Privacy Policy
Effective Date: 21/04/2026
Welcome to Flabs, a Laboratory Information System (LIS) provided by Diagnoshuttle Private Limited! This Privacy Policy explains how Diagnoshuttle Private Limited ("Flabs", "we", "our", or "us") collects, uses, shares, and safeguards information when you access our website, mobile applications, and LIS software (collectively, the "Services"). Flabs is designed for pathology laboratories, diagnostic centres, and healthcare providers in India, and we take the privacy of laboratory users and the patients they serve very seriously. This Policy is published in accordance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and the Digital Personal Data Protection Act, 2023 ("DPDP Act"). By accessing or using our Services, you agree to the practices described in this Policy.
1. Scope and Our Role
Flabs operates in two distinct capacities:
• As a Data Fiduciary: When you visit our website, request a demo, subscribe to our newsletter, create a lab account, or otherwise interact with us directly, we determine the purpose and means of processing your personal data and act as a Data Fiduciary under the DPDP Act.
• As a Data Processor: When a laboratory or diagnostic centre ("Lab Customer") uses our LIS software to process patient data, test orders, reports, and related records, the Lab Customer is the Data Fiduciary and Flabs acts as a Data Processor processing such data strictly on the Lab Customer's documented instructions and under a written agreement.
Patients with questions about how their health data is handled should contact the Lab Customer directly.
2. Information We Collect
Depending on how you interact with our Services, we may collect the following categories of information:
• Identity and Contact Data: Name, designation, lab name, email address, phone number, billing address, and GSTIN.
• Account and Authentication Data: Username, hashed passwords, role-based access permissions, and login activity logs.
• Transaction and Billing Data: Subscription plan, invoices, payment instrument details (processed through PCI-DSS compliant payment gateways; we do not store full card numbers), and tax information.
• Patient and Health Data (processed on behalf of Lab Customers): Patient demographics, referring doctor, sample details, test orders, test results, medical history provided for testing, diagnostic images, and reports. This is Sensitive Personal Data or Information under the SPDI Rules.
• Technical and Usage Data: IP address, device identifiers, browser type, operating system, pages visited, referring URLs, clickstream data, crash logs, and cookies.
• Communications Data: Support tickets, call recordings (with notice), chat transcripts, and feedback you provide.
• Google Account Integration Data (optional, lab-initiated): When a Lab Customer connects a Google account to the Flabs CRM to ingest pathology test booking emails, we access the contents of the connected Gmail mailbox in read-only mode via the gmail.readonly OAuth scope, together with OAuth access and refresh tokens required to maintain the connection. See Section 16 for full details.
• Marketing Data: Preferences for receiving marketing communications and responses to campaigns.
We do not knowingly collect Aadhaar numbers or biometric data unless a Lab Customer configures such fields for their own workflow, in which case the Lab Customer is responsible for obtaining the required consents.
3. How We Collect Information
We collect information when you:
• Visit our website, mobile apps, or LIS dashboard.
• Register for an account, book a demo, or subscribe to communications.
• Upload, enter, or generate data while using the LIS (including patient and test records entered by lab staff).
• Communicate with our sales, onboarding, or support teams.
• Integrate third-party analysers, HIS/HMS, or payment systems with Flabs.
• Participate in surveys, webinars, or events.
We also collect data automatically through cookies, pixels, SDKs, and similar technologies to understand how the Services are used and to improve them.
4. Legal Basis for Processing
We process personal data only where we have a lawful basis to do so, including:
• Your consent, which you may withdraw at any time.
• Performance of a contract with you or your laboratory.
• Compliance with applicable laws (including tax, healthcare, and record-keeping obligations).
• Legitimate uses permitted under the DPDP Act, such as responding to medical emergencies, preventing fraud, and ensuring information security.
For patient health data processed inside the LIS, the Lab Customer (as Data Fiduciary) is responsible for obtaining and maintaining the required patient consents.
5. How We Use Collected Information
We use the information we collect to:
• Provide, operate, maintain, and improve the LIS and related Services.
• Authenticate users, enforce access controls, and prevent unauthorised use.
• Generate test reports, deliver them to patients and referring doctors on behalf of Lab Customers, and enable report sharing via email, SMS, WhatsApp, or portal.
• Ingest pathology test booking emails from a Lab Customer's connected Google account to automatically create patient records, test orders, and sample-collection tasks in the Flabs CRM, as further described in Section 16.
