Data concerning health Storing and Deleting Policy

Data concerning health Storing and Deleting Policy was published and entered into force: March 5, 2025.

This Data concerning health Processing Procedure (hereinafter referred to as the “Procedure”) describes the rules, methods and techniques for processing and recording Data concerning health.

References to the words “You” or “Your” (or words similar in content) means the User, depending on the context of the Data concerning health Storing and Deleting Policy.

References to “we”, “our” or “us” (or similar words) means the DeHealth Company.

The Data concerning health Storing and Deleting Policy describes the methods and means of storing Data concerning health of Users by the Company.

The procedure specifies the Server on which the User Data is stored.

By storing Data, we mean placing it on the Server and ensuring its security.

We are grateful to you for your cooperation with the Company.

  1. DEFINITION 
    1. User is any person who installs the App to receive Services for the purpose of monitoring their health.
    2. Personal Data is any information that is in the public domain, allowing you to directly or indirectly identify the User. For example, first name, last name, phone number, IP address.
    3. Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
    4. Data is a common name for Personal Data and Data concerning health
    5. DeHealth company (hereinafter referred to as the "Company" or "DeHealth") is a DEHEALTH TECHNOLOGIES, INC, registered at 1049 El Monte Avenue, Ste C #846,
Mountain View, CA 94040, United States, EIN: 36-5099713, which provides Services to Users.
    6. DeHealth application (hereinafter referred to as the "App") is a service created so that the User can check the state of his health and monitor the change in his health.
    7. Controller means a natural or legal person, government agency, institution or other body that independently determines the purposes and means of processing Personal Data.
    8. Processor means a natural or legal person, public authority, agency or other body processing Personal Data on behalf of and on behalf of the Controller.
    9. Server is specialized equipment that is designed to store information and service users and databases.
  2. GENERAL PROVISION
    1. The Company does not process Data concerning health for the purpose of identifying the User, but uses it solely for the purposes and in the ways specified in the Privacy Policy.
    2. By storing Data, we mean a set of actions aimed at preserving the Data until it is deleted.
    3. The Company stores the Data relying on Art. 32 of the General Data Protection Regulation.
    4. In the event of a situation in which there is a possibility of loss of Data, we make every effort to avoid it.
  3. STORAGE OF DATA
    1. The Company stores hashes of each individual field of User information in the blockchain. This ensures that any operation of adding or changing Data was performed exclusively by the User. For each field of information (for example, weight, height, blood type), a unique hash is created and written to a decentralized storage. To confirm the authenticity of the changes, the Company can provide a hash function that allows you to reproduce the hash in the presence of the original data, which makes it possible to check whether the data has not been changed by third parties.
    2. The Company does not store Data concerning health after the end of interaction with Users.
    3. The Company stores Data concerning health until the end of interaction with Users, or until a request to delete Data concerning health is received from any of them.
    4. The Company periodically checks the safety of Data concerning health and keeps records of its relevance.
    5. Data concerning health is stored in a form that allows identifying the User, no longer than is necessary for the purposes for which Data concerning health is processed.
    6. The Company does not store Data concerning health for the purpose of identifying Users.
    7. When interacting with Users, the Company is forced to identify them in accordance with the necessary and reasonable methods of interaction, but such identification is carried out exclusively with the help of Personal Data.
    8. The Company has the right to store a minimum amount of Personal Data to confirm the fact of the existence of a relationship. By the minimum amount of Personal Data, we mean statistical information that is publicly available.
    9. The Company does not store categories of Personal Data after the end of the relationship with Employees and/or Counterparties, the disclosure of which may cause them any damage.
    10. The Company has the right to store Personal Data to protect its interests: in the event of a request from government and/or supervisory authorities, legal proceedings.
    11. The Company has the right to store Personal Data of Counterparties that relate to: mutual settlements, taxation, confidential information, special terms of the contract.
    12. The Company can check the relevance of Personal Data at the User's request.
    13. The Company has the right to store Data using encryption and/or pseudonymization and/or minimization and/or pseudo-minimization of Personal Data.
    14. The Company ensures the security of Data during its use and storage using the auth:sanctum function for authentication of API users.
    15. The Company uses MySQL relational databases to store Data. Data is protected with regular backups and controlled access.
