Privacy Policy
Your data, your rights, our commitments.
Kinsu Health ("Kinsu", "we", "us") is built on a simple principle: your family's health data is yours. This policy explains what we collect, where it lives, and the rights you have under India's Digital Personal Data Protection Act, 2023 ("DPDP Act").
Last updated: 22 April 2026 · Effective from: launch date
1. Who we are
Kinsu AI Labs is an Indian technology company headquartered in India. We operate the Kinsu Health Android application and the website at kinsu.health. For the purposes of the DPDP Act, we are the Data Fiduciary. You are the Data Principal.
2. What data we collect
We collect only what we need, and we tell you why at the point of collection.
Data you provide
- Account basics: name, mobile number, email (only if you opt in).
- Health records: prescriptions, lab reports, X-rays, vitals, medications, vaccination records, routines.
- Family members: profile information for dependants or caregivers you add.
- Emergency info: blood group, allergies, emergency contacts (only if you fill the Medical ID).
Data we generate
- App usage diagnostics: crash logs, anonymised app version / device model. You can turn this off.
- AI-derived summaries: generated on your device. Not sent to our servers.
What we do not collect
- Precise location.
- Contact list, photo library, or SMS content beyond what you explicitly attach.
- Data about anyone who is not in your Kinsu family vault.
3. Where your data lives
Kinsu is offline-first. By default, your records are stored in an encrypted database on your Android device.
Cloud sync is opt-in, per category. You can enable sync for Records but not Medications, or for one family member but not another. Synced data is encrypted in transit (TLS 1.3) and at rest (AES-256). Our cloud storage is hosted in India.
AI runs on your device. Our AI engine, Sparrow, is designed to run on-device. Your health data is not sent to our servers, to model providers, or to any third-party cloud for AI processing.
4. Why we process your data (purposes)
- To provide the app's core features — vault, medications, vitals, family care, SOS, routines, AI insights.
- To sync your data across your devices if you enable cloud sync.
- To notify you about updates to Kinsu — and only Kinsu — if you joined the waitlist or consented.
- To diagnose and fix technical issues (if you opt in to diagnostics).
- To comply with Indian law, including when required by a court or the Data Protection Board.
We do not use your health data to train AI models, to profile you for advertising, or to sell to anyone.
5. Consent and how to change it
Under the DPDP Act, consent must be free, specific, informed, unconditional, and unambiguous. In Kinsu, consent is granular across five categories:
- Medical records (reports, prescriptions)
- Vitals (BP, sugar, SpO₂, weight, pulse)
- Medications (dosages, reminders)
- Family sharing (per relationship)
- AI insights (on-device processing)
You can change any consent at any time via Settings → Privacy → Consents. Withdrawal takes effect immediately. Withdrawing consent does not affect the lawfulness of processing before the withdrawal.
6. Your rights under the DPDP Act
Right to access
You can export every piece of data associated with your account in a machine-readable format. Settings → Privacy → Export my data.
Right to correction
You can edit any record you've added. For account basics, contact the DPO.
Right to erasure
One tap in Settings → Privacy → Delete my account erases everything permanently. No retention, no undo. Cloud copies are deleted from all backup systems within 30 days.
Right to nominee
You may nominate a family member to inherit access to your vault in the event of your death or legal incapacity. Settings → Privacy → Nominee.
Right to grievance redressal
If we fall short, contact our Data Protection Officer (see §10 below). If unresolved within 30 days, you may escalate to the Data Protection Board of India.
7. How long we retain your data
- Active accounts: as long as the account exists.
- After deletion: removed from live systems within 24 hours; removed from all backups within 30 days.
- Diagnostic logs: 90 days, then deleted.
- Waitlist email: until you ask us to remove it, or 24 months after our public launch — whichever comes first.
8. Sharing and disclosure
We do not sell, rent, or trade your personal data. Ever.
We share data only in these narrow cases:
- Processors you've explicitly enabled: for example, cloud sync uses our hosting provider in India. We maintain a current list at kinsu.health/processors.
- Legal compliance: when required by a valid order from an Indian court or a competent authority.
- Protection of rights: to protect the safety of a user or the public.
9. Children and minors
Kinsu is designed for adults to manage their families' health, including minors' records. A parent or legal guardian must set up the account and provide consent on behalf of any minor. We do not knowingly process any data provided directly by a child under 18 without parental consent.
10. Contact — Data Protection Officer
Kinsu has a named DPO. The email below goes to a human.
Email: dpo@kinsu.health
Response SLA: within 7 working days, per DPDP Act requirements.
Postal address: Kinsu AI Labs, India. (Full postal address on request by email.)
11. Security
We take reasonable and appropriate technical and organisational measures to protect your data — encryption in transit and at rest, code review, access controls, incident response. No system is absolutely secure; we don't pretend otherwise. If a personal data breach occurs, we will notify affected users and the Data Protection Board as required by law.
12. Changes to this policy
If we change this policy materially, we will notify you in-app and by email (if we have one for you) at least 14 days before the change takes effect. The latest version is always at kinsu.health/privacy.
13. Governing law
This policy is governed by the laws of India. Disputes fall under the exclusive jurisdiction of the courts at Bengaluru, Karnataka, India.
This policy is written to be read. If anything here is unclear, that's a bug — email the DPO and we'll fix it.