Table of Contents
DhanVriddhi Capital LLC ("we," "us," "our," or "Company") is a limited liability company organized under the laws of the State of Tennessee, United States. We are the data controller and operator of HiShona (also accessible as HiShona at hishona.com), a progressive web application (PWA) designed to help parents, guardians, and authorized caregivers record and track their child's health, development, and daily activities.
Service: HiShona Baby Tracker (hishona.com)
Data Controller: DhanVriddhi Capital LLC, State of Tennessee, United States
Privacy Officer / Grievance Officer: Ashish Sharma, Founder & Privacy Officer
Privacy Contact: privacy@hishona.com or via in-app feedback form (Settings → Send Feedback)
Postal: DhanVriddhi Capital LLC, c/o Registered Agent, State of Tennessee [FILL IN — TN registered agent address pending]
This Privacy Policy ("Policy") describes what personal information and health data we collect through HiShona, why we collect it, how we use, store, secure, and protect it, your rights regarding your data, and our obligations under applicable data protection laws.
This Policy applies to all persons who use HiShona:
This Policy does not apply to residents of the EU, EEA, or UK, who are not authorized to use HiShona. Access from those regions is blocked at the infrastructure level.
This is the core data in HiShona. All of it is entered voluntarily by you. None of it is collected automatically or inferred.
| Data Category | Specific Fields | Purpose |
|---|---|---|
| Child Profile | Name, date of birth, gender, country, measurement units | Account setup; personalize growth charts and developmental guides |
| Feeding Logs | Feed type, duration, volume (ml), side, timestamp, caregiver, notes | Track feeding history; calculate daily intake; predict next feed |
| Pump Logs | Pump side, volume (ml), timestamp, caregiver, notes | Track breast milk expression separately from direct feeds |
| Diaper Logs | Type (wet/dirty/mixed), timestamp, caregiver, notes | Track diaper output history |
| Sleep Logs | Start time, end time, duration (calculated), caregiver, notes | Track sleep patterns and daily totals |
| Growth Measurements | Weight, height/length, head circumference, date, notes | Track growth over time; display percentile charts |
| Mood / Behavior | Mood rating, behavioral notes, timestamp | Track behavioral patterns |
| Vaccine Records | Vaccine name, date administered, custom vaccines | Track immunization history for reference |
| Doctor Appointments | Appointment date, notes | Track upcoming and past healthcare visits |
HiShona requires Google Sign-In for authentication. We do not offer email/password login and do not collect passwords. We receive from Google's OAuth flow: Google User ID (unique identifier for account linking — not shared with any third party); email address (for account recovery and legal notifications only); display name (used to label caregiver entries); and profile picture URL (display purposes only). We do not have access to your Google password or any other Google services.
When you sign in, we generate a secure session token (32-character cryptographic hex string) stored in device localStorage and our DynamoDB sessions table. Session tokens expire automatically after thirty (30) days. Upon sign-out, tokens are immediately revoked.
When you accept these Terms and this Privacy Policy, we record: acceptance timestamp (ISO 8601 UTC); Terms version; device user agent (up to 200 characters); device timezone; and individual checkbox states. This record is retained for seven (7) years for legal compliance even after account deletion.
When you generate or use an invite code, we record: invite code value; creation timestamp; associated babyId; acceptance timestamp and accepting user's Google ID (when used); and revocation timestamp (if revoked).
If you submit feedback, we collect: message text; submission timestamp; and optionally your account email if you include it. Retained for two (2) years.
Google Analytics is used on the public hishona.com landing page (not inside the authenticated app). No analytics SDK has access to child health data or authenticated user data.
To be explicit: HiShona does NOT collect precise geolocation or GPS data; camera, microphone, or sensor data; the child's email address, phone number, or social media identifiers; advertising identifiers (IDFA, GAID); third-party tracking cookies or pixels inside the authenticated app; behavioral tracking across other apps or websites; or financial or payment information (HiShona is free; Ko-fi donations are processed directly by Ko-fi, not HiShona). IP addresses are captured only in AWS CloudFront logs for security purposes, retained 90 days.
