Privacy
Privacy Policy
Last updated: 2026-06-03
Applies to siyarawellness.com and the Siyara mobile app (iOS & Android, bundle ID com.siyarawellness.app).
Siyara Physiotherapy & Wellness ("Siyara", "we", "us", "our") operates a physiotherapy clinic and wellness studio at Pavani Encore, 1st Floor, Nanakramguda, Hyderabad, Telangana, India, together with the website at siyarawellness.com and a native mobile app on iOS and Android. This policy explains what information we collect, why we collect it, how we use and protect it, and what choices and rights you have.
We process personal data under the Digital Personal Data Protection Act, 2023 (DPDP Act) of India, and follow medical record-keeping norms applicable to a physiotherapy practice in India. We are the Data Fiduciary for the information you provide directly to us; our infrastructure vendors (listed below) act as Data Processors on our instructions.
Quick summary
- We collect what we need to book your visits, deliver clinical care, and run your wellness classes.
- We never sell your data, never share it with advertisers, and do not track you across other apps or websites.
- Your account and most of your data can be deleted from inside the app at My profile — or by following the public guide at /account-deletion if you can no longer sign in.
- Clinical and financial records are retained for the minimum periods Indian law requires, then deleted.
- Questions or complaints: support@siyarawellness.com.
1. Information we collect
We collect only what we need for the services you sign up for. The exact set depends on whether you book a physiotherapy visit, join a wellness class, buy a class pack, or use the mobile app.
Identity & contact information
- Full name
- Date of birth (clinic patients only — for clinical assessments)
- Sex / gender (clinic patients only — for clinical assessments)
- Email address
- Phone number (mobile, in E.164 format e.g.
+919876543210) - Postal address (clinic patients only, for medical records)
- Emergency contact name and phone (clinic patients only, optional)
Account information
- Email address (your login identifier)
- Password — stored only as an Argon2 hash; we never see, store, or transmit your plaintext password
- Account creation date and last login timestamp
- One-time email-verification codes (6-digit, expire in 10 minutes, then deleted)
Health information
- Your stated reason for visit and chief complaint
- Allergies, current medication, and relevant medical history you disclose at intake
- Clinical notes, assessments, treatment plans, and progress notes recorded by your physiotherapist
- Lab reports, scans, prescriptions, and other documents you or your clinician upload to your chart
- Wellness metrics (weight, blood pressure, flexibility scores, etc.) recorded by our wellness team
- Doctor comments on wellness metrics
Booking and usage information
- Physiotherapy appointment date, time, and assigned clinician
- Wellness class bookings, attendance, waitlist position, and cancellations
- Free-intro grants and refer-a-friend status
- Online order history for class packs and memberships
Payment information
Payments are processed by PhonePe Payment Gateway (PhonePe Private Limited). We do not see, receive, or store your full card number, CVV, UPI PIN, or bank account number — those go directly to PhonePe under PCI-DSS rules. From PhonePe we receive only:
- A PhonePe transaction ID and a payment status (paid / failed / refunded)
- The payment method category (UPI, card, net-banking) — never the underlying details
- The amount and timestamp of the transaction
PhonePe's own privacy practices are governed by their privacy policy at phonepe.com/privacy-policy.
Device, app, and technical information
- IP address (logged on every request for security and abuse prevention)
- User agent (browser or app version) and operating system
- Push notification token (only if you grant push permission on the mobile app)
- Approximate timezone (used for displaying times correctly; default Asia/Kolkata)
- Session cookie (a single signed cookie that keeps you logged in for 8 hours; expires after 5 minutes of inactivity for staff sessions)
- Operational and audit logs (login attempts, password changes, sensitive data access)
Mobile app permissions
The Siyara mobile app requests these permissions only when you actively use the corresponding feature:
- Camera — to scan and upload medical reports from the "My reports" screen. Images are sent only to your own private chart on our server; we do not access the camera in the background.
- Push notifications — to send appointment reminders, class confirmations, and waitlist promotions. You can revoke this at any time in your device's Settings.
- Biometric (Face ID / Touch ID / fingerprint) — optional convenience for unlocking the app without re-typing your password. The biometric template never leaves your device; we only receive a yes/no signal that the local biometric check succeeded.
The app does not request location, contacts, microphone, calendar, photo library (beyond the camera scanner you trigger explicitly), or any tracking permissions.
2. How we use your information
- Provide care. Schedule appointments, run your physiotherapy treatment plan, manage your wellness class credits, and share progress with you.
- Operate the service. Authenticate logins, prevent abuse, send appointment and class confirmations, send 24-hour reminders, and offer alternative classes when we have to cancel a session.
- Process payments. Initiate checkouts with PhonePe, reconcile webhooks, grant class-pack entitlements, and issue receipts.
- Refer-a-friend rewards. Track that a member's referral code was used by a new guest, and grant the referrer a complimentary class pack after the referee completes their intro.
- Communicate with you. Transactional emails (confirmations, receipts, password resets), optional SMS, optional WhatsApp messages, and optional push notifications. We do not send marketing emails without your explicit opt-in.
- Comply with law. Maintain clinical records, tax invoices, and audit trails for the periods Indian law requires.
- Improve safety. Detect failed logins, suspicious activity, and accidental data exposure; the audit log lets us investigate any concern you report.
We do not sell your personal information. We do not share it with advertisers, data brokers, or social networks. We do not profile you for behavioural advertising. We do not use your data to train AI or machine-learning models.
