Privacy Policy
Last updated: March 2026
AIWO Privacy Policy
Overview - Which Part Applies to You
AIWO ("we", "us", "our") operates two distinct services. Because the data involved is very different, this policy is organised into two tracks plus a set of shared provisions. Read the track that matches how you use AIWO.
| If you… | Read | Covers |
|---|---|---|
| Shop on aiwo.com, place orders, or receive our marketing on email / WhatsApp | Part 1 — AIWO Kart | E-commerce, orders, website analytics, advertising, WhatsApp |
| Use the AIWO LifeOS app or services on aiwohealth.com (health records, VIVA, wearables, care team) | Part 2 — AIWO LifeOS | Health data, AI assistant, Apple Health, protocols, care team |
| Want to know your rights, security, breach, transfers, or contacts | Part 3 — Provisions Common to Both | Rights, children, security, breach, international transfers, contact |
This policy is governed by Indian law, principally the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology Act, 2000 and its rules. By using either service you consent to the practices described in the relevant track. If you do not agree, please discontinue use of that service.
Part 1 — AIWO Kart (aiwo.com)
- Scope
- Information we collect
- How we use your information
- Legal basis for processing
- Advertising & marketing
- Cookies
- Data sharing & disclosure
- Data retention
- Kart data protection contact
Part 2 — AIWO LifeOS (aiwohealth.com)
- At a glance
- Who we are & scope
- Data we collect
- How we use your data
- AI processing — VIVA, Wellness Index, report analysis
- Your care team
- Data sharing & third parties
- Storage, security & retention
- Apple HealthKit — required disclosures
- LifeOS data protection contact
Part 3 — Common to Both
Part 1 — AIWO Kart (aiwo.com)
Applies to shopping, orders, the aiwo.com website, and our email / WhatsApp communications. This part does not cover health data in the LifeOS app — see Part 2.
1.1 Scope
This part applies when you visit aiwo.com, make a purchase, engage with our WhatsApp communications, or participate in our community programmes — including AIWO Women, AIWO Founders Circle, and AIWO Influence.
1.2 Information We Collect
1.2.1 Information you provide directly
- Full name, email address, phone number, and delivery address (when placing an order or registering)
- Date of birth and gender (for personalised wellness recommendations)
- Payment information — processed securely through third-party payment gateways; AIWO does not store card details
- Health goals and wellness preferences shared during onboarding or diagnostics
- Communications you send us via email, WhatsApp, or contact forms
1.2.2 Information collected automatically
- IP address, browser type, and device information
- Pages visited, time spent, and interaction data on aiwo.com
- Cookies and tracking pixels (see §1.6)
- Referral source (how you found our website)
1.2.3 Information from third parties
- Purchase and behavioural data from our Shopify store
- Campaign engagement data from Meta Ads (Facebook/Instagram) and Google Ads
- WhatsApp message interaction data via WATI (our WhatsApp Business API provider)
- Influencer campaign data from our AIWO Influence programme
1.3 How We Use Your Information
- Processing and fulfilling orders, including shipping notifications and delivery updates
- Sending transactional communications (order confirmations, invoices, tracking updates)
- Personalising your experience and recommending relevant products or programmes
- Sending marketing communications via email and WhatsApp — only with your consent
- Running and optimising targeted advertising on Meta and Google platforms (see §1.5)
- Analysing website usage to improve user experience
- Managing community participation in AIWO Women, AIWO Founders Circle, and AIWO Influence
- Complying with Indian law, including FSSAI and GST obligations
- Fraud detection, security monitoring, and abuse prevention
1.4 Legal Basis for Processing
- Contractual necessity: to fulfil orders and provide services you have purchased
- Legitimate interest: to improve our products, services, and marketing effectiveness
- Consent: for marketing communications and optional data collection; you may withdraw consent at any time
- Legal obligation: where required by Indian law or regulatory authorities
1.5 Advertising & Marketing
With your consent, AIWO uses your Kart shopping and website data to deliver and measure advertising on Meta (Facebook/Instagram) and Google, and to send marketing on email and WhatsApp. Data shared with advertising platforms is limited to anonymised and hashed data only. You can opt out at any time — click Unsubscribe in any email, reply STOP on WhatsApp, or manage cookie consent in your browser (see §1.6).