Child health and development data (§3.1) is collected solely to provide the core functionality of HiShona: displaying your child's health history, generating summaries and trends, providing data export, and enabling data sync across your devices.
Account data (§3.2) and session tokens (§3.3) are collected to authenticate your identity, maintain your signed-in session, prevent unauthorized access to your child's data, and enable caregiver sharing via invite codes.
Legal acceptance records (§3.4) are collected to demonstrate compliance with COPPA, applicable privacy laws, and other legal obligations, and to maintain an audit trail of consent.
Any analysis of usage data is performed only on anonymized, aggregated data from which all personally identifying information has been stripped. We never identify you or your child individually in such analysis. We do not build behavioral profiles or predictive models from your data.
We may create aggregated and de-identified statistical information ("Derived Data") that cannot reasonably be linked to you, your child, or your household. Derived Data is created using techniques that meet applicable de-identification standards (including Cal. Civ. Code § 1798.140), subject to: (i) technical safeguards prohibiting re-identification; (ii) business processes to prevent inadvertent release; and (iii) our public commitment never to attempt re-identification. DhanVriddhi Capital LLC owns Derived Data and may in the future license or sell it for research or commercial purposes, subject to:
Because HiShona is not offered in the EU, EEA, or UK, our processing is governed by U.S. federal law, U.S. state privacy laws, and the laws of Canada, Australia, India, and other applicable jurisdictions outside the EU/EEA/UK. We process your information based on:
For any use of your or your child's information not described in this Policy, we will obtain your separate consent before that use begins.
All data you enter in HiShona is stored on your device using browser localStorage. This data is accessible only to you through your device and browser. It is protected by your device's operating system security model.
When you sign in with Google, HiShona automatically enables cloud backup and sync. Your data is encrypted and uploaded to Amazon Web Services (AWS) Simple Storage Service (S3) in the us-east-1 (N. Virginia, United States) region every time you save a log entry. All data is: encrypted at rest (AES-256); encrypted in transit (TLS 1.2+); isolated per child in its own S3 folder (babies/{babyId}/); and accessible only by authorized HiShona infrastructure (our AWS Lambda functions).
We use AWS DynamoDB (us-east-1) to store: the shona_users table (Google User ID, email, display name, associated baby IDs, account creation timestamp); and the shona_sessions table (hashed session tokens, 30-day TTL with automatic deletion, associated Google User ID).
Your data is not stored with, transmitted to, or processed by: Facebook, advertising networks, analytics providers inside the authenticated app, email marketing services, crash reporters, or any third party other than AWS (S3, DynamoDB, Lambda as described above) and Google (OAuth authentication handshake only).
You have full access to all User Data in your account at all times through the HiShona app.
If you share an invite code, the recipient receives read and write access to your child's records. You are solely responsible for who you share invite codes with. You can revoke access at any time (Settings → Invite Code → New Code). DhanVriddhi Capital LLC is not liable for any misuse or unauthorized access by invited persons.
Our authorized personnel may access your data only for: providing technical support you have requested; debugging confirmed technical issues affecting your account; responding to lawful legal requests; investigating credible child safety concerns; and performing security audits. All access is logged and limited to the minimum required for the purpose.
We share your data with the following sub-processors solely to operate HiShona. Both are contractually prohibited from using your data for their own purposes.
| Sub-Processor | Purpose | Region | Data Received |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud storage, compute, API gateway, CDN | us-east-1 (N. Virginia, USA) | All app data (encrypted). AWS Privacy Policy: aws.amazon.com/privacy. AWS DPA: aws.amazon.com/agreement/data-processing. |
| Google LLC | OAuth 2.0 authentication only | Google infrastructure | Authentication signals only. Google does NOT receive child health data. Google Privacy Policy: policies.google.com/privacy. |
We may disclose your data if required by a valid subpoena, court order, or warrant; if necessary to protect child safety in an emergency; or if required by applicable child protection laws. We will notify you of any government request for your data, except where legally prohibited, and will narrow any disclosure to the minimum required.
