WeCare Privacy Policy
A full, transparent account of how we collect, use, protect, and retain your personal and health data across every platform.
1 Introduction
WeCare Healthcare ("WeCare", "we", "our", or "us") operates the WeCare mobile application for iOS and Android, and the website at we-care.life (collectively, the "Platform"). We are committed to respecting and protecting the privacy of all users — patients, doctors, nurses, hospital administrators, and visitors alike.
This Privacy Policy explains in full detail:
- What personal data we collect and why
- How we use, store, and protect your data
- How long we retain each category of data
- Who we share your data with
- Your rights and how to exercise them
- How to contact us or our Data Protection Officer
By creating an account or using the Platform, you confirm that you have read and understood this policy. If you do not agree with any part of it, please discontinue use of the Platform.
2 Scope & Applicability
This Privacy Policy applies to:
- WeCare iOS Application — distributed via the Apple App Store
- WeCare Android Application — distributed via the Google Play Store
- WeCare Website — accessible at we-care.life and all subdomains
- WeCare Provider Application — used by medical professionals and hospital admins
- APIs and Backend Services — that power all of the above
This policy does not apply to third-party websites or services linked from our Platform. We encourage you to review the privacy policies of any third parties you interact with.
3 Data We Collect
We collect only the minimum data necessary to deliver our services. The categories below describe everything we may collect.
3.1 — Data You Provide Directly
- Identity Data: Full name, date of birth, gender, profile photo
- Contact Data: Email address, mobile phone number, home address
- Authentication Data: Password (hashed & salted — never stored in plain text), OTP codes
- Health & Medical Data: Medical history, symptoms, appointment notes, prescription records, diagnostic reports uploaded by you or your care team
- Provider Data: Professional qualifications, license numbers, specialty, availability schedule (for doctors and nurses)
- Payment Data: Payment method type, last 4 digits, billing address. Full card numbers are handled exclusively by our PCI-DSS compliant payment processor and are never stored on our servers.
- Support Communications: Messages sent to our support team, feedback, and reviews
3.2 — Data Collected Automatically
- Device Identifiers: Device model, operating system version, unique device ID, advertising identifier (IDFA / GAID) — only if you grant permission
- Log Data: IP address, browser type, pages visited, timestamps, crash reports, and error logs
- Location Data: Approximate location (city/region) derived from IP address for fraud prevention. Precise GPS location is only collected if you explicitly grant permission in the app (used to find nearby providers).
- Usage Data: Feature interactions, tap events, session duration, and navigation patterns (anonymized)
- Camera / Photo Library: Only accessed when you choose to upload a profile photo or medical document. No silent background access.
- Contacts: We do not access your contacts.
- Microphone: We do not access your microphone.
3.3 — Data from Third Parties
- Social Login Providers: If you sign in with Google or Apple, we receive your name, email, and provider user ID. We do not receive your social media posts, friends list, or any other data.
- Apple Sign In: We respect Apple's requirement to allow users to hide their email address. If you use "Hide My Email", we store Apple's relay address.
- Payment Processors: Transaction confirmation, payment status, and fraud-risk scores from our payment gateway.
4 How We Use Your Data
Every use of your data has a clear, specific purpose:
4.1 — Service Delivery
- Creating and managing your user account
- Matching patients with appropriate doctors, nurses, and hospital services
- Facilitating appointment booking, room reservations, and equipment rental
- Processing payments and issuing receipts
- Enabling in-app chat between patients and care providers
- Displaying provider analytics and earnings to healthcare professionals
4.2 — Safety & Security
- Verifying your identity during registration and login (OTP / email verification)
- Detecting and preventing fraud, abuse, and unauthorized access
- Monitoring for suspicious activity patterns
- Sending critical security alerts (e.g., new login from unrecognized device)
4.3 — Communication
- Sending appointment confirmation, reminder, and cancellation notifications
- Delivering booking status updates and payment receipts
- Responding to your support requests within 72 hours
- Sending optional marketing emails (only with your explicit opt-in consent)
4.4 — Platform Improvement
- Analyzing anonymized, aggregated usage patterns to improve the user experience
- Diagnosing technical bugs and performance issues from crash reports
- A/B testing new features on an opt-in basis
4.5 — Legal & Compliance
- Complying with applicable laws, court orders, and regulatory requirements
- Maintaining medical records as mandated by the Indian Medical Council Act
- Resolving disputes and enforcing our Terms of Service
5 Legal Basis for Processing (GDPR Article 6)
For users in the European Economic Area (EEA) and United Kingdom, our processing is based on the following lawful grounds:
- Contract Performance (Art. 6(1)(b)): Processing your name, contact details, and booking information to fulfil your appointment and service requests.
