Privacy Policy
Effective Date: October 1, 2021
Last updated on: September 9, 2025
This Privacy Policy (“Policy”) applies to the use of the upBeat® applications (“Platform”) available on:
• Android: Google Play Store
• iOS: Apple App Store
• Website: www.monitrahealth.com
1. GENERAL
1.1. The Platform is operated by Monitra Healthcare Private Limited (“We”, “Our”, “Us”). For the purpose of this Policy, wherever the context so requires, “you”, “yourself”, or “user” shall mean any person who accesses or uses the Platform.
1.2. We are committed to protecting and respecting your privacy in accordance with applicable data protection laws, including:
(a) The Information Technology Act, 2000 (India)
(b) The Digital Personal Data Protection Act, 2023 (DPDPA) (India) and the rules framed pursuant thereto.
(c) The General Data Protection Regulation (GDPR) (EU)
(d) The Health Insurance Portability and Accountability Act (HIPAA) (USA), where applicable.
1.3. We collect and process Personal Information to analyze, deliver, improve, and personalize our health-related services through the Platform.
1.4. All employees, partners, and third parties working with or for us must adhere to this Policy. Sensitive personally identifiable information (PII) or protected health information (PHI) will only be processed under appropriate confidentiality and data protection agreements.
2. HOW WE COLLECT THE INFORMATION
2.1. We collect personal and health-related data through the following means:
(a) Direct from you - when you provide information on the Platform.
(b) Through interactions with us – including business communications, support requests, and other exchanges between Monitra and you.
(c) From third parties - such as health monitoring devices, carriers, wearable sensors, healthcare providers, or marketing partners.
(d) Automatically – via technologies such as device identifiers, IP addresses, cookies, log files, usage statistics, browsing patterns, and similar technologies that capture information during your use of the Platform.
3. INFORMATION WE COLLECT
3.1. To access certain features or parts of the Platform, you may be required to register and create an account on the Platform (“Account”). You may be required to provide certain information that can be used to identify you or in relation to which information you are identifiable (“Personal Information”) at the time of registration, which may include:
(a) Name
(b) Phone number
(c) Email address
(d) Age
(e) Gender
(f) Health and session data you enter or authorize
(g) Location
3.2. Depending on your interaction with the Platform, we may collect:
(a) Device information (e.g., OS, IP address, access times, mobile type, battery status)
(b) Application activity logs
(c) Cookies (subject to consent) for improving the experience
(d) Any information considered PII or PHI under HIPAA.
3.3. We may, with your prior consent, use your photograph or video recordings for testimonials in connection with the Platform and services provided through the Platform.
4. HOW WE USE INFORMATION
4.1. We process your Personal Information:
(a) When you have consented to the use of your Personal Information in a particular way;
(b) For certain legitimate uses, which you acknowledge and agree are purposes for which you are voluntarily providing your Personal Information. These include:
(i) Providing the services requested by you, or to respond to your inquiries, whether related to our services or general queries. In other words, so we can perform our contract with you or take steps at your request before entering into one.
(ii) Delivering, personalizing, and improving our services and health insights
(iii) For research and analysis
(iv) Processing transactions and communicating with you
(v) Providing customer support
(vi) Ensuring regulatory and legal compliance
(vii) Analysing and improving the safety and security of our Platform, including implementing and enhancing security measures and protections, and protecting against fraud, spam, abuse, and security threats
(viii) Operating the Platform and providing you with communications, including in respect of our products and services and those of our affiliates and group entities.
(ix) Sharing your Personal Information with third-party service providers that assist us in delivering and improving our services.
(x) Verifying your identity and the connected device, and securing your Account details.
4.2. In circumstances other than those described herein, we will ask for your affirmative consent for the processing of your Personal Information.
4.3. For PHI, we comply with HIPAA rules around minimum necessary use, access control, and patient rights.
5. DATA SHARE OR TRANSFER
5.1. We may transfer or share your personal or health data under strict protocols:
(a) With your consent, or as required to fulfill a service
(b) With internal teams, subsidiaries, service providers, or vendors under data processing agreements and confidentiality obligations.
