logo

Privacy Policy

Effective Date: April 20, 2025

Definitions

  • "NILALIFE" ("We," "Us," "Our"): Refers to NILALIFE SOLUTIONS Pvt Ltd, a company incorporated under the laws of India.
  • "Facility" ("You," "Your"): Refers to the legal entity (such as a Hospital, Clinic, Laboratory, Pharmacy, or individual practitioner) registered to use and accessing the Services provided by NILALIFE.
  • "User" or "Patient": Refers to an individual whose Personal Data or Protected Health Information is processed by a Facility using the Services, typically a patient of the Facility.
  • "nilaHealth": Refers to the Software-as-a-Service (SaaS) platform provided by NILALIFE for healthcare facility management.
  • "APP": Refers to the mobile applications provided by NILALIFE for iOS and Android platforms, which may be white-labeled under a Facility's brand or provided under the NILALIFE brand, for use by Users and Facility staff.
  • "Services": Refers collectively to nilaHealth, APP, related support, integrations facilitated by NILALIFE (including with IoT Devices), and any other services offered by NILALIFE under the applicable Service Agreement.
  • "IoT Devices": Refers to compatible third-party hardware devices (like vital sign monitors, lab machines, etc.) whose integration with the Services may be facilitated by NILALIFE, but which are sourced from other providers.
  • "Personal Data": Means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act or other applicable data protection laws.
  • "Protected Health Information" (PHI): Refers to individually identifiable health information related to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, processed by the Facility through the Services.
  • "Facility Data": Refers to all data, including Personal Data and PHI, that is inputted, generated, migrated, or otherwise processed by the Facility or its Authorized Users through the use of the Services. Facility Data is owned by the Facility.
  • "Biometric Data": As used herein, specifically refers to data such as facial recognition metadata (mathematical representations derived from facial features) processed for identification purposes, where configured and consented to.
  • "Sub-processor": Refers to a third-party vendor engaged by NILALIFE to process Facility Data on behalf of NILALIFE in order to provide parts of the Services (e.g., cloud infrastructure providers, communication providers acting under Our instruction).
  • "Third-Party Services": Refers to applications, software, or services not provided by NILALIFE that are chosen by the Facility and integrated with the Services at the Facility's direction via APIs or other means (e.g., a specific OP booking system contracted directly by the Facility).
  • "Consent": Refers to a clear, affirmative act signifying agreement to the processing of Personal Data for a specified purpose, which may include verification steps like OTP confirmation where applicable.
  • "DPDP Act": Refers to The Digital Personal Data Protection Act, 2023 of India, and its associated rules, as amended from time to time.
  • "HIPAA": Refers to the Health Insurance Portability and Accountability Act of 1996 of the United States. While NILALIFE operates primarily under Indian law, references to HIPAA compliance often pertain to the standards met by certain sub-processors (like cloud providers) or security measures informed by its principles.
  • "Service Agreement": Refers to the specific Master Service Agreement (MSA), Order Form, or other binding agreement executed between NILALIFE and the Facility detailing the specific Services subscribed to, fees, term, SLAs, and other commercial terms.
  • "Terms": Refers to the stipulations outlined in this Terms & Conditions document.
  • "Policy": Refers to the stipulations outlined in this Privacy Policy document.

1. Introduction

This Privacy Policy ("Policy") explains how NILALIFE collects, uses, shares, and protects Personal Data and Protected Health Information (PHI) in connection with the provision of our Services.

This Policy applies to the Facilities that subscribe to our Services and governs the processing of User data facilitated through these Services. It outlines our commitment to safeguarding privacy in compliance with applicable data protection laws in India, including the Digital Personal Data Protection Act, 2023 (DPDP Act).

Please refer to the "Definitions" section above for the specific meaning of capitalized terms used throughout this Policy. Understanding this Policy is important, so please read it carefully.

