P4P PRIVACY POLICY
1. OVERVIEW AND SCOPE
Pranik Technologies Private Limited, operating under the brand name Pranik.ai ("Company," "We," "Us," or "Our"), is committed to protecting the privacy and security of your Personal Data. This Privacy Policy ("Policy") explains how we collect, use, process, store, share, and protect your Personal Data when you use the P4P (Pranik for People) mobile application ("App") and all associated services.
This Policy is prepared in compliance with:
The Digital Personal Data Protection Act, 2023 ("DPDP Act") and rules made thereunder;
The Information Technology Act, 2000 ("IT Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("IT-SPDI Rules");
The Telemedicine Practice Guidelines, 2020 issued by the Board of Governors of the NMC;
Other applicable central and state laws governing health data, consumer protection, and financial services in India.
This Policy applies to all Users of the App, including registered users, guest users, and minors accessing the App through parental consent. By using the App, you consent to the collection and processing of your Personal Data as described in this Policy.
2. DATA FIDUCIARY - WHO IS RESPONSIBLE FOR YOUR DATA
Under the DPDP Act, 2023, the Company is the Data Fiduciary responsible for determining the purposes and means of processing your Personal Data. The details of our Data Fiduciary and Data Protection Officer are:
Data Fiduciary: Pranik Technologies Private Limited (Pranik.ai)
Registered Office: Plot No. 114-116, Gafoornagar, Hyderabad, Telangana - 500018, India
Data Protection & General Support: support@pranik.ai
Website: https://pranik.ai
3. KEY DEFINITIONS
"Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act, 2023.
"Sensitive Personal Data" means Personal Data relating to health, medical history, biometric data, financial information, and other categories prescribed under applicable law.
"Data Principal" means you, the individual to whom the Personal Data relates.
"Data Fiduciary" means the Company, which determines the purpose and means of processing your Personal Data.
"Data Processor" means any person or entity that processes Personal Data on behalf of the Data Fiduciary.
"Consent" means a free, specific, informed, unconditional, and unambiguous indication of your agreement to the processing of your Personal Data for a specified purpose.
"Anonymized Data" means data from which all personally identifiable information has been irreversibly removed such that no individual can be identified.
"PHA Avatar" means the AI-powered Personal Health Assistant integrated within the App.
4. PERSONAL DATA WE COLLECT
We collect the following categories of Personal Data, depending on the features and services you use:
4.1 Identity and Verification Data
Full name, date of birth, gender.
Government-issued photo identity (Aadhaar, Passport, Voter ID, Driving Licence - number only; full Aadhaar number is not stored).
Photograph (for KYC and profile).
Proof of address (utility bills, rent agreement, or government ID with address).
4.2 Contact and Account Data
Email address, mobile phone number.
Username, encrypted password.
Profile photograph (optional).
Device identifiers (Device ID, OS, app version).
4.3 Health and Medical Data (Sensitive Personal Data)
Medical history, current diagnoses, chronic conditions, allergies, and past surgical history.
Prescriptions, medication lists, and prescription refill information.
Diagnostic reports, lab test results, and radiology reports.
Immunization and vaccination records.
Real-time health monitoring data from wearable devices: vital signs, heart rate, blood pressure, blood oxygen levels, sleep data, step count, and activity data.
Menstrual health and reproductive health data (where voluntarily provided).
Mental health and psychological data (where provided during consultations or wellness interactions).
Diet and nutrition data entered by the User or generated through the diet planning feature.
Fall detection event logs.
Photographs and images of skin or body parts uploaded by the User for the Skin Analyser feature.
4.4 Consultation and Interaction Data
Pre-consultation health intake information submitted through or to the PHA Avatar (in SOAP format, transmitted to the treating doctor).
Voice audio recordings of interactions with the PHA Avatar and teleconsultations with RMPs - retained only for the duration required to process through our secure anonymization pipeline, after which raw audio is permanently and automatically deleted. Anonymized transcripts derived from this processing are retained as clinical records.
