEA data, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): EU-approved transfer mechanisms are in place with all international sub-processors handling EEA data.
  • Adequacy Decisions: Where applicable, we rely on adequacy decisions made by the European Commission.
  • DPDPA Compliance: Cross-border transfers of Indian user data comply with the Digital Personal Data Protection Act 2023 requirements and any Rules issued thereunder.

10 Cookies & Tracking Technologies

Our website uses cookies. Our mobile apps do not use browser cookies but may use equivalent device-based identifiers where you have granted permission.

10.1 — Cookie Categories

  • Strictly Necessary Cookies: Required for the website to function (session management, CSRF protection, load balancing). Cannot be disabled. No consent required.
  • Functional Cookies: Remember your preferences (language, timezone, display settings). Enabled by default; can be disabled without affecting core functionality.
  • Analytics Cookies: Collect anonymized data about how you use our website (pages visited, time spent). Require your consent. You may opt out at any time.
  • Marketing Cookies: We do not use marketing or advertising cookies on our platform.

10.2 — Managing Cookies

You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies will impair platform functionality. To opt out of analytics, use the cookie preference panel accessible via the "Cookie Settings" link in our website footer.

10.3 — Do Not Track (DNT)

Our website respects the Do Not Track browser signal. When DNT is enabled, we disable all non-essential analytics tracking for your session.

11 Push Notifications

Our mobile apps may send push notifications to your device. These notifications include:

  • Transactional Notifications (default on): Appointment reminders, booking confirmations, cancellations, and payment receipts. These are essential service notifications.
  • Promotional Notifications (opt-in only): Health tips, new feature announcements, and offers. Only sent if you explicitly grant permission.

You can manage all notification preferences:

  • iOS: Settings → Notifications → WeCare
  • Android: Settings → Apps → WeCare → Notifications
  • In-App: Profile → Notifications settings

Disabling transactional notifications may cause you to miss critical appointment information. We recommend keeping them enabled.

📱
Apple App Tracking Transparency (ATT): On iOS 14.5 and later, we will ask for your permission before accessing the Advertising Identifier (IDFA). If you decline, we will not track you across other apps or websites for advertising purposes.

12 Health & Sensitive Data

Health data is the most sensitive category of data we handle and is subject to additional protections beyond those described elsewhere in this policy.

12.1 — How Health Data is Used

  • Health information is used exclusively to facilitate your medical appointments, care coordination, and service delivery
  • Your health data is shared only with the specific healthcare provider you have booked with
  • We do not use health data to profile you, make automated decisions about you, or derive inferences for non-medical purposes
  • We do not sell or license health data to insurers, pharmaceutical companies, or data brokers

12.2 — Healthcare Professional Access

Doctors and nurses on our platform are bound by professional confidentiality obligations under applicable medical laws. Their access to patient data is logged and audited. Unauthorized access is subject to immediate account termination and potential legal action.

12.3 — Apple HealthKit / Google Health Connect

Our app does not currently integrate with Apple HealthKit or Google Health Connect. If we introduce this feature in the future, we will update this policy and request explicit permission before accessing any health sensor data.

13 Children's Privacy

Our Platform is designed for users aged 13 and above (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children under 13.

  • If you are under 13, you must not use this Platform or provide any personal information to us
  • If a parent or guardian believes their child has provided us with personal information, they should contact us immediately at privacy@we-care.life
  • Upon verification, we will delete all such data within 5 business days
  • In jurisdictions where the age of digital consent is higher than 13 (e.g., 16 in some EU member states), the higher age applies
  • For users between 13–18, parental consent is recommended for healthcare-related bookings
⚠️
We comply with the Children's Online Privacy Protection Act (COPPA) in the United States and equivalent provisions under GDPR and the Indian DPDPA regarding minors.

14 Your Privacy Rights

Regardless of your location, you have the following rights. We respond to all verifiable requests within 30 days.

📋

Right to Access

Request a full copy of the personal data we hold about you in a readable format.

✏️

Right to Correction

Request correction of inaccurate or incomplete personal data. Update most data directly in the app.

🗑️

Right to Erasure

Request deletion of your data. Subject to mandatory legal retention obligations (see Section 6).

📦

Data Portability

Receive your data in a structured, machine-readable format (JSON or CSV) to transfer elsewhere.

⏸️

Right to Restrict

Request that we restrict processing of your data while a dispute about accuracy or lawfulness is resolved.

🙅

Right to Object

Object to processing based on legitimate interests or direct marketing at any time.

🤖

Automated Decisions

Right not to be subject to solely automated decisions that significantly affect you without human review.

↩️

Withdraw Consent

Withdraw any previously given consent at any time without affecting prior processing.

