Privacy Policy

Effective Date: May 2026 

Our Commitment to You

Carenexs is built on trust. The personal and health information you share with us is among the most sensitive data that exists. We collect it solely to provide, improve, and coordinate your care — never to sell, rent, or exploit it for commercial advertising or profiling. This Privacy Statement explains clearly and simply what we collect, why, who we share it with, and the rights you hold over your own information.

Compliant with: Digital Personal Data Protection Act 2023 (India) | DPDP Rules 2025 | IT Act 2000 & SPDI Rules 2011 | GDPR (as best practice)

1. Who We Are: Carenexs (referred to as "Carenexs", "we", "our", or "us") is an elderly care platform headquartered in Kochi, Kerala, India. We provide a holistic, technology-enabled care coordination service covering health, functional wellbeing, social engagement, environmental safety, and psychological support for elderly individuals and their families and guardians.

Legal Entity: Carenexs Health and Wellbeing Solutions Private Limited

Registered Address: XXX, Kochi, Kerala, India

Data Fiduciary (DPDPA 2023): Carenexs is the Data Fiduciary responsible for determining the purpose and means of processing your personal data under the DPDPA 2023

Data Controller (GDPR): Carenexs acts as Data Controller under GDPR where applicable to EU/EEA-resident users

Contact: Data Protection Officer: privacy@Carenexs.com, Grievance Officer (IT Act / DPDPA): grievance@Carenexs.com, Security Contact: security@Carenexs.com, General Enquiries: mail@Carenexs.com

App Stores: Available on Google Play Store (Android) and Apple App Store (iOS)

2. Scope and Applicability: This Privacy Statement applies to all personal data collected through the Carenexs mobile application (Android and iOS), the Carenexs web portal at Carenexs.com and its associated portals, email and text communications, in‑app messages and other electronic interactions with Carenexs, remote physiological and safety‑monitoring devices paired with the platform, assessments, care plans, activity logs and check‑ins completed within the app, as well as any Carenexs‑integrated third‑party services for which you have provided explicit consent. This Statement covers (a) elderly members enrolled on the Carenexs platform, (b) guardians, care‑circle members, and authorised representatives who access the platform on a member’s behalf, and (c) Client Advisors (CAs) and professional care partners who access member data in their care‑delivery role.

 3. Personal Data We Collect: We collect only the minimum personal data necessary to provide safe, personalised care — consistent with the data minimisation principle under both the DPDPA 2023 and GDPR.

3.1 Identity and Contact Information: We collect only the identity and contact information necessary to create your account, verify your profile, and deliver personalised care. This includes your name, date of birth, gender, optional photograph, home address, district and PIN code, mobile number, email address, emergency contact details, and—where voluntarily provided—your ABHA number. We also record your language and accessibility preferences to ensure that communication and support are tailored to your needs.

3.2 Health and Medical Information: We process health and medical information that is essential for safe care delivery. This category is classified as Sensitive Personal Data under the IT (SPDI) Rules 2011 and Special Category Data under GDPR, and therefore receives the highest level of protection. It may include chronic conditions, diagnoses, medical history, medication details, vital signs (entered manually or via paired devices), functional assessment scores across all care domains, wellbeing and screening results, symptom logs, laboratory records, incident reports, and frailty or mobility indicators. This information is used solely for care and never for advertising or profiling.

3.3 Health Information from Connected Third‑Party Services: With your explicit consent, Carenexs may connect to third‑party health applications and devices—such as Apple Health, Android Health Connect, or laboratory services—to import specific health data that supports your care. This may include heart rate, sleep and activity information, blood oxygen levels, respiratory rate, height, weight, and authorised laboratory results. Unless you choose to enable cloud storage, biometric data imported from these services is processed locally on your device and is not stored on Carenexs servers.

3.4 Care Plan and Activity Data: We collect information related to your personalised care plan, including your goals, target scores, review milestones, daily check‑in responses, wellbeing indicators, activity notes, weekly schedules, appointment records, and reminder preferences. We may also process your responses to surveys or quality‑assurance questionnaires to improve the care experience and service quality.