Text interaction logs with the PHA Avatar and customer support.
Live video feeds during teleconsultations and camera-based real-time vitals measurements - processed in real-time only. No video files of the User's camera feed are written to or stored on our servers at any point.
Doctor's notes and post-consultation summaries.
4.5 Financial and Payment Data
Payment card details (processed via PCI-DSS-compliant third-party payment gateways; card details are not stored by the Company).
UPI IDs or net banking details used for transactions.
Billing address, transaction history, and receipts.
Health insurance policy number and insurance provider details (where applicable).
4.6 Location and Device Data
GPS location data (used for hospital/clinic locator, emergency services, and location-based health alerts - with your consent).
Device type, operating system, browser type, IP address, and app usage logs.
Accelerometer and gyroscope data (used for fall detection feature - with your consent).
4.7 Emergency and Safety Data
Emergency contact names and phone numbers.
Emergency button activation logs.
Fall detection event data and emergency alert dispatch records.
4.8 Marketing and Preference Data
Communication preferences (opted-in marketing channels: email, SMS, push notifications).
Search history and browsing behaviour within the App (for personalised health content).
Health interests and wellness goals stated by the User.
4.9 Data We Do NOT Collect
We do NOT collect or store:
Full Aadhaar numbers (we use a masked/partial Aadhaar or CKYC process).
Biometric data (fingerprints, iris scans) beyond what is required by applicable law for identity verification.
Raw payment card numbers (all card data is tokenized through our payment gateway partners).
Video recordings of any kind - live video feeds (teleconsultations, camera-based vitals) are processed in real-time only. No video files are written to or stored on our servers at any point.
Raw voice audio beyond the pipeline processing window - raw audio is permanently deleted within 24 hours of the anonymization pipeline completing.
5. HOW WE COLLECT YOUR PERSONAL DATA
Directly from you: During registration, account setup, health intake forms, teleconsultation sessions, lab booking, and diet planning.
Through the PHA Avatar: Voice and text interactions with the AI assistant.
From wearable devices and health apps: Via integrations with platforms such as Google Fit, Apple HealthKit, and compatible wearable manufacturers (subject to your consent and the respective platform's terms).
From healthcare providers: Diagnostic labs, hospitals, and clinics may transmit your reports and records to the App with your consent.
From your device: Location, accelerometer/gyroscope (fall detection), camera, and microphone (teleconsultation), with your explicit permission.
Automatically: App usage logs, session data, crash reports, and device metadata collected via analytics tools.
6. PURPOSES OF PROCESSING AND LEGAL BASIS
We process your Personal Data only for specified, clear, and lawful purposes. The table below sets out each processing activity, the data involved, the purpose, the legal basis under the DPDP Act, 2023, and - where we rely on Legitimate Use - a written justification confirming that our interest does not override your rights as a Data Principal:
| Processing Activity | Data Involved | Purpose | Legal Basis | Justification (Legitimate Use balancing test) |
| --- | --- | --- | --- | --- |
| Identity Verification (KYC) | Name, DOB, Govt. ID, Photo | KYC compliance; fraud prevention | Consent; Legal Obligation | Mandatory under KYC regulations. Failure to verify enables fraud and service misuse. Privacy impact is proportionate - limited to verification only. |
| Account Creation & Auth. | Name, email, phone, password | Create account; secure login | Contract; Consent | Necessary to perform the service contract. Only credentials required for authentication are collected. |
| Health Records (EHR) | Medical history, prescriptions, diagnostics, immunization | Accurate diagnosis; continuity of care | Consent; Legitimate Use (healthcare delivery) | Clinical continuity is inseparable from healthcare delivery. Failure to process EHR impairs patient safety. Accessible only to treating providers chosen by the User. |
| Wearable & Vital Data | Heart rate, BP, SpO2, sleep, activity | Real-time health monitoring; personalised insights | Consent | Explicit consent and active device connection required. Fully revocable. Proportionate to the health benefit the User explicitly seeks. |
| PHA Avatar Interactions | Voice/text, SOAP intake summaries | Health intake; pre-consultation summary for RMP | Consent | Explicit consent. Directly in the User's interest to facilitate an informed consultation. User controls when the PHA Avatar is engaged. |
| Teleconsultation Records | Audio/video, chat logs, prescriptions | Remote healthcare; post-consult documentation | Consent; Legal Obligation | Legal obligation under Telemedicine Practice Guidelines 2020 to maintain records. Consent obtained at each session. |
| Payment Processing | Payment method, billing address, insurance | Process medical payments; insurance claims | Contract; Consent | Necessary to perform the payment contract. Card data not stored by Pranik.ai - handled by PCI-DSS compliant gateway. |
| Location Data | GPS coordinates | Hospital/clinic locator; emergency response | Consent | Collected only when User actively uses locator or has enabled emergency features. Not continuously tracked. |
| Emergency & Safety Data | Emergency contacts, fall event logs, alert records | Emergency response; fall detection; contact alerts | Consent; Vital Interests | Vital interests apply where life or physical safety is immediately at risk. Processing is event-triggered - not continuous surveillance. |
| Diet & Nutrition Data | Diet logs, meal plans, calorie entries | Personalised nutrition planning | Consent | Optional feature - opt-in only. No adverse consequence from withholding. |
| Fraud Prevention & Security | Device signals, login timestamps, anomaly indicators | Detect unauthorized access; protect accounts | Legitimate Use | It is in our and Users' legitimate interests to secure the platform against fraud and unauthorized access. Limited to anomaly detection - not behavioural profiling. Security directly benefits Users. |
| Platform Analytics | Anonymized/aggregated usage patterns, crash logs | Improve platform; identify errors | Legitimate Use | It is in our and Users' legitimate interests to maintain a functioning healthcare platform. All data anonymized or aggregated before use. Individual interests are not overridden. |
| Marketing (opt-in only) | Name, email, phone, health interests | Personalised health marketing (opted-in) | Consent (opt-in) | Consent only - not sent without active opt-in. Fully and easily revocable via App settings or email. |
| AI Model Training | All data after irreversible anonymization | Train and improve AI models including PHA Avatar | Consent for anonymization; post-anonymization: Legitimate Use | Consent obtained for the anonymization step. Post-anonymization data is not Personal Data under the DPDP Act. Legitimate interest in improving clinical AI benefits all Users. Re-identification is technically impossible. |
| Regulatory Compliance & Audits | Name, transaction history, medical records, payments | Satisfy legal obligations; maintain audit trails | Legal Obligation | Required under Clinical Establishments Act, Drugs & Cosmetics Act, Income Tax Act, GST, PMLA, and DPDP Act 2023. Processing does not exceed what applicable law mandates. |
| Parental Consent Verification | Parent name, ID, child name and DOB | Verify guardian consent before processing minor's data | Legal Obligation | Mandatory under Section 9 of the DPDP Act, 2023. No alternative legal basis available for processing a minor's Personal Data. |
Note: 'Legitimate Use' under the DPDP Act, 2023 is functionally analogous to 'Legitimate Interests' under GDPR. Where we rely on it, we have conducted an internal balancing test confirming that our interest does not override the fundamental rights and privacy interests of the Data Principal. The balancing test outcome is summarised in the Justification column above.
7. USE OF ANONYMIZED DATA FOR AI MODEL TRAINING AND ANALYTICS
As a health technology company, the continuous improvement of our AI models - including the PHA Avatar and Skin Analyser - is essential to the quality of care we facilitate. We process your data for this purpose as follows:
7.1 Anonymization Process
Before any data is used for AI model training or health analytics, it undergoes a rigorous, multi-step anonymization process designed to irreversibly remove all personally identifiable information. This process complies with the principles of data minimization and privacy by design mandated under the DPDP Act, 2023. Anonymized data is not Personal Data and cannot be used to identify any individual.
