Effective date: 1 January 2026 · Last updated: 13 May 2026
Version: 2.0
Data controllers: AIYOU Solutions Private Limited (India), and AIYOU Ltd (UK) — acting jointly for users in their respective jurisdictions.
This policy is published in English. Translations into Indian regional languages are made available in the AIYOU app; in case of conflict, the English version prevails.
1. Who we are
AIYOU Solutions Private Limited ("AIYOU Solutions", "we", "us", or "our") is the primary operating company. It is incorporated under the Companies Act 2013 with the Ministry of Corporate Affairs, Government of India (CIN: U86201AP2025PTC119893), with its registered office at Medpolis 801, AMTZ Campus, Pragati Maidan, VM Steel Project S.O., Visakhapatnam – 530031, Andhra Pradesh, India. AIYOU is a Government of India DPIIT-recognised startup and a registered MSME under the Udyam scheme.
Our UK entity, AIYOU Ltd (Company No. 16158977, registered at Flat 36, Brecon House, 22 Taywood Road, UB5 6GU, Northolt, London, United Kingdom), is the controller for users in the United Kingdom and the European Economic Area, and is responsible for our 5 design patent applications filed with the UK Design Registry.
The AIYOU trademark is registered with the Government of India Trade Marks Registry under Class 44 (TM No. 5940213).
2. Scope of this policy
This Privacy Policy applies to personal data we process when you:
- Visit aiyousolutions.com or any associated subdomain.
- Download, register for, or use the AIYOU mobile or web app.
- Book a consultation, order medication, or schedule a lab test through AIYOU.
- Contact our customer support or grievance officer.
- Apply for a job, partnership, or investor relationship with us.
It does not cover the practices of independent healthcare providers, pharmacies, or laboratories who deliver services to you. Those parties are independent data controllers and have their own privacy notices.
3. Information we collect
3.1 Information you provide
- Identity and account data — full name, date of birth, gender, photograph, preferred language, and (where lawfully required for healthcare services) government identification.
- Contact data — email address, phone number, residential address, emergency contact.
- Health and clinical data — symptoms, medical history, allergies, current medications, family history, vaccination records, lifestyle factors, lab and imaging reports, prescriptions, and any free-text notes you share.
- Voice data — audio recordings of your interactions with the voice symptom checker and the transcripts derived from those recordings.
- Payment data — billing address and payment confirmation references. Full card numbers are processed by licensed payment gateways and never stored by AIYOU.
- Communications — messages and attachments you send to support, feedback, and survey responses.
3.2 Information collected automatically
- Device and technical data — IP address, device type, operating system, app version, language, time zone, mobile network, advertising identifiers (only where you have consented).
- Usage data — pages and features used, time spent, click and scroll behaviour, navigation paths, referral source.
- Location data — approximate location derived from IP, and precise location only with your in-app permission (for example, to find nearby doctors).
- Logs — diagnostic logs, error reports, and security events.
3.3 Information from third parties
- Verified doctors, hospitals, pharmacies, and labs who add consultation notes, prescriptions, dispensing records, or lab reports to your file with your authorisation.
- Identity-verification, fraud-prevention, and KYC providers, where legally required.
- Public sources, where you have made information publicly available (for example, on a professional registry).
4. Legal bases for processing
We process personal data only where we have a lawful basis to do so. Under the Indian Digital Personal Data Protection Act 2023 ("DPDP Act"), the Information Technology Act 2000 and rules made under it, the UK GDPR and the Data Protection Act 2018, our lawful bases are:
- Consent — for processing of voice samples for model improvement, marketing emails, optional features, and non-essential cookies. You can withdraw consent at any time.
- Performance of a contract — to deliver the services you sign up for, including consultations, prescription handling, and record storage.
- Legitimate interests — to keep the service secure, prevent fraud, improve our products, and run our business, where these interests are not overridden by your rights.
- Legal obligation — to comply with healthcare, taxation, anti-money-laundering, and other regulatory obligations in India and the UK.