3.5 Support Network and Guardian Data: To enable coordinated care, we collect information about your support network, including the names, contact details, and relationships of guardians, care‑circle members, or any individuals you nominate. We also record the access permissions you grant to these individuals, along with data from social‑support assessments that help us understand the strength and structure of your care environment.

3.6 Technical and Device Data: For security, service delivery, and quality improvement, we collect technical and device information such as device type, operating system, app version, IP address, browser type (for web access), session identifiers, usage patterns, approximate district‑level location for service matching, Bluetooth identifiers for paired devices, crash reports, and technical error logs. We also process subscription‑related transactional data; however, Carenexs does not store payment card numbers, and payments made through the Apple App Store are handled under Apple’s own privacy policy.

3.7 Inferences: We may generate limited inferences from the data described above—such as risk indicators derived from assessment scores or patterns observed in your care‑related information—to support clinical decision‑making and strengthen your personalised care plan. These inferences are used strictly within the care‑coordination process and are never shared externally for commercial, marketing, or profiling purposes.

Note: Carenexs does not collect social media profile data, financial information beyond subscription‑related payments, or biometric identifiers such as fingerprints or facial scans. Device‑level biometric authentication (e.g., Face ID or fingerprint unlock) is processed entirely on your device and is never accessible to Carenexs. We also do not collect data from individuals under the age of 18, except where they are included as part of a member’s Care Circle.

4. How We Collect Your Personal Data

4.1 Directly From You We collect personal data directly from you when you register for the Carenexs service and create your profile, complete assessments, enter care‑plan information, or submit daily check‑ins within the app. We also receive information when you contact us by phone, email, or through in‑app support, when you respond to quality‑assurance surveys, and when you use the family‑sharing features to invite relatives to view your care records.

4.2 Automatically Through the App and Connected Devices Certain data is collected automatically as you use the Carenexs app, including the technical and device information described in Section 3.6. We also receive health readings from any monitoring devices you have paired—such as blood pressure monitors, glucometers, or wearables—and Health Information imported from third‑party health apps where you have granted explicit permission. In addition, we collect approximate district‑level location data to help match you with appropriate care partners.

4.3 From Third Parties We may receive information from your care partners—such as doctors, home‑nursing agencies, or diagnostic centres—when you request a service referral and authorise the sharing of relevant data. We may also receive information from family members or guardians listed on your Carenexs account when they provide details on your behalf.

Note You have full control over whether family members can access your care records. The app allows you to invite specific individuals to view your information so they can track your progress and support your care. You may revoke access for any person at any time through the app’s Privacy Controls, and each family member will only see the information within the permissions you have granted.

5. How We Use Your Personal Data: We use your personal data only for specific, legitimate purposes connected to your care and the safe operation of the Carenexs platform. Your information is never used for advertising, commercial profiling, or sold to any third party.

5.1 Providing and Coordinating Your Care (Lawful Basis: Consent): We use your data to conduct your multi‑domain assessment, determine your care segment, and create your personalised care plan. Your information enables Guardians, Care Circle members, and Client Advisors to monitor your wellbeing, review your goals, and escalate care when needed. We use your data to send medication reminders, appointment notifications, and check‑in prompts to you and your authorised guardians, and to notify your family circle when a risk‑based alert is triggered. Your data also allows us to connect you with appropriate care and service partners, track your progress over time, respond to your requests for information or services, fulfil obligations under any care service contracts, and inform you of important updates to the app, the service, or this Privacy Statement.

5.2 Safety and Emergency Response (Lawful Basis: Vital Interest / Legal Obligation): We process your data to generate automated risk alerts when assessments or incidents indicate immediate care needs. Where there is a risk to life, we may share relevant health information with emergency services or healthcare providers, including without prior consent where permitted or required by law. We may also use your data to investigate suspected fraud, misconduct, or unlawful activity on the platform.