How to Exercise Your Rights

  • In-App: Profile → Account Details for name/email changes; Profile → Privacy & Security for password and account deletion
  • By Email: Send a request to privacy@we-care.life with the subject "Privacy Rights Request"
  • Response Time: We acknowledge within 5 days and complete requests within 30 days (extendable to 60 days for complex requests with notice)
  • Identity Verification: We may ask you to verify your identity to protect against fraudulent requests

If you believe your rights have been violated, you have the right to lodge a complaint with your local data protection authority — for example, the Data Protection Board of India, the Information Commissioner's Office (ICO) in the UK, or your EU member state's supervisory authority.

15 California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights:

  • Right to Know: Know the categories of personal information we collect, the purposes for which it is used, and with whom it is shared
  • Right to Delete: Request deletion of personal information we have collected about you
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale / Sharing: We do not sell or share California residents' personal information for cross-context behavioral advertising. No opt-out is required, but you may contact us to confirm.
  • Right to Limit Sensitive Personal Information: Limit how we use and disclose sensitive personal information, including health data
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights

Shine the Light Law: California Civil Code Section 1798.83 permits California residents to request once per year, free of charge, a list of third parties to whom we disclosed personal information for direct marketing. We do not engage in such disclosure. Contact privacy@we-care.life to confirm.

16 India Privacy Rights (DPDPA 2023)

As a service operating in India, we comply with the Digital Personal Data Protection Act 2023 (DPDPA). Indian users ("Data Principals") have the following rights:

  • Right to Information: Know what personal data we process and the purposes of processing
  • Right to Correction & Erasure: Request correction of inaccurate data and deletion of data no longer needed
  • Right to Grievance Redressal: File a complaint with our Grievance Officer (see Section 19) within the timelines prescribed
  • Right to Nominate: Nominate a representative to exercise these rights on your behalf in the event of death or incapacity
  • Consent-Based Processing: Where we rely on consent as the lawful basis, consent is obtained before collection, is specific to each purpose, and is withdrawable at any time

Consent Manager: We do not currently use a Consent Manager as defined under the DPDPA. If Consent Manager regulations require us to register or integrate one, we will update this policy accordingly.

Grievance Officer (India): As required by the DPDPA and IT Act, our designated Grievance Officer can be reached at grievance@we-care.life. Grievances will be acknowledged within 24 hours and resolved within 30 days.

17 Account Deletion

You may delete your WeCare account at any time. We provide a self-service deletion option directly in the app:

  1. Open the WeCare app and go to Profile
  2. Tap Privacy & Security
  3. Scroll to Delete Account and confirm with your password

Alternatively, email privacy@we-care.life with subject "Account Deletion Request".

What Happens When You Delete Your Account

  • Your profile, name, email, phone number, and photo are permanently deleted within 30 days
  • Any active bookings will be cancelled and you will receive a refund per our cancellation policy
  • Health records are retained for 7 years as required by law (anonymized to the maximum extent possible)
  • Payment transaction records are retained for 5 years for tax compliance
  • Backup copies containing your data are purged within 90 days of the deletion confirmation
  • You will receive an email confirming what was deleted and what was retained and why
ℹ️
Account deletion is irreversible. Once processed, your account cannot be reactivated. If you wish to use WeCare in the future, you will need to create a new account.

18 Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do:

  • The "Last Updated" date at the top of the policy will be revised
  • For material changes (changes that meaningfully affect your rights or how we use your data), we will notify you via email and/or a prominent in-app notification at least 30 days before the change takes effect
  • For minor changes (typo fixes, clarifications, non-material additions), we will update the policy without advance individual notice
  • Your continued use of the Platform after the effective date constitutes acceptance of the updated policy
  • If you do not accept material changes, you may delete your account before the effective date

We recommend reviewing this policy periodically. A version history is available on request by emailing privacy@we-care.life.

19 Contact Us & Data Protection Officer

If you have any questions about this Privacy Policy, wish to exercise your rights, or have a concern about how we handle your data, please contact us through any of the following channels. We are committed to responding promptly and transparently.

✉️

Privacy Requests

privacy@we-care.life
For data access, deletion, correction, and rights requests.

⚖️

Grievance Officer (India)

grievance@we-care.life
As required under IT Act & DPDPA 2023.
Response within 30 days.

🔒

Security Issues

security@we-care.life
To report a vulnerability or suspected data breach. We practice responsible disclosure.

🏢

Registered Address

WeCare Healthcare Technologies
Medical District, India
contact@we-care.life

Response Commitments

  • Acknowledgement: Within 24–72 hours of receiving your request
  • Full Response: Within 30 days (extendable to 60 days for complex requests, with written notice)
  • Data Breach Notification: Within 72 hours to regulators; without undue delay to affected users
  • Grievance Resolution (India): Within 30 days as required by DPDPA