- Vital interests — in genuine emergencies where processing health data is necessary to protect your life or the life of another.
- Public interest in public health (UK GDPR Article 9(2)(i)) — where lawful and proportionate, for example to participate in public-health reporting required by law.
5. How we use your information
- Operate and maintain the AIYOU app, website, and underlying voice AI.
- Provide the symptom checker, doctor consultations, digital pharmacy, and lab booking.
- Keep accurate, longitudinal medical records that you can access across consultations.
- Send transactional communications (appointment confirmations, prescription updates, security alerts).
- Provide customer support and resolve disputes.
- Improve voice and language recognition — only on de-identified or aggregated data, or with your explicit and separate consent.
- Conduct internal research, statistical analysis, and quality assurance.
- Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms.
- Comply with our legal obligations and respond to lawful requests from public authorities.
- Send optional marketing communications — only with your prior, opt-in consent, with a clear opt-out in every message.
6. Voice and health data
Health information, voice recordings, and transcripts are treated as sensitive personal data ("special category data" under UK GDPR; "sensitive personal data or information" under Indian IT rules). We apply heightened safeguards including:
- End-to-end encryption in transit and AES-256 encryption at rest.
- Role-based access control with the principle of least privilege.
- Audit logging of access to any clinical record.
- Multi-factor authentication for staff accounts with access to health data.
- Pseudonymisation and de-identification for analytics and product improvement.
We do not sell health data, voice recordings, or transcripts. We do not use individual health data for advertising. We do not share voice recordings with model-training partners outside our group without separate, explicit consent.
7. Automated decision-making
The AIYOU symptom checker uses automated processing to suggest possible explanations and next steps. These suggestions are decision-support outputs, not legally binding decisions, and do not by themselves produce legal or similarly significant effects on you. A qualified healthcare professional remains responsible for any clinical decision. You can ask for human review of any output you believe is materially incorrect by contacting aiyou@aiyousolutions.com.
8. Cookies and similar technologies
Our website uses a limited set of cookies and similar technologies. We ask for your consent before loading non-essential cookies. Full details — including categories, providers, and how to change your preferences — are in our Cookie Policy.
9. Sharing and disclosure
We share personal data only as described below, on a need-to-know basis, and under written agreements that restrict use of the data to the purposes we specify.
- Healthcare providers you choose — doctors, hospitals, pharmacies, and labs you book through the platform receive only the data needed to deliver care.
- Processors and sub-processors — cloud hosting providers (within India and the UK/EEA), secure storage, telecommunications, video-consultation platforms, payment gateways, identity verification, customer support tools, and analytics providers.
- Group companies — AIYOU Solutions Private Limited and AIYOU Ltd, under intra-group data-transfer agreements.
- Professional advisors — auditors, lawyers, insurers, where reasonably necessary.
- Government and regulatory authorities — when required by law, court order, or to protect users or the public.
- Business transfers — in the event of a merger, acquisition, reorganisation, or sale of assets, with continuing protection of your data and reasonable notice to you.
A list of our current third-party processors is available on request from the grievance officer.
10. International data transfers
Indian users' personal and health data is stored on servers located in India, in line with the data-localisation expectations of the DPDP Act and sectoral guidance. Where data is transferred from India to the UK (or another jurisdiction) for the purpose of intra-group operations, design and IP filings, or back-up, we use Standard Contractual Clauses and equivalent contractual safeguards permitted under Indian law.
For users in the UK and EEA, data is held in the UK or EEA where reasonably practicable. Transfers to India or other third countries are made under the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses, or adequacy decisions, supplemented by transfer impact assessments.
11. Storage and retention periods
We retain personal data only as long as necessary for the purposes set out in this policy, and for the periods required by law.
- Account data — for the lifetime of your account, plus up to 12 months after closure for legal-compliance purposes.