7.2 Categories of Data Used for AI Training
Voice audio recordings - raw audio is first processed through our secure anonymization pipeline, after which the raw identifiable audio is permanently deleted. Only the resulting anonymized text transcript is used for AI model training. Raw voice audio is never retained for training purposes.
Text interaction logs with the PHA Avatar - anonymized before use.
Anonymized consultation summaries and clinical note patterns.
Skin photographs uploaded for the Skin Analyser - where used for AI model improvement, all personally identifiable information (facial features, body identifiers, metadata) is irreversibly masked through the anonymization pipeline before use. Raw uploaded images are never used for training without this anonymization step.
Population-level health analytics and quality assurance of AI-generated summaries - aggregate and anonymized only.
7.3 We Never Sell Your Data
We do not sell, rent, or otherwise transfer your Personal Data or anonymized data to any third party for commercial gain. Your data - whether identifiable or anonymized - is used only to improve the healthcare services we provide to you and users like you. No third-party advertiser, data broker, or commercial entity receives your data in any form for their own commercial purposes.
7.4 Your Consent and Right to Object
Your explicit consent for the anonymization and use of your data for AI training is obtained through the Consent Notice at registration. You may withdraw consent at any time by contacting dpo@pranik.ai. Withdrawal does not affect processing already carried out. Data already anonymized and incorporated into aggregate models cannot be individually extracted or reversed - this is a technical characteristic of anonymization, not a restriction of your rights.
8. SHARING AND DISCLOSURE OF YOUR PERSONAL DATA
We do not sell your Personal Data. We share your Personal Data only in the following circumstances:
8.1 With Healthcare Providers
Your health data and pre-consultation summaries are shared with the Registered Medical Practitioner (RMP) you consult through the App, and with diagnostic laboratories and hospitals you book through the App, solely for the purpose of providing you healthcare services. You consent to this sharing by initiating a consultation or booking.
8.2 With Data Processors (Service Providers)
We engage third-party Data Processors to support our operations, including:
Cloud hosting and data storage providers (servers located in India, in compliance with applicable data localisation requirements).
Payment gateway providers (PCI-DSS compliant).
Analytics and crash reporting services.
SMS, email, and push notification service providers.
KYC verification and identity check service providers.
All Data Processors are bound by data processing agreements that restrict their use of your data to the purpose for which it was shared and require compliance with applicable data protection laws.
8.3 With Wearable Device and Health Platform Partners
If you connect a wearable device or third-party health platform (e.g., Google Fit, Apple HealthKit), data flows between these platforms and the App are governed by your consent and the respective platform's privacy policy. We are not responsible for the data practices of these third parties.
8.4 With Insurance Providers
If you use insurance-linked features (claims processing, coverage verification), relevant health and financial data is shared with your insurance provider solely for processing your claim or verifying your coverage, with your explicit consent.
8.5 For Legal and Regulatory Compliance
We may disclose your Personal Data to government authorities, law enforcement agencies, regulatory bodies, or courts of competent jurisdiction when required to do so by applicable law, court order, or regulatory mandate. We will, where legally permissible, notify you of such disclosure.
8.6 In Emergency Situations
In a genuine medical emergency, we may share your emergency contact information and relevant health data with emergency medical services or emergency contacts designated by you, to protect your vital interests.
8.7 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of assets involving the Company, your Personal Data may be transferred to the successor entity, subject to that entity assuming the obligations of this Privacy Policy. You will be notified of any such transfer.
8.8 With Your Explicit Consent
We will share your Personal Data with any other third party only with your prior, explicit, and informed consent.
9. DATA ABOUT NON-USERS AND DATA RECEIVED FROM THIRD PARTIES
This section addresses Personal Data that Pranik.ai may receive about individuals who are not directly registered Users of the P4P App, but whose data enters our systems through third-party integrations, healthcare provider transmissions, or other indirect channels.
9.1 Categories of Non-User Data We May Receive
Medical reports and diagnostic results shared by a laboratory, hospital, or clinic at the registered User's request or with their consent.