5.3 Internal Quality Improvement and Analytics (Lawful Basis: Legitimate Interest — Anonymised)

For internal improvement, Carenexs uses only anonymised and aggregated data that cannot identify you. This de‑identified information helps us analyse care‑outcome trends, improve assessment tools, refine alert algorithms and care‑plan templates, and generate internal reports for quality control, clinical governance, service design, and partner performance reviews. It is also used to train and validate predictive models—such as hospitalisation‑risk indicators—and to understand app‑usage patterns to enhance the user experience. Note: Health Information imported from third‑party apps is never used for advertising or marketing. If you enable the AI‑powered response feature, anonymised Health Information may be processed by our third‑party AI technology partners solely to provide that feature, and only at your direction. You may disable this feature at any time.

5.4 Legal and Regulatory Compliance (Lawful Basis: Legal Obligation): We process your data to comply with applicable laws and regulations, including the DPDPA 2023, DPDP Rules 2025, IT Act 2000, SPDI Rules 2011, and relevant healthcare requirements. We may use your information to respond to lawful orders from courts, the Data Protection Board of India, or other competent authorities, and to maintain records required for clinical governance, patient safety, and audit purposes.

6. Consent

6.1 How We Obtain Consent : Carenexs obtains free, informed, specific, and unambiguous consent before collecting any personal data, in accordance with the DPDPA 2023. At registration, we present a clear, plain‑language consent notice in English and Malayalam and explain the purpose of each category of data before seeking your agreement. We do not pre‑tick consent boxes, bundle consent for unrelated purposes, or make consent a condition for services where another lawful basis is more appropriate. We maintain a timestamped, verifiable record of your consent and any changes you make, and we may use online click‑through agreements or in‑person/telephone confirmation where written consent is not practicable.

6.2 Guardian Consent: Where an elderly member has a guardian or authorised representative, the guardian may provide consent on the member’s behalf in line with the DPDP Rules 2025. Carenexs documents guardian consent with enhanced verification, always seeks to respect the member’s own expressed preferences, and conducts annual consent reviews for members whose decision‑making capacity may change over time.

6.3 Withdrawing Consent: You may withdraw your consent at any time without penalty by using the Privacy Controls in the app or by emailing privacy@Carenexs.com with the subject line Consent Withdrawal. Withdrawal takes effect within 30 days. If withdrawing consent affects our ability to provide core care‑coordination services, we will explain the implications before completing your request. Continued use of the app after an updated Privacy Statement becomes effective constitutes acceptance of the updated terms, except where material changes affect your rights—in which case we will seek renewed, affirmative consent.

7. Who We Share Your Data With: Carenexs does not sell or rent your personal data to any third party under any circumstances. Sharing is strictly limited to specific categories, always with appropriate safeguards in place.

7.1 Within Carenexs: Your data may be accessed by Client Advisors assigned to your care, limited to what is necessary for care management; by the clinical governance team for quality review using pseudonymised data where possible; and by the technical team for maintenance and security, with access restricted to system logs and never to your health content.

7.2 Your Family and Guardian Circle: Guardians and Care Circle members you have explicitly authorised may receive your care summary, check‑in updates, medication reminders, and incident notifications. You or your guardian control the scope of access through the app’s Privacy Controls. Care Circle members do not receive full clinical assessment data unless you specifically grant this permission.

7.3 Care Partners and Service Providers: We share only the minimum necessary care‑plan information with professional care partners when you have actively requested or accepted a service referral. All partners operate under a Data Processing Agreement (DPA) that prohibits any use of your data beyond delivering the requested service.

7.4 Technology Service Providers (Data Processors): Carenexs uses trusted technology providers who act solely on our instructions and are contractually bound to process only what we direct, retain data only as long as necessary, and delete or return data upon termination. These include our India‑based cloud infrastructure provider, push‑notification service, independent payment gateway (Carenexs does not store card details), analytics platform receiving only anonymised data, and third‑party AI providers used exclusively for optional AI‑powered features with anonymised Health Information.

7.5 Research and Development Partners: We may share anonymised data with partners who support service development and improvement. These partners are bound by non‑disclosure obligations and may not use the data for any other purpose.

7.6 Corporate Transactions: If Carenexs undergoes a financing event, reorganisation, merger, acquisition, or sale of all or part of the business, your personal data may be transferred to the relevant parties under strict confidentiality obligations. You will be notified of the transaction and your options before any transfer takes effect.

