Privacy Policy

Last Updated: July 16, 2026

This Privacy Policy ("Policy") describes the manner in which Aayu ("we", "our", "us") collects, uses, processes, stores, discloses, and protects personal data of users ("you", "your") in connection with its application, website, platform, and related services (collectively, the "Services"). By accessing or using the Services, you acknowledge that you have read and understood this Policy and consent to the practices described herein.

This Policy is issued in compliance with applicable data protection frameworks, including the Digital Personal Data Protection Act, 2023 (India) and the Federal Decree-Law No. 45 of 2021 Regarding the Protection of Personal Data (United Arab Emirates), together with any rules or regulations made thereunder.

1. Collection of Personal Data

Aayu may collect and process the following categories of personal data:

  • Identification and account data: including your name, contact number, email address, login credentials, and related information.
  • Sensitive personal data (health data): including medical history, diagnostic results, treatment details, prescriptions, laboratory records, and other health-related information voluntarily uploaded or provided by you.
  • Technical and usage data: including device identifiers, IP address, operating system, browser type, geolocation data (if enabled), and analytics relating to your interaction with the Services.
  • Communication data: including inquiries, feedback, and records of interactions with Aayu for support or service-related purposes.

2. Google User Data

Aayu offers Google Sign-In as an authentication method through the Google OAuth platform. When you choose to sign in with Google, we request access to a limited set of data from your Google Account, with your consent. This section describes how we access, use, store, and share that Google user data.

Data we access. When you sign in with Google, we access the following Google user data:

  • Basic profile information: your name and profile picture.
  • Email address: the email address associated with your Google Account.
  • Google Account identifier: a unique ID that Google assigns to your account and that we use to recognize you across sessions.

How we use this data. We use this Google user data solely to create and authenticate your Aayu account, to recognize you when you return, and to communicate with you about your account. We do not use Google user data for advertising, and we do not use it to develop, improve, or train generalized artificial intelligence or machine learning models.

How we store and retain it. Google user data is stored on our secured infrastructure, encrypted in transit and at rest, and retained only for as long as your account remains active or as needed to provide the Services. When you delete your account, this data is deleted in accordance with the "Retention of Data" and "Your Rights" sections below.

How we share it. We do not sell Google user data, and we do not share it with third parties except with infrastructure and service providers acting on our behalf to operate the Services, or where disclosure is required by applicable law.

Limited Use. Aayu's use and transfer of information received from Google APIs to any other application will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

3. Legal Basis and Consent

Processing of personal data is carried out in accordance with the DPDP Act, the UAE PDPL, and other applicable laws. Aayu may process data based on one or more of the following grounds:

  • Consent: Your explicit, informed consent, particularly for sensitive personal data such as medical records.
  • Contractual necessity: Where processing is required to provide the Services you have requested.
  • Legal obligation: Where processing is required to comply with applicable laws.
  • Legitimate interests: Where processing is necessary for security, fraud prevention, and service improvement, provided such interests are not overridden by your fundamental rights.

Consent, once given, may be withdrawn at any time by contacting us at the details below, without affecting the lawfulness of processing carried out before such withdrawal.

4. Purpose of Processing

Personal data is collected and processed strictly for the following purposes:

  • • Registering, authenticating, and managing your account.
  • • Structuring, securing, storing, and retrieving your medical records.
  • • Enabling authorized access to your data, subject to your consent.
  • • Improving, personalizing, and developing the Services.
  • • Ensuring system security, fraud detection, and misuse prevention.
  • • Providing customer service, communication, and notifications regarding the Services.
  • • Complying with legal, regulatory, or judicial obligations.

5. AI Processing of Your Health Data

To convert your uploaded medical records into structured digital health data and to generate summaries and insights from your health information (your "Aayu AI Report"), Aayu uses AI models on Google Cloud's Gemini Enterprise Agent Platform. Your medical records are not used by Google to train or improve its AI models.

When you upload a medical document such as a laboratory report, prescription, or discharge summary, that document is transmitted over an encrypted connection to Google Cloud, where it is read by these AI services to extract its contents. Health information already in your record, such as diagnoses, medications, and laboratory or vital values, together with profile details you provide, such as age, sex, and known conditions, may also be processed by the same services to generate summaries and health insights shown in the app.

An uploaded document is sent for AI processing only after you give explicit consent in the app at the time of upload. If you do not consent, the document is not uploaded and nothing is sent. You can review each AI-generated result in the app before it is saved to your record.

Google acts as our data processor for this purpose and handles your data in accordance with the Google Cloud Data Processing Addendum and the enterprise terms governing our use of Google Cloud.

We do not sell your personal data, and we do not share it with any third-party AI provider for that provider's own use. Google Cloud is the AI data processor for the Services and processes your data solely on our behalf.

AI-generated content can contain mistakes. Always review AI-generated results in the app, and refer to the Medical Disclaimer for the limits of the information the Services provide.

6. Retention of Data

Aayu shall retain your personal data only for as long as necessary to fulfill the purposes outlined in this Policy or as required under applicable law. Health and medical data shall be retained strictly for the duration required to provide the Services or comply with legal obligations. Upon account deletion or a valid request for erasure, Aayu shall delete or anonymize personal data, except where continued retention is mandated by law.

7. Disclosure and Transfer of Data

Aayu may disclose personal data in limited circumstances, including to:

  • • Third-party service providers engaged for hosting, storage, analytics, communication, or technical support, subject to strict contractual safeguards — including Google Cloud, on whose encrypted storage your uploaded medical documents are held and which provides the AI processing described in Section 5, and Amazon Web Services, which hosts our services and databases, where your structured health data is stored in encrypted form.
  • • Healthcare professionals or institutions, but only with your explicit consent.
  • • Governmental, regulatory, or judicial authorities, where disclosure is required by applicable law.

Where data is transferred outside India or the United Arab Emirates, Aayu shall ensure that appropriate safeguards, including standard contractual clauses or equivalent measures, are in place to guarantee adequate protection.

8. Security of Processing

Aayu employs appropriate organizational and technical measures to ensure a level of security appropriate to the risk, including encryption in transit and at rest, strict access controls, regular monitoring and audits, and adherence to the principles of privacy by design and privacy by default. Sensitive personal data is processed with enhanced safeguards to protect confidentiality, integrity, and availability.

9. Your Rights

You retain the following rights under applicable laws:

  • • Right to access and obtain a copy of your personal data.
  • • Right to correct inaccurate or incomplete data.
  • • Right to deletion of personal data, subject to legal limitations.
  • • Right to restrict or object to processing in certain circumstances.
  • • Right to withdraw consent at any time, where processing is based on consent.
  • • Right to data portability, where technically feasible.
  • • Right to lodge a complaint with the competent data protection authority in India or the United Arab Emirates.

10. Amendments

Aayu reserves the right to amend or update this Policy at its discretion and at any time. Any material changes will be communicated by appropriate means, including publication on our website or in-app notifications. Continued use of the Services following such changes shall constitute your acceptance of the revised Policy.

11. Contact

For all questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, you may contact Aayu at:

Have questions about our Privacy Policy or data practices?

Contact Us