Privacy Policy


Effective Date: September 2025


Legal entities covered: Vansh Care, Inc. and applicable affiliates/subsidiaries (“Vansh”, “we”, “us”, “our”).


1) Scope

This Privacy Policy describes how Vansh collects, uses, discloses, and safeguards Personal Data when you: (a) access our websites, apps, and AI caregiver tools; (b) create an account; (c) communicate with us; or (d) integrate third‑party accounts or devices.

This Policy applies globally unless a more specific regional notice or contract (e.g., a DPA) prevails.


2) Key Definitions

Personal Data (or Personal Information): information that identifies or can reasonably be linked to an identified or identifiable person.


Sensitive Personal Data: includes health data, precise geolocation, biometric identifiers/templates, genetic data, children’s data, financial account credentials, government IDs, and other categories as defined by applicable law.


De‑identified / Aggregated Data: data that cannot reasonably be used to identify a person.


3) Who We Are; Our Role

3.1 Controller. For our direct‑to‑consumer offerings, Vansh is the Controller/Business of your Personal Data.

3.2 Processor. For enterprise customers, Vansh may act as a Processor/Service Provider under a separate Data Processing Addendum (DPA). In those cases, the enterprise customer is the Controller/Business.

3.3 Representations. If you enter information about other individuals (e.g., care recipients or family members), you represent you are authorized to provide such information and have provided all legally required notices and consents.


4) Categories of Data We Collect

We collect the following categories (depending on your use of the services):

Account & Identity Data – name, email, phone, account credentials, profile photo, language, preferences.


Care Context Data (you choose what to share) – symptoms, routines, notes, schedules, care tasks, communications with our tools, non‑diagnostic well‑being indicators.


Communications – messages with support, feedback, survey responses, call/chat recordings where permitted by law (notice given at collection).


Device/Usage Data – IP address, device identifiers, app/browser version, timestamps, pages/features used, crash logs, performance, referring URLs.


Location Data – city/region (approximate from IP). Precise location only if you enable it.


Marketing & Cookies Data – preferences, opt‑in/opt‑out, campaign metrics, cookies/SDKs/beacons (see §9).


Payment & Commercial Data – transaction records, limited card/billing details via our payment provider(s); we do not store full card numbers.


Third‑Party Data Sources – if you connect third‑party accounts (e.g., calendars, messaging apps, health devices), we receive information as authorized by you and the third party’s terms.


Inferences – derived insights (e.g., predicted preferences) to personalize your experience.


Security & Integrity Data – logs, signals, and metadata used for fraud, abuse, and platform safety.


We do not require Social Security numbers, national IDs, or government identifiers for ordinary use.


5) Purposes of Processing & Legal Bases

We process Personal Data to:

Provide Services – operate core features, accounts, and integrations. (GDPR legal bases: contract performance; legitimate interests.)


Personalize & Improve – adapt recommendations; develop new features; quality assurance; analytics. (Legitimate interests; consent where required.)


AI Functionality – enable model prompts/responses; detect prompt abuse; safety filtering; human‑in‑the‑loop quality review where necessary. (Legitimate interests; explicit consent for Sensitive Personal Data where required.)


Security & Abuse Prevention – authenticate users, detect fraud/misuse, protect against harms. (Legitimate interests; legal obligation.)


Compliance & Enforcement – meet legal/regulatory requirements; respond to lawful requests; enforce terms; protect rights and safety. (Legal obligation; legitimate interests.)


Marketing & Communications – send service announcements; optional marketing with opt‑out/opt‑in as required. (Legitimate interests or consent.)


Research & Statistics – use de‑identified or aggregated data for research, statistics, and AI improvement. (Outside scope of privacy laws once de‑identified; otherwise legitimate interests/consent.)

Mergers/Transactions – support corporate reorganization, financing, or acquisition. (Legitimate interests; legal obligation.)


Sensitive Personal Data (e.g., health‑related content you choose to enter) is processed only as permitted by law. Where required (e.g., GDPR Art. 9, PIPL sensitive, DPDP significant harm risk), we obtain explicit consent or rely on other recognized legal bases (public interest in health, establishment/exercise of legal claims, or vital interests).


6) Automated Decision‑Making

Vansh’s core features are assistive. We do not make solely automated decisions that produce legal or similarly significant effects without human involvement. If this changes, we will provide required notices and rights (e.g., request human review, contest the decision).


7) Disclosures of Personal Data

We disclose Personal Data to:


Service Providers / Processors – hosting, cloud AI providers, analytics, support, communications, payment processing, security, and professional advisors, bound by confidentiality and data protection terms.


Integration Partners – only when you connect them.


Affiliates – for operations consistent with this Policy.