Health records transmitted from a third-party electronic health record system to which the User has linked their P4P account.
Emergency contact information provided by the User (name and phone number of a non-user third party).
Data about the User included in documents or communications uploaded to the App by the User themselves (e.g., a scanned prescription that includes a referring doctor's name).
9.2 How We Handle Non-User Data
Non-User Personal Data received through these channels is:
Used solely for the purpose for which it was transmitted - typically to complete the User's health record or facilitate their care.
Not used for marketing, AI model training, or any secondary purpose without a valid legal basis.
Subject to the same security and retention standards as User Personal Data.
Accessible only by the User whose account it relates to, and by their treating healthcare providers, in accordance with the User's instructions.
9.3 Rights of Non-Users
Individuals whose Personal Data has been received through third-party transmission and who are not registered Users of the App may contact our Data Protection Officer at dpo@pranik.ai to: inquire whether their data is held; request its correction or deletion; or raise a grievance. We will respond to such requests in accordance with the DPDP Act, 2023.
10. AUTOMATED DECISION-MAKING AND THE PHA AVATAR
In the interest of transparency, this section explains what decisions the P4P App makes automatically about you, which decisions always involve a human being, and what your rights are in relation to automated processing.
10.1 What the PHA Avatar Does Automatically
The PHA Avatar uses AI to:
Generate a structured pre-consultation health summary (in SOAP format) based on your responses during health intake. This summary is transmitted to your treating doctor as background information - it does not constitute a diagnosis or clinical decision.
Send proactive health reminders (e.g., medication refills, appointment reminders, wellness prompts) based on your health profile and interaction history.
Suggest nearby healthcare providers, labs, or pharmacies based on your location and stated health needs.
10.2 What the PHA Avatar Does NOT Do Automatically
The PHA Avatar does NOT:
Make or communicate a medical diagnosis or clinical assessment to you. Any clinical assessment is made exclusively by a licensed RMP during or after your consultation.
Issue or modify prescriptions. All prescriptions are reviewed and digitally signed by the treating RMP.
Make any decision that produces a legal effect or significantly affects your access to healthcare in a way that cannot be reviewed by a human being.
Flag or restrict your account based solely on automated health data analysis.
10.3 Human Review Is Always Available
In accordance with the principles of human oversight of AI systems, and consistent with best practice under data protection law:
Any health summary generated by the PHA Avatar is reviewed by your treating RMP before any clinical decision is made.
If you believe any AI-generated content about you is inaccurate, you may request its correction by contacting dpo@pranik.ai. Where the inaccuracy is in a pre-consultation summary, you may also raise it directly with your treating doctor at the start of your consultation.
Due to the technical nature of AI language models, it may not always be possible to retroactively correct AI outputs that have already been processed. We will always make a reasonable effort and will notify you of any limitations.
10.4 No Automated Profiling with Legal or Significant Effect
Pranik.ai does not engage in automated profiling that produces decisions with a legal effect on you or that significantly affects your access to essential services (such as insurance eligibility or credit). Any profiling for personalised health content is limited to health and wellness suggestions within the App and does not affect your rights, entitlements, or access to third-party services.
11. SUBPROCESSORS AND THIRD-PARTY DATA PROCESSORS
We engage third-party organisations ("Subprocessors") to process your Personal Data on our behalf in order to deliver the P4P services. All Subprocessors are:
Bound by written data processing agreements that restrict their use of your data to the specific purpose for which it was shared.
Required to implement security standards at least equivalent to those described in Section 14 of this Policy.
Prohibited from sub-contracting the processing of your data to further parties without our prior written authorisation.
11.1 Categories of Subprocessors
Cloud Infrastructure and Hosting Providers: Server infrastructure for data storage and application hosting (data centres located in India).
Payment Gateway Providers: PCI-DSS compliant processors handling payment card and UPI transactions.
Identity Verification (KYC) Providers: Services used for government ID verification and address verification.
