Effective date: 2 July 2026 · Applies to naadham.ai, the Naadham clinic console, APIs, and the Naadham AI voice/messaging services.
Naadham is operated by [LEGAL ENTITY NAME], a company incorporated in India with registered office at [REGISTERED ADDRESS] ("Naadham", "we"). Contact: [PRIVACY EMAIL, e.g. [email protected]]. Grievance Officer (India DPDP Act 2023 & IT Act 2000): [NAME], [EMAIL], [ADDRESS] — we acknowledge grievances within 24 hours and resolve within applicable statutory timelines.

| Data | Purpose | Legal basis |
|---|---|---|
| Demo call/chat content, mic audio during a browser demo | run the live demo you start | consent (you start it) |
| "Call me" form: name, phone, interest, consent record, IP | place the demo call you requested; abuse prevention | consent; legitimate interest (fraud/abuse) |
| Contact form: name, email, message | respond to you | legitimate interest / consent |
| Technical logs (IP, user-agent, timestamps), rate-limit counters | security, abuse prevention, debugging | legitimate interest |

| Data | Purpose | Legal basis |
|---|---|---|
| Account: work email, organisation name, hashed password, role | provide the service, authentication | contract |
| Configuration: agent persona, FAQs, schedules, phone numbers | operate your AI receptionist | contract |
| Billing: plan, prepaid balance, usage metering, payment references | billing and receipts (card data is held by our payment processors, never by us) | contract; legal obligation (tax) |
| KYC/verification documents and status | telecom-compliance verification before outbound calling | legal obligation / legitimate interest |
| Support communications | support | contract |

| Data | Purpose |
|---|---|
| Call audio (processed in real time), transcripts, caller phone number and name, call metadata (time, duration, outcome) | answer the call, book the appointment, produce the transcript and quality score the clinic sees |
| Booking details: name, phone, service, appointment time | create the appointment in the clinic's schedule |
| WhatsApp/SMS/web-chat messages with the clinic's AI | respond on the clinic's behalf |
| Consent and do-not-call records for outbound calls | lawful-calling enforcement (see §7) |

Health information. Conversations with a clinic's AI may incidentally include health information a caller chooses to share. We process it solely to provide the service to the clinic, apply strict access controls to it, and technically block our AI from giving medical advice. The clinic remains the controller of patient data.
We share data only with the infrastructure and AI providers needed to run the service — never for advertising, and we do not sell or "share" (as defined by the CCPA) personal information. The current list, with roles and locations, is maintained at naadham.ai/subprocessors. We may also disclose data when required by law or to protect rights, safety, or the integrity of the service, and in a merger or acquisition (with notice and continuity of this policy's protections).
Our production infrastructure is currently hosted in India (Google Cloud, asia-south1), with certain subprocessors processing data in the US/EU as listed on the subprocessor page. For customers in the UK/EEA we offer the UK IDTA/Addendum and EU Standard Contractual Clauses (2021) as part of our Data Processing terms. As we open regional hosting, tenants will be able to have their data stored in-region; the subprocessor page will always reflect current locations.

| Data | Retention |
|---|---|
| Call audio | processed in real time; not retained as recordings unless a recording feature is explicitly enabled by the clinic |
| Transcripts, bookings, contacts, QA scores | for the life of the clinic's account, or until the clinic deletes them (self-service deletion tools are provided) |
| Consent records | up to 3 years after last activity (legal defence of lawful-calling) |
| Do-not-call entries | indefinitely as a suppression record (removing them would risk calling you again) |
| Account/billing records | as required by tax law (typically 7–8 years in India) |
| Website demo/lead data | up to 12 months |
| Security logs | up to 12 months |

Everyone: opt out of automated calls permanently at any time — tell the AI to stop calling, or use the do-not-call endpoint/form; the number is suppressed on every outbound path.
India (DPDP Act 2023): access, correction, erasure, grievance redressal, nomination. Contact the Grievance Officer (§1). EEA/UK (GDPR): access, rectification, erasure, restriction, portability, objection; complain to your supervisory authority (or the ICO in the UK). California (CCPA/CPRA): know, delete, correct, opt out of sale/sharing (we do not sell or share), non-discrimination. Other regions: we honor the strongest applicable rights in practice.
How: clinics exercise rights in-product (export and deletion tools in the console) or by email; patients contact their clinic (the controller) — and we act on the clinic's instruction, or forward your request to the clinic if you contact us directly. We respond within 30 days (or shorter statutory periods). Identity verification is required for requests.
The website and console use no advertising or analytics cookies. We use: (a) localStorage for your sign-in session and interface preferences (functional, not shared); (b) Cloudflare Turnstile for bot protection on public forms (may set its own functional cookie under Cloudflare's policy); (c) our payment processors' scripts during checkout. Because we use no non-essential trackers, no cookie-consent banner is required; if that changes we will add one.
Per-tenant isolation enforced with database row-level security; passwords stored as salted PBKDF2 hashes; session tokens and API keys stored only as hashes; stored provider secrets encrypted at rest (Fernet/AES); TLS in transit; constant-time credential comparisons; role-based access (staff logins are read-only); rate-limiting and abuse guards on all public endpoints; infrastructure access limited to authorized operators. No method is 100% secure; we notify affected customers and authorities of personal-data breaches as required by law (including within statutory windows such as GDPR's 72 hours).
Our services are B2B and not directed to children. A caller of a clinic may be a minor whose parent/guardian books on their behalf; the clinic controls such data. We do not knowingly collect children's data for our own purposes.
We will post changes here with a new effective date, and notify account owners by email or console notice for material changes. The audit trail of this policy is preserved in version control.
Privacy requests: [PRIVACY EMAIL] · Grievance Officer (India): §1 · Postal: [REGISTERED ADDRESS]. EU/UK representatives will be listed here once appointed.