- Legitimate Interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and platform analytics, provided these do not override your fundamental rights.
- Legal Obligation (Art. 6(1)(c)): Retaining medical and financial records as required by law.
- Consent (Art. 6(1)(a)): Sending marketing communications, using precise GPS location, and optional analytics. You may withdraw consent at any time.
- Vital Interests (Art. 6(1)(d)): Processing health data in emergency medical situations where consent cannot be obtained.
- Special Category Health Data (Art. 9(2)(h)): Processing medical and health data for the purpose of providing healthcare services by qualified medical professionals, subject to professional secrecy obligations.
6 Data Retention
We retain your data for the minimum period required to fulfil the purpose for which it was collected, comply with legal obligations, and resolve disputes. The table below specifies exact retention periods for every data category:
| Data Category | Retention Period | Reason / Legal Basis |
|---|---|---|
| Account & Profile Data: Name, email, phone, photo | Active account + 30 days post-deletion | Service delivery: Permanently purged 30 days after account deletion request |
| Health & Medical Records: Diagnoses, appointment notes, prescriptions | 7 years from last appointment | Legal obligation: Indian Medical Council Act 1956; Clinical Establishments Act 2010 |
| Payment & Transaction Data: Receipts, payment status, amounts | 5 years | Legal obligation: Income Tax Act; RBI Digital Payment Guidelines |
| Authentication Logs: Login timestamps, IP addresses | 12 months | Legitimate interest: Security monitoring & fraud detection |
| Chat & Support Messages | 2 years | Legitimate interest: Dispute resolution & quality assurance |
| Crash Reports & Error Logs | 90 days | Legitimate interest: Bug fixing & platform stability |
| Usage Analytics (anonymized) | Indefinite | Legitimate interest: Cannot be linked to any individual; used for platform improvement only |
| Marketing Consent Records | Until withdrawn + 3 years | Legal obligation: Proof of consent required by GDPR & DPDPA |
| Backup Copies: All categories above | Maximum 90 days after deletion | Operational: Encrypted backups are purged on a rolling 90-day cycle |
| Regulatory Investigation Data | Duration of investigation + 1 year | Legal obligation: Regulatory compliance |
You may request early deletion of any non-legally-mandated data by emailing privacy@we-care.life. We will respond within 30 days and confirm what data was deleted and what must be retained under law.
7 Data Sharing & Third Parties
We do not sell, rent, or trade your personal data — ever. We share data only in the limited circumstances below:
7.1 — Healthcare Providers
Your health information is shared with the specific doctor, nurse, or hospital you have booked an appointment with. This sharing is necessary to deliver your care and is subject to their professional confidentiality obligations.
7.2 — Service Providers & Sub-processors
We engage third-party companies that process data on our behalf under strict Data Processing Agreements (DPAs):
| Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Twilio | SMS OTP delivery | Mobile number | View ↗ |
| Payment Gateway | Payment processing | Amount, payment token | Provider policy applies |
| Cloud Hosting (AWS / similar) | Secure data storage | All encrypted app data | ISO 27001 certified |
| Firebase Crashlytics | Crash & error reporting | Anonymized crash logs | View ↗ |
| Google (Sign In) | Social authentication | Name, email (if using Google Sign In) | View ↗ |
| Apple (Sign In) | Social authentication | Name, email or relay address | View ↗ |
7.3 — Legal Disclosures
We may disclose your data to courts, regulators, or law enforcement if required by a valid court order, subpoena, or applicable law. We will notify you of such requests unless legally prohibited from doing so.
7.4 — Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all assets, your data may be transferred to the acquiring entity. We will notify you at least 30 days before such a transfer and give you the opportunity to delete your account beforehand.
8 Data Security
We implement a multi-layered security architecture to protect your data:
8.1 — Technical Measures
- Encryption in Transit: All data is encrypted using TLS 1.2+ / HTTPS on all connections. No plain-text API communication is permitted.
- Encryption at Rest: Database records containing personal and health data are encrypted using AES-256 at rest.
- Password Security: Passwords are hashed using bcrypt with a unique salt. They are never stored or logged in plain text.
- JWT Authentication: API sessions use signed JSON Web Tokens with short expiry windows, minimizing the impact of token theft.
- Certificate Pinning: Mobile apps implement SSL certificate pinning to prevent man-in-the-middle attacks.
- Input Validation & SQL Injection Prevention: All user inputs are validated and parameterized queries are used throughout.