7.7 Legal Disclosure: We may disclose personal data without consent only when required by a court order, the Data Protection Board of India, or another competent authority; when necessary to prevent or respond to a life‑threatening emergency; or when needed to protect our rights, property, or safety—or the safety of others—in connection with legal claims or fraud prevention.

8. Datastorage

8.1 Storage Within India

In accordance with India’s DPDPA 2023 and national data‑localisation requirements, all personal data of Carenexs members is stored on secure servers located within India, and all primary data processing takes place within India. Contact and profile information, care assessments, and all non‑biometric user‑generated data are stored using secure India‑based cloud hosting. Health Information imported from connected devices is processed locally on your device by default; unless you enable cloud sync, Carenexs does not store imported biometric Health Information on its servers. Aggregated and anonymised analytics data may be retained for product improvement, fraud prevention, and quality analytics, as it cannot reasonably be used to identify you.

8.2 Cross‑Border Transfers

If any processing involves service providers whose backup or infrastructure includes locations outside India, Carenexs ensures that such transfers occur only to countries formally recognised by the Central Government as providing adequate protection, or under contractual safeguards equivalent to GDPR Standard Contractual Clauses (SCCs). This section will be updated if the primary storage location changes.

9. Data Security

9.1 Technical Safeguards

Carenexs uses multiple layers of technical protection to secure your data. All data in transit is encrypted using TLS 1.3 or higher, and all data at rest is encrypted using AES‑256. Health data is stored in a separately secured tier with restricted access controls. Multi‑factor authentication is required for all Client Advisor logins, and device‑level biometric authentication is supported for member access. Automated security scanning and annual penetration testing are conducted, session tokens expire after inactivity, and system architecture is continuously monitored for vulnerabilities.

9.2 Organisational Safeguards

Access to personal data is granted strictly on a need‑to‑know basis through role‑based access controls. All staff with data access undergo data‑protection training at onboarding and annually, and are bound by confidentiality obligations with disciplinary consequences for breaches. Third‑party vendors undergo security assessments before engagement, and internal audits of access logs are conducted quarterly to ensure compliance.

9.3 Your Responsibilities

The security of your account also depends on you. You are responsible for keeping your Carenexs password or PIN confidential and not sharing it with others. If you suspect that your account has been compromised, you should contact us immediately at security@Carenexs.com or contact@Carenexs.com.

9.4 Security Incident Notification

10. How Long We Keep Your Data

Carenexs retains personal data only for the minimum period necessary to fulfil the purposes for which it was collected and in accordance with applicable legal and healthcare‑record requirements. Active member data is retained for the full duration of membership and for seven years after service termination, consistent with Indian healthcare norms. Incident records are kept for seven years from the date of the incident, and assessment records are retained for seven years from the last assessment unless you request deletion, subject to legal obligations. Daily check‑in logs are stored for three years, although aggregated trends may be kept longer in anonymised form. Contact and profile information is retained while your account remains active and for a reasonable period thereafter to resolve outstanding obligations or disputes. Consent records are maintained for the full membership period plus seven years as evidence of lawful processing. Technical and session logs are retained for 90 days for security monitoring and debugging. If you submit a deletion request, eligible data will be deleted within 30 days unless legal retention requirements apply, in which case you will be informed. Anonymised analytics data, which cannot be linked to any individual, may be retained indefinitely. Requests to delete Health Information may be submitted at any time to contact@Carenexs.com.

11. Your Rights Over Your Personal Data

Under the DPDPA 2023 and, where applicable, the GDPR, you have several rights regarding your personal data, and Carenexs will respond to all valid requests within 30 days at no charge. You have the Right to Access, allowing you to request a copy of all personal data we hold about you, the purposes for which it is used, and any sharing that has occurred. You may exercise this by emailing privacy@Carenexs.com with the subject Data Access Request. You have the Right to Correction to update inaccurate or incomplete information, which you may do directly in the app or by contacting us; corrections are completed within seven working days. The Right to Erasure allows you to request deletion of your data, subject to legal retention obligations, by emailing Erasure Request to the same address. Through the Right to Data Portability, you may request your data in a machine‑readable format (PDF or JSON) for transfer to another service. You may also exercise the Right to Restrict Processing for specific purposes, such as analytics, using the app’s Privacy Controls or by contacting us.

