DiaBrain

Privacy Policy

Effective date: 17 May 2026 · Last updated: 17 May 2026

DiabWellness Private Limited, a company incorporated under the laws of India (“DiabWellness,” “we,” “us,” or “our”), owns and operates diabrainai.com and the DiaBrain branded software and related services for clinical decision support regarding diabetes care. References to DiaBrain in branding, product descriptions or URLs refer to offerings operated by DiabWellness. This Privacy Policy describes how we collect, use, disclose, retain, and protect information when you use our websites, applications, dashboards, onboarding flows, demos, pilots, subscriptions, APIs, integrations, communications, training materials, analytics, telemetry, surveys, billing, authentication, credentials, sandbox or production environments that link to this policy (collectively, the “Services”).

By using our Services or otherwise interacting with us, you acknowledge that your information may be handled as described in this Privacy Policy together with applicable law.

Registered office (India): 9, Ramasami Kovil West Street, Kumbakonam - 612001.
CIN: U72900TN2022PTC150555

1. Scope and applicability

This policy applies to administrators, clinicians, clinicians’ staff members, testers, purchasers, authorised representatives, webinar or trial participants, referral partners, recruiters, regulators (where applicable), complainants and other individuals interacting with DiaBrain offerings operated by DiabWellness (“you”). It does not cover third-party clinics, hospitals, laboratories, pharmacies, insurers, social networks or other processors’ services that merely link off our Sites without being controlled by DiabWellness—their notices govern them.

  • If you integrate DiaBrain offerings inside an organisation or facility, privacy arrangements with that institution may impose additional safeguards on top of this policy.
  • Nothing in this policy changes or reduces your separate clinical confidentiality and professional duties.

2. Roles and lawful grounds

Depending on geography and context DiabWellness operates as:

  • Independent controller for account registration, billing, service communications that are not purely on behalf of a hospital client, usage analytics relating to reliability and abuse prevention, voluntary marketing programmes and similar ordinary business administration.
  • Processor or service-provider when we host or analyse information solely under written instructions issued by clinics, laboratories, insurers, pharma manufacturers, academia or other lawful controllers—for example delegated electronic health-record feeds, delegated cloud infrastructure or outsourced research annotation—according to contractual data processing annexes referenced in your master services agreement (“DPA”). Such relationships supplement (not weaken) safeguards below.

Where required we rely on one or more of the following lawful bases:

  • Contract necessity (deliver purchased credits, licences, onboarding, ticketing, SLA reporting).
  • Legitimate interests (security, auditing, roadmap analytics in pseudonymised or aggregated manner, safeguarding intellectual property).
  • Legal obligations (tax or accounting retention, subpoena response, narcotics-compliance checks if applicable).
  • Vital interests (emergency incident triage narrowly scoped), and
  • Consent (optional webinars, discretionary marketing newsletters, discretionary cookies profiling where opt-in mandates exist).

3. Categories of information we collect

The exact elements depend on the module you activate. Grouped non-exhaustive categories:

  • Account & contact data: name, designation, speciality, organisational affiliation(s), postal address, geographic region/time zone, business email addresses, institutional phone numbers or mobile numbers voluntarily supplied.
  • Credentials & security: login identifiers (including pseudonymous handles), cryptographic tokens, SSO assertions, MFA seeds, passphrase recovery hints, workstation posture signals (risk score from device-health checks), intrusion-prevention artefacts.
  • Clinical & patient-adjacent data: de-identified, pseudonymised, tokenised or otherwise minimised longitudinal diabetological parameters precisely as you choose to import for decision-support—HbA₁c timelines, BMI, fasting/mean plasma glucose surrogates, renal function markers eGFR, comorbidity flags without direct identifiers where feasible, prescriptions you upload, clinician notes excerpts you annotate, adherence widgets, genotype categories if ethically consented externally, pathology PDFs OCR’d into structured tuples we never re-sell wholesale.
  • Operational telemetry: IP address subsets, timestamps, hashed session IDs, referrer URLs, coarse geolocation inferred at city level, latency metrics, clicked UI components, crashed stack traces devoid of PHI when filters succeed, aggregated GPU utilisation, batch job durations.
  • Marketing & events: booth badge scans at conferences where you proactively share business cards or QR leads, inbound LinkedIn introductions, voluntarily submitted case study quotes, webinar questions you type into Q&A consoles.
  • Finance & billing: corporate billing entity, Goods and Services Tax (GST) identifiers or VAT identifiers, purchase order identifiers, hashed payment instrument fingerprints where third-party gateways tokenise PAN last-fours—not full card PANs on our disks except via PCI DSS certified vaults delegated to gateway partners acting as subprocessors.
  • Support & communications: free-form helpdesk transcripts, voicemail metadata, escalation chains, lawful intercept acknowledgements absent content.

We discourage uploading direct patient identifiers unless your regulatory authority obliges interoperability; when present, we segment them into cryptographically segregated shards with least-privilege access.

4. Sensitive or special-category data

Health-related information may qualify as sensitive personal data under the Digital Personal Data Protection Act 2023 and analogous regimes. We impose heightened controls: segregation, audit logs, DPIA-trigger flows, clinician training bulletins reminding users of local-law compliance, anomaly detection for bulk exfiltration, and regional residency options piloted where enterprise contracts dictate.

We do not use sensitive categories for unsolicited direct marketing absent explicit granular permission.