We do not use your data for automated decision-making that produces legal effects or significantly affects you or your child. HiShona's predictive features (feeding/sleep averages) are statistical computations only — they are not automated decisions within the meaning of applicable privacy law.
HiShona is subject to the Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq. ("COPPA"), and the FTC's Rules at 16 C.F.R. Part 312, as amended by the 2025 Final Rule amendments (effective June 23, 2025; full compliance deadline April 22, 2026). We collect personal information about children under 13 solely from their adult parents or guardians, who are the exclusive account holders. Children do not directly use or interact with HiShona.
We obtain verifiable parental consent using the email-plus method authorized by 16 C.F.R. § 312.5(b)(2)(vi). This method is permissible because HiShona makes zero disclosures of children's personal information to third parties for non-integral purposes — no advertising, no AI training, no data brokering. Specifically:
Important: The Google Sign-In authentication is used for identity verification and account security only — it does not constitute or substitute for verifiable parental consent under COPPA. If we ever begin disclosing children's personal information to third parties for non-integral purposes, we will adopt a more robust FTC-recognized VPC method (such as government-ID matching or knowledge-based authentication) before doing so.
We collect health and developmental information about children under 13 only after obtaining verifiable parental consent. The specific categories are detailed in §3.1. We do NOT collect: the child's email address or phone number; social media accounts or persistent identifiers linked directly to the child; precise geolocation data about the child; audio or video recordings of the child; or any data that allows us to contact the child directly.
In compliance with the 2025 COPPA Final Rule amendments, we retain children's personal information only as long as reasonably necessary for the specific purpose for which it was collected. We do not retain children's personal information indefinitely. See §13 for the complete retention schedule. The specific purpose for each data category is described in §3.1.
We do not permit any third party to collect personal information about children through HiShona. We use no cookies, tracking pixels, or third-party SDKs inside the authenticated app that collect data about children. No behavioral or targeted advertising is directed at or based on child data.
As the parent or legal guardian, you may exercise the following rights at any time by contacting privacy@hishona.com or via the in-app feedback form. We will verify your identity and respond within thirty (30) days.
The information you record in HiShona — including feeding history, growth measurements, sleep data, vaccine records, and developmental milestones — constitutes "health data" or "health information" under applicable law. Although DhanVriddhi Capital LLC is not a HIPAA covered entity, we treat all health data with equivalent or greater protections.
HiShona is a personal health record application subject to the FTC Health Breach Notification Rule, 16 C.F.R. Part 318. In the event of a breach of unsecured personal health record data, DhanVriddhi Capital LLC will notify affected individuals without unreasonable delay and no later than sixty (60) days after discovery; notify the FTC on the same timeline; and notify prominent media outlets in states where 500 or more residents are affected.
DhanVriddhi Capital LLC maintains a written information security program proportionate to our size and the sensitivity of the data we hold. Security Coordinator: Ashish Sharma, Founder & Privacy Officer (privacy@hishona.com). The program includes: encryption in transit and at rest; role-based access controls; session token management; annual risk assessment; and sub-processor oversight. No third-party SDKs receive child health data.
We collect only the specific health data fields needed to provide each feature of HiShona, as documented in §3.1. We do not collect health data in advance of a feature need, and we do not collect health data about any person other than the child named in your account.
Aggregated and de-identified data, created and maintained as described in §4.5, may be used for service improvement, statistical research, and feature development. Any future use beyond these internal purposes will be preceded by an updated Privacy Policy and, where required by applicable law (including Washington MHMDA RCW 19.373.070), separate signed authorization.
This applies to every data type in HiShona: feeding logs, milk volume data, pump logs, diaper records, sleep tracking, growth measurements and percentile calculations, vaccine schedules, developmental guides, mood logs, next-feed predictions, and doctor appointment reminders. None of these features constitute medical advice, clinical guidance, or a substitute for professional healthcare. Always consult your child's pediatrician.
