Privacy Policy

DPDP Act 2023 compliant. Consent-first. Data stays in India.

Last updated: 1 May 2026

DPDP Act 2023 Compliant

Naadhi is built consent-first. No patient data is collected without explicit digital consent. Hospitals are the data fiduciary. Naadhi is the data processor.

Overview

Naadhi Health Technologies (“Naadhi”, “we”, “our”) operates the Naadhi Hospital Management System. This Privacy Policy explains how we collect, use, process, and protect data when hospitals and their staff use our platform.

Naadhi operates under the Digital Personal Data Protection (DPDP) Act 2023. The hospital that subscribes to Naadhi is the “data fiduciary” — responsible for patient data decisions. Naadhi is the “data processor” — processing data only as directed by the hospital.

This policy was last updated on 1 May 2026.

Data we collect

Patient data (collected by your hospital, processed by Naadhi)

  • Identity: name, date of birth, gender, ABHA ID, Aadhaar/PAN/Voter ID numbers
  • Contact: phone, email, WhatsApp number, address
  • Clinical: diagnoses (ICD-10), medications, lab results, vitals, clinical notes, discharge summaries
  • Insurance: TPA details, policy numbers, claim records
  • Financial: billing records, payment transactions, insurance settlement amounts

Hospital staff data

  • Identity: name, designation, department, employee ID
  • Credentials: Medical/Nursing Council registration numbers, document expiry dates
  • Attendance: biometric check-in/check-out timestamps
  • Payroll: salary components, bank account details (encrypted at rest)

Platform usage data

  • Login events, IP addresses, browser/device metadata
  • API call logs for security and debugging (retained 90 days)
  • Error logs (no patient PII in error logs)

How we use your data

  • Provide the HMS platform: scheduling, billing, pharmacy, clinical records
  • Power Asha AI: generate discharge summaries, TPA pre-auths, roster optimisation, drug interaction checks
  • Send WhatsApp notifications to patients (with their explicit consent)
  • ABDM integration: ABHA linking, FHIR record sharing — only after patient consent captured
  • Compliance: NABH register auto-population, GST e-Invoice, DPDP audit trail
  • Security monitoring: detect unauthorised access, prevent fraud

We do NOT sell patient data. We do NOT use patient data to train AI models without explicit hospital consent.

DPDP Act 2023 compliance

  • Consent gate: no patient data is collected before digital consent is obtained and logged
  • Purpose limitation: data is used only for the purpose stated at consent time
  • Data minimisation: only fields required for each workflow are collected
  • Right to access: patients can request a copy of their data via the hospital
  • Right to correction: patients can request correction of inaccurate data
  • Right to erasure: patients can request deletion — clinical records retained for 7 years (legal mandate) with access locked
  • Grievance officer: privacy@naadhi.health — responds within 30 days as required by the DPDP Act

Data security

  • All data encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Supabase Row Level Security (RLS) enforces strict multi-tenant isolation — no hospital can access another's data
  • Sensitive credentials (TPA portal passwords, bank accounts) stored in Supabase Vault
  • Role-based access control: staff see only data their role permits
  • Audit log of all data access events retained for 2 years
  • Penetration testing conducted annually
  • Data hosted in AWS ap-south-1 (Mumbai) — no data leaves India without consent

Data sharing

  • ABDM / NHA: clinical records shared only after patient grants consent via ABDM consent flow
  • TPA portals: claim data shared with the TPA only as part of the insurance claim process initiated by the hospital
  • Payment processors: Razorpay receives transaction amount and metadata — no clinical data
  • Government portals: PMJAY TMS, CGHS, ESI — only as part of scheme claims initiated by the hospital
  • We do not share data with advertisers, data brokers, or analytics platforms
  • Law enforcement: only with a valid court order or as required by Indian law

Data retention

  • Patient clinical records: retained for 7 years from last visit (MCI guidelines require 3 years; we retain 7 for safety)
  • Billing records: retained for 8 years (GST compliance)
  • Audit logs: 2 years
  • WhatsApp conversation logs: 1 year
  • Staff payroll records: 10 years
  • After the retention period, data is permanently deleted using NIST 800-88 secure deletion

Contact & grievances

For privacy questions, data requests, or grievances under the DPDP Act 2023, contact our Data Privacy Officer:

Email: privacy@naadhi.health · Response time: within 30 days as mandated by the DPDP Act.

For urgent security concerns: security@naadhi.health