This Privacy Policy explains how Neurobit Technologies Private Limited ("Neurobit", "we", "our", "us") collects, uses, shares, and protects personal data when you use MedSathi — our voice-first clinical AI health platform delivered through the MedSathi mobile application, website, and related services (the "Services").
We use the terms "Data Fiduciary" and "Data Principal" as defined in the Digital Personal Data Protection Act, 2023 ("DPDPA"). Neurobit is the Data Fiduciary; you (the user) are the Data Principal.
1. Who we are
| Detail | Information |
|---|---|
| Legal name | Neurobit Technologies Private Limited |
| CIN | U62011RJ2026PTC114467 |
| Date of incorporation | 18 May 2026 |
| Registered office | G-30, Ground Floor, Alankar Plaza, Central Spine, Vidhyadhar Nagar, Jaipur, Rajasthan 302039, India |
| Contact | admin@medsathi.ai |
| Grievance channel | /grievance |
2. The data we collect
We collect only what we need to deliver MedSathi and to meet our legal obligations. Categories include:
Account & contact information
- Name, mobile number, email address, date of birth
- Profile photo (optional)
- Aadhaar or other government-issued identity reference — only where required for KYC ahead of prescription delivery, and processed in accordance with the Aadhaar Act, 2016 and applicable regulations
Health information
- Symptoms, medical history, allergies, current medications, and family history that you share with Dr. Sathi (our AI agent) or that you upload (for example, lab reports)
- Vitals such as heart rate, sleep, hydration, and steps — recorded directly by you or received through integrations you connect (ABDM, Apple Health, Google Fit, Fitbit, Garmin)
- Prescription records issued through the platform and the reviewing physician's notes
- Voice recordings of consultations, where you have consented to voice mode
Technical & usage data
- Device identifiers, operating system, app version
- IP address and approximate (city/state-level) location
- Crash logs, performance telemetry, and security events
We do not collect precise (GPS-grade) location, biometric identifiers, or financial-account credentials unless a feature requires it and you have given specific, informed consent at that point.
3. How we use your data
We process your personal data only for purposes we have told you about. The table below summarises each purpose and the legal basis we rely on under the DPDPA.
| Purpose | Legal basis under DPDPA |
|---|---|
| Provide AI-led triage, diet plans, and reminders | Consent (§6) |
| Route prescriptions to a licensed physician for review and sign-off | Consent & necessary for the Service |
| Verify identity for prescription delivery (KYC) | Compliance with law |
| Sync data with ABDM and connected wearables | Explicit consent |
| Improve clinical AI quality and safety | Consent — only after de-identification |
| Send service messages (e.g., Rx ready, appointment) | Necessary for the Service |
| Detect and prevent fraud, abuse, and security incidents | Legitimate use (§7) |
| Comply with court orders or statutory directions | Legal obligation |
4. Sharing
We share personal data only in these situations:
- With doctors on the MedSathi Doctor Network — independent licensed physicians reviewing your AI-generated prescription or providing care. They are bound by professional confidentiality obligations.
- With service providers (Data Processors under the DPDPA) — cloud hosting, voice-recognition, SMS/email, and (when applicable) payment processors. Each processor is bound by a written data-processing agreement and may only process your data on our documented instructions.
- With your other apps and devices (ABDM, Apple Health, Google Fit, Fitbit, Garmin) — only when you connect them.
- For legal reasons — to comply with a lawful order, court direction, or statutory requirement, or to protect rights, safety, or property.
We do not transfer personal data to any jurisdiction notified by the Central Government as restricted under §16 of the DPDPA. Where data is processed outside India, we use contractual safeguards and rely on processors operating to industry-standard security baselines.
5. Security
- Personal data is encrypted in transit (TLS) and at rest.
- Access is restricted to authorised personnel on a need-to-know basis, with role-based access controls and audit logging.
- We run regular vulnerability assessments and follow secure-development practices.
- We are working toward formal SOC 2 Type 2 and ISO 27001 certification but are not yet certified; we will update this section when we are.
If a personal-data breach occurs that is likely to affect you, we will notify you and the Data Protection Board of India in accordance with §8(6) of the DPDPA and the timelines that will be prescribed by rules.
6. How long we keep your data
We retain personal data only as long as we need it for the purposes set out above, or as required by law. Indicative retention windows:
| Data category | Retention period |
|---|---|
| Account information | While your account is active, plus up to 12 months after account closure |
| Prescription records | As required under the Telemedicine Practice Guidelines, 2020 and Indian medical-records law (currently treated as 3 years from the date of consultation) |
| Voice recordings | Retained only for the duration of the review cycle, then deleted, unless you have asked us to retain them |
| De-identified data for AI improvement | Retained while it remains useful for clinical safety and quality |
| Crash & security logs | Up to 12 months |
You can request earlier deletion at any time — see "Your rights" below.
7. Your rights as a Data Principal
Under §11–14 of the DPDPA you have the right to:
- Access a summary of the personal data we hold about you and how we are processing it.
- Correct, complete, update, or erase your personal data.
- Withdraw consent at any time. Withdrawing consent does not affect processing that has already taken place; we will stop further processing that relied on the withdrawn consent.
- Nominate another individual to exercise your rights in case of death or incapacity.
- Raise a grievance through our grievance channel before approaching the Data Protection Board of India.
To exercise any of these rights, write to admin@medsathi.ai with the subject line "Data Principal Request". We will respond within the timelines prescribed under the DPDPA and its rules.
8. Children
MedSathi is not directed at children under 18. Where a child uses MedSathi under parental supervision, the parent or legal guardian is treated as the consenting Data Principal. We do not knowingly process a child's personal data for tracking, behavioural monitoring, or targeted advertising.
9. Cookies and analytics
The MedSathi website does not currently run third-party tracking pixels or advertising cookies. The MedSathi mobile app uses only first-party identifiers needed for authentication, crash reporting, and product analytics. If this changes, we will update this policy and ask for consent where required.
10. Updates to this policy
We may update this policy as the Services and the legal framework evolve. Material updates will be notified through the app and on this page, with the "Last updated" date refreshed. Where required, we will seek fresh consent before relying on a new purpose of processing.
11. Grievance redressal
If you have any concern about how your personal data is being handled, please raise it through our grievance channel or write to admin@medsathi.ai. We aim to acknowledge within 24 hours and resolve within 15 days, in line with Rule 3(2)(a) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
You may also approach the Data Protection Board of India once it becomes operational under §27 of the DPDPA.
12. Contact
Neurobit Technologies Private Limited
G-30, Ground Floor, Alankar Plaza, Central Spine, Vidhyadhar Nagar, Jaipur, Rajasthan 302039, India
admin@medsathi.ai · Contact form