The Washington My Health My Data Act imposes specific requirements on entities that collect consumer health data. If you are located in Washington State, a standalone Consumer Health Data Privacy Policy meeting the requirements of RCW 19.373.020 is available at hishona.com/wa-health-privacy.html. Your rights include: confirming whether we collect your health data; accessing a list of specific types collected; obtaining a portable copy; requesting deletion; withdrawing consent; and a private right of action for violations. We do not sell consumer health data. We do not implement geofences around healthcare facilities.
If you are located in Texas, we comply with Texas health privacy requirements applicable to non-covered entities. We do not sell or share your health data for commercial purposes. You have the right to access, correct, and request deletion via privacy@hishona.com.
Under the California Confidentiality of Medical Information Act (Cal. Civ. Code § 56 et seq.), we maintain the confidentiality of medical information and do not disclose it without your authorization except as required by law. California residents also have rights under CCPA/CPRA as described in §14.2.
HiShona uses Google Sign-In as its exclusive authentication method. You authenticate directly with Google using your existing Google Account. DhanVriddhi Capital LLC never sees your Google password.
After you authorize HiShona, Google's OAuth flow provides us with a signed JWT containing: your Google User ID (sub claim); email address; display name; and profile picture URL. We verify the JWT signature using Google's public keys. No other Google account data is accessed. Google does not receive your child's health data.
We store your Google User ID, email, display name, and profile picture URL in device localStorage (for display and session management) and AWS DynamoDB (to link your Google identity to your baby's S3 data folder). This data is deleted when you delete your account.
You may revoke HiShona's access to your Google account at any time by visiting myaccount.google.com/permissions, finding "HiShona" in the list, and clicking "Remove Access." Note that revoking Google access will prevent you from signing in.
DhanVriddhi Capital LLC uses Amazon Web Services (AWS) as a data processor for cloud storage and compute. AWS processes your data only on our instructions and is contractually prohibited from using your data for AWS's own purposes. AWS's obligations are governed by the AWS Customer Agreement and AWS Data Processing Addendum (aws.amazon.com/agreement).
AWS maintains SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, PCI DSS, and other certifications. AWS S3 provides server-side encryption (AES-256), encryption in transit (TLS), and redundant storage.
When you delete your account, your data is permanently deleted from AWS S3 and DynamoDB within thirty (30) days. Legal acceptance records are anonymized and retained for seven (7) years per legal compliance requirements.
We retain each category of data only as long as necessary for the purpose it was collected, or as required by law. This schedule satisfies the COPPA 2025 written data retention policy requirement.
| Data Category | Retention Period | Deletion Trigger |
|---|---|---|
| Baby health and development data (feeds, diapers, sleep, growth, vaccines, moods, pump logs) | Until account deletion or deletion request | Account deletion or explicit request; inactive account deletion at 12 months |
| Child profile data (name, DOB, gender, country) | Until account deletion or deletion request | Account deletion or explicit request |
| Google account data (User ID, email, display name, picture URL) | Until account deletion | Account deletion; also removed if Google access is revoked |
| Session tokens (DynamoDB) | 30 days from creation (automatic TTL expiry) | Automatic expiry or sign-out, whichever comes first |
| Invite code records | Until revoked or account deleted | Revocation or account deletion |
| Legal acceptance records | 7 years from acceptance date (anonymized after account deletion) | Anonymized at account deletion; fully purged after 7-year legal hold |
| Feedback submissions | 2 years from submission | Automatic deletion after 2 years |
| CloudFront and server access logs | 90 days | Automatic deletion after 90 days |
| Inactive accounts | 12 months of inactivity | Permanent deletion after 12 months of inactivity (with 60 days' advance notice) |
To delete your HiShona account and all associated data:
Upon account deletion: your access is immediately terminated; your data is deleted from active systems within thirty (30) days; legal acceptance records are anonymized and retained for seven (7) years; all other data is permanently deleted. Deletion is irreversible.
Accounts inactive for twelve (12) consecutive months may be permanently deleted. An account is "inactive" if no user has signed in or recorded any data during that period. We will provide sixty (60) days' advance notice before deletion of an inactive account. To keep your account active, sign in at least once every twelve (12) months.
