When you use AarogyaSetu(App), some personal information is collected from and about you. We are committed to protecting the security of this information and safeguarding your privacy. This privacy policy sets out the details of the personal information collected, the manner in which it collected, by whom as well as the purposes for which it is used. At registration you accepted the terms of this Privacy Policy and your use of the App signifies your continued acceptance thereof. This Privacy Policy may be revised from time to time and you will be notified of all such changes. In order to use the App, you will be required to consent to both the terms of the Privacy Policy and the Aarogyasetu Data Access and Knowledge Sharing Protocol (Available at : https://www.meity.gov.in/writereaddata/files/Aarogya_Setu_data_access_knowledge_Protocol.pdf), as revised from time to time.

INFORMATION COLLECTED AND MANNER OF COLLECTION

(a) When you register on the App, the following information is collected from you and stored securely on a server operated and managed by the Government of India (Server) – (i) name; (ii) phone number; (iii) age; (iv) sex; (v) profession; and (vi) countries visited in the last 30 days.This information will be stored on theServer and a unique digital id (DiD) will be pushed to your App. The DiD will thereafter be used to identify you in all subsequent App related transactions and will be associated with any data or information uploaded from the App to the Server.At registration, your location details are also captured and uploaded to the Server.

(b) When two registered users come within Bluetooth range of each other, their Apps will automatically exchange DiDs and record the time and GPS location at which the contact took place. The information that is collected from your App will be securely stored on the mobile device of the other registered user and will not be accessible by such other user. In the event such other registered user tests positive for COVID-19, this information will be securely uploaded from his/her mobile device and stored on the Server.

(c) Each time you complete a self-assessment test the App will collect your location data and upload it along with the results of your self-assessment and your DiD to the Server.

(d) The App continuously collects your location data and stores securely on your mobile device, a record of all the places you have been at 15 minute intervals. This information will only be uploaded to the Server along with yourDiD, (i) if you test positive for COVID-19; and/or (ii) if your self-declared symptoms indicate that you are likely to be infected with COVID-19.

(e) If you have tested positive for COVID-19 or if there is a high likelihood of you being infected, you have the option to press the Report button on the App which will allow you to either request a test or report that you have tested positive for COVID-19. The back end server analyses the bluetooth contacts uploaded by registered users who have tested positive for COVID-19. If you have come in contact with such persons, based on the contacts uploaded from their mobile devices your risk level will be appropriately updated. At your sole option, you can also get more refined contact tracing results by pressing the Report button/Upload data button and agreeing to upload contact data from your mobile device to the Server. In such event the data collected under Clauses 1(b) and (d) and securely stored on your device will be uploaded to the Server with your consent.When you press the Report button/Upload data button and/or agree to upload your data to refine contact tracing results, the data collected under Clauses 1(b) and (d) and securely stored on your device will be uploaded to the Server with your consent.

(f) The App shall collect the name, age, gender, phone number, address and ID Proof information of the user, for the purpose of registration for COVID-19 vaccination. The registration for COVID-19 vaccination is optional and the data shall be collected with user’s consent, if the user opts for registration with covid-19 vaccination through Aarogyasetu App.

(g) The App shall facilitate the verification of the User identity through the Aadhaar Number of the user for the purpose of registration for COVID-19 vaccination. The Aadhaar number shall not be stored by Aarogyasetu App.

(h) The App shall facilitate the download and caching of COVID-19 vaccination certificate, through authentication of beneficiary’s mobile number and beneficiary ID.

USE OF INFORMATION

(a) The personal information collected from you at the time of registration under Clause 1(a) above, will be stored on the Server and only be used by the Government of India in anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country or to provide you general notifications pertaining to COVID-19 as may be required. Your DiD will only be co-related with your personal information in order to communicate to you the probability that you have been infected with COVID-19 and/or to provide persons carrying out medical and administrative interventions necessary in relation to COVID-19, the information they might need about you in order to carry out such interventions.

(b) The information collected from any other user’s mobile device and uploaded and stored on the Server in accordance with Clause 1(b) will be used to calculate your probability of having been infected with COVID-19.