(c) With legal or regulatory authorities when required
(d) To prevent fraud, security breaches, unauthorized access, threats, or other unlawful activities.
(e) During mergers, acquisitions, or business restructuring, with safeguards in place
(f) In emergencies, to protect your life or safety
(g) For cross-border transfers, where data may be stored or processed outside your jurisdiction, subject to adequate safeguards consistent with the DPDPA and other applicable laws.
5.2. For all data transfers, we ensure GDPR-compliant mechanisms such as Standard Contractual Clauses (SCCs) or adequacy decisions.
6. COOKIES AND OTHER TRACKING TECHNOLOGIES
6.1. The Platform may use cookies and similar tools to collect information (e.g., IP addresses, device/browser details, usage patterns).
6.2. Cookies and other tracking technologies may be used for:
(a) Session and basket management
(b) Security enhancements
(c) Usage analytics and research
(d) Personalization of content and experience
(e) Remembering choices you make (such as user/Account name, email address, phone number, etc.)
(f) Verifying your identity and device
6.3. You can manage cookie preferences through your mobile or browser settings. Disabling cookies may impact some Website features.
6.4. Third-party service providers or advertisers integrated into the Platform may also use such technologies in connection with their services. In such cases, the use of such technologies will be governed by their respective privacy policies, and not by us.
7. DATA SECURITY
7.1. We restrict access to Personal Information to our employees, contractors, and agents and only allow access to those who need to know that information in order to process it on our behalf. It is clarified that this condition shall not apply to publicly available information, in relation to you, on the Platform.
7.2. We maintain high standards for protecting your data, including:
(a) Encryption in transit and at rest using Google Cloud’s managed security framework.
(b) Encryption:
(i) At Rest: AES-256 is used by default to encrypt all data files, backups, temporary files, and transaction logs. By default, encryption keys are managed by Google (Google-managed encryption keys, GMEK). Optionally, Customer-managed encryption keys (CMEK) from Cloud Key Management Service (Cloud KMS) may be used to give you additional control over key lifecycle (create, rotate, revoke, destroy).
(ii) In Transit: All client-to-database connections are encrypted using TLS 1.3 (or TLS 1.2 as a fallback) to ensure secure communication over the network.
(iii) Compliance Alignment: This encryption framework supports HIPAA, GDPR, and India’s DPDPA, ensuring that PHI/PII is always safeguarded.
(c) SSL encryption over TLS 1.2 or 1.3 for application-level data transmission.
(d) Secure, access-controlled servers for data storage.
(e) Periodic security audits and vulnerability assessments.
(f) Training and awareness for employees on HIPAA, GDPR, and DPDP compliance.
(g) Limited access to PHI/PII based on the minimum necessary principle.
7.3. Information gathered by us is stored securely using several information security applications. However, security is always relative, and we cannot guarantee that our security measures are absolute and cannot be breached. Data, which is transmitted over the internet, is inherently exposed to security risks or threats.
8. DATA RETENTION AND DESENSITIZATION
8.1. In accordance with DPDPA and globally recognized privacy principles (including GDPR and HIPAA):
(a) Patient Identifiable Information Retention (Name, Phone Number)
(i) We retain PII such as name and phone number only for as long as it is necessary to fulfill the purposes for which it was collected (such as monitoring, support, or reporting).
(ii) By default, this information is retained for a maximum of 3 years from the date of your last interaction with the upBeat® application, unless a longer period is required under applicable healthcare or legal obligations.
(iii) You may request deletion earlier by contacting our Data Protection Officer, subject to applicable medical record retention laws.
(iv) Encryption During Retention: While retained, PII/PHI is stored in AlloyDB and encrypted using AES-256 at rest and TLS 1.2/1.3 in transit. Google-managed encryption keys (GMEK) are applied by default, and customer-managed encryption keys (CMEK) may be used to further enhance compliance with HIPAA, GDPR, and DPDPA.
(b) ECG and Health Data Desensitization
(i) Raw or detailed ECG and similar clinical data are pseudonymized at the time of upload and are automatically desensitized (i.e., anonymized or stripped of identifiable markers) after 3 years from the session date, unless explicitly required for clinical or legal purposes.