Diagnostic Laboratory Networks: Labs through which you book tests and receive results.
Communication Service Providers: SMS, email, and push notification delivery platforms.
Analytics and Crash Reporting Services: Anonymized performance and error monitoring tools.
AI and Machine Learning Infrastructure Providers: Compute infrastructure for training and running the PHA Avatar and clinical AI models (processing anonymized data only).
Wearable and Health Platform Partners: Third-party platforms (Google Fit, Apple HealthKit, etc.) with which the App integrates at User request.
11.2 Subprocessor List
We maintain a named list of our current Subprocessors, including the category of data processed and the country of the Subprocessor's data processing location. This list is publicly available at pranik.ai/subprocessors and is updated whenever a new Subprocessor is added or an existing one is removed. We will provide 30 days' prior notice of the addition of any new Subprocessor to our registered Users via in-app notification or email, to allow you to exercise your right to object to the new processing arrangement.
11.3 Transfers to Subprocessors Outside India
Where a Subprocessor processes your Personal Data outside the territory of India, we ensure that such transfer is made only: (a) to a country notified by the Central Government as providing adequate data protection under the DPDP Act, 2023; or (b) under a contractual arrangement that imposes data protection obligations on the Subprocessor equivalent to those applicable under Indian law. We will obtain your consent for any cross-border transfer of Sensitive Personal Data where required by applicable law.
12. DATA STORAGE AND LOCALISATION
Your Personal Data is stored on servers located within the territory of India, in compliance with applicable data localisation requirements under Indian law. We use reputable cloud infrastructure providers with data centres in India. In circumstances where cross-border data transfer is necessary (e.g., for specific analytics or cloud services), we ensure that such transfers comply with the requirements of the DPDP Act, 2023, including ensuring adequate safeguards and obtaining your consent where required.
13. DATA RETENTION - THE FIVE DATA BUCKETS
We retain different categories of data for different periods based on their nature, legal requirements, and the privacy impact of retention. We do not apply a single blanket retention period to all data - different data has fundamentally different retention obligations:
| Data Bucket | What It Covers | Retention Period | Legal Basis and Notes |
| --- | --- | --- | --- |
| Bucket 1: Clinical Records | EHR, prescriptions, e-signed prescriptions, SOAP summaries, consultation transcripts (text), doctor's notes, diagnostic reports, skin analysis records, uploaded medical images. | Health records: minimum 7 years. Prescriptions: minimum 5 years. Both measured from last consultation. | Clinical Establishments Act; Telemedicine Guidelines 2020; Drugs and Cosmetics Act. Retained even after account deletion. |
| Bucket 2: Raw Audio | Raw, identifiable voice audio recordings of PHA Avatar interactions and teleconsultations. | Deleted within 24 hours of anonymization pipeline completing. Not retained beyond pipeline. | Collected only to generate anonymized transcripts. Deletion is automatic and permanent once pipeline is confirmed. This is not a clinical record. |
| Bucket 3: Raw Video | Live video feeds from teleconsultations, camera-based real-time vitals, and Skin Analyser live camera feed. | Never stored. Real-time processing only. No video files are written to our servers at any point. | Video is processed frame-by-frame in real-time. The system architecture has no video recording capability. |
| Bucket 4: User-Uploaded Images | Skin photographs and medical images explicitly uploaded by the User. | Stored as part of the clinical EHR - retained with Bucket 1 periods. Anonymized before any AI training use. | User may request deletion of uploaded images outside mandatory clinical record periods. Anonymization is irreversible once applied. |
| Bucket 5: Anonymized AI Data | Irreversibly de-identified audio transcripts and text used for AI model training. | Indefinite - no longer Personal Data once anonymized. | Post-anonymization data is outside the scope of DPDP Act erasure obligations. Cannot be traced to any individual. Cannot be extracted or reversed. |
Upon expiry of applicable retention periods, Personal Data is securely deleted or irreversibly anonymized. Financial and payment records are retained for a minimum of 8 years under the Income Tax Act, GST regulations, and PMLA.