After account deletion, we retain only: anonymized legal acceptance records (7-year legal hold, all personal identifiers removed); aggregated and anonymized usage statistics (no personal identifiers); and server security logs (90 days, then auto-deleted).
To exercise any right listed in this Section, contact us at privacy@hishona.com or via Settings → Send Feedback. Include your account email address and a description of your request. We will verify your identity and respond within the applicable legal deadline. We do not charge a fee for the first two (2) rights requests per year.
Under COPPA (15 U.S.C. § 6501 et seq.), parents and guardians have the right to review, correct, delete, and withdraw consent for all personal information collected about their child. See §8.6 for detailed procedures.
If you are a California consumer, you have rights under the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) and the California Privacy Rights Act:
If you are a Virginia resident (Va. Code § 59.1-571 et seq.), you have the right to confirm whether we process your personal data; access your personal data; correct inaccurate personal data; delete personal data; obtain a portable copy of your data; and opt out of profiling and targeted advertising (HiShona does not conduct either). We respond within forty-five (45) days, with a possible thirty (30) day extension. You may appeal a denial by re-submitting with "VCDPA Appeal" in the subject. If dissatisfied, contact the Virginia AG's Consumer Protection Section.
If you are a Colorado resident (C.R.S. § 6-1-1301 et seq.), you have the right to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising and sale (HiShona does neither). We respond within forty-five (45) days. Appeal a denial by re-submitting with "CPA Appeal." If dissatisfied, contact the Colorado AG's office.
Tennessee residents have rights under the Tennessee Information Protection Act (effective July 1, 2025) to access, correct, delete, and obtain a copy of personal data. Submit requests to privacy@hishona.com. If dissatisfied, contact the Tennessee AG's Division of Consumer Affairs.
Washington State residents have rights under the My Health My Data Act (RCW 19.373). See the standalone Washington Consumer Health Data Privacy Policy for full details. Rights include: confirming data collection; accessing health data; deleting health data; withdrawing consent; and a private right of action for violations.
Residents of Texas (TDPSA), Connecticut (CTDPA), Oregon, Montana, Iowa, Indiana, Delaware, and other states with comprehensive privacy laws have rights under those laws. Submit requests to privacy@hishona.com and we will respond in accordance with applicable law.
If you are located in Canada, you have the right under PIPEDA (and applicable provincial laws) to access, correct, and request deletion of personal information. Quebec residents additionally have rights under Law 25, including data portability (in force since September 22, 2024). Submit requests to privacy@hishona.com. You may also lodge a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca (Tel: 1-800-282-1376) or, for Quebec residents, with the Commission d'accès à l'information (CAI).
If you are located in Australia, you have rights under the Privacy Act 1988 (as amended) to access (APP 12) and correct (APP 13) personal information we hold about you. You may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. See §22 for the full Australia Privacy Notice.
If you are located in India, you have rights under the Digital Personal Data Protection Act 2023 (§§ 11–14) to access, correct, erase, and nominate a representative. You may also lodge a complaint with the Data Protection Board of India. See §21 for the full India DPDP Notice. Our Grievance Officer is Ashish Sharma (privacy@hishona.com); we respond to grievances within thirty (30) days.
HiShona is operated from the United States by DhanVriddhi Capital LLC, a Tennessee-based company. All cloud infrastructure is located in the us-east-1 (N. Virginia, United States) AWS region. If you are located outside the United States, your personal data will be transferred to and processed in the United States.
For users located in Canada (including Quebec), personal data is transferred to and processed in the United States. Quebec residents' personal data crosses outside Quebec to AWS US infrastructure. We have conducted a Privacy Impact Assessment (PIA) regarding this cross-border transfer, as required by Quebec Law 25. The PIA assessed the adequacy of protections at the destination (AWS US-East-1) and found that contractual and technical safeguards (AWS Data Processing Addendum, AES-256 encryption, TLS in transit) provide adequate protection. Records of the PIA are maintained by the Privacy Officer.
