Privacy Policy
Last Updated: 21st January 2025
Tofi Technologies Pvt. Ltd. ('Tofi Technologies,' 'we,' 'us,' or 'our') respects your privacy and is committed to protecting your personal data. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our website and mobile applications (collectively, the 'Portal' or 'Services'). By accessing or using the Portal, you agree to this Privacy Policy and our Terms of Use. If you do not agree with the terms of this Privacy Policy, please do not access the Portal.
1. Introduction
This Privacy Policy applies to all users of the Portal, including healthcare providers and patients ('User,' 'you,' or 'your'). It explains how we handle your personal data and ensures transparency regarding our practices.
2. Consent
By using the Portal and providing your personal information, you expressly consent to the collection, use, processing, and disclosure of your personal data as described in this Privacy Policy. If you do not agree, you have the right not to use the Portal.
3. Information We Collect
3.1 Personal Data
"Personal Data" means any information relating to an identified or identifiable natural person. We may collect the following categories of Personal Data:
Identity Data:Name, date of birth, gender, and other identifiers.
Contact Data:Address, email address, telephone numbers.
Health Data:Medical records, medical history, physical, psychological, and mental health conditions.
Financial Data:Payment card details, transaction information.
Technical Data:Internet protocol (IP) address, login data, browser type and version, time zone setting, browser plug-in types and versions, operating system, and platform.
Usage Data:Information about how you use our Portal and Services.
Marketing and Communications Data:Your preferences in receiving marketing from us and our third parties.
3.2 Sensitive Personal Data
Certain categories of Personal Data are considered sensitive and require higher levels of protection. This may include information about your health, biometric data, and other sensitive information.
3.3 Non-Personal Data
We may collect non-personal data that does not identify you directly. This information is used for statistical purposes and to improve our Services.
4. How We Collect Your Data
We use different methods to collect data from and about you, including:
Direct Interactions
You may provide us with your Identity, Contact, and Health Data by filling in forms or by corresponding with us.
Automated Technologies
As you interact with our Portal, we may automatically collect Technical Data about your equipment, browsing actions, and patterns through cookies, web beacons, and other technologies.
Third Parties or Public Sources
We may receive Personal Data about you from third parties, such as healthcare providers, payment processors, analytics providers, and publicly available sources.
5. How We Use Your Personal Data
We will only use your Personal Data when the law allows us to. Most commonly, we will use your Personal Data in the following circumstances:
To Provide Services:To register you as a user, facilitate healthcare services, and manage payments.
For Legitimate Interests:To manage our relationship with you, including notifying you about changes to our terms or privacy policy.
To Comply with Legal Obligations:To comply with legal and regulatory requirements.Purposes for Which We Will Use Your Personal Data
Service Delivery:Providing you with healthcare services, including appointment scheduling, teleconsultations, and personalized health insights.
Communication:Sending you service-related communications, including confirmations, invoices, technical notices, updates, security alerts, and support.
Marketing:We may use your Identity, Contact, Technical, Usage, and Profile Data to form a view on what may be of interest to you. We will obtain your express opt-in consent before sending any promotional communications. (Google user data is never used for marketing purposes.)
6. Disclosure of Your Personal Data
We may share your Personal Data with the parties set out below for the purposes described in this Privacy Policy:
Service Providers:Third parties who provide IT and system administration services, and other services necessary to operate our business.
Professional Advisers:Lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services.
Regulatory Authorities:Government bodies and law enforcement agencies to comply with legal obligations or valid legal processes.
Third Parties in Business Transfers:In the event of a merger, acquisition, or sale of assets, your Personal Data may be transferred to the acquiring entity.
With Your Consent:We may disclose your Personal Data to third parties when you have expressly consented to such disclosure.
We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Data for their own purposes.
7. International Data Transfers
Your Personal Data may be transferred to and processed in countries other than the country in which you are resident. By using our Services, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection rules.We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.
Data Protection Standards
We implement appropriate safeguards to ensure your data receives an adequate level of protection in the recipient country.
Security Measures
We employ encryption, access controls, and monitoring systems to protect your data during international transfers.
Important Notice
By continuing to use our Services, you acknowledge and agree that your Personal Data may be transferred and processed in countries with different data protection standards than your home country.