2. Information We Collect

We collect information necessary to provide and improve our Services:

  • Information Provided by Facilities:
    • Facility registration details (name, address, contact information).
    • Staff user accounts and credentials.
    • Configuration data for the Services.
    • Patient demographic and profile information entered by Facility staff (name, contact details, address, national health ID, etc.).
    • Protected Health Information (PHI) entered during patient care activities (medical history, diagnoses, treatments, prescriptions, lab results, etc.).
    • Data migrated from the Facility's previous systems under a separate Data Usage Agreement.
    • Medical images metadata (parsed from images uploaded by the Facility).
  • Information Provided Directly by Users (e.g., via APP):
    • Information provided during registration or profile setup (if applicable).
    • Communications sent through the app.
    • Data voluntarily entered for specific programs or wellness initiatives.
  • Information Collected Automatically:
    • Usage data regarding interaction with our Services (log data, feature usage).
    • Device information (for mobile apps: device type, OS, unique identifiers).
    • Data from integrated IoT devices (e.g., vital signs, readings), as configured by the Facility.
  • Data Exchanged with Facility-Designated Third Parties: Information received from, or sent to, third-party services (e.g., external booking systems, specific lab interfaces) when the Facility configures and authorizes such integrations with our Services.
  • Biometric Data (Facial Recognition Metadata): With Facility configuration and appropriate consents, we may process facial images using compliant services or local implementations to extract and store anonymized facial recognition metadata (mathematical representations, not the photo itself) linked to a user profile for identification purposes within the Facility or consenting network.

3. How We Use Information

We use the information we collect for the following purposes:

  • To provide, operate, maintain, and improve our Services for Facilities and Users.
  • To enable Facility operations, patient care, appointment scheduling, billing, and reporting.
  • To facilitate secure communication between Facilities, staff, and patients (via SMS, email, app notifications).
  • To enable features like patient identification (including search by name, phone, national ID, or facial metadata with patient consent).
  • To provide support and respond to inquiries.
  • To ensure data security and integrity, including backups and disaster recovery.
  • To perform internal analytics (using anonymized or aggregated data) to understand service usage and improve functionality.
  • To monitor application performance, diagnose technical errors, and improve the stability and reliability of our Services.
  • To personalize user experience (e.g., smart suggestions based on Facility usage patterns).
  • To facilitate integrations configured and authorized by the Facility, enabling data exchange between our Services and the Facility's chosen third-party applications.
  • To facilitate wellness initiatives and potentially share anonymized, aggregated usage data (e.g., engagement metrics for specific wellness content) with collaborating NGOs/non-profits. We never share identifiable PHI with these organizations without explicit user consent for a specific program.
  • To comply with legal obligations and enforce our terms.

4. How We Share Information

We take your privacy seriously and limit data sharing:

  • We Do Not Sell Personal Data: We do not sell personal information or PHI to third parties for marketing or any other purpose.
  • Data Ownership: The Facility primarily owns the data generated through its use of the Services. We act as a data processor or custodian on their behalf.
  • Between Facilities (Patient Consent Required): A key feature allows authorized staff at one Facility to search for an existing patient profile (created at another Facility) using identifiers like name, phone number, facial metadata, or national health ID. Access to view that patient's PHI is strictly conditional upon obtaining explicit consent from the patient via an OTP sent to their registered mobile number at the time of the access request. Facilities using our service agree to this consent mechanism.
  • With Sub-processors: We use trusted third-party service providers (sub-processors) to perform essential functions. These include:
    • Cloud Infrastructure Providers
    • Communication Providers
    • Analytics

We have agreements with these sub-processors requiring them to maintain data confidentiality and security, and we sign BAAs (or equivalent data processing agreements) where applicable. A list of our major sub-processors can be found here: Sub-processors.

  • For Specific Facility Functions: In some cases, a Facility may configure the Services to integrate with another specific third-party service provider (e.g., a separate OP booking module). We will only share data with such providers based on a written agreement with the Facility specifying the data shared and the recipient entity, ensuring appropriate security measures are in place.
  • With Facility-Designated Third Parties: At the Facility's explicit direction and configuration, we may exchange specific Facility Data (including PHI) via APIs with third-party service providers chosen and contracted directly by the Facility (e.g., a specific online booking platform, a legacy billing system).
    • This data exchange is performed solely to enable the integrated functionality requested by the Facility.
    • The Facility is solely responsible for its relationship with these third-party providers, including ensuring the provider's compliance with data protection laws and having appropriate agreements (like DPAs or BAAs) in place with them.
    • NILALIFE is not responsible for the data privacy or security practices of these Facility-designated third parties once data is transmitted to them based on Facility instruction. We recommend Facilities review the privacy policies of their chosen third-party providers.
    • While NILALIFE may have technical agreements (like Data Usage Agreements regarding the API connection itself) with such providers to ensure secure data transit, these providers are not considered sub-processors of NILALIFE for the purpose of providing their service to the Facility.
  • With Collaborating NGOs/Non-Profits: We may share anonymized and aggregated statistical data (e.g., viewership counts for wellness articles) with vetted partner organizations to support community health initiatives. We will never share identifiable PHI unless a User explicitly consents and voluntarily provides information directly to that organization through a specific program facilitated via our platform.
  • Legal Requirements: We may disclose information if required by law, subpoena, or other legal process, or if we have a good faith belief that disclosure is necessary to protect our rights, protect user safety, investigate fraud, or respond to a government request.
  • Business Transfers: In the event of a merger, acquisition, or asset sale, user information may be transferred as part of the transaction, subject to continued adherence to this Privacy Policy or notice of changes.

5. Data Security

We implement robust technical and organizational measures to protect data:

  • Encryption: Data is encrypted both at rest (when stored) and in transit (when transmitted).
  • Compliant Infrastructure: We host our Services on reputable cloud platforms (like Azure, AWS, GCP) that maintain certifications like SOC2, ISO/IEC 27001, and offer HIPAA-compliant environments.
  • Access Controls: We implement access controls to limit data access to authorized personnel.
  • Backups: We perform regular data backups to ensure availability and integrity.
  • Migration Security: For data migration from a Facility's old system, we use secure protocols, sign a Data Usage Agreement, and may employ measures like using dedicated, new storage media per migration to prevent contamination.
  • Third-Party Security: We require our sub-processors to maintain appropriate security standards.

While we strive for comprehensive security, no system is impenetrable. We cannot guarantee absolute security. We configure necessary diagnostic and monitoring tools to minimize the collection of sensitive personal data where feasible.

6. Data Retention

We retain personal information and PHI for as long as necessary to provide the Services to the Facility, as instructed by the Facility (the data owner), or as required by applicable law. Backup data is retained according to our backup schedules and policies.

7. Your Rights & Choices (Under DPDP Act & General Privacy)

Users (Patients) generally have rights regarding their personal information, subject to applicable laws:

  • Access: You may have the right to access the PHI held about you by a Facility. Requests should typically be directed to the Facility where you received care.
  • Correction: You may have the right to request correction of inaccurate or incomplete information held by a Facility.
  • Consent Withdrawal: You can withdraw consent for specific data processing activities (like sharing data with another Facility or an NGO program) where consent is the basis for processing.
  • Grievance Redressal: You have the right to lodge complaints regarding data processing. Please contact us or the relevant Facility.

Facilities are primarily responsible for handling user requests regarding data they control. We will assist Facilities in responding to such requests as required.

8. Cookies and Analytics

  • Cookies: We use only essential first-party cookies required for core functionality like user authentication and session management. We do not use third-party tracking cookies for advertising.
  • Analytics: We use SimpleAnalytics.com for website and service analytics. This tool is privacy-focused, does not use cookies, and processes data in compliance with GDPR principles. It helps us understand usage patterns to improve our services without tracking individuals across sites.

9. International Data Transfers

Data is primarily stored and processed primarily within the country or region where the Facility is located on our chosen cloud provider's infrastructure. In any instance where Personal Data is transferred across borders from its region of origin, NILALIFE ensures that such transfers comply with applicable data protection laws.

10. Children's Privacy

Our Services are intended for use by healthcare Facilities and adult Users. We do not knowingly collect personal information from children under the age of 18 without parental consent provided via the healthcare Facility's processes. If we become aware that we have inadvertently collected such information without proper consent, we will take steps to delete it.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify Facilities of significant changes through the Services or via email. Your continued use of the Services after changes become effective constitutes acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:
NILALIFE SOLUTIONS Pvt Ltd
60/44, JC Champers, Panampilly Nagar
Ernakulam, Kerala - 682036
legalteam@nilalife.com