For Australian users, personal information is disclosed overseas to recipients located in the United States (AWS US-East-1). Under Australian Privacy Principle 8, DhanVriddhi Capital LLC remains accountable for the handling of this information by AWS, which is bound by contractual obligations equivalent to the APPs. AWS maintains ISO 27001, SOC 2, and other certifications.
For Indian users, personal data may be transferred to the United States under the DPDP Act 2023. The Government of India has not yet published a list of restricted countries; transfers to AWS US-East-1 are permissible under the current framework.
If you are concerned about international data transfers and prefer data to remain on your device only: note that HiShona requires Google Sign-In and automatic cloud sync to function. If you wish to limit cloud sync, please contact privacy@hishona.com to discuss options.
A "data breach" is the unauthorized access, disclosure, alteration, or destruction of personal data, including through hacking, cyberattack, insider threat, lost/stolen device, misconfigured security, or ransomware.
As a personal health record service, HiShona is subject to the FTC Health Breach Notification Rule. In the event of a breach affecting personal health record data: we will notify affected individuals within sixty (60) calendar days; we will notify the FTC within the same period; if 500 or more individuals in a state are affected, we will notify prominent media in that state; for breaches affecting fewer than 500 individuals, we will log and report to the FTC annually.
We comply with all applicable state breach notification laws, including:
For breaches posing a "real risk of significant harm" to Canadian residents, we will notify affected users and the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible. For Quebec residents, we will notify affected individuals and the Commission d'accès à l'information (CAI) as soon as possible.
For eligible data breaches affecting Australian residents (those likely to result in serious harm), we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable after completing our assessment.
For any personal data breach affecting Indian users, we will notify the Data Protection Board of India in accordance with applicable DPDP Rules.
If a breach affects your personal data, we will notify you without unreasonable delay by in-app notification and email. The notice will describe: the nature of the breach; the types of data involved; the steps we are taking; and recommended protective actions you can take.
We collect only the data necessary to provide HiShona's features. We do not: track children's location or real-time movement; monitor children through cameras, microphones, or sensors; create behavioral profiles or predictive models of children; use children's data for advertising, marketing, or any commercial purpose; or share children's data with third parties for commercial purposes.
HiShona contains no advertising. We do not engage in tracking, behavioral monitoring, or targeted advertising directed at children. We do not profile children. This applies globally, including for users covered by India DPDPA § 9(3).
Parents and guardians have: full visibility into all data collected; ability to delete any or all data at any time; ability to export data in portable format at any time; ability to revoke caregiver access codes; and the right to delete the entire account and all associated data.
HiShona has no advertising, in-app purchases (beyond the optional voluntary Ko-fi donation link), or commercial incentives designed to exploit or engage children. HiShona has no chat, messaging, or social features. We do not collect the child's email address, phone number, or any contact information. We maintain no public profiles for children.
DhanVriddhi Capital LLC may modify this Privacy Policy at any time. For material changes, we will update the Policy with a new version number and date, provide notice via in-app notification or email, and where required by applicable law (including COPPA), obtain your affirmative re-consent. We will provide at least 30 days' advance notice before any material change to data practices.
Material changes include changes to: what data we collect; how we use data; who we share data with; retention periods; or your rights. Non-material changes include grammar corrections, formatting, clarifications that don't affect your rights, or addition of supervisory authority contact details.
We maintain previous versions of this Policy. If you wish to review the version you accepted when creating your account, contact privacy@hishona.com.
Privacy Officer & Grievance Officer: Ashish Sharma, Founder & Privacy Officer
Email: privacy@hishona.com (preferred for rights requests)
In-App: Settings → Send Feedback (select "Privacy Request")
Postal: DhanVriddhi Capital LLC, Attn: Privacy, State of Tennessee, United States
[FILL IN — TN registered agent address pending]
Legal Entity: DhanVriddhi Capital LLC
State of Formation: Tennessee, United States
Response Time: Thirty (30) days for most requests; forty-five (45) days for CCPA, Colorado CPA, and VCDPA requests.
This Privacy Officer designation satisfies the requirements of Quebec Law 25 (Privacy Officer publication obligation), India DPDPA (Grievance Officer designation), and best practice under PIPEDA and Australia APP 1.4.