(ii) Post this period, data is retained only in anonymized form for medical research, analytics, or system improvement, and cannot be traced back to any individual.
8.2. We will comply within reasonable timeframes as mandated by the DPDPA and GDPR (if applicable in relation to your data).
9. YOUR RIGHTS UNDER THE DPDPA
9.1. You may exercise the following rights by emailing a request to info@monitrahealth.com:
(a) Withdrawal of consent
(i) You are entitled to withdraw consent for the processing of your Personal Information. Withdrawal of consent with respect to all or any part of your Personal Information may result in immediate withdrawal of your eligibility to avail the services provided by us on the Platform.
(ii) Your withdrawal of consent shall not operate to cause us to cease any processing of Personal Information that is necessary for compliance with applicable law or the order of a court/executive authority, or purposes for which non-consensual processing is permitted under applicable laws.
(b) Deletion of Personal Information
(i) You may also contact us to delete any Personal Information that you have provided to us.
(ii) Please note that where you request the deletion of your Personal Information, we may retain such records and elements of your Personal Information as are necessary for compliance with applicable law or the order of a court/executive authority, or which may be retained by us for purposes for which non-consensual processing is permitted under applicable law.
(iii) We shall delete Personal Information when it is no longer necessary for the purpose for which it was collected, or when the data retention period prescribed by applicable law has expired, whichever is later, unless its retention is required to comply with a legal obligation.
(c) Other Rights: You are entitled to seek:
(i) a summary of your Personal Information being processed by us and the processing activities being undertaken by us;
(ii) the identity of persons with whom your Personal Information has been shared by us and the nature of Personal Information shared with such persons;
(iii) access, correction, completion, and updates to the Personal Information stored with us; and
(iv) any additional information on how we handle your Personal Information and any requests in relation thereto, not specifically covered elsewhere in this Policy. We retain the right to examine your request for additional information in relation to how we handle your Personal Information, to ensure that your request is in accordance with applicable law. We also retain the right to reject any such request made by you in accordance with applicable law, including, if such request is, without limitation, manifestly unfounded and without a demonstrable intention to exercise your right to access information, or a misuse of your right to request additional information. Please note that certain information or requests for information that may be sought by you, which are in furtherance of your lawful right to access your data, may involve, without limitation, disclosure of Personal Information of a third party, and/or information which is subject to confidentiality/non-disclosure obligations under law or contract. In such cases, we will inform you of any impediments to the disclosure of information requested by you in our response to your request.
10. YOUR RIGHTS UNDER GDPR AND HIPAA
10.1. To the extent available to you as per GDPR or HIPAA, you have the right to:
(a) Access, correct, or delete your personal data
(b) Request restriction or objection to processing
(c) Receive a copy of your data (data portability)
(d) Revoke consent at any time
(e) File a complaint with the appropriate supervisory authority (GDPR), or request an accounting of disclosures (HIPAA)
10.2. You can exercise these rights by contacting us at the details below.
11. MOBILE APP PERMISSIONS DISCLOSURE
11.1. To ensure optimal performance of the upBeat® application on Android and iOS, we may request access to certain device permissions. These permissions are necessary to deliver core health monitoring features and provide you with a seamless user experience. We only request the permissions we need, and your data is handled securely in accordance with this Privacy Policy.
(a) Bluetooth
(i) Purpose: To connect and sync with wearable or external ECG monitoring devices in real-time.
(ii) Usage: Only when the app is active, or background monitoring is explicitly enabled by the user.
(iii) Note: We do not use Bluetooth for tracking or any unrelated purpose.
(b) Location (Android Specific – for Bluetooth scanning)
(i) Purpose: Required by Android OS to perform Bluetooth scanning.
(ii) Usage: Location access is not used to track your location. It is only used to support Bluetooth Low Energy (BLE) connections for your medical devices.
(c) Camera
(i) Purpose: To enable profile image upload or to scan device QR codes for pairing.
(ii) Usage: Only accessed with user initiation. No images or videos are recorded or stored without your consent.
