Privacy Policy

Ally Health ("Ally," "we," "us," or "our") is operated by Terrace Tech Labs. We build preventive health intelligence tools that help you understand your lab reports, track biomarkers over time, and connect wearable data — all in one place.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have under the Digital Personal Data Protection Act, 2023 (DPDP Act) of India. It applies to all users of the Ally Health mobile application, website (ally.health), and related services.

By using Ally, you consent to the collection and processing of your data as described in this policy. If you do not agree, please do not use our services.

1. Data We Collect

We collect only the data necessary to deliver and improve our services. Here is what we collect and why:

1.1 Account and Authentication Data

• Anonymous authentication: When you first open Ally, we create an anonymous account using Firebase Authentication. This generates a unique user ID but does not collect your name, email, or phone number.
• Google Sign-In: If you choose to sign in with Google, we receive your name, email address, and profile photo from Google. We use this to personalize your experience and enable account recovery.

1.2 Health and Lab Report Data

• Lab reports: When you upload a lab report (PDF or image), our AI extracts biomarker values, reference ranges, and test dates. The original file is deleted from our servers after parsing. We retain only the structured, extracted data (e.g., "HbA1c: 5.7%") linked to your account.
• Health profile: Information you voluntarily provide such as age, gender, health goals, and medical conditions to personalize your experience.
• AI chat conversations: Questions you ask our AI chatbot and the responses generated, stored to maintain conversation history and improve response quality.

1.3 Wearable and Device Data

• Apple HealthKit: With your explicit permission, we read health metrics such as heart rate, steps, sleep data, and activity data from Apple Health. We do not write data back to HealthKit.
• Google Health Connect: With your explicit permission, we read similar health and fitness metrics from Google Health Connect.
• Wearable data is used only to provide you with combined insights alongside your lab data. We never access wearable data without your active, per-category permission.

1.4 Usage and Technical Data

• Device type, operating system version, and app version for compatibility and debugging.
• Crash logs and performance data to identify and fix issues.
• We do not collect GPS location, contacts, call logs, SMS, or browsing history.

2. How We Use Your Data

We process your data for the following purposes:

• AI-powered analysis: Your lab report data and wearable metrics are processed by AI models (Google Gemini and MedGemma) to generate health summaries, trend analysis, and educational content about your biomarkers.
• Personalization: Your health profile and historical data personalize the insights and content you see.
• Chatbot responses: Your questions and health context are sent to our AI models to generate relevant, personalized responses.
• Product improvement: Aggregated, de-identified usage patterns help us improve features and user experience.
• Communications: If you provide an email address, we may send you important service updates, security alerts, or product announcements. You can opt out of non-essential communications at any time.

3. AI Processing and Third-Party Services

To deliver our services, we share certain data with trusted third-party service providers. Each provider processes data solely on our behalf and under contractual obligations to protect your data:

When your data is sent to Google AI services for analysis, it is processed under Google's Cloud data processing terms. Google does not use data sent via its API services to train its general models.

4. Data Storage and Security

4.1 Where Your Data Is Stored

Your data is stored on Google Cloud infrastructure via Firebase. Our primary database and storage are hosted in Google Cloud regions that may include servers in India and the United States. By using Ally, you consent to the transfer and storage of your data in these regions.

We recognize that the DPDP Act may impose data localization requirements in the future. We will comply with any such requirements as they come into effect and update this policy accordingly.

4.2 How We Protect Your Data

• All data in transit is encrypted using TLS 1.2 or higher.
• All data at rest in Firebase is encrypted using AES-256.
• Firebase Security Rules restrict data access so that each user can only read and write their own data.
• Original lab report files are deleted from storage after AI parsing is complete. We do not retain the original documents.
• Access to production systems is restricted to authorized personnel with role-based access controls.

4.3 Data Breach Response

In the event of a data breach affecting your personal data, we will notify the Data Protection Board of India and affected users as required under the DPDP Act, without unreasonable delay.

5. Data Retention and Deletion

• Original lab report files are deleted immediately after parsing is complete. Only the extracted, structured biomarker data is retained.
• Account and health data are retained for as long as your account is active and you want to use the service.
• You can delete your account and all associated data at any time from within the app. Upon account deletion, we will erase all your personal data from our systems within 30 days, except where we are legally required to retain certain records.
• If your account has been inactive for more than 24 months, we may notify you and, if we do not hear from you, delete your data.

6. Your Rights Under the DPDP Act

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:

• Right to Access: You can request a summary of the personal data we hold about you and how it is being processed. Most of this is directly visible within the app.
• Right to Correction: You can request correction of inaccurate or incomplete personal data. You can edit your health profile directly in the app, or contact us for other corrections.
• Right to Erasure: You can request deletion of your personal data. You can delete your account from the app, or contact us and we will process the deletion within 30 days.
• Right to Grievance Redressal: If you have a complaint about how we handle your data, you can contact us. If you are unsatisfied with our response, you may approach the Data Protection Board of India.
• Right to Nominate: In the event of your death or incapacity, your nominated individual may exercise your rights on your behalf, as provided under the DPDP Act.

To exercise any of these rights, email us at support@ally.health. We will respond within 30 days.

7. Consent and Withdrawal

We process your personal data based on your consent, which you provide when you create an account, upload lab reports, connect wearable devices, or use our AI chatbot.

You can withdraw your consent at any time by deleting your account or by emailing us. Withdrawal of consent will not affect the lawfulness of processing done before the withdrawal. If you withdraw consent, we will stop processing your data, but we may retain certain records as required by applicable law.

8. Children's Data

Ally Health is designed for adults. We do not knowingly collect personal data from anyone under the age of 18. If you are under 18, please do not use Ally or provide any personal data.

If we become aware that we have collected personal data from a child without appropriate consent, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at support@ally.health.

9. Cookies and Tracking

Our website (ally.health) may use essential cookies for authentication and basic functionality. We do not use third-party advertising cookies or cross-site tracking pixels.

Our mobile app does not use cookies. Analytics data, if collected, is aggregated and de-identified.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Notify you via the app or email (if we have your email address) before the changes take effect.
• Where required by the DPDP Act, obtain your renewed consent for any new processing activities.

11. Grievance Officer and Contact

In accordance with the DPDP Act, we have designated a Grievance Officer to address your concerns about data privacy. For any questions, requests, or complaints related to this Privacy Policy or your personal data:

We will acknowledge your request within 48 hours and aim to resolve it within 30 days. If you are not satisfied with our response, you have the right to approach the Data Protection Board of India.

12. Governing Law

This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023, and the Information Technology Act, 2000 (as amended). Any disputes arising from this policy shall be subject to the exclusive jurisdiction of courts in Bangalore, India.