(c) The information collected under Clause 1(c) will be used by the Government of India to evaluate, based on the self-assessment tests and the GPS locations from where they are being uploaded, whether a disease cluster is developing at any geographic location.

(d) The information collected under Clause 1(d) and securely uploaded and stored on theServer will, in the event you have tested positive for COVID-19, be used to map the places you visited over the past 30 days in order to identifythe locations that need to be sanitised and where people need to be more deeply tested and identify emerging areas where infection outbreaks are likely to occur. Where, in order to more accurately map the places you visited and/or the persons who need to be deeply tested, your personal information is required, the DiD associated with the information collected under Clause 1(d) will be co-related with your personal information collected under Clause 1(a).

(e) The information securely uploaded and stored on the Server under Clause 1(e) will be used to calculate the probability of those who have come in contact with you being infected with COVID-19.

(f) The information collected under Clause 1(f), 1(g) and 1 (h), shall be used for the purpose of facilitating the registration for COVID-19 vaccination and for facilitating the download and caching of vaccination certificate.

(h) The information collected under Clause 1 will not be used for any purpose other than those mentioned in this Clause 2.

RETENTION

(a) All personal information collected from you under Clause 1(a) at the time of registration will be retained for as long as your account remains in existence and if any medical or administrative interventions have been commenced under Clause 2, subject to Clause 3(b) below, for such period thereafter as is required for such interventions to be completed.

(b) All personal information collected under Clauses 1(b), 1(c), 1(d) and 1(e) will be retained on the mobile device for a period of 30 days from the date of collection after which, if it has not already been uploaded to the Server, will be purged from the App. All information collected under Clauses 1(b), 1(c), 1(d) and 1(e) and uploaded to the Server will, to the extent that such information relates to people who have not tested positive for COVID-19, will be purged from the Server 45 days after being uploaded. All information collected under Clauses 1(b), 1(c), 1(d) and 1(e) of persons who have tested positive for COVID-19 will be purged from the Server 60 days after such persons have been declared cured of COVID-19.

(c) Nothing set out herein shall apply to the anonymized, aggregated datasets generated by the personal data of registered users of the App or any reports, heat maps or other visualization created using such datasets. Nothing set out herein shall apply to medical reports, diagnoses or other medical information generated by medical professionals in the course of treatment.

RIGHTS

(a) As a registered user, you have the right to access your profile at any time to add, remove or modify any registration information that you have supplied.

(b) You cannot manage the communications that you receive from us or how you receive them.If you no longer wish to use the App you are free to delete the App. Please note that deleting the app will delete all the information collected and stored on your phone but will not delete any information stored on the cloud. If you wish to delete the registration information referred to in Clause 1(a) and stored on the backend servers, you may cancel your registration. Once you confirm that you want to cancel registration, all the information you had provided to us under Clause 1(a) will be deleted after the expiry of 30 days from the date of such cancellation.

DATA SECURITY

The App is equipped with standard security featuresto protect the confidentiality and security of your information. Data is encrypted in transit as well as at rest. Personal information provided at the time of registration is encrypted before being uploaded to the cloud where it is stored in a secure encrypted server. Personal information that is stored in the Apps of other registered users that you come in contact with is securely encrypted and are incapable of being accessed by such user.

DISCLOSURES AND TRANSFER

You have the option to generate a QR code of your current health status that can then be displayed on your phone so that anyone with a compatible QR code reader will be able to verify your current health status by scanning the QR code. The App can also receive requests for updates of your health status from third parties with whom you work or otherwise regularly interact. You will have the option to either accept or reject these update requests. If you accept the update request, information about your current health status will be disclosed to such person in accordance with the terms of the request that you consented to.

Save as otherwise set out in this Clause 6 as well as in Clause 2 above with respect to information provided to persons carrying out medical and administrative interventions necessary in relation to COVID-19, no personal information collected by the App will be disclosed or transferred to any third party.

GRIEVANCES

If you have any concerns or questions in relation to this Privacy Policy, you may address them to the Grievance Officer whose name and address are as follows: Mr. R S Mani, Deputy Director General (DDG) NIC (support[dot]aarogyasetu[at]gov[dot]in)