1.6 Cookies
Our website uses cookies and similar tracking technologies to enhance browsing, analyse traffic, and personalise content and advertisements.
- Essential cookies: necessary for the site to function (shopping cart, session management)
- Analytics cookies: to understand how visitors use the website (Google Analytics)
- Marketing cookies: to deliver relevant ads on Meta and Google platforms
You may manage or disable cookies through your browser settings. Disabling certain cookies may affect website functionality.
1.7 Data Sharing & Disclosure
1.7.1 Third-party service providers
We share data with trusted third parties only as necessary to deliver our services:
- Logistics partners (order fulfilment and delivery)
- Payment gateways (Razorpay, PhonePe, or equivalent — secure transaction processing)
- Shopify (e-commerce platform)
- WATI (WhatsApp Business messaging)
- Meta Platforms and Google (advertising — anonymised and hashed data only)
- Email marketing platforms
- Diagnostic and health service providers (for AIWO Health programmes, with explicit consent)
1.7.2 We do not sell your data
AIWO does not sell, rent, or trade your personal information to any third party for their independent marketing purposes.
1.7.3 Legal disclosures
We may disclose your information if required by law, court order, or government authority, or to protect the rights, property, or safety of AIWO, our customers, or others.
1.8 Data Retention
| Data type | Retention |
|---|---|
| Order and transaction data | 7 years (Indian tax law) |
| Account and profile data | Until you request deletion, or 2 years of inactivity |
| Marketing communications data | Until consent is withdrawn |
| WhatsApp interaction data | 12 months |
1.9 Kart Data Protection Contact
- Name: Hemalatha
- Designation: Data Protection Officer — AIWO Kart
- Email: privacy@aiwo.com
- Address: AIWO, Chennai, Tamil Nadu, India
- Response time: within 30 days of receipt
Part 2 — AIWO LifeOS (aiwohealth.com)
Applies to the AIWO LifeOS mobile application (iOS), its backend services, and aiwohealth.com. AIWO LifeOS is currently invite-only, available exclusively to registered AIWO clients.
2.0 At a Glance
| We do not sell your personal data. | Not to anyone. Not in aggregate. Not de-identified. Not ever. |
| We do not use health data for advertising. | Your lab reports, Apple Health data, supplement logs, and VIVA conversations are never used for ad targeting or behavioural marketing. |
| Stored in India. | Your records, VIVA chat history, goals, and metrics live on servers in India. To answer a VIVA question, de-identified content briefly transits to third-party AI model providers — see §2.5. |
| You can revoke consent at any time. | The Privacy & Consents ledger inside the app lets you grant or withdraw consent for HealthKit, AI model improvement, research, and marketing — independently and instantly. |
| You own what you upload. | Your lab reports, goals, and VIVA chats remain yours. We hold a limited licence to process them so we can serve you. |
| AIWO LifeOS is invite-only. | The app is currently available exclusively to registered AIWO clients. We do not run open consumer signups in v1. |
This summary is for orientation. The detailed sections below govern in case of any difference in interpretation.
2.1 Who We Are & Scope
AIWO Limited operates the AIWO LifeOS platform, which combines AI-assisted analysis of health records, integration with wearables and Apple Health, supplement and protocol tracking, goal management, and a managed care-team workflow into a single mobile application (the "Services").
This part applies to: all users of the AIWO LifeOS iOS app; visitors to aiwohealth.com and its subdomains; individuals whose data is shared with AIWO by a registered client (e.g., an emergency contact); and healthcare professionals and care-team members operating within AIWO.
It does not govern: third-party services reached through links inside the app (external pharmacies, labs — they have their own policies); data processed by Apple itself when you use HealthKit or iOS; or content you share publicly in the AIWO Community, which other users in your group may see (§2.3.8).
2.2 Data We Collect
We collect only the data necessary to deliver the Services. Each category explains what we collect, why, and the legal basis under the DPDP Act.
2.2.1 Account & profile data
| Field | Purpose | Legal basis |
|---|---|---|
| Name | Account identification, personalisation | Consent |
| Email address | Authentication, service communications | Consent |
| Mobile phone number | OTP verification, urgent notifications | Consent |
| Date of birth | Age verification (18+), age-appropriate insights | Consent |
| Sex assigned at birth | Reference ranges for biomarker analysis | Consent |
| Height, weight | Body composition metrics, Wellness Index inputs | Consent |
| Address | Logistics for at-home services and lab collection | Consent |
| Profile photo or initials | Display in app | Consent |
You may leave height, weight, address, and other optional fields blank — the app still functions with reduced personalisation.
