Version 1.0 · Effective 27 April 2026

Privacy Policy

Zyvai Technologies Private Limited / operating as Nadi Health

1. Introduction

Zyvai Technologies Private Limited, a company incorporated under the Companies Act 2013 with CIN U62011DL2026PTC465961, registered at 14/12, 2nd Floor, Kalkaji, New Delhi, South Delhi – 110019, Delhi, India, operates the Nadi Health platform (“Nadi”, “we”, “our”). This Privacy Policy is effective from 27 April 2026.

This Privacy Policy applies to: patients using Sehat (sehatapp.in and the Sehat mobile application), doctors using the Nadi Doctor portal (doctor.nadihealth.co), hospital administrators using the Hospital portal, and all users of Nadi Health services. We are committed to protecting your personal and health data in compliance with the Digital Personal Data Protection Act 2023 (DPDPA), the Information Technology Act 2000, and all applicable Indian regulations.

Zyvai Technologies Private Limited may be required to register as a Significant Data Fiduciary under the DPDPA 2023 upon notification by the Central Government. We will comply with all applicable registration and audit requirements as they are notified.

2. Data We Collect

2.1 Patient Data

Identity: Full name, date of birth, gender, phone number
ABHA linking:Aadhaar numbers are not stored. For ABHA linking, Aadhaar verification is performed through UIDAI’s OTP-based authentication and only a tokenised reference is retained, in compliance with the Aadhaar (Targeted Delivery) Act 2016 and UIDAI regulations
Health records: Prescriptions, diagnoses, vitals, lab reports, vaccination records, clinical photos, consultation notes
Consent records: Which doctors have access, when consent was granted, modified, or revoked
Family vault data: Records of family members managed under your account and cross-member access permissions
Appointment data: Booked slots, check-in timestamps, no-show status, payment information
Communication data: WhatsApp messages sent for OTP, reminders, queue notifications, second opinion updates
Device data (personal data):Firebase Cloud Messaging (FCM) token for push notifications — treated as personal data under DPDPA 2023. FCM tokens are deleted when you log out or uninstall the application. Biometric authentication flag is stored locally on device only and is never transmitted to Nadi servers.

2.2 Doctor Data

Identity: Full name, NMC registration number, specialisations, qualifications
Practice data: Clinic name, address, schedule settings, consultation fee settings
Clinical activity: Prescriptions issued, consultations conducted, care plans enrolled, second opinions answered
Revenue data: Earnings, refund decisions, payout settings, bank account details (post payment integration)

2.3 Automatically Collected Data

IP address and login timestamps for security and audit purposes
OTP request timestamps and role used for role enforcement
Consent acceptance logs: timestamp, method of acceptance, document version, IP address
Cookie data: Essential authentication cookies on web portals (see Section 8)

3. Consent Architecture (DPDPA Section 6)

When a patient scans a clinic QR code or grants consent through any Nadi platform, the following consent states are handled:

Consent State	What Happens
No prior consent	Patient is offered the option to grant consent or check in without granting record access.
Active consent	Patient is automatically checked in. Doctor has full access to consented records.
Lapsed consent	Patient is shown expiry notice and offered renewal or check-in without consent.
Revoked consent	Doctor cannot access records. Patient may re-grant consent at any time.

Consent is recorded with: timestamp, method (QR scan, verbal attestation, WhatsApp confirmation), IP address, and document version. Consent can be revoked at any time from the Sehat app.

4. AI Features and Cross-Border Data Processing

4.1 Cross-Border Transfer Disclosure

Audio data for scribe transcription and prescription images for OCR are processed by Google Vertex AI (Gemini) on Google’s infrastructure, which may involve processing outside India. By using AI features, you explicitly consent to this cross-border transfer for the sole purpose of AI processing. Raw audio and images are deleted after processing completes (maximum 24 hours for audio). Nadi Health will comply with all applicable cross-border data transfer requirements under DPDPA 2023 Section 16 as the Central Government notifies approved countries and frameworks.

4.2 Ambient Scribe

When a doctor starts an AI scribe session with patient consent, audio is recorded and sent to Google Vertex AI (Gemini) for transcription. Raw audio is automatically and permanently deleted after transcription (maximum 24 hours). The resulting SOAP notes and transcript are stored with the consultation record. Scribe requires separate explicit patient consent, distinct from general record-sharing consent.

4.3 Rx Scan (Gemini OCR)

When an assistant scans a handwritten prescription, the image is sent to Gemini for OCR processing. The extracted prescription draft is presented to the doctor for review and approval before entering the patient record. The original scan image is stored in Google Cloud Storage.

