1. INFORMATION COLLECTED AND MANNER OF COLLECTION

1. When you register on the App, the following information is collected from you and stored securely on a server operated and managed by the Government of India (Server) – (i) name; (ii) phone number; (iii) age; (iv) sex; (v) profession; and (vi) countries visited in the last 30 days. This information will be stored on the Server and a unique digital id (DiD) will be pushed to your App. The DiD will thereafter be used to identify you in all subsequent App related transactions and will be associated with any data or information uploaded from the App to the Server. At registration, your location details are also captured and uploaded to the Server.
2. When two registered users come within Bluetooth range of each other, their Apps will automatically exchange DiDs and record the time and GPS location at which the contact took place. The information that is collected from your App will be securely stored on the mobile device of the other registered user and will not be accessible by such other user. In the event such other registered user tests positive for COVID-19, this information will be securely uploaded from his/her mobile device and stored on the Server.
3. Each time you complete a self-assessment test the App will collect your location data and upload it along with the results of your self-assessment and your DiD to the Server.
4. The App continuously collects your location data and stores securely on your mobile device, a record of all the places you have been at 15 minute intervals. This information will only be uploaded to the Server along with your DiD, (i) if you test positive for COVID-19; and/or (ii) if your self-declared symptoms indicate that you are likely to be infected with COVID-19; and/or (iii) if the result of your self-assessment test is either YELLOW or ORANGE. For the avoidance of doubt, this information will NOT be uploaded to the Server if you are not unwell of if the result of your self-assessment test is GREEN.
5. If you have tested positive for COVID-19 or if there is a high likelihood of you being infected, you have the option to press the Report button on the App which will allow you to either request a test or report that you have tested positive for COVID-19. When you press the Report button the data collected under Clauses 1(b) and (d) and securely stored on your device will be uploaded to the Server with your consent.

2. USE OF INFORMATION

1. The personal information collected from you at the time of registration under Clause 1(a) above, will be stored on the Server and only be used by the Government of India in anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country or to provide you general notifications pertaining to COVID-19 as may be required. Your DiD will only be co-related with your personal information in order to communicate to you the probability that you have been infected with COVID-19 and/or to provide persons carrying out medical and administrative interventions necessary in relation to COVID-19, the information they might need about you in order to carry out such interventions.
2. The information collected from any other user’s mobile device and uploaded and stored on the Server in accordance with Clause 1(b) will be used to calculate your probability of having been infected with COVID-19.
3. The information collected under Clause 1(c) will be used by the Government of India to evaluate, based on the self-assessment tests and the GPS locations from where they are being uploaded, whether a disease cluster is developing at any geographic location.
4. The information collected under Clause 1(d) and securely uploaded and stored on the Server will, in the event you have tested positive for COVID-19, be used to map the places you visited over the past 30 days in order to identify the locations that need to be sanitised and where people need to be more deeply tested and identify emerging areas where infection outbreaks are likely to occur. Where, in order to more accurately map the places you visited and/or the persons who need to be deeply tested, your personal information is required, the DiD associated with the information collected under Clause 1(d) will be co-related with your personal information collected under Clause 1(a).
5. The information securely uploaded and stored on the Server under Clause 1(e) will be used to calculate the probability of those who have come in contact with you being infected with COVID-19.
6. The information collected under Clause 1 will not be used for any purpose other than those mentioned in this Clause 2.

3. RETENTION

1. All personal information collected from you under Clause 1(a) at the time of registration will be retained for as long as your account remains in existence and if any medical or administrative interventions have been commenced under Clause 2, subject to Clause 3(b) below, for such period thereafter as is required for such interventions to be completed.
2. All personal information collected under Clauses 1(b), 1(c), 1(d) and 1(e) will be retained on the mobile device for a period of 30 days from the date of collection after which, if it has not already been uploaded to the Server, will be purged from the App. All information collected under Clauses 1(b), 1(c), 1(d) and 1(e) and uploaded to the Server will, to the extent that such information relates to people who have not tested positive for COVID-19, will be purged from the Server 45 days after being uploaded. All information collected under Clauses 1(b), 1(c), 1(d) and 1(e) of persons who have tested positive for COVID-19 will be purged from the Server 60 days after such persons have been declared cured of COVID-19.
3. Nothing set out herein shall apply to the anonymized, aggregated datasets generated by the personal data of registered users of the App or any reports, heat maps or other visualization created using such datasets. Nothing set out herein shall apply to medical reports, diagnoses or other medical information generated by medical professionals in the course of treatment.

4. RIGHTS

1. As a registered user, you have the right to access your profile at any time to add, remove or modify any registration information that you have supplied.
2. You cannot manage the communications that you receive from us or how you receive them. If you no longer wish to receive communications from us, you may cancel your registration. If you cancel your registration, all the information you had provided to us will be deleted after the expiry of 30 days from the date of such cancellation.

5. DATA SECURITY

The App is equipped with standard security features to protect the confidentiality and security of your information. Data is encrypted in transit as well as at rest. Personal information provided at the time of registration is encrypted before being uploaded to the cloud where it is stored in a secure encrypted server. Personal information that is stored in the Apps of other registered users that you come in contact with is securely encrypted and are incapable of being accessed by such user.

6. DISCLOSURES AND TRANSFER

Save as otherwise set out in Clause 2 with respect to information provided to persons carrying out medical and administrative interventions necessary in relation to COVID-19, no personal information collected by the App will disclosed or transferred to any third party.

7. GRIEVANCES

If you have any concerns or questions in relation to this Privacy Policy, you may address them to the Grievance Officer whose name and address are as follows: Mr. R S Mani, Deputy Director General (DDG) NIC (support.aarogyasetu@gov.in)