Although Carenexs does not sell or share personal data for commercial purposes, you retain the Right to Opt Out of Sale or Sharing. You may also withdraw consent at any time under the Right to Withdraw Consent, as described in Section 6.3. The Right to Nominate allows you to designate another individual to exercise your rights in the event of death or incapacity. If a request is denied or limited, you may use the Right to Appeal by emailing grievance@Carenexs.com with the subject Decision Appeal. Under GDPR, you also have the Right to Object to processing based on legitimate interests, including internal analytics. Finally, you have the Right to Grievance Redressal, enabling you to lodge a complaint if you believe your data rights have been violated; unresolved concerns may be escalated to the Data Protection Board of India.

Note: Guardians and authorised representatives may exercise these rights on behalf of the elderly member they support. Verification of identity and authorisation will be required before any action is taken.

12. Special Protections for Elderly Members and Vulnerable Users

12.1 Accessibility and Comprehension

Carenexs provides enhanced accessibility measures to ensure elderly members and vulnerable users can understand and manage their privacy choices. All privacy communications are written in plain language and available in both English and Malayalam. Members who require assistance may request a verbal explanation from their Client Advisor at any time. The app supports voice‑based consent mechanisms for users with low literacy or visual impairments, and all in‑app privacy controls use large text, high‑contrast design, and simple language to support ease of use.

12.2 Guardian Oversight

A guardian may be designated at enrolment to receive privacy notices and exercise data rights on behalf of the member. Carenexs maintains a register of guardian authorisations, which is reviewed at least annually. Even when a guardian is appointed, the member’s own expressed preferences will always be respected wherever possible.

12.3 Dementia and Cognitive Impairment

For members living with dementia or significant cognitive impairment, guardian consent is mandatory and documented with enhanced verification. The app’s carer mode ensures that cognitively impaired members are not required to navigate complex consent flows independently. Regular consent reviews are conducted for members whose decision‑making capacity may change over time.

12.4 No Data from Minors

The Carenexs app is intended only for adults aged 18 and above and their adult carers. We do not knowingly collect data from anyone under 18. If we become aware that data from a minor has been collected, it will be deleted immediately. Concerns may be reported to privacy@Carenexs.com.

13. Cookies, App Analytics, and Tracking

13.1 Mobile App

The Carenexs mobile app does not use advertising cookies or cross‑app tracking. We use only limited first‑party session data to keep you securely logged in, remember your language and accessibility preferences, and diagnose technical issues through anonymised crash reports.

13.2 Web Portal

The Carenexs web portal uses browser cookies to maintain login sessions, remember preferences, and collect anonymised traffic analytics. You may configure your browser to refuse cookies, although some portal features may not function correctly without them.

13.3 Internal Analytics

We use internal analytics to understand app usage in aggregate—such as which features are most used and where users encounter difficulty. This information is collected at the aggregate level, is not linked to individual identities, and is not shared with any external analytics provider capable of identifying you.

13.4 Third‑Party SDKs

The app may include third‑party SDKs for crash reporting and push notifications. These tools are configured to collect only technical identifiers and never health content. A current list of SDKs and their data practices is available on request at privacy@Carenexs.com.

13.5 No Third‑Party Advertising Trackers

Carenexs does not use third‑party advertising trackers, retargeting pixels, or web beacons. We do not share your activity data with advertising networks.

14. Third‑Party Links and Services

The Carenexs app and portal may contain links to third‑party websites or services, such as care‑partner portals or health‑information resources. Carenexs is not responsible for the content, privacy practices, or security of these external services, and their privacy policies govern any data you share with them directly. Where third‑party services are integrated into the Carenexs platform with your consent—such as laboratory result providers—the data shared is strictly limited to what is necessary for that specific integration, as described in Sections 3.3 and 7.4.

