Privacy Policy

Effective date: 2 July 2026 · Applies to naadham.ai, the Naadham clinic console, APIs, and the Naadham AI voice/messaging services.

The two-role summary. Naadham has two very different privacy roles: (1) for clinic accounts and website visitors we are the data fiduciary / controller — we decide how that data is used; (2) for patients and callers of our clinic customers (call audio, transcripts, bookings) we are a data processor / service provider — the clinic is the controller and we act only on its instructions under our Data Processing terms. Patients: your first point of contact for privacy requests is your clinic; we support every request they pass to us.

1. Who we are

Naadham is operated by [LEGAL ENTITY NAME], a company incorporated in India with registered office at [REGISTERED ADDRESS] ("Naadham", "we"). Contact: [PRIVACY EMAIL, e.g. [email protected]]. Grievance Officer (India DPDP Act 2023 & IT Act 2000): [NAME], [EMAIL], [ADDRESS] — we acknowledge grievances within 24 hours and resolve within applicable statutory timelines.

2. What we process, and why

2.1 Website visitors (we are controller)

DataPurposeLegal basis
Demo call/chat content, mic audio during a browser demorun the live demo you startconsent (you start it)
"Call me" form: name, phone, interest, consent record, IPplace the demo call you requested; abuse preventionconsent; legitimate interest (fraud/abuse)
Contact form: name, email, messagerespond to youlegitimate interest / consent
Technical logs (IP, user-agent, timestamps), rate-limit counterssecurity, abuse prevention, debugginglegitimate interest

2.2 Clinic customers and their staff (we are controller)

DataPurposeLegal basis
Account: work email, organisation name, hashed password, roleprovide the service, authenticationcontract
Configuration: agent persona, FAQs, schedules, phone numbersoperate your AI receptionistcontract
Billing: plan, prepaid balance, usage metering, payment referencesbilling and receipts (card data is held by our payment processors, never by us)contract; legal obligation (tax)
KYC/verification documents and statustelecom-compliance verification before outbound callinglegal obligation / legitimate interest
Support communicationssupportcontract

2.3 Patients & callers of clinics (we are processor on the clinic's instructions)

DataPurpose
Call audio (processed in real time), transcripts, caller phone number and name, call metadata (time, duration, outcome)answer the call, book the appointment, produce the transcript and quality score the clinic sees
Booking details: name, phone, service, appointment timecreate the appointment in the clinic's schedule
WhatsApp/SMS/web-chat messages with the clinic's AIrespond on the clinic's behalf
Consent and do-not-call records for outbound callslawful-calling enforcement (see §7)

Health information. Conversations with a clinic's AI may incidentally include health information a caller chooses to share. We process it solely to provide the service to the clinic, apply strict access controls, and our AI is technically blocked from providing medical advice. The clinic remains the controller of patient data.

3. AI processing — the honest specifics

4. Subprocessors & recipients

We share data only with the infrastructure and AI providers needed to run the service — never for advertising, and we do not sell or "share" (as defined by the CCPA) personal information. The current list, with roles and locations, is maintained at naadham.ai/subprocessors. We may also disclose data when required by law or to protect rights, safety, or the integrity of the service, and in a merger or acquisition (with notice and continuity of this policy's protections).

5. Where data lives & international transfers

Our production infrastructure is currently hosted in India (Google Cloud, asia-south1), with certain subprocessors processing data in the US/EU as listed on the subprocessor page. For customers in the UK/EEA we offer the UK IDTA/Addendum and EU Standard Contractual Clauses (2021) as part of our Data Processing terms. As we open regional hosting, tenants will be able to have their data stored in-region; the subprocessor page will always reflect current locations.

6. Retention

DataRetention
Call audioprocessed in real time; not retained as recordings unless a recording feature is explicitly enabled by the clinic
Transcripts, bookings, contacts, QA scoresfor the life of the clinic's account, or until the clinic deletes them (self-service deletion tools are provided)
Consent recordsup to 3 years after last activity (legal defence of lawful-calling)
Do-not-call entriesindefinitely as a suppression record (removing them would risk calling you again)
Account/billing recordsas required by tax law (typically 7–8 years in India)
Website demo/lead dataup to 12 months
Security logsup to 12 months

7. Your rights & choices

Everyone: opt out of automated calls permanently at any time — tell the AI to stop calling, or use the do-not-call endpoint/form; the number is suppressed on every outbound path.

India (DPDP Act 2023): access, correction, erasure, grievance redressal, nomination. Contact the Grievance Officer (§1). EEA/UK (GDPR): access, rectification, erasure, restriction, portability, objection; complain to your supervisory authority (or the ICO in the UK). California (CCPA/CPRA): know, delete, correct, opt out of sale/sharing (we do not sell or share), non-discrimination. Other regions: we honor the strongest applicable rights in practice.

How: clinics exercise rights in-product (export and deletion tools in the console) or by email; patients contact their clinic (the controller) — and we act on the clinic's instruction, or forward your request to the clinic if you contact us directly. We respond within 30 days (or shorter statutory periods). Identity verification is required for requests.

8. Cookies & similar technologies

The website and console use no advertising or analytics cookies. We use: (a) localStorage for your sign-in session and interface preferences (functional, not shared); (b) Cloudflare Turnstile for bot protection on public forms (may set its own functional cookie under Cloudflare's policy); (c) our payment processors' scripts during checkout. Because we use no non-essential trackers, no cookie-consent banner is required; if that changes we will add one.

9. Security

Per-tenant isolation enforced with database row-level security; passwords stored as salted PBKDF2 hashes; session tokens and API keys stored only as hashes; stored provider secrets encrypted at rest (Fernet/AES); TLS in transit; constant-time credential comparisons; role-based access (staff logins are read-only); rate-limiting and abuse guards on all public endpoints; infrastructure access limited to authorized operators. No method is 100% secure; we notify affected customers and authorities of personal-data breaches as required by law (including within statutory windows such as GDPR's 72 hours).

10. Children

Our services are B2B and not directed to children. A caller of a clinic may be a minor whose parent/guardian books on their behalf; the clinic controls such data. We do not knowingly collect children's data for our own purposes.

11. Changes

We will post changes here with a new effective date, and notify account owners by email or console notice for material changes. The audit trail of this policy is preserved in version control.

12. Contact

Privacy requests: [PRIVACY EMAIL] · Grievance Officer (India): §1 · Postal: [REGISTERED ADDRESS]. EU/UK representatives will be listed here once appointed.