Privacy Policy

Data Controller: Dr. Mohamed Mabrooq Mufeeth, trading as AI MediLabs
Address: 79-119, Perumal Kulam Street, Kottar, Agasteeswaram, Nagercoil, Kanyakumari, Tamil Nadu, India 629002
Data Protection Officer: dpo@aimedilabs.com
Contact for Privacy Queries: privacy@aimedilabs.com | general@aimedilabs.com

Last updated: March 2026  •  Applies to all AimediLabs users (free tools, Patient Dashboard, Healthcare Workspace). Compliant with India's Digital Personal Data Protection Act, 2023 (DPDP Act).

1. Our Commitment to Privacy

AimediLabs is committed to protecting your health data and personal information. This policy explains what information we collect (and don't collect), how we use it, how we protect it, and your rights regarding your data.

Core principle: You own your data. We encrypt it, protect it, never sell it, and follow HIPAA guidelines for health information.

2. Free Tools (No Login Required)

What We Don't Collect

When you use AimediLabs free tools anonymously (without logging in), AimediLabs does NOT:

• Collect, store, or retain your health data or inputs
• Create a user profile or identify you personally
• Track your health history or medical information
• Link your data to an account or identity

Real-Time Processing, No Storage

Free tools (lab interpreters, drug checkers, calculators, etc.) process your inputs instantly and discard them immediately after your session ends. Nothing is saved on our servers. This is why free tools are completely anonymous.

What We May Collect Automatically (Anonymous)

We may automatically collect limited, anonymized technical data:

• General geographic location (country/region, not street address)
• Browser type and operating system
• Pages visited and time spent on site
• Referring source (Google search, direct link, etc.)
• Device type (mobile, desktop, tablet)
• General performance metrics (page load time)

This data cannot identify you and is used only for analytics and platform improvement.

3. Registered Accounts (Patient Dashboard & Healthcare Workspace)

What We Collect With Your Consent

When you register for Patient Premium (₹500/month) or Healthcare Professional Premium (₹900/month), we collect:

• Email address and password (bcrypt hashed)
• Name and role (patient, healthcare professional, student, researcher, etc.)
• Health data YOU choose to upload (medical records, lab results, visit notes, prescriptions, etc.)
• Health history and context YOU provide to the AI chat
• Clinical notes and workspace activity (for healthcare professionals)
• Device information and access logs (for security)

Data Ownership & Control

You own all your data. You can:

• View all your stored data anytime
• Download your entire health record in standard formats (FHIR, PDF, etc.)
• Share specific records with doctors, specialists, or family members with time-limited access
• Revoke sharing permissions anytime
• Delete any or all data — it will be permanently removed

4. How We Protect Your Data

Encryption

All health data at rest is encrypted using AES-256 encryption. Data in transit uses TLS/SSL (HTTPS). Even our staff cannot read your encrypted health data.

Access Controls

• Only you can access your account with your login credentials
• Session tokens expire after 24 hours (or 30 days with "remember me")
• We log all access to your data (who, when, from where)
• Suspicious login attempts trigger security alerts

Infrastructure Security

• Encrypted database backups
• Regular security audits and penetration testing
• Secure cloud infrastructure (with DLP controls)
• No storage of PHI/PII on public networks or unencrypted backups

5. How We Use Your Data

To Provide Services

• Powering the unified AI chat that learns your health context
• Generating personalized health insights and recommendations
• Secure sharing with healthcare providers
• Patient progress tracking and health timeline visualization

For Platform Improvement (Aggregated Only)

• Analyzing anonymized, aggregated patterns to improve tools and features
• Training AI models on de-identified data to improve accuracy
• Identifying which tools are most helpful to different user groups

What We Do NOT Do

• We do NOT sell your data to pharmaceutical companies, insurance, or advertisers
• We do NOT profile you for ad targeting
• We do NOT share your data with third parties without explicit consent (except for legal compliance)
• We do NOT use your health data for purposes other than providing our service

6. Cookies & Tracking

Session Cookies

We use cookies to:

• Keep you logged in: Session tokens stored in cookies (httpOnly, secure, sameSite)
• Remember your preferences: Theme (light/dark mode), language, timezone
• CSRF protection: Security tokens to prevent cross-site attacks

Analytics Cookies

We use Google Analytics to understand how users interact with AimediLabs (pages visited, time on site, traffic sources). This data is anonymized and aggregated. You can:

• Opt out via Google Analytics Settings
• Use your browser's "Do Not Track" setting
• Disable cookies in your browser (may affect functionality)

Third-Party Advertising Cookies

Google AdSense may use cookies to serve relevant ads based on your browsing history. You can manage ad preferences through Google Ad Settings or opt out via the NAI opt-out tool.

7. Third-Party Services

AI Providers

AimediLabs uses third-party AI models for generating responses:

• Google Gemini (for medical text extraction and analysis)
• OpenAI GPT-4o (for chat and clinical reasoning)
• DeepSeek (open-source fallback model)

When you use the chat, your health data and questions are sent to these providers' API endpoints. These providers follow their own privacy policies. We send only necessary data for the chat response, not your complete health record.