3. Third-party service providers (sub-processors)
We rely on the following vendors to deliver the service. Each is bound by contract to use your data only on our instructions and to protect it with industry-standard safeguards:
| Vendor | Purpose | Data shared |
|---|---|---|
Supabase (Mumbai, ap-south-1) |
PostgreSQL database hosting (India region) | All structured personal and health data |
Vercel (Mumbai, bom1) |
Web application hosting (India region) | Request metadata; no persistent storage of personal data |
| PhonePe Private Limited | Payment processing (UPI / cards / net-banking) | Name, email, phone, order amount |
| Resend (email delivery) | Transactional email (confirmations, receipts, password resets) | Email address, message contents |
| Twilio | SMS and WhatsApp messages (optional) | Phone number, message contents |
| Firebase Cloud Messaging (Google) | Push notifications to iOS and Android devices | Push notification token, message contents |
| Apple & Google | App distribution via App Store and Play Store | Subject to Apple / Google's own privacy policies; we receive only anonymised install and crash reports |
4. Where your information is stored
Personal data is stored in our PostgreSQL database hosted by Supabase in the Mumbai (ap-south-1) region. Application servers run on Vercel in the Mumbai (bom1) region. Document uploads (lab reports, scans) are stored in object storage in the same region.
All data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256). Database backups are encrypted and retained for 30 days. Access to production data is limited to authorised Siyara staff under role-based access control, with every privileged action recorded in an append-only audit log.
For some operational purposes (e.g. push notification delivery via Firebase) data may transit through systems outside India. We rely on the standard contractual safeguards each vendor publishes for international transfer.
5. How long we keep your information
- Account login data: until you delete your account.
- Clinical records: retained for at least 3 years after your last visit, in line with Indian medical record-keeping norms. Records of minors are retained until 3 years after they turn 18.
- Financial records (invoices, receipts, tax records): retained for at least 8 years as required by the Indian Income Tax Act.
- Wellness class bookings and attendance: retained for 2 years for service quality and dispute resolution, then deleted.
- Audit and access logs: retained for 2 years.
- Email verification codes: deleted within 10 minutes of issue or 24 hours, whichever is sooner.
- Backups: rolling 30-day window. Deleted data may persist in backups for up to 30 days before being overwritten.
When you delete your account, we immediately remove your login credentials and decouple your member identity from any future visits. Records that Indian law requires us to retain (clinical and financial) are kept in isolated archival storage with limited access until the retention period ends, then permanently deleted.
6. Your rights
Under the DPDP Act, 2023, you have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate or out-of-date personal data.
- Erase your account and the personal data we hold (subject to legal retention obligations described above).
- Withdraw consent to optional channels (push, SMS, WhatsApp) at any time.
- Nominate another person to exercise your rights in case of death or incapacity.
- Grievance redressal — contact our Grievance Officer (below); if you remain unsatisfied, you can escalate to the Data Protection Board of India.
7. How to exercise your rights
- View and update your profile at My profile.
- Delete your account from My profile, or follow the public guide at /account-deletion (which also explains the email-request path for users who can no longer sign in). Deletion is immediate for login credentials; legally retained data follows the retention schedule above.
- Opt out of push notifications from your device's Settings app (iOS: Settings → Notifications → Siyara; Android: long-press the app icon → Notifications).
- Opt out of SMS or WhatsApp by replying STOP or by emailing us.
- For any other request, email support@siyarawellness.com with the subject line "Privacy" and we will respond within 30 days.
8. Grievance Officer
In accordance with the DPDP Act, 2023 and the Information Technology Act, 2000, you can reach our Grievance Officer at the address below:
Grievance Officer
Krishna Yalamanchili, Director — Operations
Siyara Physiotherapy & Wellness
Pavani Encore, 1st Floor, Nanakramguda
Hyderabad, Telangana, India
Email: support@siyarawellness.com (subject: "Privacy Grievance")
Phone: +91 78420 41889
We acknowledge grievances within 7 working days and aim to resolve them within 30 days.
9. Security
- All traffic to and from siyarawellness.com is encrypted via TLS (HTTPS).
- Passwords are hashed with Argon2 (memory-hard, salted, per-user); we never store or log plaintext passwords.
- Login attempts are rate-limited per IP to deter brute force.
- Staff sessions auto-expire after 5 minutes of inactivity; member sessions expire after 8 hours.
- Every staff action on a patient chart or sensitive record is logged with the actor, timestamp, and a before/after snapshot.
- The native app supports biometric unlock so you can avoid re-typing your password on shared networks.
No system can guarantee absolute security. If you ever suspect your account has been accessed without authorisation, email us immediately at support@siyarawellness.com and we will lock the account and investigate.
10. Cookies and tracking
We use a single signed session cookie (siyara_session) to
keep you logged in. We do not use third-party tracking
cookies, advertising pixels, or behavioural analytics. We do not
participate in cross-site or cross-app advertising networks.
The mobile app does not use Apple's App Tracking Transparency framework because we do not track. The corresponding Apple App Privacy label reads "Data Not Linked to You: None / Data Linked to You: limited to Contact Info, Health & Fitness, User Content, Identifiers / Data Used to Track You: None".
11. Children
The service is not directed to children under 18 in any unsupervised capacity. Patients of any age can be treated at the clinic, but sign-up, app access, and online interactions for minors must go through a parent or guardian's account, and the parent or guardian is responsible for the data they share with us.
12. Changes to this policy
We may update this page as the service evolves, as new vendors are added, or as Indian privacy law changes. The "Last updated" date at the top always reflects the most recent revision. Material changes will be flagged in-app the next time you log in.
13. Governing law
This privacy policy is governed by the laws of India. Any dispute relating to it will be subject to the exclusive jurisdiction of the courts at Hyderabad, Telangana.
14. Contact us
Siyara Physiotherapy & Wellness
Pavani Encore, 1st Floor, Nanakramguda
Hyderabad, Telangana, India
Email: support@siyarawellness.com
Phone: +91 78420 41889