Legal
Privacy Policy
Last updated: 13 June 2026 · Version 1.0
This Privacy Policy explains how Zosh Health & Wellness (“Zosh”, “we”, “us”) collects, uses, stores, shares, and protects your personal data when you use zosh.health and app.zosh.health (the “Service”). We act as the Data Fiduciary for your personal data and process it in line with India’s Digital Personal Data Protection Act, 2023 (the “DPDP Act”).
1. Who we are & how to reach us
The Service is operated by Zosh Health & Wellness (registered entity and address details to be published once incorporation formalities are complete). We currently serve users in India and may operate in additional countries; country-specific notices will be published here as we do. For any privacy question or to exercise your rights, email privacy@zosh.health, or contact our Grievance Officer (details below).
2. The data we collect
- Account & identity: your name, email address, and authentication identifiers, handled through our authentication provider.
- Health information you provide: validated sleep-questionnaire responses (e.g. ISI, Epworth, PSS), sleep-diary entries, thought records, and any sleep-study or medical reports you choose to upload.
- Usage & device data: pages viewed, actions taken, approximate location/IP address, and device and browser type, collected through privacy-respecting product analytics.
3. Why we use it, and our legal basis
We use your data to deliver and personalise your CBT-I (cognitive behavioural therapy for insomnia) programme, generate insights, provide support, keep the Service secure, and meet legal obligations. Our legal basis is your consent (and, where applicable, the legitimate uses permitted by the DPDP Act). We practise purpose limitation and data minimisation, and you may withdraw consent at any time (see “Your rights”).
4. Health & sensitive data
Sleep and mental-health information is sensitive. We handle it with heightened care, encrypt it, and limit access to what is needed to deliver your care.
5. How we store and protect your data
- Database: PostgreSQL (Neon), hosted in the AWS Asia Pacific (Singapore) region.
- File storage: Cloudflare R2 in private buckets, reachable only through short-lived signed links.
- Authentication: a dedicated identity provider that manages sign-in securely.
- Encryption: in transit (TLS) and at rest; certain assessment responses are additionally encrypted at the field level (AES-256-GCM).
- Access controls: least-privilege access, role-based permissions, and activity logging.
6. When we share data
We do not sell your personal data. We share it only with:
- Service providers (processors) who help run the Service under confidentiality and data-processing obligations — including authentication, database hosting, file storage, product analytics, transactional email, and payments.
- Clinicians / care providers — if you book a consultation or are matched to a provider, relevant information is shared to deliver that care.
- Legal & safety — where required by law, or to protect the rights and safety of you, others, or Zosh.
7. International transfers
Your data may be processed or stored outside India (for example, in Singapore). Where this happens, we take steps so your data stays protected and only transfer to jurisdictions permitted under applicable law.
8. How long we keep it
We retain your data while your account is active and as needed to provide the Service and meet legal obligations. After that — or on a valid erasure request — we delete or anonymise it, unless we are legally required to keep it for longer.
9. Your rights under the DPDP Act
You have the right to:
- access a summary of the personal data we hold and how we process it;
- correct, complete, or update your data;
- erase your data;
- withdraw consent as easily as you gave it;
- raise a grievance and have it addressed; and
- nominate another person to exercise your rights if you die or are incapacitated.
10. Children’s data
The Service is intended for adults (18+). Where a pathway is used on behalf of a person under 18, we require the verifiable consent of a parent or lawful guardian, and we do not carry out tracking or targeted advertising directed at children.
11. Cookies & analytics
We use essential cookies for sign-in and sessions, and analytics to understand and improve the Service. You can control non-essential cookies through your browser settings.
12. Data breaches
In the event of a personal-data breach, we will notify the Data Protection Board of India and affected users as required by the DPDP Act.
13. Grievance Officer
Name: [Grievance Officer Name]
Email: grievance@zosh.health
We acknowledge and address grievances within the timeframe required by law.
Email: grievance@zosh.health
We acknowledge and address grievances within the timeframe required by law.
14. Changes to this Policy
We may update this Policy from time to time. For material changes we will notify you and, where required, seek your fresh consent.
15. Contact
General questions: hello@zosh.health. For how this relates to your care, see our Terms of Service.
This Policy describes how we handle your data; it is not medical advice. Zosh is not a substitute for professional medical care or an emergency service.