When you use Aarogya Setu (App), some personal information is collected
from and about you. We are committed to protecting the security of this information and
information collected, the manner in which it collected, by whom as well as the purposes
be revised from time to time and you will be notified of all such changes. In order to use
from time to time.
1. INFORMATION COLLECTED AND MANNER OF COLLECTION
When you register on the App, the following information is collected from you and
stored securely on a server operated and managed by the Government of India
(Server) – (i) name; (ii) phone number; (iii) age; (iv) sex; (v)
profession; and (vi) countries visited in the last 30 days. This information will be
stored on the Server and a unique digital id (DiD) will be pushed to
your App. The DiD will thereafter be used to identify you in all subsequent App
related transactions and will be associated with any data or information uploaded from
the App to the Server. At registration, your location details are also captured and
uploaded to the Server.
When two registered users come within Bluetooth range of each other, their Apps will
automatically exchange DiDs and record the time and GPS location at which the contact
took place. The information that is collected from your App will be securely stored on
the mobile device of the other registered user and will not be accessible by such
other user. In the event such other registered user tests positive for COVID-19, this
information will be securely uploaded from his/her mobile device and stored on the
Each time you complete a self-assessment test the App will collect your location data
and upload it along with the results of your self-assessment and your DiD to the
The App continuously collects your location data and stores securely on your mobile
device, a record of all the places you have been at 15 minute intervals. This
information will only be uploaded to the Server along with your DiD, (i) if you test
positive for COVID-19; and/or (ii) if your self-declared symptoms indicate that you
are likely to be infected with COVID-19; and/or (iii) if the result of your
self-assessment test is either YELLOW or ORANGE. For the avoidance of doubt, this
information will NOT be uploaded to the Server if you are not unwell of if the result
of your self-assessment test is GREEN.
If you have tested positive for COVID-19 or if there is a high likelihood of you being
infected, you have the option to press the Report button on the App which will allow
you to either request a test or report that you have tested positive for COVID-19.
When you press the Report button the data collected under Clauses 1(b) and (d) and
securely stored on your device will be uploaded to the Server with your consent.
2. USE OF INFORMATION
The personal information collected from you at the time of registration under Clause
1(a) above, will be stored on the Server and only be used by the Government of India
in anonymized, aggregated datasets for the purpose of generating reports, heat maps
and other statistical visualisations for the purpose of the management of COVID-19 in
the country or to provide you general notifications pertaining to COVID-19 as may be
required. Your DiD will only be co-related with your personal information in order to
communicate to you the probability that you have been infected with COVID-19 and/or to
provide persons carrying out medical and administrative interventions necessary in
relation to COVID-19, the information they might need about you in order to carry out
The information collected from any other user’s mobile device and uploaded and stored
on the Server in accordance with Clause 1(b) will be used to calculate your
probability of having been infected with COVID-19.
The information collected under Clause 1(c) will be used by the Government of India to
evaluate, based on the self-assessment tests and the GPS locations from where they are
being uploaded, whether a disease cluster is developing at any geographic location.
The information collected under Clause 1(d) and securely uploaded and stored on the
Server will, in the event you have tested positive for COVID-19, be used to map the
places you visited over the past 30 days in order to identify the locations that need
to be sanitised and where people need to be more deeply tested and identify emerging
areas where infection outbreaks are likely to occur. Where, in order to more
accurately map the places you visited and/or the persons who need to be deeply tested,
your personal information is required, the DiD associated with the information
collected under Clause 1(d) will be co-related with your personal information
collected under Clause 1(a).
The information securely uploaded and stored on the Server under Clause 1(e) will be
used to calculate the probability of those who have come in contact with you being
infected with COVID-19.
The information collected under Clause 1 will not be used for any purpose other than
those mentioned in this Clause 2.
All personal information collected from you under Clause 1(a) at the time of
registration will be retained for as long as your account remains in existence and if
any medical or administrative interventions have been commenced under Clause 2,
subject to Clause 3(b) below, for such period thereafter as is required for such
interventions to be completed.
All personal information collected under Clauses 1(b), 1(c), 1(d) and 1(e) will be
retained on the mobile device for a period of 30 days from the date of collection
after which, if it has not already been uploaded to the Server, will be purged from
the App. All information collected under Clauses 1(b), 1(c), 1(d) and 1(e) and
uploaded to the Server will, to the extent that such information relates to people who
have not tested positive for COVID-19, will be purged from the Server 45 days after
being uploaded. All information collected under Clauses 1(b), 1(c), 1(d) and 1(e) of
persons who have tested positive for COVID-19 will be purged from the Server 60 days
after such persons have been declared cured of COVID-19.
Nothing set out herein shall apply to the anonymized, aggregated datasets generated by
the personal data of registered users of the App or any reports, heat maps or other
visualization created using such datasets. Nothing set out herein shall apply to
medical reports, diagnoses or other medical information generated by medical
professionals in the course of treatment.
As a registered user, you have the right to access your profile at any time to add,
remove or modify any registration information that you have supplied.
You cannot manage the communications that you receive from us or how you receive them.
If you no longer wish to receive communications from us, you may cancel your
registration. If you cancel your registration, all the information you had provided to
us will be deleted after the expiry of 30 days from the date of such cancellation.
5. DATA SECURITY
The App is equipped with standard security features to protect the confidentiality and
security of your information. Data is encrypted in transit as well as at rest. Personal
information provided at the time of registration is encrypted before being uploaded to
the cloud where it is stored in a secure encrypted server. Personal information that is
stored in the Apps of other registered users that you come in contact with is securely
encrypted and are incapable of being accessed by such user.
6. DISCLOSURES AND TRANSFER
Save as otherwise set out in Clause 2 with respect to information provided to persons
carrying out medical and administrative interventions necessary in relation to COVID-19,
no personal information collected by the App will disclosed or transferred to any third
address them to the Grievance Officer whose name and address are as follows: Mr. R S
Mani, Deputy Director General (DDG) NIC (firstname.lastname@example.org)