8.2 — Organisational Measures
- Access to production data is restricted to authorized personnel on a need-to-know basis
- All staff with data access undergo annual privacy and security training
- We conduct periodic third-party security audits and penetration tests
- We maintain a written incident response plan
- Subprocessors are vetted and bound by Data Processing Agreements
8.3 — Breach Notification
In the event of a data breach affecting your personal data, we will:
- Notify the relevant Data Protection Authority within 72 hours of becoming aware (as required by GDPR Article 33)
- Notify affected users without undue delay if the breach poses a high risk to their rights
- Provide full details of the breach, the data affected, and steps taken
9 International Data Transfers
Your data is primarily stored on servers located in India. However, some sub-processors (listed in Section 7) may process data in other jurisdictions. For any such transfers involving EEA data, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): EU-approved transfer mechanisms are in place with all international sub-processors handling EEA data.
- Adequacy Decisions: Where applicable, we rely on adequacy decisions made by the European Commission.
- DPDPA Compliance: Cross-border transfers of Indian user data comply with the Digital Personal Data Protection Act 2023 requirements and any Rules issued thereunder.
10 Cookies & Tracking Technologies
Our website uses cookies. Our mobile apps do not use browser cookies but may use equivalent device-based identifiers where you have granted permission.
10.1 — Cookie Categories
- Strictly Necessary Cookies: Required for the website to function (session management, CSRF protection, load balancing). Cannot be disabled. No consent required.
- Functional Cookies: Remember your preferences (language, timezone, display settings). Enabled by default; can be disabled without affecting core functionality.
- Analytics Cookies: Collect anonymized data about how you use our website (pages visited, time spent). Require your consent. You may opt out at any time.
- Marketing Cookies: We do not use marketing or advertising cookies on our platform.
10.2 — Managing Cookies
You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies will impair platform functionality. To opt out of analytics, use the cookie preference panel accessible via the "Cookie Settings" link in our website footer.
10.3 — Do Not Track (DNT)
Our website respects the Do Not Track browser signal. When DNT is enabled, we disable all non-essential analytics tracking for your session.
11 Push Notifications
Our mobile apps may send push notifications to your device. These notifications include:
- Transactional Notifications (default on): Appointment reminders, booking confirmations, cancellations, and payment receipts. These are essential service notifications.
- Promotional Notifications (opt-in only): Health tips, new feature announcements, and offers. Only sent if you explicitly grant permission.
You can manage all notification preferences:
- iOS: Settings → Notifications → WeCare
- Android: Settings → Apps → WeCare → Notifications
- In-App: Profile → Notifications settings
Disabling transactional notifications may cause you to miss critical appointment information. We recommend keeping them enabled.
12 Health & Sensitive Data
Health data is the most sensitive category of data we handle and is subject to additional protections beyond those described elsewhere in this policy.
12.1 — How Health Data is Used
- Health information is used exclusively to facilitate your medical appointments, care coordination, and service delivery
- Your health data is shared only with the specific healthcare provider you have booked with
- We do not use health data to profile you, make automated decisions about you, or derive inferences for non-medical purposes
- We do not sell or license health data to insurers, pharmaceutical companies, or data brokers
12.2 — Healthcare Professional Access
Doctors and nurses on our platform are bound by professional confidentiality obligations under applicable medical laws. Their access to patient data is logged and audited. Unauthorized access is subject to immediate account termination and potential legal action.
12.3 — Apple HealthKit / Google Health Connect
Our app does not currently integrate with Apple HealthKit or Google Health Connect. If we introduce this feature in the future, we will update this policy and request explicit permission before accessing any health sensor data.
13 Children's Privacy
Our Platform is designed for users aged 13 and above (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children under 13.
- If you are under 13, you must not use this Platform or provide any personal information to us
- If a parent or guardian believes their child has provided us with personal information, they should contact us immediately at privacy@we-care.life
- Upon verification, we will delete all such data within 5 business days
- In jurisdictions where the age of digital consent is higher than 13 (e.g., 16 in some EU member states), the higher age applies
- For users between 13–18, parental consent is recommended for healthcare-related bookings
14 Your Privacy Rights
Regardless of your location, you have the following rights. We respond to all verifiable requests within 30 days.
- Right to Access: Request a full copy of the personal data we hold about you in a readable format.
- Right to Correction: Request correction of inaccurate or incomplete personal data. Update most data directly in the app.
- Right to Erasure: Request deletion of your data. Subject to mandatory legal retention obligations (see Section 6).
- Data Portability: Receive your data in a structured, machine-readable format (JSON or CSV) to transfer elsewhere.
- Right to Restrict: Request that we restrict processing of your data while a dispute about accuracy or lawfulness is resolved.
- Right to Object: Object to processing based on legitimate interests or direct marketing at any time.
- Automated Decisions: Right not to be subject to solely automated decisions that significantly affect you without human review.
