Privacy Policy

Effective date: June 9, 2026

Depth is the intelligence layer for your body. You upload your blood-test reports; we read them, score them, and hand back a clear briefing on what actually matters. To do that, we handle some of the most sensitive data you own — your health record. This policy explains, in plain language, what we collect, why we collect it, who we share it with, where it lives, and the rights you have over it. We have tried not to hide anything important behind vague words.

This policy is operated by Raghav Dua and Prithvish Baidya ("Depth", "we", "us", "our"), the company behind depth.fit and the Depth application. By creating an account or using Depth, you agree to the practices described here.

1. Scope

This policy covers the Depth website, application, and related services (together, the "Service"). It applies to everyone who creates a Depth account or uploads data to us. Depth is for adults only — you must be 18 or older to use it. We do not knowingly collect data from children. See section 11.

2. The data we collect

We collect three kinds of data, and we treat them differently.

Account data

When you sign in with Google, we receive your email address, your name, and a Google account identifier. We use these to create and secure your account and to contact you about the Service. We do not receive your Google password.

Health data (sensitive)

This is the heart of the Service, and it is sensitive personal data. It includes:

  • The blood-test report PDFs you upload.
  • The biomarker values we extract from those reports.
  • The scores, insights, and Recaps we derive from them — including your Depth Score.
  • Profile information you provide so we can read your results in context: date of birth, sex, and ancestry/cohort.

We collect health data only with your consent, and only to provide the Service you asked for. You are never required to upload anything you do not want us to have.

Usage and technical data

Like most online services, we collect standard server logs and technical information — device and browser type, approximate location derived from your IP address, and how you interact with the Service. We use this to keep the Service running, secure, and reliable. We do not run third-party product analytics over your health data.

3. How and why we use your data

We use your data to:

  • Read your uploaded reports and extract the markers from them.
  • Generate your Depth Score, insights, and Recaps.
  • Power the AI agent that answers your questions over your own health record.
  • Maintain your account, authenticate you, and keep the Service secure.
  • Communicate with you about the Service, including changes and important notices.
  • Comply with our legal obligations and enforce our terms.

We do not sell your personal data. We do not use your health data to serve you advertising.

4. Legal bases for processing

For your health data — which is sensitive personal data — our legal basis is your explicit consent, which you give when you upload a report and ask us to process it. You can withdraw that consent at any time (see section 9); withdrawing it does not affect processing we already carried out lawfully.

For account and technical data, we rely on what is necessary to perform our contract with you (providing the Service), our legitimate interests in keeping the Service secure and functional, and compliance with applicable law.

5. Who processes your data on our behalf

We do not run all of our own infrastructure. To provide the Service, we share data with a small set of named processors. We disclose them specifically so you know exactly who touches your data.

  • Cloudflare — our hosting and infrastructure provider. It handles serverless compute, object storage for your uploaded report PDFs, database connection pooling, edge delivery, and our AI gateway.
  • PlanetScale — our managed PostgreSQL database provider. Your core record is stored here. This database is hosted in India (the Mumbai region), which is the primary location of your data.
  • Google Cloud (Vertex AI / Gemini) — processes the blood-report PDFs you upload to extract structured data from them. In other words, the contents of your uploaded reports are sent to Google for AI processing. Google also provides the OAuth sign-in you use to log in.
  • NVIDIA — hosts the language model that writes the insight and Recap copy. This model receives derived and enriched data (your extracted markers and the context we build around them), not the raw report PDF.

Each of these processors handles your data only to perform the function above, under our instructions. We do not run any third-party product analytics over your health data.

6. International transfers and data location

The primary location of your stored data is India (Mumbai). Because some of our processors operate globally, your data — or parts of it — may be processed in other countries when those services run. Where data crosses borders, we rely on the consent you provide and on the contractual protections we have in place with our processors. If you are in the EU/EEA or the UK, transfers out of those regions are made on the basis of appropriate safeguards such as Standard Contractual Clauses.

7. Security

We protect your data with encryption in transit and at rest, least-privilege access controls, and access logging. We restrict who on our side can reach health data and we keep a record of access. No system is perfectly secure, and we do not claim otherwise — but we treat your health record as data that deserves real care, and we build accordingly.

8. How long we keep your data

We keep your data for as long as your account is active, so the Service can read your history and track your trends over time — that longitudinal record is the point of Depth. If you ask us to delete your data, or you close your account, we delete it, subject to any limited retention the law requires. You can also delete individual uploads at any time.

9. Your rights

Whatever regime applies to you, you can:

  • Access the personal data we hold about you.
  • Correct data that is inaccurate or out of date.
  • Delete your data, including your uploaded reports.
  • Export your data in a portable form.
  • Withdraw consent to our processing of your health data.

If you are in India, the Digital Personal Data Protection Act, 2023 (the "DPDP Act") is the primary regime that governs how we handle your data, and you have the rights it grants — including the right to access, correction, erasure, grievance redressal, and to nominate another person to exercise your rights. You can raise any concern with our Grievance Officer (section 12).

If you are in the EU/EEA or the UK, you have the rights granted by the GDPR, including access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your data protection authority.

If you are in California, you have the rights granted by the CCPA/CPRA, including the right to know what we collect, to delete it, to correct it, and to opt out of any "sale" or "sharing" of personal information. We do not sell your personal information, and we will not discriminate against you for exercising your rights.

To exercise any of these rights, email privacy@depth.fit. We may need to verify your identity before we act, to protect your health data from anyone pretending to be you.

10. Health data is not medical advice

Depth is not a medical device. The scores, insights, and Recaps we produce are informational and wellness-oriented only. They are not medical advice, diagnosis, or treatment, and they are not a substitute for professional medical care. Always consult a qualified clinician about your health, and never disregard or delay seeking medical advice because of something Depth showed you. In an emergency, contact your local emergency services.

11. Children

Depth is for adults. You must be at least 18 years old to use the Service. We do not knowingly collect personal data from anyone under 18. If you believe a minor has given us data, contact us and we will delete it.

12. Grievance Officer and contact

In line with India's DPDP Act, you can reach our Grievance Officer about any question or complaint relating to your data:

  • Grievance Officer: Raghav Dua
  • Email: dpo@depth.fit
  • Operator: Raghav Dua and Prithvish Baidya
  • Registered address: Bangalore, India

For general privacy questions, email privacy@depth.fit. We will respond within the timelines the applicable law requires.

13. Changes to this policy

We may update this policy as the Service evolves — for example, as wearable and continuous-glucose integrations and at-home blood draws come online. When we make a material change, we will update the effective date above and, where appropriate, notify you. Your continued use of the Service after a change means you accept the updated policy.

See also our Terms of Service.