2.2.2 Health records you upload
When you upload a blood test report, diagnostic scan, or prescription, we collect: the document file itself (PDF or image); biomarkers and values automatically extracted from it; and metadata (upload date, source, document type, your annotations). These records are treated as sensitive personal data under the DPDP Act and receive the highest level of protection we offer.
2.2.3 Apple HealthKit data
When you connect Apple Health, we read only the categories you authorise in the iOS permission dialog, which may include: step count and daily activity; active and resting calories; sleep duration and stages; heart rate (resting, walking, workout); heart rate variability (HRV); blood oxygen (SpO₂); body weight and BMI where present; and other categories you explicitly authorise.
Apple HealthKit data is used solely to compute your Wellness Index, populate your daily metrics, and provide personalised insights inside the app. We do not use it for advertising, share it with data brokers, sell it, or use it for any purpose conflicting with Apple's HealthKit & Health Records API Guidelines. You may revoke access any time via iPhone Settings → Privacy & Security → Health → AIWO or AIWO Settings → Privacy & Consents; revocation is immediate. See §2.8 for the full required disclosures.
2.2.4 VIVA conversations
VIVA is AIWO's named AI wellness assistant. VIVA accepts text input only — voice input is not a feature of AIWO. We collect your questions and conversation history, the context VIVA used to answer (which reports, metrics, or goals were referenced), and feedback you give on responses. VIVA conversations are private to you and visible only to you and — where you choose — your assigned care team; they are not shared with other users. Responses are powered by third-party large language models with strict de-identification before any content leaves AIWO (see §2.5). You may delete individual conversations or your entire history any time via VIVA → Menu → Conversation History; deletion is irreversible.
2.2.5 Protocols & adherence data
From My Protocols: medications, supplements, or interventions on your protocol; scheduled doses and dosage details; your adherence record (Took / Skipped / Missed and when); and aggregated adherence over time. Adherence is sensitive personal data and is visible to your assigned care team as part of clinical follow-up (see §2.6).
2.2.6 Supplement inventory
From My Supplements: supplements, vitamins, injections, or interventions in your inventory; stock levels and reorder thresholds; intake history (shared with Protocols); and any reorder requests. We do not share inventory data with advertisers or supplement brands. If you reorder through AIWO, the fulfilment partner receives only the data needed to process that order.
2.2.7 Goal-tracking data
From My Goals: goal category (Biomarker, Fitness, Body Composition, Recovery, Lifestyle); target value, unit, date, notes; progress over time including the underlying metric source; and status (active, achieved, abandoned). Goals are visible to your assigned care team by default, as indicated when you create a goal. You may delete any goal at any time.
2.2.8 Community activity (when you participate)
If you use Community (Challenges, Health Feed, Expert Sessions): challenges you join and participation data; posts, comments, and reactions; Expert Session attendance and questions; and anonymised metrics that may appear on leaderboards.
2.2.9 Appointments, consultations & prescriptions
When you book a consultation, scan, or service: the service type; selected provider, date, time, and any notes you share at booking; outcomes including prescriptions or dietitian recommendations; and post-consultation follow-up shared with your care team.
2.2.10 In-app inbox & notifications
To deliver reminders and care-team messages we retain: notification content; delivery and read status; your per-channel preferences (push, in-app, email); and the Apple Push Notification service token for your device. Inbox messages older than 90 days are auto-archived; you may delete any message earlier.
2.2.11 Device & diagnostic data
Collected automatically for security, debugging, and performance: device model, OS version, app version; anonymised crash logs and telemetry; IP address (security and abuse prevention, not location tracking); and anonymised, aggregate session events. We do not link device-diagnostic data back to your identity for analytics or advertising.
2.2.12 What we do not collect
In v1 we do not: collect precise background GPS; access your microphone (no voice input); access your camera except when you actively use a feature that requires it (e.g., document scan); collect your contacts, photo library, or calendar; use third-party advertising SDKs; use cross-app or cross-site tracking; or collect financial information beyond what your payment processor handles — we never see your card numbers.