    16. To protect Data, the Company monitors traffic using AWS GuardDuty and IDS/IPS solutions such as Snort for traffic analysis.
    17. The company integrates a SIEM system to collect and correlate logs, detect suspicious activity through AWS CloudTrail.
    18. The Сompany uses Avast antivirus with automatic system scanning, using AI to detect threats and regularly update virus databases, including monthly scanning of laptops/computers and Servers for virus vulnerabilities, attacks, etc.
    19. Employees undergo annual cybersecurity certification and adhere to NIST policies on restricting access to Data. Each employee signs a non-disclosure agreement (NDA) and a cybersecurity compliance obligation.
    20. Developed Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP). Include the organization of access to backup systems in the event of an emergency/disaster, support of critical services and systems to minimize interruptions in the Company's work.
  4. DELETION OF DATA
    1. By deletion of Data we mean - deletion of all Data from the Server and/or from written media.
    2. The Company deletes Data in the following cases:
      1. upon receipt of a deletion request;
      2. termination of the relationship with the Processor;
      3. expiration of the Data storage validity period.
    3. The Company has the right not to delete Personal Data in the event of a company reorganization, a merger of the Company with another company, or any other changes in the Company's structure, but the Company receives additional consent from the User not to delete Data concerning health.
    4. The Company does not delete Personal Data in the event of a Server change, but receives consent from the User not to delete Data concerning health.
  5. SERVER
    1. To store Data, the Company uses a Server located in the Digital Ocean data center.
    2. You can familiarize yourself with the structure and guarantees provided by the data center by visiting the website: https://www.digitalocean.com/ 
    3. The data is stored on the Server of the Digital Ocean data center in accordance with the General Data Protection Regulation/ CCPA Privacy and the internal documentation of the data center. You can familiarize yourself with the internal documentation of the data center by following the link: https://www.digitalocean.com/legal/privacy-policy 
    4. The Company transfers Data to the data center based on the contract concluded between them.
    5. The Company also uses Docker containers to store Data, servers can be placed on cloud platforms (for example, AWS or Google Cloud).
    6. The Servers are located on AWS in the availability zone (Availability Zone). Data is protected by encryption using KMS (Key Management Service), Amazon EBS (Elastic Block Store) with automatic data backup is used for data storage. Access to Servers is restricted via VPN and MFA.
    7. The Company has the right to change the Server at any time by concluding a contract with a company that provides information services for storing Data.
    8. The Company has the right to change the Server without additional notification of such changes to the User.
  6. LIABILITY
    1. The Company shall not be liable for the storage of Personal Data if it is impossible to delete it.
    2. The Company shall not be liable if the User provides knowingly false Data.
    3. The Company shall not be liable if the Data is disclosed by the Processor.
    4. The Company shall not be liable for the disclosure and/or loss of Data if this occurred as a result of events that the Company could not influence in any way.
    5. The Сompany has developed an incident response plan (Incident Response Plan) in accordance with the NIST SP 800-61 protocol, which includes the creation of incident response teams (CIRT), restriction of access to compromised systems, rapid notification of relevant persons and analysis of root causes (Root Cause Analysis).
    6. The Data disaster recovery plan is based on the NIST SP 800-34 protocol, includes established RTO (Recovery Time Objective) and RPO (Recovery Point Objective). Employee training is regularly conducted with data loss recovery testing in various scenarios, including cyber attacks.
    7. The Company shall not be liable in the event of disclosure and/or leakage of Data due to the fault of the data center.
  7. CHANGES TO PRIVACY POLICY
    1. We have the right to periodically make changes to the Data concerning health Storing and Deleting Policy for the security of Data, and to comply with the requirements of the laws of England and Wales.
    2. The User must familiarize himself with the new terms of the Data concerning health Storing and Deleting Policy and DeHealth is not responsible if the User has not familiarized himself with the new terms of the Data concerning health Storing and Deleting Policy.
    3. DeHealth will update the modification date of the current version of the Data concerning health Storing and Deleting Policy in the “Updated” line at the top of the document.
    4. Our electronic copies of the Data concerning health Storing and Deleting Policy are deemed to be correct, complete, valid, legally binding and in effect at the time of your visit to the App.
  8. CONTACTS
    1. The User has the right to contact the Company support service at: [email protected] to ensure his rights, in accordance with the terms of this Data concerning health Storing and Deleting Policy, or in case of violation of his rights, or to leave feedback or ask a question.