5. Sources of information

  • Direct submissions through forms or SDKs,
  • Federated SSO identity providers,
  • HIS/LIS/EHR exports you voluntarily wire,
  • Payment processors,
  • Open professional directories corroborating your specialty licensure,
  • Public watchdog bulletins alerting us about compromised credentials,
  • Anonymised research corpora permissively relicensed,
  • Inferences lawful under your controller instructions (risk clusters, phenotype archetypes—not individualised advertising dossiers).

6. Cookies, pixels, offline storage repositories

We utilise:

  • Strictly necessary cookies for TLS session continuity, nonce CSRF stamping, outage banners.
  • Functional persistence (preferred theme, pinned guideline locale).
  • Analytics cookies or equivalent localStorage keys only once an appropriate lawful basis exists in your jurisdiction; you may revoke via browser controls or banner toggles refreshed each major release.

Do Not Track interoperability is not uniformly standardised; nevertheless we downgrade optional trackers when plausible signals emerge.

7. How we use information

  • Provision, customise, troubleshoot, patch, degrade-gracefully, capacity-plan environments hosting decision-support,
  • Fulfil onboarding, invoicing, tax audit evidence, SLA metrics,
  • Train or validate analytical models using aggregated or suitably de‑identified datasets where legally permitted,
  • Communicate outages, billing and security-critical notices,
  • Detect fraud, unauthorised credential sharing banned by enterprise contracts, brute-force anomalies,
  • Cooperate proportionately with supervisory authorities and courts,
  • Publish de-identified statistics on glycaemic phenotype distributions with k-anonymity thresholds,
  • Archive backups rotationally,
  • Manage personnel operations if you apply for employment,
  • Investigate misconduct or serious integrity concerns reported through approved channels.

8. Disclosure & recipients

We disclose information only:

  • to vetted service providers who process data under contract (for example cloud hosting, support tooling, messaging and billing), bound by confidentiality and security obligations,
  • to professional advisers (such as accountants and lawyers) bound by confidentiality,
  • to a successor organisation in connection with a merger, reorganisation or sale of assets,
  • to law enforcement or regulators where required by applicable law or compulsory process,
  • to you, your organisation or authorised patients as instructed by applicable agreements,
  • with your consent where required for integrations or collaborations you expressly choose.

We do not sell covered personal information in the Californian CPRA monetisation sense. We discourage data brokerage by policy.

9. International transfers

Infrastructure shards may traverse India, Singapore, United States-East, European Union (Ireland) hubs, among others chosen for latency optimisation. Contracts incorporate Standard Contractual Clauses, adequacy decisions, Transfer Impact Assessments, and supplementary technical measures such as encryption in transit and, selectively, at rest.

10. Retention

  • Contractual artefacts: lifespan of enterprise agreement plus seven fiscal years,
  • Billing artefacts: mandated statutory windows,
  • Security logs: rolling tiers of 13–400 days depending on anomaly score,
  • Clinical pseudonym blobs: durations per DPA Annex schedule, typically until consent is revoked plus a cooling-off period,
  • Marketing suppression lists: retained indefinitely, even after an erasure cascade, to honour opt-outs,
  • Backups: ephemeral mirrors are overwritten faster than archival vaults,
  • Research sandbox synthetic archives: reviewed triennially for continued utility.

Upon expiry of applicable retention periods we delete or anonymise information so identification is reasonably unlikely unless law requires archival retention.

11. Security program

  • Baseline ISO 27001-inspired control mapping even if certification pending,
  • Penetration tests minimum annually,
  • Bug bounty discretionary channel,
  • Developer secure-SDL hooks integrating SAST and DAST,
  • Hardware security module escrow for master keys,
  • Break-glass runbooks,
  • Routine phishing simulations for staff,
  • Supply-chain CVE triage SLA.

No online service is unconditionally secure; vigilance persists.

12. Your rights

Jurisdiction permitting, you may request:

  • Access,
  • Rectification,
  • Erasure where no overriding lawful retention applies,
  • Restriction,
  • Portability in machine-readable format where technically feasible,
  • Object to certain processing,
  • Withdraw consent anytime without retroactively annulling lawful prior processing,
  • Nominate a representative,
  • Appeal supervisory authority decisions.

We verify identity appropriately before granting access or making changes to minimise fraud. Depending on jurisdiction you may escalate concerns to supervisory authorities.

13. Children

Services target licensed healthcare ecosystems, not entertainment for minors. We neither knowingly solicit nor commercially profile children under eighteen. Institutional paediatric research datasets must originate from ethically approved guardianships.

14. Automated decision-making transparency

CDSS prompts may probabilistically highlight drug combinations, with tunable thresholds, but final prescribing remains the human clinician's responsibility. Meaningful explanations of model lineage, freshness and representative-cohort caveats are surfaced contextually, not buried solely in appendix PDFs, in alignment with clinician wellbeing.

15. Third-party links

Hyperlinked regulatory bulletins open separate tabs; our disclaimers lapse once you exit diabrainai.com.

16. Policy updates

We may revise materially with:

  • banners,
  • emails,
  • in-app modals,
  • version hash footers.

Continued interaction after fourteen days' conspicuous notice constitutes acceptance, absent an objection pathway, where permissible.

17. Contact (DiabWellness Private Limited)

For questions about this Privacy Policy or to exercise applicable privacy rights, contact DiabWellness at support@diabrainai.com (website: diabrainai.com). Formal notices regarding personal data where required by law may also be addressed to our registered office: 9, Ramasami Kovil West Street, Kumbakonam - 612001, India (CIN: U72900TN2022PTC150555).