8. Data Security
We have implemented appropriate security measures to prevent your Personal Data from being accidentally lost, used, accessed in an unauthorized manner, altered, or disclosed. These measures include:
Encryption
Securing data in transit and at rest.
Access Controls
Limiting access to your Personal Data to authorized personnel who need to know.
Regular Monitoring
Monitoring our systems for potential vulnerabilities and attacks.
Important Security NoticeDespite these measures, the transmission of information via the internet is not completely secure, and we cannot guarantee the security of your data transmitted to our Portal.
9. Data Retention
We will retain your Personal Data only for as long as necessary to fulfill the purposes we collected it for, including satisfying any legal, accounting, or reporting requirements.
Legal Obligations
We may retain your data for longer periods if required by law.
Business Purposes
For internal analysis, fraud prevention, or improving safety.
Data Deletion Policy
When we have no ongoing legitimate business need to process your Personal Data, we will delete or anonymize it.
10. Your Legal Rights
Under certain circumstances, you have rights under data protection laws in relation to your Personal Data, including:
Right to Access
Request access to your Personal Data and receive a copy of the Personal Data we hold about you.
Right to Rectification
Request correction of any incomplete or inaccurate Personal Data we hold about you.
Right to Erasure
Request erasure of your Personal Data in certain circumstances. You can also request to delete your account by emailing us at team@hecco.ai
Right to Object
Object to processing of your Personal Data in certain circumstances.
How to Exercise Your Rights
If you wish to exercise any of these rights, please contact us at
team@hecco.ai . We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data.
11. Cookies and Similar Technologies
We use cookies and similar tracking technologies to track activity on our Portal and hold certain information.
Essential Cookies
Required for the operation of our Portal. They enable basic functions like page navigation and access to secure areas.
Analytics Cookies
Help us understand how visitors interact with our Portal by collecting and reporting information anonymously.
12. Children's Privacy
Our Portal is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.If you are a parent or guardian and believe we may have collected information about your child, please contact us immediately.
13. Third-Party Links
Our Portal may contain links to third-party websites, plug-ins, and applications. Clicking on those links may allow third parties to collect or share data about you.
We do not control these third-party websites and are not responsible for their privacy statements. We encourage you to read the privacy policy of every website you visit.
14. Changes to Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by:
Sending you an email notification of changes
Posting a notice on our Portal
Your continued use of our Portal following the posting of changes constitutes your acceptance of such changes.
15. Contact Information
If you have any questions about this Privacy Policy or our privacy practices, please contact our Data Protection Officer:
Address
TOFI Technologies Pvt. Ltd.
235 BINNAMANGALA, 2ND FLR
13TH CROSS ROAD 2ND STAGE
BANGALORE NORTH
INDIRANAGAR
BANGALORE-560038
KARNATAKA
16. Compliance with Laws
We comply with applicable data protection laws, including but not limited to:
General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA)
to the extent they apply to us.
17. Limitation of Liability
To the fullest extent permitted by law, Tofi Technologies Pvt. Ltd. shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly, or any loss of data, use, goodwill, or other intangible losses resulting from:
Your access to or use of or inability to access or use the Portal;
Any conduct or content of any third party on the Portal;
Unauthorized access, use, or alteration of your transmissions or content.
18. Disclaimer
The Portal and all its content are provided on an "as is" and "as available" basis without any warranties of any kind. We do not warrant that the Portal will be uninterrupted, error-free, or secure.
You use the Portal at your own risk.
19. Indemnification
You agree to indemnify, defend, and hold harmless Tofi Technologies Pvt. Ltd., its affiliates, officers, directors, employees, agents, and licensors from and against any claims, liabilities, damages, judgments, awards, losses, costs, expenses, or fees arising out of or relating to:
Your violation of this Privacy Policy
Your use of the Portal
20. Governing Law and Jurisdiction
This Privacy Policy shall be governed by and construed in accordance with the laws of [Insert Jurisdiction], without regard to its conflict of law principles.
Any disputes arising under or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts located in [Insert Jurisdiction].
21. Force Majeure
We shall not be liable for any failure to perform our obligations under this Privacy Policy if such failure results from circumstances beyond our reasonable control, including but not limited to:
Acts of God
Natural disasters
War, terrorism, civil unrest
Pandemics
Governmental actions
22. Severability
If any provision of this Privacy Policy is held invalid or unenforceable, such provision shall be deemed modified to the extent necessary to make it valid and enforceable. The remaining provisions shall remain in full force and effect.
23. Entire Agreement
This Privacy Policy, together with our Terms of Use, constitutes the entire agreement between you and Tofi Technologies Pvt. Ltd. regarding your use of the Portal and supersedes any prior agreements.
24. No Waiver
Our failure to enforce any right or provision of this Privacy Policy will not be deemed a waiver of such right or provision.
25. Assignment
You may not assign your rights or obligations under this Privacy Policy without our prior written consent. We may assign our rights and obligations to any affiliate or in connection with a merger, acquisition, or sale of assets.
26. Specific Permissions and Disclosures
26.1 Camera and Audio Permissions
We require access to your device's camera and microphone to facilitate teleconsultations and enable you to upload medical records. Teleconsultations may be recorded by healthcare professionals for legal or medical purposes.You will be notified if the session is being recorded. You can disable camera and microphone access at any time through your device settings; however, this may limit your ability to use certain features.
26.2 File Access
We request permission to access your device's storage to allow you to upload and save medical records. We do not access any files other than those you explicitly select. You have full control over whether to share these records with healthcare professionals.
26.3 Image Capture
We require permission to use images or capture images from your device's camera for updating profile photos, uploading images as medical records, or utilizing certain features like heart rate measurement. We only save images when you explicitly choose to save them within the Tofi.Ai app.
26.4 Location Data Usage
We use location data to provide location-based services, such as showing relevant results for booking vaccination slots. We do not save or use your location data for any other purposes. You can disable location services at any time through your device settings.
26.5 Google Account Emails (Gmail)
With your explicit consent, you may connect your Gmail account to the Portal. We will securely access and analyze emails and attachments from healthcare providers for managing appointments and consolidating medical records.We will not use or transfer your Gmail data for serving ads or any purposes other than providing the Services you have authorized.You can de-link your Gmail account or delete your information at any time by contacting us at{" "}
privacy@tofi.ai .Compliance with Google API Services User Data PolicyOur use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
26.6 Health Connect Permissions
Our use of information received from Health Connect will adhere to the Health Connect Permissions policy, including the Limited Use requirements.
🧠 Use of Health Connect Data
Hecco integrates with Health Connect by Android to provide personalized, AI-powered health insights. We only access health data types that are essential to improve your care experience, generate smart timelines, and support chronic condition management.
Below is a detailed breakdown of the data types we access and how we use them:
🔥 ActiveCaloriesBurned
We use your active calorie data to track energy burned during workouts. This helps our AI agents evaluate activity patterns, suggest personalized goals, and provide insight into chronic health management.
🔥 TotalCaloriesBurned
We analyze your total calorie expenditure (resting + active) to offer complete lifestyle feedback, including trends that relate to nutrition, fatigue, or weight management.
📏 Distance
Distance data helps track how far you walk, run, or cycle. It supports our AI in understanding mobility patterns, especially for senior users or those recovering from illness.
👣 Steps
Your step count fuels your daily activity tracking, helping you stay consistent and reach personalized wellness goals across your health journey.
👟 StepsCadence
We use cadence (steps per minute) to detect walking rhythm changes, which can be useful for identifying mobility issues, especially in elderly users.
🚴 CyclingPedalingCadence
Pedaling cadence provides insights into workout quality and endurance. This helps our AI recommend training adjustments and recognize performance shifts.
🏋️ ExerciseSession
We use workout session data (like duration and type) to correlate activity with changes in vitals or symptoms, providing smarter recommendations.
😴 SleepSession
Sleep data allows us to understand your rest quality and offer insights for recovery, stress, or chronic fatigue. It also helps identify disruptions linked to health conditions.
❤️ HeartRate
Real-time and historical heart rate help monitor cardiovascular stress, detect irregularities, and optimize activity levels.
🧘 RestingHeartRate
Your resting heart rate provides a key health baseline. Changes over time can signal stress, illness, or overtraining—and help our AI personalize care suggestions.