• Process payments, issue invoices, and manage subscriptions.
• Provide customer support, troubleshoot issues, and train our support team.
• Send service announcements, security alerts, and transactional notifications.
• Send marketing communications where permitted, with an opt-out option.
• Generate aggregated and anonymised analytics to improve product performance and build new features; such data cannot be used to re-identify any individual.
• Detect, investigate, and prevent fraud, abuse, or security incidents.
• Comply with legal obligations and respond to lawful requests from authorities.
6. Information Security
We follow reasonable security practices and procedures as required under the SPDI Rules and align our controls with recognised frameworks (such as ISO/IEC 27001 principles). Our safeguards include:
• Encryption of data in transit using TLS 1.2 or higher.
• Encryption of sensitive data at rest.
• Role-based access control, least-privilege principles, and audit logging.
• Regular vulnerability scans, penetration testing, and security patching.
• Secure software development practices and code reviews.
• Employee confidentiality agreements and periodic security training.
• Business continuity and disaster recovery planning, including periodic backups.
No system is completely secure, and we cannot guarantee absolute security. If you believe your account or data has been compromised, please contact us immediately.
7. Sharing with Third Parties
We do not sell or rent personal data. We share information only in the following circumstances:
• With Lab Customers: Data entered into the LIS is accessible to the Lab Customer that owns the account and to users they authorise.
• With Sub-processors: We engage vetted service providers for cloud hosting, communication (SMS/email/WhatsApp), analytics, payment processing, and customer support. These sub-processors are bound by contractual confidentiality and data protection obligations and may only process data on our instructions.
• With Referring Doctors and Patients: Reports and notifications are shared as configured by the Lab Customer.
• For Legal Reasons: We may disclose information to comply with law, court orders, or lawful requests from government authorities, or to protect the rights, property, or safety of Flabs, our users, or others.
• In Business Transfers: If Flabs is involved in a merger, acquisition, or sale of assets, personal data may be transferred, subject to this Policy and prior notice where required.
8. Data Localisation and International Transfers
Flabs primarily stores personal data and patient health data on servers located in India. Where a sub-processor outside India is used (for example, for global SaaS tooling), we ensure that such transfers comply with the DPDP Act and any restrictions notified by the Central Government, and that appropriate contractual safeguards are in place.
9. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, including providing our services, complying with legal obligations, resolving disputes, and enforcing our agreements.
• Account Information: We retain your data for as long as your account is active.
• After Account Deletion: Once you request account deletion, we will delete or anonymise your personal data within 30 days, unless retention is required for legal or regulatory purposes.
• Legal Requirements: Certain data (such as billing, tax, and transaction records) may be retained for a longer period as required by applicable laws, including a minimum of 8 years for tax records under Indian law.
• Medical Records: Patient reports and records processed on behalf of Lab Customers are retained as instructed by the Lab Customer and in line with applicable medical record retention guidelines (typically 3 years or longer).
• Google/Gmail Integration Data: OAuth access and refresh tokens are retained in encrypted form only while the Gmail integration remains connected, and are deleted within 7 days of disconnection. Raw email content fetched from Gmail is processed in memory for parsing and is not persisted beyond the time required to create the corresponding CRM record. Structured fields extracted from booking emails (e.g., patient name, contact, test panel) are retained as CRM records per the "Medical Records" retention rule above.
• Analytics Data: Aggregated or anonymised data may be retained indefinitely for analytical purposes.
10. Your Rights
Subject to applicable law, including the DPDP Act, you have the right to:
• Access the personal data we hold about you and obtain a summary of processing activities.
• Correct or update inaccurate or incomplete personal data.
• Request erasure of your personal data, subject to our legal and contractual retention obligations.
• Withdraw consent previously provided, without affecting the lawfulness of prior processing.
• Nominate another individual to exercise your rights in the event of your death or incapacity.
• Lodge a grievance with our Grievance Officer and, if unresolved, with the Data Protection Board of India.
To exercise any of these rights, please contact us using the details in Section 15. Patients whose data is processed inside the LIS should contact the concerned Lab Customer, who is the Data Fiduciary for that data.
11. Cookies and Tracking Technologies
We use cookies, local storage, and similar technologies to keep you signed in, remember preferences, analyse usage, and improve performance. You can control cookies through your browser settings, but disabling them may affect certain features of the Services. Where required by law, we request your consent before setting non-essential cookies.