14. YOUR RIGHTS AS A DATA PRINCIPAL
Under the DPDP Act, 2023, you have the following rights with respect to your Personal Data. You may exercise these rights by contacting dpo@pranik.ai or through the App's Privacy Settings:
14.1 Right of Access and Information
You have the right to obtain confirmation of whether we process your Personal Data, a summary of the Personal Data held, and information about the processing activities and Data Processors with whom your data has been shared.
14.2 Right to Correction and Updation
You have the right to request correction of inaccurate or misleading Personal Data and to have incomplete data completed.
14.3 Right to Erasure
You have the right to request deletion of your Personal Data when it is no longer necessary for the purpose for which it was collected, or upon withdrawal of consent. This right is subject to legal retention obligations - data required to be retained by law cannot be erased prior to the expiry of the mandatory retention period.
14.4 Right to Data Portability
You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format, and to request that it be transmitted to another Data Fiduciary, to the extent technically feasible.
14.5 Right to Withdraw Consent
You may withdraw your consent for any specific processing activity at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Withdrawal of certain consents may affect your ability to use specific features of the App.
14.6 Right to Grievance Redressal
You have the right to seek redress for any grievance relating to the processing of your Personal Data. You may contact our DPO at dpo@pranik.ai. We commit to acknowledging your grievance within 72 hours and resolving it within 30 days of receipt. If your grievance is not resolved to your satisfaction, you have the right to escalate the matter to the Data Protection Board of India, once established under the DPDP Act, 2023.
14.7 Right of Nomination
In accordance with the DPDP Act, 2023, you have the right to nominate another individual who shall, in the event of your death or incapacity, exercise your rights under this Policy in respect of your Personal Data. To make a nomination, please contact dpo@pranik.ai.
15. CHILDREN'S PRIVACY AND PARENTAL CONSENT
The App is not directed to children below the age of 18 years. In compliance with Section 9 of the DPDP Act, 2023, we do not knowingly collect Personal Data of children without verifiable parental consent. Where a minor wishes to use the App:
A parent or legal guardian must provide verifiable consent on the minor's behalf, by completing the Parental Consent Verification process within the App.
We collect the parent's full name, government-issued ID, phone number, and email address, and the child's full name and date of birth, for the sole purpose of consent verification.
We will not process a child's Personal Data for behavioural monitoring or targeted advertising.
Parents may, at any time, withdraw consent for the processing of their child's Personal Data or request its deletion, by contacting dpo@pranik.ai.
16. SECURITY OF YOUR PERSONAL DATA
We implement a comprehensive set of technical and organizational security measures to protect your Personal Data from unauthorized access, disclosure, alteration, loss, or destruction. These measures include:
Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256).
Role-based access controls ensuring that only authorized personnel can access Personal Data.
Multi-factor authentication for system access.
Regular security audits, vulnerability assessments, and penetration testing.
Data minimization practices - we collect only what is necessary.
Employee training on data privacy and security.
Incident response and breach notification procedures.
While we strive to protect your Personal Data, no method of transmission over the internet or method of electronic storage is entirely secure. In the event of a personal data breach that is likely to result in harm to you, we will notify you and the Data Protection Board of India (once established) as required by applicable law.
17. COOKIES AND TRACKING TECHNOLOGIES
The App uses cookies and similar tracking technologies (such as SDKs, pixels, and device identifiers) for purposes including:
Maintaining your session and authentication state.
Remembering your preferences and settings.
Analytics and performance monitoring (e.g., crash reports, feature usage).
Fraud detection and security monitoring.
We do not use third-party advertising cookies or cross-site tracking cookies for behavioural advertising purposes within the App. You may control cookie and tracking preferences through your device settings and the App's Privacy Settings. Note that disabling certain cookies or tracking may affect the functionality of the App.
