
DISHA Compliance

Compliant

Effective date: 1 January 2026

Our Commitment: Therapyy is built from the ground up with health data security as a foundational principle, not an afterthought. This document explains how we meet India's health data protection standards to protect the most sensitive data our families trust us with — their children's health records.

1. Overview

The Digital Information Security in Healthcare Act (DISHA) establishes the regulatory framework for protecting digital health data in India. As a digital health platform serving families of children with neurodevelopmental needs, Therapyy handles sensitive personal health information and is committed to full compliance with DISHA guidelines, the Digital Personal Data Protection Act 2023 (DPDPA), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, the IT Act 2000, and the Mental Healthcare Act 2017.

2. Regulatory Scope

The following regulatory frameworks govern our data practices:

Digital Information Security in Healthcare Act (DISHA)

DISHA governs the collection, storage, transmission, and use of digital health data in India. It establishes the rights of health data principals (patients and their guardians) and the obligations of digital health service providers.

Digital Personal Data Protection Act 2023 (DPDPA)

India's comprehensive personal data protection law governs how we collect, process, and store personal data. As a Data Fiduciary under the DPDPA, we are required to process personal data only for lawful purposes with appropriate consent, implement reasonable security measures, and facilitate data principal rights including access, correction, and erasure.

IT (SPDI) Rules 2011

These rules specify the security practices for handling sensitive personal data including health records, financial information, and biometric data. We maintain security practices as prescribed under Rule 8 of these Rules (reasonable security practices and procedures, which recognises a documented information security programme such as one aligned to IS/ISO/IEC 27001).

Mental Healthcare Act 2017

Where our platform serves children with mental health conditions, we comply with the confidentiality provisions of the Mental Healthcare Act 2017, including restrictions on disclosure of mental health records without patient consent.

3. Health Data We Handle

Therapyy processes the following categories of health-related data:

  • Developmental Records: assessment results, developmental milestone tracking, and diagnostic information shared by parents
  • Session Notes: clinical notes and goal progress records created by therapists during or after sessions
  • Therapy Goals: individualized therapy goals, target behaviors, and progress data stored in GrowthVault
  • Session Recordings: video and voice session content transmitted through Twilio (not stored by Therapyy)
  • Medical History: diagnoses, medications, and comorbidities voluntarily shared by parents in the child's profile
  • AI Insights: AI-generated summaries derived from session notes and developmental trends

4. Consent Model

We operate on an explicit, informed, and revocable consent model:

  • Explicit consent is obtained before any health data is collected, clearly explaining the purpose of collection and who may access it
  • Granular consent allows parents to control which therapists can view their child's GrowthVault records
  • Purpose limitation means data collected for therapy cannot be used for any other purpose, including research or advertising, without fresh consent
  • Right to withdraw means consent can be revoked at any time, and data deleted within 30 days of withdrawal
  • No consent bundling — we never make health data sharing a condition of accessing the Platform

5. Data Security Measures

Encryption

  • All data is encrypted in transit using TLS 1.3
  • Health records stored in GrowthVault are encrypted at rest using AES-256
  • Database backups are encrypted with a separate key from production data

Infrastructure Security

  • Platform hosted on Vercel (frontend) and Railway (backend), both with SOC 2 compliance
  • Database hosted on Railway with automated encrypted backups
  • Network-level access controls restrict database access to backend services only
  • Redis cache used for session and OTP data with appropriate TTLs, never for persistent health data

Application Security

  • JWT-based authentication with short expiry windows
  • Rate limiting on all API endpoints to prevent brute-force attacks
  • PII Shield active in all chat sessions to prevent inadvertent sharing of contact information
  • SQL injection protection via Prisma ORM, whose query builder and tagged-template $queryRaw/$executeRaw issue parameterized queries rather than string-concatenated SQL
  • CSRF protection on all state-changing endpoints

6. Access Controls

Access to health data is governed by strict role-based controls:

  • Parents can view and manage all data relating to their child, grant or revoke therapist access, and request full data export or deletion
  • Therapists can only access health records of children for whom they have an active booking or have been explicitly granted access by the parent
  • Supervisors can access records only for therapists under their supervision, with explicit parent consent
  • Admin staff operate under the principle of least privilege and access health data only when required for support purposes, with all access logged
  • AI systems process session notes to generate summaries, with no human access by third-party AI providers to identifiable health records
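The role rules above, together with the per-access audit logging and the DPO alert on admin access described in section 8, can be expressed as a single default-deny authorization check. The following is an added illustration and not Therapyy's own code: the types, function names, and the sample parent, child, therapist, supervisor and admin records are assumptions made for this example, and in a real deployment the lookups would be Prisma queries and the audit row would be written in the same transaction as the read.

```typescript
// Added illustration, not Therapyy's own code. Implements the section 6 role
// rules as a default-deny check, writes an audit entry for every decision, and
// raises a DPO alert on admin access. All names and sample data are assumed.

type Role = "parent" | "therapist" | "supervisor" | "admin";

interface Actor { id: string; role: Role }
interface Child { id: string; parentId: string }
// A parent's explicit grant to one therapist; revokedAt is set on withdrawal.
interface Grant { childId: string; therapistId: string; revokedAt?: Date }
// A booking confers access only between start (inclusive) and end (exclusive).
interface Booking { childId: string; therapistId: string; start: Date; end: Date }
// A supervisor may see a supervised therapist's records only for children whose
// parent consented to supervisory access.
interface Supervision { supervisorId: string; therapistId: string; consentedChildIds: string[] }
interface AuditEntry {
  at: Date; actorId: string; role: Role; childId: string; action: string; allowed: boolean; reason: string;
}
interface Store {
  children: Child[]; grants: Grant[]; bookings: Booking[]; supervisions: Supervision[];
  audit: AuditEntry[]; dpoAlerts: string[];
}

// Why a therapist may read this child's record, or null if they may not.
function therapistReason(store: Store, therapistId: string, childId: string, now: Date): string | null {
  const t = now.getTime();
  const granted = store.grants.some(g =>
    g.childId === childId && g.therapistId === therapistId &&
    (g.revokedAt === undefined || g.revokedAt.getTime() > t));
  if (granted) return "parent grant";
  const booked = store.bookings.some(b =>
    b.childId === childId && b.therapistId === therapistId &&
    b.start.getTime() <= t && t < b.end.getTime());
  return booked ? "active booking" : null;
}

// Default-deny decision. Every call, allowed or denied, is appended to the audit log.
function canReadRecord(store: Store, actor: Actor, childId: string, now: Date, supportTicket?: string): boolean {
  let allowed = false;
  let reason = "denied";
  const child = store.children.find(c => c.id === childId);
  if (child === undefined) {
    reason = "unknown child";
  } else if (actor.role === "parent") {
    allowed = child.parentId === actor.id;
    reason = allowed ? "parent of child" : "not the child's parent";
  } else if (actor.role === "therapist") {
    const r = therapistReason(store, actor.id, childId, now);
    allowed = r !== null;
    reason = r ?? "no grant or active booking";
  } else if (actor.role === "supervisor") {
    // Supervisory access is derived: the supervised therapist must currently
    // have access and the parent must have consented for this child.
    const via = store.supervisions.find(s =>
      s.supervisorId === actor.id && s.consentedChildIds.includes(childId) &&
      therapistReason(store, s.therapistId, childId, now) !== null);
    allowed = via !== undefined;
    reason = via !== undefined ? `supervises ${via.therapistId} with parent consent` : "no consented supervision";
  } else if (actor.role === "admin") {
    allowed = supportTicket !== undefined && supportTicket.length > 0;
    reason = allowed ? `support ticket ${supportTicket}` : "admin access requires a support reason";
    if (allowed) store.dpoAlerts.push(`${now.toISOString()} admin ${actor.id} read ${childId} (${supportTicket})`);
  }
  store.audit.push({ at: now, actorId: actor.id, role: actor.role, childId, action: "read", allowed, reason });
  return allowed;
}

// Consent withdrawal: only the child's parent may revoke, and revocation takes
// effect immediately for the check above. Returns true if a grant was revoked.
function withdrawConsent(store: Store, parent: Actor, childId: string, therapistId: string, now: Date): boolean {
  const child = store.children.find(c => c.id === childId);
  if (child === undefined || parent.role !== "parent" || child.parentId !== parent.id) return false;
  let changed = false;
  for (const g of store.grants) {
    if (g.childId === childId && g.therapistId === therapistId && g.revokedAt === undefined) {
      g.revokedAt = now;
      changed = true;
    }
  }
  return changed;
}

// Constructed sample data (assumed, not real records) for a stand-alone run.
function sampleStore(): Store {
  return {
    children: [{ id: "c1", parentId: "p1" }],
    grants: [{ childId: "c1", therapistId: "t1" }],
    bookings: [{ childId: "c1", therapistId: "t2",
                 start: new Date("2026-03-01T10:00:00Z"), end: new Date("2026-03-01T11:00:00Z") }],
    supervisions: [{ supervisorId: "s1", therapistId: "t1", consentedChildIds: ["c1"] }],
    audit: [], dpoAlerts: [],
  };
}

const demoStore = sampleStore();
const demoNow = new Date("2026-03-01T10:30:00Z");
console.log(canReadRecord(demoStore, { id: "t2", role: "therapist" }, "c1", demoNow)); // booking in progress
console.log(canReadRecord(demoStore, { id: "t3", role: "therapist" }, "c1", demoNow)); // no relationship
console.log(demoStore.audit.map(e => `${e.actorId}:${e.allowed}:${e.reason}`));
```

The point of structuring it this way is that there is no path to `allowed = true` without a recorded reason, the supervisor rule cannot outlive the therapist access it depends on, and a parent's withdrawal is enforced by the same predicate that granted access, so there is no second place to forget to update.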

7. Special Protections for Children

As a platform dedicated to children's healthcare, we apply enhanced protections beyond standard DISHA requirements:

  • Children cannot create accounts or access the Platform directly
  • All consent is provided by the parent or legal guardian
  • Health data relating to a child is never used for advertising, profiling, or marketing of any kind
  • Children's data is never shared with third parties except as required for direct therapy delivery
  • Data retention for minors defaults to deletion at the earlier of account closure or when the child turns 18, unless the parent explicitly requests retention
  • Any safeguarding concerns identified by therapists are handled in accordance with the Protection of Children from Sexual Offences Act 2012 (POCSO) and child protection guidelines

8. Audit and Accountability

  • All access to health records is logged with timestamps, user identity, and action taken
  • Logs are retained for a minimum of 3 years in compliance with DISHA requirements
  • Admin access to health data triggers automatic alerts to our Data Protection Officer
  • We conduct internal security reviews on a quarterly basis
  • Third-party penetration testing is conducted at least annually

9. Breach Response

In the event of a data breach affecting health records:

  • Affected users will be notified within 72 hours of the breach being identified
  • Notification will include a description of the data affected, likely consequences, and measures taken
  • We will report qualifying breaches to the relevant authorities as required under DPDPA 2023
  • A full incident report will be published within 30 days of breach resolution

10. Your Rights Under DISHA and DPDPA

As a data principal (or the parent of a child data principal), you have the following rights:

  • Right to Access: Request a copy of all personal and health data we hold about you or your child
  • Right to Correction: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data, subject to legal retention requirements
  • Right to Portability: Receive your child's GrowthVault data in a machine-readable format
  • Right to Restrict Processing: Object to or restrict certain uses of your data
  • Right to Withdraw Consent: Withdraw previously given consent at any time

To exercise any of these rights, contact our Data Protection Officer at privacy@therapyy.in. We will respond within 30 days.

11. Contact Our Data Officer

Data Protection Officer

Therapyy

Email: privacy@therapyy.in

For general support: Contact Form