🫁 OxygenSaturation
We monitor blood oxygen trends to support respiratory health, identify risks (e.g. sleep apnea), and provide early alerts for abnormal drops.
🔐 How We Handle Your Health Data
All data is stored securely and handled in compliance with privacy and medical data guidelines.
We do not sell or share your data with third parties.
You can revoke data access at any time via the Health Connect settings on your device.
For questions, write to us at team@hecco.ai.
27. Gmail API Access and Use
We treat your Personal Data as confidential and do not disclose it to unauthorized third parties. We implement reasonable security practices to safeguard your data.
Hecco.AI integrates with the Google Gmail API to help users automatically sync health-related emails (such as lab reports, prescriptions, medical appointments, and insurance documents) into their Hecco account for a unified health record. This section explains how we access, use, and protect your Gmail data in compliance with Google’s API Services User Data Policy.
i. What Gmail Data We Access
Hecco uses the following Gmail API scopes:
Non-sensitive scopes:
View your basic Google account information (e.g., name, email)
See and manage your email labels
Test identity and access management permissions
Sensitive scopes (used only when the add-on is active):
View your email message metadata (such as sender, subject, timestamp)
View the full content of your email messages
Restricted scope:
View your Gmail messages and settings to fetch relevant health-related emails (e.g., lab results, doctor appointments, prescriptions)
ii. How We Use Gmail Data
We use Gmail access to:
Automatically identify and extract health-related emails from your inbox (e.g., lab reports, health insurance e-cards, doctor correspondence)
Display this information inside the Hecco App so that you have a consolidated view of your medical records
Tag or label such emails (e.g., “Synced to Hecco”) to help you distinguish them in Gmail
We do not access or use your Gmail data for any other purpose, including advertising or user profiling.
iii. How We Store and Protect Gmail Data
Health-related email content (if extracted) is encrypted in transit and at rest
We follow industry best practices for data security and access control, including OAuth 2.0 authentication, role-based access, and regular audits
We do not store your full email inbox—only health-relevant email messages and metadata are selectively parsed and retained
All access is governed by user consent and is revocable at any time
iv. Data Sharing and Disclosure
We do not share, sell, or transfer your Gmail data to third parties, except:
To comply with legal obligations (if required by law)
With your explicit consent
With service providers under strict confidentiality and data protection agreements (e.g., for cloud storage)
v. User Control and Data Deletion
You may revoke our access to your Gmail account at any time via your Google Account Permissions
You may request deletion of any synced Gmail data from your Hecco App account by contacting support at team@hecco.ai
You can also manage and delete synced health emails within the Hecco App directly
vi. Compliance with Google Policies
Hecco’s use of Gmail data adheres to:
Google API Services User Data Policy
OAuth 2.0 Policies
Gmail’s restricted and sensitive scope requirements, including limited use, data minimization, and no advertising or profiling
vii.Limited Use Disclosure
Hecco.AI’s use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.
28. Confidentiality
We treat your Personal Data as confidential and do not disclose it to unauthorized third parties. We implement reasonable security practices to safeguard your data.
However, no method of transmission over the internet is completely secure, and we cannot guarantee absolute security.
29. Opt-Out
You may opt out of receiving promotional communications from us by following the unsubscribe instructions provided in those communications or by contacting us at{" "}
privacy@tofi.ai .
Please note that you may not opt out of Service-related communications, which are necessary for us to provide the Services.
30. User Responsibilities
You are responsible for maintaining the confidentiality of your account credentials and for restricting access to your devices. You agree to accept responsibility for all activities that occur under your account.
31. Feedback and Testimonials
Any feedback, suggestions, or testimonials you provide to us may be used for any purpose, including marketing and promotional purposes, without any obligation to you.
31. Third-Party Services
Our Services may include integrations or links to third-party services. We are not responsible for the privacy practices of these third parties. Your use of such services is subject to their respective privacy policies.
32. Compliance with Laws
We comply with applicable data protection laws, including but not limited to:
General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA)
to the extent they apply to us.
By using Tofi.Ai, you acknowledge that you have read, understood, and agree to all the terms and conditions of this Privacy Policy. If you do not agree, please discontinue the use of our Services.