18. THIRD-PARTY SERVICES AND LINKS
The App integrates with or provides links to third-party services, including wearable device platforms, mapping services, payment gateways, insurance portals, and laboratory networks. These third-party services have their own privacy policies, and we are not responsible for their data practices. We encourage you to review the privacy policies of any third-party service you access through or in connection with the App.
18.1 ABDM / NDHM Integration
The App may integrate with the Ayushman Bharat Digital Mission (ABDM) and National Digital Health Mission (NDHM) infrastructure, including ABHA (Ayushman Bharat Health Account) IDs, health lockers, healthcare registries, and consent manager services. Where such integration is enabled:
Data flows through ABDM infrastructure are governed by the ABDM Data Policy and consent framework issued by the National Health Authority, in addition to this Privacy Policy.
Your ABHA ID and linked health records are managed in accordance with the National Health Authority's published policies and the consent you provide through the ABDM consent manager.
We will comply with all ABDM sandbox and production integration policies as published by the National Health Authority from time to time.
You may manage your ABDM consents independently through your ABHA account in addition to the consent controls within this App.
If and when ABDM integration is activated in the App, we will update this section with specific details of the data flows involved. Until then, no data is transmitted to or from ABDM infrastructure.
18.2 Third-Party AI and Machine Learning Infrastructure
We use third-party cloud and AI infrastructure providers as Subprocessors to operate our AI features including the PHA Avatar. We confirm the following explicitly:
No Personal Data or Sensitive Personal Data - including your health records, consultation summaries, or identity data - is transmitted to any third-party foundation model provider or general-purpose AI platform.
Third-party AI infrastructure providers process only anonymized or synthetic data. All data is irreversibly de-identified before it reaches any third-party AI compute environment.
Primary storage and processing of all Personal Data remains on servers located within India. Only anonymized data may be processed on infrastructure outside India, and only under the transfer safeguards described in Section 11.3.
18.3 Cross-Border Transfer - Future Regulatory Compliance
In addition to the transfer safeguards set out in Section 11.3, the Company will comply with any future notifications, adequacy decisions, or transfer restrictions issued by the Central Government of India under the DPDP Act, 2023, as and when published. Where new transfer rules require changes to our data processing arrangements, we will update this Policy and notify you in accordance with Section 20.
18.4 App Availability in Indian Languages
We are progressively making the App and its key legal notices - including this Privacy Policy and the Consent Notice - available in major Indian languages where reasonably practicable. Where you require this Policy or the Consent Notice in a specific Indian language, please contact support@pranik.ai and we will endeavour to provide it. Language availability will be expanded over time and announced through in-app notifications.
19. MARKETING COMMUNICATIONS
We may send you marketing communications (by email, SMS, or push notification) about health-related products, services, and offers that may be of interest to you, only where you have opted in to receive such communications. You may opt out of marketing communications at any time by:
Clicking the "Unsubscribe" link in any marketing email.
Replying "STOP" to any marketing SMS.
Adjusting your notification preferences in the App settings.
Contacting support@pranik.ai.
Withdrawal of marketing consent does not affect the delivery of transactional communications (such as appointment confirmations, prescription refill alerts, lab report notifications, and emergency alerts), which are necessary for service delivery.
20. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable law, or the App's features. For material changes, we will provide at least 30 (thirty) days' prior notice through in-app notification or by email to your registered address. The updated Policy will be published on the App and at pranik.ai/privacy-policy. Your continued use of the App after the notice period constitutes acceptance of the revised Policy. If you do not agree to the revised Policy, you must discontinue use of the App and may request deletion of your account.
21. GRIEVANCE REDRESSAL
For any privacy-related concerns, requests, or grievances, please contact support@pranik.ai.
Address: Plot No. 114-116, Gafoornagar, Hyderabad, Telangana - 500018, India
Response Time: Acknowledgement within 72 hours; Resolution within 30 days
Escalation: Data Protection Board of India (once constituted under DPDP Act, 2023)
22. ACKNOWLEDGEMENT
By using the P4P App, you confirm that you have read, understood, and agree to the collection and processing of your Personal Data as described in this Privacy Policy.