(d) Storage / Media Access
(i) Purpose: To securely download and store ECG reports or health summaries as PDF files for offline access or sharing.
(ii) Usage: The app does not access your photos or files unless explicitly initiated by you (e.g., choosing a file to upload or download).
(e) Phone / Device Info (Read Phone State)
(i) Purpose: For security checks, analytics, and troubleshooting, we may access non-sensitive device metadata (e.g., OS version, device ID, crash logs, battery).
(ii) Usage: No personal call logs or SMS content is accessed or stored.
12. CHANGES TO THIS POLICY
We may update this Policy periodically. Your continued use of the app signifies your acceptance of any updates. Major changes will be communicated in-app or via email where appropriate. This Privacy Policy was last updated on September 9, 2025.
13. GRIEVANCE REDRESSAL
13.1. In the event you have any complaints or grievances in respect of our processing of your Personal Information, such complaints or grievances can be sent by email to:
Data Protection Officer
Name: Sashank Bhogu
Email: sashank[dot]bhogu[at]monitrahealth[dot]com
Address: Monitra Healthcare Private Limited,
T-Hub Foundation (T-Hub 2.0),
7th Floor, Plot No 1/C, Sy No 83/1, Raidurgam,
Knowledge City Rd, Panmaktha,
Hyderabad, Telangana 500081, India
13.2. Any complaint or grievance raised by you must include the following information:
(a) Your name and contact details: name, address, contact number, and email address;
(b) Description of the complaint or grievance in relation to which such complaint or grievance is made;
(c) A statement under penalty of perjury that the information provided in the complaint or grievance is accurate; and
(d) Your signature
13.3. We will endeavour to acknowledge each request and respond to your request within forty-eight (48) hours, or such other timeline as provided by applicable law.
13.4. By using our services, you agree to this Privacy Policy, including the terms applicable under the IT Act, DPDPA, GDPR, and HIPAA.
14. FINANCIAL AND LEGAL PROVISIONS
14.1. Change of Control: In the event that ownership or control of the Platform were to change, your Personal Information may be shared, disclosed, or transferred. You hereby grant consent and permission to us for the disclosure and transfer of Personal Information to such third parties. It is clarified that such third parties shall be bound by the terms of this Agreement in respect of the processing of your Personal Information. Any processing of Personal Information inconsistent with the terms of this Policy shall only be undertaken with your prior consent.
14.2. Limitation of Liability: This Policy is only a description of our operation regarding your Personal Information.
WE DO NOT WARRANT THAT OUR PLATFORM, ITS SERVERS, OR EMAILS SENT BY IT OR ON ITS BEHALF ARE VIRUS-FREE.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, WE WILL NOT BE LIABLE FOR ANY DAMAGES OF ANY KIND ARISING FROM THE USE OF ITS PLATFORM, INCLUDING, BUT NOT LIMITED TO COMPENSATORY, DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, SPECIAL, EXEMPLARY AND CONSEQUENTIAL DAMAGES, LOSS OF DATA, GOODWILL, BUSINESS OPPORTUNITY, INCOME OR PROFIT, LOSS OF OR DAMAGE TO PROPERTY AND CLAIMS OF THIRD PARTIES.
IN THE EVENT OF ANY PERSONAL INFORMATION BREACH, WE SHALL INFORM THE AFFECTED USERS IN THE MANNER PRESCRIBED UNDER APPLICABLE LAW.
14.3. Children and Persons with Disability: The products or services offered on our Platform are not intended for purchase directly by children. If you are a child under the age of 18, you may only use the Platform under the supervision and with the verifiable consent of a parent or legal guardian. If you are a person with disability, you may only use the Platform with the verifiable consent of your legal guardian. We do not engage in tracking or behavioural monitoring of children or targeted advertising directed at children.
14.4. Applicable Law and Jurisdiction: This Policy shall be governed by and construed in accordance with the laws of India. Further, it is irrevocably and unconditionally agreed that the courts of Hyderabad, India shall have exclusive jurisdiction to entertain any proceedings in relation to any disputes arising out of the same.