2.3 How We Use Your Data
2.3.1 Service delivery
| Purpose | Data used |
|---|---|
| Computing your Wellness Index | Lab reports, Apple Health metrics, goals, protocol adherence |
| Generating VIVA responses | Your reports, Apple Health data, profile, conversation history |
| Tracking adherence and supplement inventory | Self-logged adherence, reminder schedules |
| Surfacing biomarker trends and goal progress | Lab reports, manual logs, wearable data, goal entries |
| Coordinating appointments and prescriptions | Profile, care-team assignments, booking history |
| Sending reminders and notifications | Notification preferences, schedule data |
2.3.2 Improving the service
Diagnosing crashes (anonymised); measuring feature usage at aggregate level only — never individual-level; improving VIVA's accuracy and safety (see opt-out in §2.5.4).
2.3.3 Communications
Transactional (appointment confirmations, reminders, prescription notifications, security alerts); service (policy updates, feature announcements — opt out via Settings → Notifications); wellness content (educational material — opt out).
2.3.4 What we do not do
We do not use your personal data — and never your health data — for advertising, behavioural advertising, retargeting, or look-alike audiences; commercial profiling outside the Services; sale to data brokers, insurers, or employers; training third-party AI models under any circumstances (see §2.5.3); or any purpose not described in this policy.
2.4 AI Processing — VIVA, Wellness Index & Report Analysis
AIWO uses AI in three places: VIVA (chat assistant), the Wellness Index (composite score), and automated biomarker extraction from uploaded reports.
2.4.1 What AI does and does not do
| Informational only. | Nothing VIVA says, no Wellness Index value, and no report analysis is a medical diagnosis, prognosis, or treatment recommendation. |
| No consequential automation. | We do not use AI to make automated decisions with legal, financial, or significant health consequences without human review. |
| AI cannot replace your clinician. | Always consult a qualified, registered medical professional for medical decisions. In emergencies, contact emergency services directly. |
| AI may be wrong. | VIVA can make mistakes. The Wellness Index is a model output, not a clinical metric. Use AI insights as a starting point for conversation with your physician, never as a final word. |
2.4.2 Data used by our AI systems
Your uploaded lab reports and extracted biomarkers; synced Apple Health data; your goals, protocols, and adherence; and your VIVA history within the current account. Processing happens partly on AIWO's own infrastructure in India and partly through third-party LLM providers (§2.5.3).
2.4.3 Third-party AI model providers & de-identification
VIVA's responses are powered by large language models operated by third-party providers — currently Anthropic (Claude family) and OpenAI (GPT family). We may add or change providers; the protections below apply regardless of provider.
Removed before any data leaves AIWO: your name, email, phone number, precise date of birth (only approximate age retained where clinically relevant), physical address, profile photo, and AIWO account identifier. In their place we attach an opaque, rotating session identifier that maintains continuity within a single chat but cannot be linked back to you outside AIWO's systems.
Transmitted: the content of your message to VIVA; the minimum clinical/wellness context needed to answer (e.g., relevant biomarker values, recent metrics, active goal targets) referenced as values and categories, never tied to your name; and sufficient anonymous conversational context for continuity. We do not transmit raw lab report files, raw HealthKit exports, community posts, your physician's identity, or your profile.
Contractual protections at the provider: no training on AIWO's data; zero data retention beyond processing (content held only long enough to generate a response and run automated safety checks); confidentiality; SOC 2 Type II and ISO 27001 certified controls; and sub-processor restrictions. These providers may operate infrastructure outside India, primarily the United States; de-identification is applied before any request leaves AIWO. The persistent record of your conversation is stored back on AIWO's servers in India — only the transient in-flight request is processed by the provider.
If you do not wish to use third-party AI: VIVA is optional. The rest of the app (Health records, Wearable Data, Protocols, Supplements, Goals, Community, Appointments) functions independently of VIVA.
2.4.4 Model improvement & your opt-out
Separately, AIWO may use de-identified, aggregated data to improve the accuracy and safety of our own internal models. You may opt out at any time via Settings → Privacy & Consents → AI Model Improvement; opt-out is immediate, with no penalty. This is separate from §2.5.3 — the "no training on customer data" rule at third-party providers applies regardless of this setting.
