Legal

Privacy Policy

Last updated: 4 June 2026
Framework: DPDP Act 2023
Version: 0.1 — pilot
Draft layout — placeholder text. Structured and ready for the lawyer's final copy under India's DPDP Act 2023. Replace each section's body; the layout will hold.

The short version

We collect the minimum needed to run the tool for verified doctors. We never want patient-identifying data, we don't sell anything, and you can delete your account and logs at any time.

01 What we collect

Data | Why
Email address | Account creation and sign-in
Password (hashed) | Authentication, stored by Supabase Auth
NMC / SMC registration number | Verifying licensed-physician status
Licensed-physician attestation | Eligibility record
Query & response text | Delivering and improving the service
IP address & user agent | Security, abuse monitoring, diagnostics

02 How we use your data

  • Operate the service you request;
  • Improve quality — reviewing cases where output was incorrect, incomplete, or unsafe;
  • Aggregate analytics — counts and patterns, never individual physician tracking;
  • Abuse detection — identifying non-clinical or guardrail-bypassing use.

We do not sell, rent, or share your data with third parties for their own commercial use.

03 No patient-identifiable information

You are instructed never to enter patient names, MRNs, contact details, or any identifiers. Logs are intended to contain only de-identified clinical descriptions.

04 Third-party processors

Processor | Role
Supabase | Database & authentication hosting
OpenAI | Processes query text via API to generate responses; contractually committed not to train on API data
Vercel | Application hosting & request diagnostics

Each acts as a processor under our instructions.

05 Cross-border processing

When generating a response, your query text is processed through OpenAI's US infrastructure. By using the service you acknowledge this cross-border transfer. No physician data is retained by our processors beyond their stated service-operation windows.

06 Retention

Account data is retained for the lifetime of your account. During the pilot, query and response logs are retained for product improvement. You can request deletion of your account and all associated logs at any time.

07 Your rights under the DPDP Act

You may access, correct, or delete your personal data, and withdraw consent. Manage most of this from your profile, or contact our grievance officer below.

08 Data fiduciary & grievance officer

Data fiduciary: CliniKnow [legal entity]. For any privacy request or grievance, contact our Grievance Officer at ankit@cliniknow.com. We aim to respond within the timelines set by the DPDP Act.