Privacy Policy (DPDP Act)

Operator: NaadiOS — a sole proprietorship of Jai Praneeth Marni (Udyam Registration No. UDYAM-TS-09-0243621), Hyderabad, Telangana, India.

Status: complete, pending legal sign-off. This policy is operationally grounded in how the platform actually handles data and has not yet been reviewed by a lawyer. Final wording is confirmed on legal review before production use.

1. Who this policy covers

This policy is for NaadiOS, a clinic-operated patient messaging and workflow platform used for appointment operations, reminders, follow-ups, staff workflows, billing support, and related clinic communications. The clinic is the primary controller / Data Fiduciary for the patient and staff data it processes; NaadiOS acts as the clinic's Data Processor, except for limited security and platform-administration processing NaadiOS performs on its own initiative.

2. Website and demo requests

NaadiOS also collects limited personal and business-contact information from website visitors and prospective clinic customers who submit the public demo-request form before they become a clinic customer.

This information is used only for evaluating and following up on demo or signup interest, including sales contact and onboarding discussions. It is not used as clinic-operational messaging data.

This website lead information is not WhatsApp or patient messaging data, and it is not patient operational data processed on behalf of a clinic. It is retained for a reasonable period for sales follow-up, onboarding administration, and related internal recordkeeping, and can be deleted on request where applicable.

Submitting the public demo-request form does not by itself create a clinic-customer relationship or start clinic-operational data processing. That separate processing begins only if and when the clinic is onboarded to the platform.

3. Data we process

NaadiOS is not a diagnosis engine, treatment-recommendation engine, or emergency-response channel, and must not be operated as one.

4. Why we process data

The platform processes personal data only for limited clinic-operational purposes: account creation and access control; appointment scheduling and patient communication; reminders, follow-ups, and staff workflow coordination; consent recording and communication governance; billing and payment support; service reliability, fraud and abuse prevention, and audit logging; and legal, contractual, and security compliance. The platform does not use patient data for unrelated advertising or resale.

5. Legal bases

Where required, processing relies on one or more of: patient consent for WhatsApp and similar clinic communications; performance of the clinic's service relationship with the patient; compliance with legal or regulatory obligations; legitimate operational and security interests where permitted by law; and employment or contractor administration for clinic staff accounts. Where the clinic relies on consent, the clinic is responsible for the consent language, collection channel, recordkeeping, and withdrawal path.

6. Consent and messaging rules

WhatsApp consent is treated as channel-specific; send eligibility is tied to active consent state in the runtime trust model. The clinic decides the patient-facing consent copy. Patients are told messaging is for appointment and clinic-support workflows and not for emergencies. Sensitive-health messaging is minimized.

7. Sharing and service providers (sub-processors)

8. Cross-border processing

Primary database storage and application compute are both hosted in India (Supabase and/or Google Cloud, Mumbai ap-south-1 / asia-south1, depending on migration stage). Transactional email is delivered via Resend, which may process data outside India. Some limited processing therefore occurs outside India even though primary storage and compute are in India.

9. Retention

Retention is limited to what is needed for ongoing clinic operations, auditability and dispute handling, security investigations, and legal or regulatory obligations. Patient data export and erasure are available via operator-run Data Subject Request (DSR) tooling (authorized, audit-logged, approval-gated). Financial and audit records are retained and anonymized rather than deleted.

10. Security

The platform uses role-based access controls, salted-and-hashed dashboard PINs with per-credential lockout, server-side session-token hashing, structured request logging with PHI scrubbing, cross-instance rate limiting on authentication and public routes, and webhook ingress controls including shared-secret validation and inbound replay protection. These controls reduce risk but do not eliminate it.

11. Data subject rights

Subject to applicable law, patients and staff may access their personal data, correct inaccurate data, withdraw consent where consent is the basis, request deletion (subject to legal and operational retention limits), and raise a grievance. To exercise these rights, contact privacy@naadios.com. Requests are identity-verified and fulfilled using the platform's DSR tooling.

12. Children and sensitive data

Clinics using the platform for pediatric or other sensitive contexts must obtain any legally required guardian or representative authorization and avoid over-disclosing sensitive health details in messages.

13. Changes

Material changes to this policy are announced to clinics and, where appropriate, to patients, before they take effect.

14. Contact