2.5 Your Care Team — Physician & Dietitian Access
AIWO is a managed wellness service. When you become a client you are matched with a care team that may include registered medical practitioners, dietitians, and wellness coordinators.
2.5.1 What your care team sees
By default, ongoing visibility into: your profile and contact details; uploaded lab reports and biomarker history; Wellness Index and components; goals and progress; protocols and adherence; supplement inventory and reorder activity; appointments, consultation notes, and prescriptions they issue; and connected Apple Health data. This is what makes the "managed" part work — your physician can review trends ahead of a consultation.
2.5.2 What your care team does not see
Your VIVA conversations are private to you by default — you may share a specific conversation from inside it, but the team has no standing access to your full chat history. Community posts, reactions, and challenge participation are not surfaced to your care team in clinical context.
2.5.3 Limiting or revoking access
You may restrict the data your care team sees via Settings → Privacy & Consents → Care Team Access. Some features (Wellness Index review, prescription issuance, follow-up scheduling) depend on specific categories; restricting those will limit those features but not the rest of the app. If you end your subscription, care-team access ends, subject to the retention schedule in §2.7.
2.6 Data Sharing & Third Parties
We share the minimum necessary, with named categories of recipients, for specific purposes. We do not sell your data and do not share your health data with advertisers.
| Recipient | Purpose | Data categories | Location |
|---|---|---|---|
| Cloud infrastructure provider | Encrypted hosting of account and health data | All categories, encrypted at rest | Servers in India |
| Third-party AI model providers (Anthropic, OpenAI) | Generating VIVA responses | VIVA message content + minimum clinical context; direct identifiers stripped (§2.5.3) | United States; enterprise API terms — no training, zero retention beyond processing |
| AIWO internal AI processing | Biomarker extraction, Wellness Index | Lab reports, HealthKit data, goals | Servers in India |
| Healthcare professionals in your care team | Clinical guidance, prescriptions, follow-up | See §2.6.1 | India |
| Diagnostic labs & pharmacy partners | Scan bookings, prescription deliveries, reorders | Only data needed for that transaction | India |
| Payment processor | Processing payments for services and reorders | Transaction data only — no health data | India |
| Push notification service | Delivering reminders | Device push tokens, notification payloads | Apple (APNs) |
| Communication service providers | OTPs, transactional email/SMS | Phone, email, message content | India |
| Auditors and legal advisors | Statutory audits, legal counsel | Limited to engagement scope, under confidentiality | India |
We maintain Data Processing Agreements with each processor, with binding obligations on confidentiality, security, breach notification, and DPDP Act compliance.
2.6.1 What we never share
Your identifiable health data with insurers, employers, marketers, or data brokers — no exceptions; Apple HealthKit data with any third party for advertising; identifiable health records with any AI training pipeline; any data in response to advertising-network requests; any data with research partners without your specific separate consent (§2.6.2).
2.6.2 Research data sharing — opt-in only
AIWO may participate in research collaborations with academic, clinical, or scientific institutions. No identifiable data is shared for research without your specific, separate opt-in, offered as a distinct toggle in Settings → Privacy & Consents → Research — never bundled with core service consent. You can withdraw any time; data already contributed to a closed study cannot be retrieved but is anonymised at source.
2.6.3 Legal & regulatory disclosures
We may disclose data when required by a binding order of a competent Indian court; a lawful demand from a regulator including the Data Protection Board of India; Indian statutory obligations under the IT Act and DPDP Act; or a genuine, immediate threat to life or safety. Where legally permitted, we will notify you before disclosure. We do not provide bulk, backdoor, or standing access to any entity.
2.6.4 Business transfers
In a merger, acquisition, reorganisation, or asset sale, personal data may transfer to the successor, bound by the same protections (or a stricter equivalent). We will notify you in advance; if you do not accept the successor's terms you may delete your account before the transfer takes effect.
2.7 Storage, Security & Retention
2.7.1 Where your data lives
All sensitive personal data — health records, Apple HealthKit data, VIVA history, protocols, goals, biomarkers, supplement records — is stored on cloud infrastructure physically located in India. For VIVA query processing, de-identified in-flight content transits to third-party AI providers outside India (§2.5.3); the persistent record is stored back in India. A limited subset of operational data (push tokens, anonymised crash diagnostics) may transit outside India where necessary, under contractual safeguards.