Legal/Compliance – to comply with law, enforce terms, respond to lawful requests, or protect safety, rights, property, or security.


Corporate Transactions – to buyers/successors in mergers, acquisitions, reorganizations, bankruptcy, or similar events.

With Your Direction – where you instruct us to share.

We do not sell Personal Data as “sale” is defined under many privacy laws. Where “share” for cross‑context behavioral advertising is legally distinct (e.g., under CPRA), we either do not “share” or we will provide a “Do Not Sell or Share” control where applicable.


8) Security


We implement reasonable and appropriate technical and organizational measures, which may include: encryption in transit and at rest; key management; network segmentation; least‑privilege access; SSO/MFA for staff; code review; logging/monitoring; vulnerability management; employee training; incident response.


No system can be guaranteed 100% secure. To the maximum extent permitted by law, we disclaim liability for unauthorized access arising from factors beyond our reasonable control.


9) Cookies, SDKs, and Tracking


We use strictly necessary cookies/SDKs to run the service. With consent where required, we may use analytics and functional technologies; and advertising technologies if/when adopted.


You can manage preferences via:

our Cookie Banner/Settings (for EEA/UK/others requiring opt‑in),


your browser/device settings, and


industry tools where available.

We honor Global Privacy Control (GPC) signals where legally required.


10) Data Retention

We retain Personal Data only as long as necessary for the purposes in §5, to comply with law, resolve disputes, and enforce agreements, then delete or reliably de‑identify it. Illustrative defaults (subject to change and legal holds):


| Category | Typical Retention |
|---|---|
| Account data | For the account lifetime + up to 24 months |
| Care context entries | User‑controlled; by default for account lifetime + up to 24 months |
| Logs & telemetry | 12–24 months (shorter where feasible) |
| Support tickets | Up to 36 months |
| Marketing/subscription records | Until opt‑out + 24 months |
| Backups | Per backup cycle (e.g., 30–90 days) |


11) Children

Our consumer services are not directed to children under 16 (or higher age of consent per local law). We do not knowingly collect children’s data without parental/guardian consent where required. If you believe a child provided data without appropriate consent, contact us to remove it.


12) AI Model Improvement; Human Review

We may use de‑identified data to improve algorithms and models.

We do not use your content to train third‑party foundation models in a way that allows those providers to use your identifiable content for their own purposes.


We may conduct human review of interactions for safety, debugging, and quality under confidentiality and access controls.

Where required by law or for Sensitive Personal Data, we seek explicit consent or provide opt‑out mechanisms consistent with regional rules.


13) Your Rights & Controls


Depending on jurisdiction, you may have rights to: access, rectify, erase, restrict, object, port, withdraw consent, and appeal a decision on your request; and to not be discriminated against for exercising rights.


Submit requests at: info@vansh.care.


Verification. We may verify identity (e.g., email confirmation; reasonable additional information; signed declaration). Authorized Agents: where permitted (e.g., California), agents must provide proof of authorization and we may still ask the consumer to verify identity.


Appeals (US states like CO/VA/CT, etc.): If we deny a request, you can appeal by replying to our decision email. We will respond within the legally required timeframe and inform you of further recourse.


14) Third‑Party Links & Integrations

Our services may link to third‑party websites or allow you to connect third‑party services. We are not responsible for their privacy practices. Review their policies before enabling integrations.


15) HIPAA and Health Disclaimers

Vansh is not a medical provider and generally not a HIPAA “covered entity.” We act as a Business Associate only if a separate, executed BAA is in place with an enterprise healthcare customer. Absent a BAA, do not upload Protected Health Information (PHI) intended to be regulated by HIPAA.


16) Changes to this Policy

We may update this Policy from time to time. Material changes will be notified via email, in‑app notice, or website banner. Continued use of the services after the effective date constitutes acceptance of the updated Policy.


17) De‑Identification Commitments

Where we maintain de‑identified data, we:

(a) take reasonable measures to ensure it cannot be associated with a person;

(b) publicly commit not to re‑identify (except to test effectiveness of de‑identification or as required by law); and

(c) require recipients to do the same.


18) Data Minimization & Purpose Limitation

We implement policies to collect only what is needed, use it only for stated purposes, and limit access internally on a need‑to‑know basis.


19) Incident Response & Notifications

We maintain an incident response program. If a breach creates a risk to individuals, we will provide notifications as required by law (e.g., GDPR 72‑hour controller notification to supervisory authority, consumer notifications under U.S. state breach laws).


20) Contact

Primary Contact / Data Rights: info@vansh.care


21) How This Policy Interacts with Other Terms

This Policy is incorporated by reference into our Terms of Use.