Privacy Policy

HealAll is an invite-only mutual-aid platform connecting people across India who need help with people who can offer it. We operate at healallindia.com.

Contact: anupamkumar.nith@gmail.com

Information you provide directly

• Account details: Full name, phone number, email address, city, age range
• Roles: Whether you are seeking help, offering help, or both
• Invite code: Used to verify you were invited to join
• Profile information: Bio, skills, avatar image (optional)
• Posts & messages: Help requests, comments, and direct messages you create

Information from Google (if you sign in with Google)

When you choose “Sign in with Google”, Google sends us a signed ID token containing the scopes we request. We request only the following non-sensitive OpenID Connect scopes:

• openid — confirms your Google account identity
• email — your Google account email address
• profile — your display name and (optionally) profile picture URL

From the ID token we store:

• Your verified Google email
• Your display name (used as your HealAll name on first sign-up)
• A unique Google subject identifier (sub) used only to link your Google account to your HealAll account on subsequent sign-ins

We do not receive your Google password and we do not request access to Google Drive, Gmail, Calendar, Contacts, or any other Google product. We do not use Google Sign-In to send you marketing or transfer your data to third parties.

Automatically collected information

• IP address and browser/device type (for security and rate limiting)
• Pages visited and actions taken within the platform (for service improvement)

• Account creation and authentication — verify identity via OTP or Google OAuth
• Platform functionality — match help seekers with helpers, display your profile and posts
• Communications — send OTP codes, welcome emails, and important service updates
• Safety and moderation — detect fraud, prevent abuse, enforce community guidelines
• Legal compliance — comply with applicable Indian law

We do not sell your personal data. We do not use your data for advertising.

We share data only with:

• Other users — your name, city, roles, and posts are visible to other HealAll members. Email and phone are hidden by default; you can choose to share them in privacy settings.
• Service providers — we use third-party services to operate the platform:
  • Neon (PostgreSQL database hosting, EU region)
  • Upstash (Redis caching)
  • Amazon Web Services (S3 object storage for media uploads, ap-south-1 region)
  • Resend (transactional email delivery)
  • MSG91 (SMS OTP delivery for Indian phone numbers)
  • Google (OAuth authentication; ID-token-only flow)
  • Vercel (frontend hosting + CDN)
  • Railway (backend hosting)
  • Sentry (error monitoring; no personally identifiable payloads are sent)
  All providers are contractually bound to protect your data.
• Law enforcement — only when required by valid legal process under Indian law.

• Data is stored on servers located in cloud infrastructure with encryption at rest and in transit (TLS)
• Passwords are never stored — we use OTP-based authentication
• Access tokens use short-lived JWTs (15 minutes); refresh tokens are stored as hashed values
• We implement rate limiting and abuse detection to protect accounts

• Account data is retained while your account is active
• OTP codes expire within 10 minutes and are deleted after use
• If you request account deletion, we delete your personal data within 30 days, except where retention is required by law

You have the right to:

• Access — request a copy of data we hold about you
• Correction — update incorrect information via your profile settings
• Deletion — request account and data deletion by emailing us
• Portability — request your data in a machine-readable format
• Withdraw consent — stop using the platform at any time

To exercise these rights, email anupamkumar.nith@gmail.com.

HealAll is available to users aged 13 and above. Users aged 13–17 must have parental consent. We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, please contact us immediately.

We use one essential cookie and one localStorage entry:

• healall_refresh — an httpOnly, secure cookie storing your refresh token. Cannot be read by JavaScript.
• healall-auth (localStorage) — stores your access token and basic profile information on your device for session persistence. Cleared on logout.

We do not use tracking, analytics, or advertising cookies.

We may update this policy. We will notify users via email for material changes. Continued use of HealAll after changes constitutes acceptance of the updated policy.

Questions or concerns about this policy: anupamkumar.nith@gmail.com

We aim to respond within 7 business days.