2.7.2 Security controls
| Control | Implementation |
|---|---|
| Encryption in transit | TLS 1.2 or higher for all client-server and server-server traffic |
| Encryption at rest | AES-256 for all stored health data |
| Access control | Role-based, least-privilege; MFA required for all staff with access to personal data |
| De-identification layer | Automated stripping of direct identifiers before any third-party AI request |
| Care-team access logging | Every access to a patient record is logged with timestamp and reason where applicable |
| Application security | Annual third-party security review and remediation cycle |
| Vulnerability disclosure | Responsible disclosure programme — report to security@aiwo.com |
| Incident response | Documented breach response runbook with DPB notification protocol |
2.7.3 Retention schedule
| Data type | Retention |
|---|---|
| Account and profile data | 3 years after account closure, then deleted |
| Uploaded health records and lab reports | 7 years after upload or account closure (whichever is later) |
| Apple HealthKit data synced into AIWO | 24 months rolling for raw daily metrics; lifetime of account for derived trends and Wellness Index history |
| VIVA conversation history | 12 months rolling, unless you delete earlier |
| Protocol and supplement adherence logs | Lifetime of account, then deleted on closure |
| Goals (achieved and abandoned) | Lifetime of account, then deleted on closure |
| Community posts and comments | Until you delete them, or 3 years after account closure |
| Notification and inbox messages | 90 days from delivery, auto-archived |
| Anonymised usage analytics | Indefinite (no personal identifiers retained) |
| Audit logs (access to your records) | 5 years from the access event |
On deletion or account closure we delete or anonymise your data within 30 days, subject to legal retention obligations (e.g., mandatory health-record retention).
2.8 Apple HealthKit — Required Specific Disclosures
This section is required by Apple's HealthKit Guidelines and is reproduced in full so it is not buried. Data obtained from Apple HealthKit and any Apple Health Records API:
- Will be used only to provide and improve health and fitness features within AIWO — to compute your Wellness Index, populate your daily metrics, contextualise VIVA's responses, and track goal progress
- Will not be used for advertising, marketing, retargeting, or behavioural profiling for commercial purposes
- Will not be shared with third parties for any prohibited purpose above
- Will not be disclosed to data brokers, advertising networks, or any third party for advertising or marketing
- Will not be used for any purpose inconsistent with Apple's HealthKit & Health Records API Guidelines
Where relevant HealthKit metrics form part of the context sent to third-party AI providers to answer a VIVA query (e.g., a recent resting heart rate value), that transmission follows the de-identification process in §2.5.3 — direct identifiers are removed before the request leaves AIWO, and the content is processed under enterprise API terms that prohibit training and require zero retention beyond processing. You may revoke HealthKit access via iPhone Settings → Privacy & Security → Health → AIWO. Revocation does not delete data already synced; to delete that, use AIWO Settings → Privacy & Consents → Delete HealthKit data or close your account.
2.9 LifeOS Data Protection Contact
- Name: Sasi Varna Kumar
- Designation: Data Protection Officer — AIWO LifeOS
- Email: privacy@aiwo.com
- Address: AIWO Limited, 85, Santhome High Rd, MRC Nagar, Raja Annamalaipuram, Chennai, Tamil Nadu 600028
- Response times: acknowledged within 72 hours; substantive response or resolution within 30 days
Part 3 — Provisions Common to Both Services
These provisions apply to both AIWO Kart and AIWO LifeOS.
3.1 Your Rights Under the DPDP Act, 2023
As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:
| Right | What it means at AIWO |
|---|---|
| Access | Request a copy of the personal data we hold about you, in a portable format. Available via in-app data export (LifeOS) or by request to the relevant officer. |
| Correction & Updation | Correct inaccurate or incomplete data through Settings → My Profile (LifeOS) or by request for fields you cannot edit yourself. |
| Erasure | Request deletion of your personal data and/or account; processed within 30 days, subject to legal retention obligations. |
| Withdraw Consent | Opt out of marketing any time (Unsubscribe in email, STOP on WhatsApp). In LifeOS, withdraw consent for HealthKit, AI model improvement, research, marketing, or specific care-team categories via Settings → Privacy & Consents. Withdrawal does not affect the lawfulness of processing before withdrawal. |
| Portability | Request your data in a structured, commonly used format. |
| Grievance Redressal | Lodge a complaint with our officers (§3.7). Acknowledged within 72 hours and resolved within 30 days. |
| Nomination | Nominate another individual to exercise your rights in case of death or incapacity. Contact the relevant officer to register a nomination. |
To exercise any right, use in-app controls where available or email privacy@aiwo.com. We may need to verify your identity before acting on a request. You also have the right to lodge a complaint with the Data Protection Board of India; we encourage you to contact us first so we can resolve concerns directly.