15. Legal Framework and Regulatory Compliance

Carenexs complies with all applicable data‑protection and healthcare‑information laws. Under the DPDPA 2023, Carenexs acts as the Data Fiduciary and adheres to requirements on consent, notice, data‑principal rights, breach reporting, and cross‑border transfers. The DPDP Rules 2025—including provisions on consent managers (effective November 2026), verifiable guardian consent, breach‑notification timelines, and protections for vulnerable users—are fully reflected in this Statement. The IT Act 2000 and SPDI Rules 2011 continue to apply during phased DPDPA implementation and classify health information as Sensitive Personal Data, requiring enhanced security and consent safeguards. Carenexs also aligns with Ayushman Bharat Digital Mission (ABDM) standards; members may voluntarily link their ABHA number, and no data is shared with the ABDM ecosystem without explicit consent. GDPR principles—such as data minimisation, purpose limitation, accountability, portability, and the right to object—are applied as best practice, particularly for EU/EEA‑resident users. The grievance‑redressal process complies with the Consumer Protection Act 2019, ensuring members have clear avenues for raising concerns

16. How to Contact Us and Raise a Complaint

16.1  Contact Details

Data Protection Officer: privacy@Carenexs.com , Grievance Officer: grievance@Carenexs.com  |   Response within 30 days, Security / Breach Reporting< security@Carenexs.com

General Queries

contact@Carenexs.com

Postal Address

[Data Protection Officer], Carenexs, [Full Registered Address], Kerala, India

In-App Support

'Help & Privacy' section within the app

16.2  Grievance Redressal Process

•        Step 1: Email grievance@Carenexs.com. We will acknowledge within 3 working days and respond in full within 30 days.

•        Step 2: If you are not satisfied with our response, you may escalate to the Data Protection Board of India at the contact details published by MeitY (Ministry of Electronics and Information Technology).

•        Step 3: EU/EEA residents may also lodge a complaint with their local Data Protection Authority.

17. Changes to This Privacy Statement

We may update this Privacy Statement to reflect changes in law, our services, or our data practices. When we make material changes:

•        We will notify you via push notification or in-app banner at least 14 days before changes take effect

•        The updated Statement will be posted in the app's 'Privacy & Legal' section with a clearly visible version number and effective date

•        For significant changes affecting your rights (e.g., a new sharing arrangement), we will seek renewed, affirmative consent before those changes apply to your data

The current version number and effective date are shown in the document header and footer. If you have any questions about changes, contact privacy@Carenexs.com.

18. Key Definitions

Category

Details

Data Fiduciary (DPDPA)

An entity that determines the purpose and means of processing personal data. Carenexs is the Data Fiduciary.

Data Principal (DPDPA)

The individual to whom the personal data relates — the elderly member or carer.

Data Controller (GDPR)

Equivalent to Data Fiduciary — the entity that determines how personal data is processed.

Data Processor

A third party that processes personal data solely on behalf of Carenexs under a Data Processing Agreement.

Personal Data

Any data that can identify an individual directly or indirectly.

Sensitive Personal Data (SPDI Rules)

Includes passwords, financial information, health and medical records, biometrics, and sexual orientation — requires enhanced security and explicit consent.

Special Category Data (GDPR)

Data on health, mental health, religious beliefs, racial origin, etc. — requires explicit consent to process.

Health Information

Biometric and physiological data imported from third-party health apps or connected devices, as described in Section 3.3.

Consent

Free, specific, informed, and unambiguous agreement to data processing, expressed through a clear affirmative action (never silence or pre-ticked boxes).

Care Circle

A family member or any other person explicitly designated by the elderly member or their guardian to assist in the assessment, care planning, care, and monitoring of the elderly person’s care

Guardian

A person legally or formally authorised to act on behalf of an elderly member who lacks full capacity to act independently.

Processing

Any operation performed on personal data: collection, storage, use, disclosure, or deletion.

Anonymised Data

Data from which all identifying information has been irreversibly removed, such that no individual can be identified.

DPDPA

Digital Personal Data Protection Act, 2023 (India).

DPDP Rules

Digital Personal Data Protection Rules, 2025 (India).

GDPR

General Data Protection Regulation (EU) 2016/679.

CCM

Care Coordination Manager — a Carenexs professional responsible for coordinating a member's care plan.

ABHA

Ayushman Bharat Health Account — India's national digital health ID.

ABDM

Ayushman Bharat Digital Mission — India's national digital health ecosystem.