- Withdraw Consent: Withdraw any previously given consent at any time without affecting prior processing.
How to Exercise Your Rights
- In-App: Profile → Account Details for name/email changes; Profile → Privacy & Security for password and account deletion
- By Email: Send a request to privacy@we-care.life with the subject "Privacy Rights Request"
- Response Time: We acknowledge within 5 days and complete requests within 30 days (extendable to 60 days for complex requests with notice)
- Identity Verification: We may ask you to verify your identity to protect against fraudulent requests
If you believe your rights have been violated, you have the right to lodge a complaint with your local data protection authority — for example, the Data Protection Board of India, the Information Commissioner's Office (ICO) in the UK, or your EU member state's supervisory authority.
15 California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights:
- Right to Know: Know the categories of personal information we collect, the purposes for which it is used, and with whom it is shared
- Right to Delete: Request deletion of personal information we have collected about you
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale / Sharing: We do not sell or share California residents' personal information for cross-context behavioral advertising. No opt-out is required, but you may contact us to confirm.
- Right to Limit Sensitive Personal Information: Limit how we use and disclose sensitive personal information, including health data
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights
Shine the Light Law: California Civil Code Section 1798.83 permits California residents to request once per year, free of charge, a list of third parties to whom we disclosed personal information for direct marketing. We do not engage in such disclosure. Contact privacy@we-care.life to confirm.
16 India Privacy Rights (DPDPA 2023)
As a service operating in India, we comply with the Digital Personal Data Protection Act 2023 (DPDPA). Indian users ("Data Principals") have the following rights:
- Right to Information: Know what personal data we process and the purposes of processing
- Right to Correction & Erasure: Request correction of inaccurate data and deletion of data no longer needed
- Right to Grievance Redressal: File a complaint with our Grievance Officer (see Section 19) within the timelines prescribed
- Right to Nominate: Nominate a representative to exercise these rights on your behalf in the event of death or incapacity
- Consent-Based Processing: Where we rely on consent as the lawful basis, consent is obtained before collection, is specific to each purpose, and is withdrawable at any time
Consent Manager: We do not currently use a Consent Manager as defined under the DPDPA. If Consent Manager regulations require us to register or integrate one, we will update this policy accordingly.
Grievance Officer (India): As required by the DPDPA and IT Act, our designated Grievance Officer can be reached at grievance@we-care.life. Grievances will be acknowledged within 24 hours and resolved within 30 days.
17 Account Deletion
You may delete your WeCare account at any time. We provide a self-service deletion option directly in the app:
- Open the WeCare app and go to Profile
- Tap Privacy & Security
- Scroll to Delete Account and confirm with your password
Alternatively, email privacy@we-care.life with subject "Account Deletion Request".
What Happens When You Delete Your Account
- Your profile, name, email, phone number, and photo are permanently deleted within 30 days
- Any active bookings will be cancelled and you will receive a refund per our cancellation policy
- Health records are retained for 7 years as required by law (anonymized to the maximum extent possible)
- Payment transaction records are retained for 5 years for tax compliance
- Backup copies containing your data are purged within 90 days of the deletion confirmation
- You will receive an email confirming what was deleted and what was retained and why
18 Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do:
- The "Last Updated" date at the top of the policy will be revised
- For material changes (changes that meaningfully affect your rights or how we use your data), we will notify you via email and/or a prominent in-app notification at least 30 days before the change takes effect
- For minor changes (typo fixes, clarifications, non-material additions), we will update the policy without advance individual notice
- Your continued use of the Platform after the effective date constitutes acceptance of the updated policy
- If you do not accept material changes, you may delete your account before the effective date
We recommend reviewing this policy periodically. A version history is available on request by emailing privacy@we-care.life.
19 Contact Us & Data Protection Officer
If you have any questions about this Privacy Policy, wish to exercise your rights, or have a concern about how we handle your data, please contact us through any of the following channels. We are committed to responding promptly and transparently.
- Privacy Requests: privacy@we-care.life. For data access, deletion, correction, and rights requests.
- Grievance Officer (India): grievance@we-care.life. As required under IT Act & DPDPA 2023. Response within 30 days.
- Security Issues: security@we-care.life. To report a vulnerability or suspected data breach. We practice responsible disclosure.
- Registered Address: WeCare Healthcare Technologies, Medical District, India. contact@we-care.life
Response Commitments
- Acknowledgement: Within 24–72 hours of receiving your request
- Full Response: Within 30 days (extendable to 60 days for complex requests, with written notice)
- Data Breach Notification: Within 72 hours to regulators; without undue delay to affected users
- Grievance Resolution (India): Within 30 days as required by DPDPA