3.2 Children's Privacy
AIWO's products and services are intended for individuals 18 years of age or older. We do not knowingly collect personal data from individuals under 18 without verifiable consent from a parent or legal guardian. If we discover we have collected data from a minor without such consent, we will delete it promptly and terminate the associated account. Parents or guardians who believe their child has provided data should contact privacy@aiwo.com immediately. Any future expansion to a family or paediatric programme would be implemented under a separate consent framework meeting the DPDP Act's requirements for children's data, including verifiable parental consent and restrictions on tracking and behavioural monitoring.
3.3 Security
AIWO implements industry-standard security measures across both services, including SSL/TLS encryption for all data in transit; AES-256 encryption at rest for health data; secure, access-controlled storage; role-based, least-privilege access with MFA for staff handling personal data; regular security audits of our systems and third-party integrations; and a documented incident-response runbook. No method of transmission over the internet is 100% secure; we encourage strong passwords and immediate notification of any suspected unauthorised account activity. Report vulnerabilities to security@aiwo.com.
3.4 Breach Notification
If we become aware of a personal data breach reasonably likely to result in risk to your rights, we will: (1) notify the Data Protection Board of India in accordance with DPDP Act timelines; (2) notify affected users without undue delay, with the nature of the breach, categories of data involved, likely consequences, and the steps we are taking; and (3) document the incident, root cause, and remediation in our internal incident log. Our breach-response SOP is reviewed annually and after any material incident.
3.5 International Transfers
Storage: all sensitive personal data — health records, Apple HealthKit data, VIVA history, biomarkers, protocols, goals, supplement records — is stored within India. For international Kart customers, order and account data may be transferred to and processed in India, where AIWO's servers and providers operate.
VIVA query processing: the content of VIVA queries, with direct identifiers stripped (§2.5.3), is transmitted to third-party AI model providers (currently Anthropic and OpenAI) operating infrastructure outside India, primarily the United States. This is necessary for VIVA to answer your question; it is encrypted in transit, subject to enterprise API terms prohibiting training and requiring zero retention beyond processing, and the persistent conversation record is stored back in India.
Operational data: a limited subset may transit outside India (e.g., push notifications via Apple's APNs), with contractual safeguards, encryption in transit, and minimisation. We do not transfer personal data to any jurisdiction notified by the Central Government of India as restricted under the DPDP Act.
3.6 Changes to This Policy
We may update this policy to reflect changes in our practices, technology, or applicable law. We will notify you of material changes by posting the updated policy at https://aiwo.com/pages/privacy-policy with a clear effective date and version number, and — for LifeOS — via in-app notification at least 15 days before the change takes effect and via email to the address on your account. For changes that require fresh consent under the DPDP Act (a new data category, a new processing purpose, or a change in third-party AI providers that materially changes the protections in §2.5.3), we will request your explicit consent before the change applies to you. Continued use after the effective date of a non-consent change constitutes acceptance of the updated policy.
3.7 Contact & Grievance Officers
As required by the DPDP Act, we make named individuals available to receive your queries and complaints.
| Service | Officer | Email |
|---|---|---|
| AIWO Kart (aiwo.com) | Hemalatha, Data Protection Officer | privacy@aiwo.com |
| AIWO LifeOS (aiwohealth.com) | Sasi Varna Kumar, Data Protection Officer | privacy@aiwo.com |
- Address: AIWO, Chennai, Tamil Nadu, India
- Security vulnerability reports: security@aiwo.com
- General support: support@aiwo.com (not for privacy or data-rights requests - use privacy@aiwo.com for those)
- Response times: acknowledged within 72 hours; substantive response or resolution within 30 days
You also have the right to lodge a complaint with the Data Protection Board of India if you are dissatisfied with our handling of your data or grievance.
© AIWO Limited. All rights reserved. This policy is published at https://aiwo.com/pages/privacy-policy and is the controlling version.
