Privacy Policy
Last updated: 29 April 2026
This Privacy Policy explains how the Nidan team ("Nidan", "we", "us", "our") collects, uses, shares, and protects personal information when you use the Nidan Lab Information System (the "Service"). It also explains the rights of patients and other data principals whose data is processed through Nidan.
1. Data we collect
Account data (we are the fiduciary)
- Name, work email, mobile number, organisation name, role, and password (stored as a salted hash).
- Login activity, IP address, device, and browser metadata for security and audit logs.
- Billing contact details and tax identifiers (GSTIN) where applicable.
Customer Data (we are the processor)
- Catalog data — tests, panels, packages, rate lists, sections.
- Patient records — demographics, contact details, identifiers, history of orders and reports.
- Order, specimen, result, and report data generated through laboratory operations.
- Quality records — QC runs, EQA, CAPA, audits, critical-value notifications, complaints, incidents.
- Billing and invoicing data attached to orders.
Telemetry
- Aggregated, de-identified usage statistics that help us improve the Service.
- Error reports and performance traces. We strip personally identifying fields wherever feasible.
2. How we use data
- To provide, maintain, and improve the Service.
- To authenticate users and protect accounts.
- To deliver reports to patients via WhatsApp and email when laboratories instruct us to do so.
- To respond to support requests.
- To prepare invoices, recover dues, and meet tax obligations.
- To detect, investigate, and prevent fraud, abuse, or violations of our Terms.
- To comply with applicable law and lawful requests from authorities.
We do not sell personal data, and we do not use Customer Data to train third-party machine-learning models.
3. Lawful basis
We process account data on the basis of your consent and the necessity to perform the contract between us. We process Customer Data only on the documented instructions of the laboratory, which is the Data Fiduciary for that data.
4. Sharing
We share data only with:
- Sub-processors — cloud hosting, email delivery, WhatsApp Business messaging, payment processing, and customer support tooling. Each is bound by a written data-processing agreement consistent with this policy.
- Authorities — where disclosure is required by law, regulation, court order, or to protect the rights, safety, or property of Nidan, our customers, or the public.
- Successors — in the event of a merger, acquisition, or asset sale, in which case we will give you advance notice and the opportunity to delete your data before the transfer.
5. Storage and transfers
Production Customer Data is stored in India. Backup snapshots are encrypted at rest and stored in the same region. Where we process data outside India for limited operational purposes (for example, transactional email or error monitoring), we apply contractual safeguards consistent with the DPDP Act.
6. Retention
- Customer Data is retained while your subscription is active.
- After cancellation, Customer Data is retained for ninety (90) days to allow export, after which it is deleted from production systems. Encrypted backup copies age out within an additional ninety (90) days.
- Account, billing, and tax records may be retained for longer periods where required by Indian law.
- Audit logs are retained for security and compliance purposes for up to thirty-six (36) months.
7. Security
- Data is encrypted in transit (TLS) and at rest.
- Access to Customer Data by Nidan personnel is role-based, multi-factor authenticated, and audited.
- We follow secure-development practices, including code review, dependency scanning, and periodic penetration testing.
- We test our incident response plan and notify affected laboratories of personal-data breaches without undue delay, in line with the DPDP Act and other applicable law.
8. Your rights
If you are a Nidan account holder, you have the right to access, correct, update, or delete the personal data we hold about you, and to withdraw consent where consent is the basis of processing. Write to privacy@nidan.in to exercise these rights.
If you are a patient or other data principal whose data has been processed through Nidan by a laboratory, please contact the laboratory directly. The laboratory is the Data Fiduciary and is best placed to action your request. We will support the laboratory in responding within the timelines required by law.
9. Cookies and tracking
We use a small number of cookies that are strictly necessary for the Service to function (session, CSRF, and load balancing). Marketing pages may use minimal first-party analytics to understand aggregate traffic; we do not use cross-site tracking pixels or third-party advertising cookies.
10. Children's data
Patient records processed through Nidan may include data of minors when laboratories collect samples from paediatric patients. We process such data only on the laboratory's instructions and apply the same protections as for adult records. We do not knowingly collect personal data directly from children for our own use.
11. Changes to this policy
We may update this Privacy Policy from time to time. Where a change materially affects your rights, we will notify you in advance through the Service or by email. The "Last updated" date at the top of this page reflects the latest change.
12. Grievance officer and contact
For privacy questions, complaints, or to raise a grievance under the DPDP Act, contact our Grievance Officer:
- Email — privacy@nidan.in
- Phone — +91 98XXX XXXXX
- Address — [Registered office address, City, State, PIN], India
We will acknowledge grievances within seventy-two (72) hours and respond substantively within fifteen (15) days, or sooner where required by law.