Washington State residents have rights under the My Health My Data Act (RCW 19.373) with respect to the consumer health data HiShona collects. Consumer health data collected includes: feeding logs (breast/formula/pump volumes), sleep duration and timing, diaper output, growth measurements (weight, length, head circumference), developmental milestones, vaccine records, mood logs, and doctor appointment records.
We do not sell consumer health data. Any future change to this practice would require a separate, signed authorization complying with RCW 19.373.070 before it takes effect.
We do not implement geofences around healthcare facilities (RCW 19.373.030).
To exercise your Washington MHMDA rights (confirm collection, access, delete, withdraw consent, obtain list of third-party recipients), contact privacy@hishona.com. We respond within forty-five (45) days. There is no fee for the first two (2) requests per year. You may appeal denials within thirty (30) days by re-submitting with "MHMDA Appeal" in the subject. MHMDA violations are per-se violations of the Washington Consumer Protection Act, enforceable by private action with treble damages up to $25,000 per violation plus attorneys' fees.
We collect the data categories described in §3.1 and §3.2 above. All data is collected directly from the parent or guardian who creates the account. No data is collected directly from the child.
Personal data is processed solely to provide the HiShona baby tracking service as described in §4.1. We do not process data for advertising, profiling, behavioral monitoring, or targeted marketing.
Under the DPDPA, a "child" means any individual who has not completed the age of 18 years. All data about children entered into HiShona is entered by the parent or guardian (the Data Principal), not by the child directly. We require verifiable parental/guardian consent for all accounts that contain data of a person under 18. We do not engage in tracking, behavioral monitoring, or targeted advertising directed at children, as prohibited by DPDPA § 9(3). We do not create behavioral profiles or predictive models of children.
Grievance Officer: Ashish Sharma, Founder & Privacy Officer
Email: privacy@hishona.com
Response Time: Thirty (30) days from receipt of grievance
Escalation: If your grievance is not resolved within 30 days, you may escalate to the Data Protection Board of India in accordance with DPDPA § 20.
This Privacy Policy is currently available in English. We are committed to making it available in other Eighth Schedule languages of India upon request. To request a translation, contact privacy@hishona.com.
We collect and hold the personal information described in §3.1 and §3.2 above, including health information (feeding, sleep, growth, vaccines, developmental milestones) and account information (name, email). Health information is sensitive information under the Privacy Act.
All personal information is collected directly from you (the parent or guardian) when you enter it into HiShona. It is held on device localStorage and encrypted in AWS S3 (us-east-1, United States) as described in §6.
Personal information is collected and used solely to provide the HiShona baby tracking service as described in §4. We do not use or disclose personal information for secondary purposes without your consent. Health information is not used for marketing, behavioral profiling, or commercial purposes.
You may access all personal information held about you directly within the HiShona app, or by requesting a data export (JSON or CSV) via privacy@hishona.com within thirty (30) days. You may correct inaccurate information directly in the app or by contacting privacy@hishona.com. We respond to access and correction requests within thirty (30) days.
To lodge a complaint about how we have handled your personal information, contact privacy@hishona.com. We will investigate and respond within thirty (30) days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Personal information is held by DhanVriddhi Capital LLC and disclosed to AWS (as sub-processor) in the United States (us-east-1). We remain accountable for the handling of your information by AWS as if we were handling it ourselves, pursuant to APP 8. AWS maintains contractual obligations and technical safeguards equivalent to the APPs.
HiShona's predictive features (next-feed and next-sleep averages) are statistical computations only. They are not automated decisions that significantly affect your rights or interests within the meaning of the Privacy Act (as amended). No automated decision-making using your data produces legal or significant effects on you.
From June 10, 2025, Australian law provides a statutory tort for serious invasions of privacy (Privacy and Other Legislation Amendment Act 2024). DhanVriddhi Capital LLC is committed to handling your personal information in a manner that respects your reasonable expectation of privacy. We collect only what is necessary, use it only for the stated purposes, and do not misuse or disclose it inappropriately.