About This Policy
This Privacy Policy describes how Labnetworx Health IT Pvt. Ltd. ("Labnetworx", "we", "us", or "our"), a company incorporated under the Companies Act 2013, processes personal data in the course of delivering Enterprise AI implementation, managed AI services, and training solutions to healthcare organisations across India.
This Policy is published in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and any rules notified thereunder, and applies to all personal data processed by us on behalf of our clients (Data Fiduciaries) as well as personal data we collect directly when you interact with our website or contact us.
Plain-language summary: Labnetworx builds and runs AI systems inside your organisation's infrastructure. We do not harvest, sell, or commercialise patient or staff data. Data stays within your environment.
Our Role as Data Processor
Under the DPDP Act, 2023, a Data Fiduciary determines the purpose and means of processing personal data, while a Data Processor processes data on behalf of and under the instructions of a Data Fiduciary.
Labnetworx acts as a Data Processor when deploying and operating AI platforms, analytics pipelines, or managed services within or connected to our clients' environments. In this capacity:
- Our clients (healthcare providers, hospitals, diagnostic laboratories, and health IT organisations) are the Data Fiduciaries;
- We process personal data strictly in accordance with documented contracts, data processing agreements (DPAs), and our clients' lawful instructions;
- We do not use personal data entrusted to us for any purpose beyond the contracted scope;
- We implement appropriate technical and organisational measures to ensure a level of security appropriate to the nature of the data.
Note: Where Labnetworx independently determines the purpose and means of processing (for example, processing contact details of prospective clients), we act as a Data Fiduciary and this Policy applies in that capacity as well.
Personal Data We Process
The categories of personal data we process depend on the services engaged and the instructions of the Data Fiduciary. Typical categories include:
| Category | Examples | Context |
|---|---|---|
| Patient Health Data | UHID, diagnoses, lab results, prescriptions, ABHA number | AI diagnostics & ABDM integration deployments |
| Healthcare Professional Data | Name, NMC/MCI registration, department, contact details | Platform user management |
| Hospital Staff Data | Employee ID, role, access credentials (hashed) | Identity & access management within client systems |
| Website Visitor Data | Name, email, phone, organisation, enquiry text | Contact form submissions on labnetworx.com |
| Training Participant Data | Name, email, job title, attendance, assessment scores | AI training programmes |
We do not intentionally collect data from minors (persons under 18). If we become aware that such data has been provided without appropriate consent, we will promptly take steps to delete it.
Purposes & Legal Basis for Processing
We process personal data for the following purposes, and only to the extent necessary for each purpose:
- Service Delivery: Deploying, configuring, and operating AI/analytics platforms within client infrastructure on the basis of a contractual obligation and the client's consent framework.
- ABDM & Regulatory Compliance: Enabling Ayushman Bharat Digital Mission integrations as required under applicable health-sector regulations.
- Security & Fraud Prevention: Monitoring access logs and detecting anomalies to protect the confidentiality and integrity of data.
- Training Programme Administration: Enrolling participants, tracking completion, and issuing certificates of training.
- Client Relationship Management: Responding to enquiries, scheduling demonstrations, and managing contracts — on the basis of legitimate interest or pre-contractual steps.
- Legal Obligations: Complying with orders from the Data Protection Board of India, courts, or other competent authorities.
We will never sell, rent, or share personal data with third parties for advertising, profiling, or any purpose unrelated to the services contracted by the Data Fiduciary.
Data Retention
Personal data processed on behalf of a client (as Data Processor) is retained only for the duration specified in the relevant Data Processing Agreement. Upon contract termination, we will, at the client's direction, securely delete or return all personal data within 30 days, unless retention is required by law.
For data where we act as Data Fiduciary (e.g., website enquiries):
- Contact and enquiry data — retained for up to 24 months from last interaction, or until you request deletion.
- Training participant records — retained for 5 years for certification audit purposes.
- Website server logs — retained for 90 days for security monitoring.
Security Safeguards
We implement a privacy-by-design architecture and apply technical and organisational measures proportionate to the risk, including:
- Snowflake-native deployment: Client data is processed within the client's own Snowflake environment — it does not traverse Labnetworx servers.
- Encryption: Data at rest and in transit is encrypted using industry-standard protocols (AES-256, TLS 1.3).
- Access controls: Role-based access controls (RBAC) and multi-factor authentication (MFA) for all systems handling personal data.
- Audit logging: Comprehensive access and activity logs with tamper-evident storage.
- Staff training: All personnel with access to personal data receive mandatory data protection training.
- Incident response: A documented data breach response plan with notification to the Data Fiduciary and, where required, the Data Protection Board of India, within the timelines prescribed under the DPDP Act.
Rights of Data Principals
Under the DPDP Act, 2023, every Data Principal (the individual whose data is processed) holds the following rights. Where Labnetworx is the Data Processor, requests should be directed to the relevant Data Fiduciary (your healthcare provider or employer). Where Labnetworx is the Data Fiduciary, you may exercise these rights directly with us:
Right to Access & Summary
Obtain a summary of personal data being processed and the processing activities undertaken.
Right to Correction
Request correction of inaccurate or incomplete personal data.
Right to Erasure
Request deletion of personal data where it is no longer necessary for the purpose it was collected, subject to legal retention obligations.
Right to Withdraw Consent
Withdraw consent at any time where processing is consent-based. Withdrawal does not affect lawfulness of prior processing.
Right to Nominate
Nominate another individual to exercise rights on your behalf in the event of death or incapacity.
Right to Grievance Redressal
Lodge a complaint with our Grievance Officer and, if unsatisfied, escalate to the Data Protection Board of India.
We will respond to rights requests within 30 days of receipt. Requests may be submitted to our Grievance Officer (see Section 10).
Cross-Border Data Transfers
Our primary service architecture is India-resident. Client health data is processed within the client's Snowflake environment, which may be hosted in Indian cloud regions (AWS Mumbai, Azure Central India, or GCP Mumbai) as selected by the client.
Where a client or partner requires cross-border transfer of personal data, such transfers are conducted only to countries or jurisdictions notified as adequate by the Central Government under Section 16 of the DPDP Act, or subject to appropriate contractual safeguards in accordance with applicable law.
We do not transfer personal data internationally without the explicit knowledge and documented approval of the Data Fiduciary.
Sub-Processors
To deliver our services, we may engage trusted sub-processors. We contractually require all sub-processors to implement data protection standards equivalent to those we observe. Current categories of sub-processors include:
- Cloud Infrastructure: Snowflake Inc. (data warehouse & AI platform) — data processed within client's own Snowflake account.
- Communication Services: Email service providers for sending transactional communications (e.g., training confirmations).
- CRM & Business Operations: Tools used for managing client relationships and service delivery workflows.
Clients may request an up-to-date list of sub-processors engaged on their specific deployment by contacting their designated Account Manager or our Grievance Officer.
Key principle: Sub-processors are engaged only under written contracts that impose obligations on them no less stringent than those imposed on Labnetworx by the Data Fiduciary.
Grievance Redressal
In accordance with Section 13 of the DPDP Act, 2023, we have appointed a Grievance Officer to address complaints and queries relating to personal data processing.
Grievance Officer
Labnetworx Health IT Pvt. Ltd.
If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India once it is constituted and operational under the DPDP Act, 2023.
Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. Where changes are material, we will notify Data Fiduciaries with whom we have active contracts at least 30 days prior to the changes taking effect, and publish the updated Policy on this page.
The "Effective Date" at the top of this page indicates when the current version came into force. We encourage you to review this Policy periodically.
Contact Us
For any questions about this Privacy Policy, data processing practices, or to exercise your rights as a Data Principal, please contact us:
- Email: privacy@labnetworx.com
- General enquiries: info@labnetworx.com
- Website: www.labnetworx.com
This Policy is governed by the laws of India. Any disputes arising under this Policy shall be subject to the jurisdiction of courts in India.