- Medical records — retained in line with applicable healthcare retention rules: at least 3 years from the date of the last consultation for outpatient records (Indian Medical Council guidance), and up to 8 years where indicated by law or clinical need. UK-side records follow NHS Records Management Code guidance where applicable.
- Voice recordings — kept only as long as needed to provide and improve the service; raw audio is deleted within 12 months of capture unless you have specifically asked us to retain it.
- Billing and tax records — at least 8 years, as required by Indian tax and company law.
- Marketing data — until you withdraw consent or opt out.
- Security and audit logs — typically 12–24 months, longer if there is an ongoing investigation.
12. Your rights
Depending on where you live, you have the following rights:
- Right to access a copy of the personal data we hold about you, along with information about how we process it.
- Right to correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"), subject to legal retention requirements.
- Right to restrict certain types of processing.
- Right to object to processing based on legitimate interests or for direct marketing.
- Right to portability — to receive your data in a structured, commonly used, machine-readable format.
- Right to withdraw consent at any time, where processing is based on consent.
- Right to nominate another person to exercise your rights on your behalf in the event of death or incapacity (DPDP Act).
- Right not to be subject to solely automated decisions producing legal or similarly significant effects on you.
- Right to complain to a supervisory authority (see section 19).
13. How to exercise your rights
You can exercise most rights directly from the AIYOU app in Settings → Privacy. You can also email aiyou@aiyousolutions.com or write to the grievance officer at the address below. We will respond within 30 days (extendable by a further 30 days where the request is complex). Where we cannot fully satisfy your request, we will tell you why and explain what you can do next.
14. Children's privacy
The AIYOU app is intended for users aged 18 and over. Where a parent or legal guardian uses AIYOU to manage healthcare on behalf of a minor, the guardian must provide verifiable consent and is responsible for accurate, lawful use of the child's data. We do not knowingly create accounts directly for children. If we learn that we have collected personal data from a child without proper guardian consent, we will delete the data without undue delay.
15. Security measures
We implement administrative, technical, and physical safeguards proportionate to the sensitivity of the data we handle, including:
- ISO/IEC 27001-aligned information security management.
- Regular vulnerability scans, penetration testing, and code review.
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Strict identity, access, and key management.
- Mandatory staff training on data protection and clinical confidentiality.
- Vendor risk assessments and contractual safeguards with all processors.
- Documented incident-response and business-continuity plans.
No system can be guaranteed perfectly secure. We work continuously to reduce risk and respond quickly to incidents.
16. Data breach notification
If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay — and in any event within 72 hours of becoming aware of it, where required by applicable law.
17. Updates to this policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify you in-app, by email, and by prominent notice on this website at least 30 days before the new version takes effect. The "Version" and "Last updated" labels at the top of the page record each revision.
18. Grievance officer
In accordance with the Information Technology Act 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, and the DPDP Act 2023, our Grievance Officer can be contacted as follows:
Grievance Officer — AIYOU Solutions Private Limited
Medpolis 801, AMTZ Campus, Pragati Maidan,
VM Steel Project S.O., Visakhapatnam – 530031,
Andhra Pradesh, India.
Email: aiyou@aiyousolutions.com (subject line: "Grievance — Privacy")
Acknowledgement within 48 hours; resolution within 30 days of receipt.
19. Complaints to regulators
If you are not satisfied with our response, you have the right to complain to the relevant supervisory authority:
- India — Data Protection Board of India (once operational under the DPDP Act 2023).
- United Kingdom — Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. ico.org.uk.
For any privacy question, request, or concern not covered above, contact us at:
AIYOU Solutions Private Limited
Medpolis 801, AMTZ Campus, Pragati Maidan,
VM Steel Project S.O., Visakhapatnam – 530031,
Andhra Pradesh, India.
Email: aiyou@aiyousolutions.com
AIYOU Ltd (UK)
Flat 36, Brecon House, 22 Taywood Road, UB5 6GU,
Northolt, London, United Kingdom.