Privacy Policy.

This document is provided as a template draft. The final binding version should be reviewed and signed off by qualified legal counsel before publication.

1. Introduction

This Privacy Policy explains how Axone Health Enterprizes Private Limited (CIN U62013KA2024PTC190583, “Axone”, “we”, “us”) collects, uses, shares, and protects personal data when our customer hospitals deploy the Axone clinical platform. This Policy is written to comply with the Digital Personal Data Protection Act 2023 of India, and is the document we ask every customer, employee, and visitor to read first.

Axone is a data fiduciary for its own corporate records, and a data processor for the patient and clinical information our customer hospitals process through the platform. The hospital remains the data fiduciary for all patient data; this Policy describes our obligations as their processor and the principles we apply uniformly.

2. Definitions

• Personal data - any information about an identified or identifiable natural person.
• Sensitive personal data - personal data revealing health, biometric identifiers, genetic data, or other categories deemed sensitive under the DPDP Act 2023.
• Processing - any operation performed on personal data, whether automated or not.
• Data principal - the natural person to whom the personal data relates.
• Data fiduciary - the person who, alone or jointly with others, determines the purpose and means of processing.
• Data processor - the person who processes personal data on behalf of a data fiduciary.

3. Information we collect

3.1 Account information

When customer-hospital users create accounts, we collect name, work email address, designation, hospital affiliation, and authentication credentials. We do not collect personal identification numbers, Aadhaar, or PAN unless explicitly required for invoicing or statutory compliance.

3.2 Clinical interaction data

When clinicians use voice or text features, the platform processes the clinical conversation to generate structured documentation. The hospital is the data fiduciary for this data; we process it strictly under the hospital’s instructions. Voice data may be transiently buffered for transcription, then discarded; structured outputs are persisted in the hospital’s data store.

3.3 Usage and device data

We collect technical telemetry - IP address, browser/device model, session metadata, performance traces, error logs - to operate the service. We do not link this telemetry to identifiable patient records.

3.4 Marketing site data

The Axone marketing site (this website) collects standard analytics: page views, referrers, anonymised IP. No clinical data is processed by the marketing site.

4. How we use your information

• Service provision. To deliver, operate, monitor, secure, and improve the Axone platform.
• AI model improvement. To improve our specialty-routed clinical models, using only de-identified, aggregated data where the data fiduciary has expressly consented.
• Compliance. To comply with NABH, ABDM, DPDP, and other regulatory obligations applicable to a data processor.
• Communication. To respond to your enquiries, deliver service notifications, and share critical security or compliance updates.
• Billing and contract administration. To invoice, track usage, and administer the contractual relationship with our customer hospitals.

5. Legal basis for processing

We process personal data under one or more of the following legal bases under the DPDP Act 2023 and applicable global standards:

• Consent from the data principal or the data fiduciary, as applicable;
• Contract performance with our customer hospitals;
• Legal obligation imposed on us as a data processor;
• Legitimate interests in operating, securing, and improving the platform, where these interests are balanced against the rights of data principals.

6. Sharing and disclosure

We do not sell personal data, ever. We share personal data only in the following cases:

• Cloud infrastructure providers - to host the platform under contractually committed data-processing agreements (currently Google Cloud Platform, region ap-south1 Mumbai for Indian deployments).
• Regulatory bodies - when required by law, court order, or statutory authority, and only to the minimum extent necessary.
• Customer hospital - every record we process on the hospital’s behalf is, by definition, the hospital’s record.
• Successor entity - in the event of a merger, acquisition, or corporate restructuring, subject to the same data-protection commitments.

7. Data security

We apply security controls aligned with ISO/IEC 27001, including: encryption at rest (AES-256) and in transit (TLS 1.3), strict role-based access controls, hash-chained audit logs, segregated production environments, and continuous vulnerability scanning. Personnel access to production data is logged and reviewed.

8. Data retention

We retain personal data only as long as it is necessary for the purpose for which it was collected. Clinical records processed on behalf of our customer hospitals are retained per the hospital’s retention policy, which must comply with applicable medical-records statutes (typically 8–10 years in India). Account data is retained for the duration of the contract plus a defined statutory archive period.

Specific retention timelines are subject to legal review and will be confirmed in the customer\u2019s Data Processing Agreement.

9. Your rights as a data principal

Under the DPDP Act 2023, you may exercise the following rights through our designated Grievance Officer:

• Access the personal data we hold about you;
• Correct inaccurate or incomplete personal data;
• Erase personal data, subject to statutory retention obligations;
• Portability of structured personal data in machine-readable form;
• Withdraw consent for any processing based on consent;
• Grievance if you believe your rights have been infringed.

10. Cross-border data transfers

For deployments serving Indian hospitals, identifiable patient data is hosted exclusively in Google Cloud ap-south1 (Mumbai) and is not transferred outside Indian jurisdiction without a documented purpose and the explicit instruction of the customer hospital. For deployments in other regions, we host in region-appropriate Google Cloud locations and apply the data-protection law of that jurisdiction.

11. Children’s data

The Axone marketing site and direct services are intended for healthcare providers, not for direct-to-consumer use by minors. Where paediatric clinical data is processed on behalf of customer hospitals, the hospital is responsible for obtaining parental or guardian consent in compliance with the DPDP Act 2023.

12. Cookies and tracking

Our marketing site uses a minimal set of cookies for session continuity and aggregate analytics. We do not use third-party advertising trackers. Specific cookie names and durations will be enumerated in a Cookie Notice, pending legal review.

13. Grievance officer

For any concerns regarding our processing of personal data, please write to our Grievance Officer at team@axonehealth.com. We will respond within the timelines mandated by the DPDP Act 2023.

Grievance Officer name and direct contact details to be confirmed.

14. Changes to this policy

We may update this Policy from time to time. Material changes will be notified to our customer hospitals via email at least 30 days in advance of the effective date. The “Last updated” date at the top of this page will always reflect the current version.

15. Contact us

Axone Health Enterprizes Private Limited
CIN: U62013KA2024PTC190583
WeWork, Vaishnavi Signature, Outer Ring Road, Bellandur, Bengaluru, Karnataka, India
General: team@axonehealth.com
Privacy / Grievance: team@axonehealth.com

View our Terms & Conditions →