12. Children's Privacy
Our Services are not directed to individuals under 18 years of age, and we do not knowingly collect personal data directly from children. Where a Lab Customer processes a child's health data through the LIS, the Lab Customer is responsible for obtaining verifiable consent from a parent or lawful guardian as required under the DPDP Act.
13. Data Breach Notification
In the event of a personal data breach that is likely to cause harm, we will notify the affected Data Principals, the Data Protection Board of India, and CERT-In within the timelines required under applicable law. We maintain an incident response plan and work with our Lab Customers to contain and remediate incidents affecting their data.
14. Updates to Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you through the Services or by email and update the "Effective Date" at the top of this Policy. Your continued use of the Services after such updates constitutes acceptance of the revised Policy.
15. Grievance Officer and Contact Us
If you have any questions, concerns, or requests regarding your personal information or this Privacy Policy, or if you wish to exercise your rights, please contact us at:
Diagnoshuttle Private Limited
Email: hello@flabs.in
In accordance with the Information Technology Act, 2000, the SPDI Rules, and the DPDP Act, 2023, you may also reach our Grievance Officer at hello@flabs.in. We will acknowledge your grievance within a reasonable period and endeavour to resolve it within the timelines prescribed by law.
16. Google API Services and Gmail Integration
Flabs CRM offers an optional feature for Customers to connect their Google account so that pathology test booking emails (received from hospitals, aggregators such as Practo or 1mg, corporate B2B clients, and direct patients) can be parsed automatically into structured CRM records. This section describes how that integration works and how we handle data received from Google APIs.
16.1 Scopes requested. We request the following OAuth scope only: https://www.googleapis.com/auth/gmail.readonly — read-only access to messages and settings in the connected Gmail mailbox. We do not request permission to send, modify, delete, archive, or label emails, and we do not access Google Contacts, Calendar, Drive, or any other Google service.
16.2 Data accessed and extracted. After you grant consent, our system reads incoming emails in the connected inbox to identify pathology test booking emails. From these specific emails, we extract structured booking fields — patient name, age, contact number, test panel requested, referring doctor, and sample-collection address — and create corresponding records inside your Flabs CRM tenant. Emails that are not booking emails are ignored.
16.3 Storage, security, and retention. OAuth access and refresh tokens are stored encrypted at rest and are used solely to fetch new booking emails on your behalf. Raw email bodies and headers are processed in memory for parsing and are not retained beyond the time needed to create the corresponding CRM record. Extracted structured CRM records are stored on encrypted infrastructure (TLS 1.2+ in transit, AES-256 at rest) within your Flabs tenant, and are retained in accordance with Section 9.
16.4 Limited Use commitment. Flabs' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, Flabs:
• Does not use Google user data to serve advertisements of any kind, including retargeting, personalized, or interest-based advertising.
• Does not use Google user data to develop, improve, or train generalized or non-personalized artificial intelligence or machine learning models. Any parsing logic used by Flabs is rule-based or relies only on synthetic or separately consented training data.
• Does not sell or transfer Google user data to third parties, except as necessary to provide or improve the user-facing booking-ingestion feature, to comply with applicable law, or as part of a merger, acquisition, or asset sale where the receiving party honors this Policy.
• Does not allow humans to read Google user data, except (a) with your explicit consent, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where data has been aggregated and anonymized for internal operations.
16.5 Revoking access and deleting data. You can revoke Flabs' access to your Google account at any time via:
• Your Google Account permissions page at https://myaccount.google.com/permissions — locate "Flabs" and click Remove access, or
• The Flabs CRM — navigate to Settings → Integrations → Gmail → Disconnect.
Disconnection will cause associated OAuth tokens to be deleted within 7 days. To request deletion of booking records already extracted into your CRM, email hello@flabs.in with the subject line "Gmail Data Deletion Request." We will permanently delete the associated records within 30 days of verification, except where retention is required by applicable medical-records or tax law (see Section 9).
16.6 Lab Customer responsibility. The Gmail integration is initiated and configured by the Lab Customer, who acts as the Data Fiduciary for the mailbox and its contents. Lab Customers are responsible for ensuring they have the right to connect the chosen mailbox and for complying with any applicable patient-consent requirements under the DPDP Act and SPDI Rules in respect of information contained in booking emails.
Thank you for choosing Flabs. We are committed to providing a reliable, secure, and privacy-respecting Laboratory Information System for healthcare providers across India. Please feel free to contact us with any questions.
Best regards,
Flabs Team
Diagnoshuttle Private Limited