4.4 Second Opinion Structured Response

When a specialist submits a second opinion, our system uses AI to assist with categorising recommendations. All clinical content is authored and reviewed by the specialist doctor. AI assistance is limited to formatting and categorisation only.

4.5 AI Limitations

AI features may produce hallucinations — confident-sounding outputs that are factually incorrect. Doctor review is the mandatory safeguard. No AI feature on Nadi Health is approved by any Indian regulatory body as a medical device.

5. Data Storage and Retention

If you request account deletion, your health records will be retained for a period of 3 years from the date of deletion as required by applicable medical records regulations, after which they will be permanently deleted. You may request a copy of your records before deletion at hello@nadihealth.co.

Data Type	Storage Location	Retention
Health records	GCP Mumbai (Cloud SQL)	Indefinite (patient-controlled); 3 years minimum after account deletion
Documents and images	GCP Mumbai (Cloud Storage)	Indefinite (patient-controlled)
OTP codes	GCP Mumbai (Cloud SQL)	Deleted after 30 minutes
Scribe audio	GCP Mumbai (temporary)	Deleted after transcription (max 24 hours)
WhatsApp tokens	GCP Mumbai (Cloud SQL)	Deleted after use or 48-hour expiry
Clinical audit logs	GCP Mumbai (Cloud SQL)	3 years (prescription, consent, vitals actions)
Login/session logs	GCP Mumbai (Cloud SQL)	90 days
FCM tokens	GCP Mumbai (Cloud SQL)	Deleted on logout or app uninstall
Appointment logs	GCP Mumbai (Cloud SQL)	30 days after appointment

6. Third-Party Data Processors

Processor	Purpose	Data Shared
Google Cloud Platform (Mumbai)	Database, file storage, API hosting	All platform data
Google Vertex AI / Gemini	Scribe transcription, Rx OCR, structured response	Audio, prescription images, opinion text (cross-border, see Section 4.1)
Firebase (Google)	Authentication, push notifications	Phone number, FCM token
MSG91 (production)	WhatsApp OTP and notifications	Phone number, message content
Razorpay (post-incorporation)	Payment processing	Payment amount, order ID

7. Your Rights (DPDPA 2023)

Right to access: View all personal data we hold about you
Right to correction: Request correction of inaccurate personal data
Right to erasure: Request deletion of your data (subject to 3-year medical records retention requirement)
Right to data portability: Receive your health records in a portable format (PDF export)
Right to withdraw consent: Revoke doctor access to your records at any time from the Sehat app
Right to grievance redressal: Contact our Grievance Officer at hello@nadihealth.co
Right to nominate: You may nominate another individual to exercise your data rights in the event of your death or incapacity, as provided under DPDPA 2023

8. Cookies

Our web portals use essential cookies for authentication and session management using Firebase Authentication. We do not use third-party advertising cookies or tracking cookies. You can manage cookie preferences in your browser settings, but disabling essential cookies will prevent you from logging in to any Nadi Health web portal.

9. Security

We implement the following security measures:

All data transmitted over HTTPS/TLS encryption
Firebase Authentication for all user sessions with automatic token expiry
Role-based access control (patient, doctor, assistant, admin)
OTP role enforcement: patient OTPs cannot be used to log into doctor portals and vice versa
Parameterised SQL queries to prevent injection attacks
Rate limiting on all authentication endpoints
6-digit OTPs with exponential backoff on failed attempts
Audit logs of all clinical actions retained for 3 years

10. Data Breach Notification

In the event of a personal data breach, Nadi Health will notify the Data Protection Board of India and affected data principals as required under Section 8(6) of the DPDPA 2023, within the timeframe prescribed by the Board. Notification to affected users will be sent via WhatsApp and email (if registered) describing the nature of the breach, the data affected, and the steps we are taking to address it.

11. Changes to This Policy

We will notify you of material changes to this Privacy Policy via WhatsApp and in-app notification at least 15 days before they take effect. Continued use of Nadi Health services after notification constitutes acceptance of the updated policy. The version of the Privacy Policy accepted by each user is recorded in our systems. Version history is available at nadihealth.co/privacy.

12. Contact and Grievance Officer

Grievance Officer (as required under DPDPA 2023 and IT Act 2000)

Zyvai Technologies Private Limited (Nadi Health)
14/12, 2nd Floor, Kalkaji, New Delhi, South Delhi – 110019, Delhi, India
CIN: U62011DL2026PTC465961 · PAN: AACCZ9993Q
Email: hello@nadihealth.co · Website: nadihealth.co

We will respond to grievances within 30 days as required by the DPDPA 2023 and within 48 hours for acknowledgement as required under the Consumer Protection Act 2019.