Infrastructure

• Cloud hosting for encrypted databases and APIs
• Nginx for reverse proxy and SSL/TLS
• MariaDB for relational data storage
• Weaviate for vector embeddings (RAG search)

Advertising Networks

Google AdSense serves ads on free tools. Google may use cookies and your browsing data for ad targeting.

8. HIPAA Compliance

AimediLabs handles health information and follows HIPAA Security Rule requirements:

• Encryption of data at rest (AES-256) and in transit (TLS)
• Access controls and authentication (bcrypt passwords, JWT tokens)
• Audit logs of all data access and modifications
• Secure disposal of data upon deletion or account termination
• Business Associate Agreements with third-party processors

However, AimediLabs is not a HIPAA-covered entity unless it meets specific healthcare provider definitions. Your data is protected, but consult legal counsel for industry-specific compliance requirements.

9. Data Retention

Free Tools

No data is retained. Session data is discarded immediately after logout or session timeout.

Registered Accounts

• Your account data is retained as long as your account is active
• Upon account deletion, all your data is permanently deleted from all databases and backups within 30 days
• Access logs are retained for 90 days (for security auditing)
• Anonymized analytics data may be retained longer (cannot be linked to you)

10. Your Privacy Rights

Access

You have the right to access all personal and health data we hold about you. Contact us at general@aimedilabs.com and we will provide a complete export within 14 days.

Correction

You have the right to correct inaccurate or incomplete data. You can edit most data directly in your account dashboard.

Deletion

You have the right to delete your account and all associated data. This is permanent and cannot be undone. Data will be purged from all systems within 30 days.

Portability

You have the right to receive your data in standard, machine-readable formats (FHIR, CSV, JSON) for transfer to another provider.

Withdraw Consent

For optional data collection (like analytics), you can withdraw consent anytime by changing your browser settings or contacting us.

Opt-Out of Advertising

You can opt out of personalized advertising through Google Ad Settings, AdChoices, or your browser's privacy settings.

11. Children's Privacy (COPPA)

AimediLabs is not intended for children under 13 years of age. We do not knowingly collect information from children. If you believe a child has created an account or submitted data, contact us immediately at general@aimedilabs.com and we will delete the account and data.

12. International Users

GDPR (European Users)

If you are in the EU/EEA, you have additional rights under GDPR: data access, correction, deletion, portability, and restriction of processing. We process personal data only with your explicit consent.

CCPA (California Users)

If you are in California, you have the right to know, delete, and opt-out of the "sale" of personal data. AimediLabs does not sell your data.

Other Jurisdictions

Other countries may have similar privacy laws (Canada's PIPEDA, Australia's Privacy Act, etc.). We comply with applicable privacy laws in your jurisdiction.

13. Data Breaches & Notification

In the event of a data breach affecting your personal or health data, we will:

• Notify you via email within 72 hours of discovery
• Provide details of what data was compromised and affected users
• Offer free credit monitoring or similar remediation if applicable
• Notify relevant regulators (HIPAA, GDPR, state AGs) as legally required

14. DPDP Act 2023 Compliance (India)

AimediLabs is compliant with India's Digital Personal Data Protection Act, 2023 (DPDP Act).

Your Rights Under DPDP Act 2023

• Right to Know: Request a copy of your personal data. We will respond within 30 days.
• Right to Correct: Request correction of inaccurate or incomplete data.
• Right to Deletion: Request erasure of non-essential data ("Right to be Forgotten").
• Right to Restrict Processing: Restrict how we use your data.
• Right to Withdraw Consent: Withdraw consent anytime without affecting past processing.
• Right to Grievance: File complaints with our Data Protection Officer.

Purpose Limitation

Your data is used ONLY for the stated purposes:

• Providing healthcare services and subscription features
• Processing payments (via Razorpay/PayU)
• Improving platform features (aggregated, anonymized)
• Legal/compliance requirements

Data Minimization

We collect only data essential for providing our service. No excessive data collection.

Storage & Localization

All personal and health data is stored on servers located in India only, as per RBI/DPDP requirements. No data is transferred outside India without explicit consent and legal agreement.

Grievance Officer Contact

For DPDP Act complaints, contact:
📧 dpo@aimedilabs.com
📧 grievance@aimedilabs.com
Response time: Within 30 days of receipt
Address: 79-119, Perumal Kulam Street, Kottar, Agasteeswaram, Nagercoil, Kanyakumari, Tamil Nadu, India 629002

15. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent changes. Material changes will be announced via email or on-site notification. Continued use constitutes acceptance of the updated policy. We encourage you to review this policy regularly.

16. Contact & Complaints

Privacy Questions

For questions about this policy, your data, or privacy concerns, contact us at general@aimedilabs.com. We will respond within 14 days.

Filing a Complaint

If you believe your privacy rights have been violated, you can:

• Contact us first to resolve the issue
• File a complaint with your local data protection authority (GDPR, CCPA, HIPAA, etc.)
• Seek legal counsel