Privacy Policy

Last updated: May 2026

1. Introduction

OneHealth ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the OneHealth mobile application ("App") and website. It applies to all users — consumers (patients) and healthcare providers (doctors).

By creating an account or using the App, you agree to the practices described in this policy.

2. Information We Collect

We collect information directly from you and automatically through your use of the App.

2a. Information you provide

  • Account information: full name, email address, phone number, date of birth, and profile photo.
  • Health information: lab reports you upload, medical conditions, allergies, past procedures, appointment history, consultation notes, medication records, and investigation records associated with your account or family members you manage.
  • Family member information: names, relationships, and health records of family members you add to your account.
  • Documents and media: photos and PDF files you upload (e.g. lab reports, medical documents) shared within consultations.
  • Chat messages: real-time messages exchanged between you and your doctor through the in-app chat.
  • Payment information: appointment fees and billing records. OneHealth does not use an online payment gateway. All appointment fees are collected in cash directly at the point of care. We do not collect, store, or process any card or bank account details.
  • Doctor professional information (for registered doctors): SLMC registration number, specialisation, clinic name, address, and schedule details.

2b. Information collected automatically

  • Device information: device model, operating system version, and unique device identifiers.
  • Usage data: features used, pages visited, session duration, and interaction patterns within the App.
  • Location data: your approximate or precise location, used to search for doctors by location. Location is only accessed with your permission.
  • Push notification tokens: a device token used to deliver health tips and message notifications to your device.

3. App Permissions and Why We Need Them

The OneHealth App may request the following device permissions:

  • Location (precise or approximate): used to search for doctors by location. We do not track your location in the background or share it with third parties.
  • Camera and photo/file access: used when you upload medical documents such as lab reports or photos during a consultation. Files are uploaded securely to our cloud storage.
  • Push notifications: used to send you health tips and messages from your doctor. You can disable notifications at any time in your device settings.
  • Internet access: required for all core app functionality including booking appointments, real-time chat, and viewing health records.

You may deny any of these permissions. Some features (e.g. location-based search) will not be available if the relevant permission is denied.

4. How We Use Your Information

  • To create and manage your account and authenticate your identity securely.
  • To enable appointment booking, scheduling, and management between patients and doctors.
  • To store and display your personal health records, consultation history, medication records, and investigation records within the App.
  • To facilitate real-time chat and communication between patients and doctors.
  • To enable family member management and shared health records within a family group.
  • To power doctor search and discovery using your location and specialisation preferences.
  • To send health tips and message notifications via push notification.
  • To record appointment fee information for billing history purposes. All payments are collected in cash; no card or online payment data is processed.
  • To improve the App, diagnose technical issues, and develop new features based on usage patterns.
  • To comply with applicable laws and legal obligations.

5. Health Data — Special Category Information

We collect and process sensitive health information including lab results, diagnoses, medication records, investigation records, medical conditions, allergies, and procedures. These are recorded by your doctor within the platform as part of your care — OneHealth does not issue standalone prescriptions. This data is collected solely to provide you with the healthcare coordination services within the OneHealth platform.

Health data is visible only to you, the doctors you are subscribed to, and the doctor assistants they have authorised. We do not use your health data for advertising, profiling, or sale to third parties.

By using the App and entering your health information, you agree to this processing as necessary to receive the healthcare coordination services provided by OneHealth. If you wish to have your data removed, you may request account deletion at any time (see Section 8).

6. Sharing of Information

We do not sell your personal information. We share data only in the following circumstances:

  • With your doctor and their practice: your appointment details, health records you have uploaded, and chat messages are shared with the doctor(s) you are subscribed to, as necessary to provide care.
  • With cloud infrastructure providers: we use Amazon Web Services (AWS) for secure data storage, authentication (AWS Cognito), file storage (Amazon S3), and computing. AWS processes data on our behalf under strict confidentiality agreements.
  • With search infrastructure (Algolia): doctor profile information is indexed by Algolia to power in-app doctor search. Patient health data is never shared with Algolia.
  • With push notification services (Firebase): your device push notification token is shared with Google Firebase to deliver appointment and message notifications to your device.
  • With legal authorities: when required by applicable law, court order, or to protect the safety and rights of our users or the public.

7. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS) for all data exchanged between the App and our servers.
  • Encryption at rest for data stored in our cloud infrastructure.
  • Role-based access controls so that only authorised personnel and systems can access your data.
  • Secure authentication via AWS Cognito with JWT-based session management.
  • Presigned, time-limited URLs for all uploaded documents and media files.

No method of transmission over the internet is 100% secure. We will notify you promptly if we become aware of a data breach that affects your information.

8. Account Deletion and Data Removal

You have the right to request deletion of your account and all associated personal data, or removal of specific data only, at any time.

To submit a deletion request, visit our Account & Data Deletion page. We will confirm receipt within 2 business days and complete your request within 30 days.

Note: Full account deletion will permanently remove access to your health records and consultation history. We recommend saving any important records before submitting a deletion request. Certain data such as appointment fee records may be retained as required by applicable law.

9. Data Retention

We retain your personal data for as long as your account is active. If your account is inactive for an extended period or you request deletion, your data will be removed in accordance with Section 8 above. Certain records may be retained longer where required by applicable law.

10. Your Rights

You have the following rights regarding your personal data:

  • Right to access: request a copy of the personal data we hold about you.
  • Right to correction: request correction of inaccurate or incomplete data.
  • Right to deletion: request deletion of your data as described in Section 8.
  • Right to data portability: request your data in a structured, commonly used format.
  • Right to withdraw consent: revoke device permissions (location, camera, push notifications) at any time through your device settings.
  • Right to object: object to processing of your data for purposes beyond service delivery.

To exercise any of these rights, contact us at hello@oasisonehealth.com. We will respond within 30 days.

11. Legal Basis for Processing

We process your personal data on the following legal grounds:

  • Contract: processing necessary to provide the services you have signed up for (account management, appointment booking, health record storage).
  • Consent: device-level permissions you grant to the App — location, camera, and push notifications. You may withdraw any of these permissions at any time through your device settings.
  • Legitimate interests: improving our platform, preventing fraud, and ensuring platform security, where these interests are not overridden by your rights.
  • Legal obligation: retaining records as required by applicable Sri Lankan law and any other laws that apply to our users.

12. Third-Party Services

OneHealth uses the following third-party services to operate the platform. Each provider processes data subject to their own privacy policies:

  • Amazon Web Services (AWS): cloud infrastructure, authentication (Cognito), database storage (DynamoDB), file storage (S3), and push delivery.
  • Algolia: doctor search and indexing. Only doctor profile data is indexed.
  • Google Firebase: push notification delivery to the mobile app.
  • AWS Location Service: geolocation services for doctor and clinic discovery.

13. Children's Privacy

The OneHealth App is intended for users aged 18 and above. We do not knowingly collect personal data from individuals under the age of 18 without verifiable parental or guardian consent. Family members (including minors) may be added to an adult account by the account holder, who assumes full responsibility for their data. If you believe a minor's data has been collected without consent, contact us immediately at hello@oasisonehealth.com.

14. Cookies

Our website uses cookies to improve your browsing experience and analyse site traffic. You can control cookie settings through your browser preferences. The mobile App does not use browser cookies.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated policy on this page with a revised date, and where appropriate, via in-app notification or email.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: