ZeptAI logo

Privacy Policy

Effective Date: 06-04-2026

Company Name: ZEPTA FOCUSAI TECHNOLOGY PVT LTD

Contact Email: zeptafocusai@zeptai.com

1. Introduction

This Privacy Policy describes how ZEPTA FOCUSAI TECHNOLOGY PVT LTD (“Company”, “we”, “our”, or “us”) collects, processes, uses, and protects information in connection with its AI-powered healthcare technology platform.

Our platform is designed as a web-based and API-first Software-as-a-Service (SaaS) solution that enables healthcare providers, hospitals, clinics, and partner platforms to integrate AI-driven patient interaction and clinical documentation capabilities into their workflows.

We operate in a healthcare environment where data sensitivity is significantly higher than in general digital services. Information related to patient interactions, symptoms, and clinical context requires enhanced safeguards due to its critical nature.

Accordingly, we follow a privacy-by-design and data minimization approach, ensuring that only necessary data is processed and that strong security controls are applied at every stage.

We are committed to maintaining transparency, protecting user trust, and aligning our practices with applicable laws and globally recognized data protection principles, including:

  • Digital Personal Data Protection Act (DPDP Act), 2023
  • ABDM (Ayushman Bharat Digital Mission) principles
  • HIPAA-aligned safeguards (best practices)

By accessing or using our platform, you acknowledge that you have read, understood, and agreed to this Privacy Policy.

2. Nature of Services

Our platform provides an advanced AI-powered clinical documentation and pre-screening assistant designed to support healthcare professionals by streamlining patient interaction and medical data structuring.

The system operates through a voice-based conversational interface, where patients communicate their symptoms, concerns, and relevant health information. This interaction is processed in real time using artificial intelligence technologies, enabling the transformation of unstructured conversation into structured clinical summaries.

Operational Workflow

  • Patients interact with an AI assistant using voice input
  • The system captures and processes responses in real time
  • Relevant health-related information is extracted and structured
  • A summarized clinical report is generated
  • The report is made accessible to healthcare professionals through integrated systems or dashboards

This workflow reduces repetitive questioning, improves documentation efficiency, and enables faster clinical review.

Scope and Limitations

The platform is strictly designed as a support tool for documentation and workflow enhancement within healthcare environments.

  • It does not replace clinical judgment
  • It does not provide medical advice or recommendations
  • It does not diagnose medical conditions

All outputs generated by the system must be reviewed and validated by licensed healthcare professionals before being used in clinical decision-making.

3. Platform Architecture and SaaS Model

The platform operates as a web-based, API-first Software-as-a-Service (SaaS) infrastructure.

This means:

  • The system is integrated into third-party healthcare platforms such as hospital systems, clinic software, or partner applications
  • The Company does not operate a standalone consumer mobile application
  • The platform is deployed within clinical environments through API integrations

Role Distribution

In this architecture, responsibilities are clearly divided:

API Clients (Healthcare Providers / Platforms)

  • Act as data controllers
  • Collect and manage patient data
  • Define how data is stored and used

Company (ZEPTA FOCUSAI TECHNOLOGY PVT LTD)

  • Acts as a data processor
  • Processes data only to:
    • Enable AI interaction
    • Generate structured summaries
    • Improve system performance using anonymized data

The Company does not independently control or manage full patient records.

4. Information We Process

We follow a strict data minimization approach, ensuring that only relevant and necessary data is processed.

4.1 Patient Interaction Data

During AI interaction, the system may process:

  • Voice input provided by the patient
  • Automatically generated transcripts
  • Health-related information including:
    • Symptoms
    • Medical concerns
    • Patient responses

This data is processed solely for the purpose of generating structured clinical summaries and supporting healthcare workflows.

4.2 Limited Personal Data

Depending on how the API Client implements the system, limited personal information may be involved, such as:

  • Name
  • Phone number

However:

  • The AI system does not require personal identifiers to function
  • Such data is not central to system processing
  • Control of this data remains with the API Client

4.3 Healthcare Provider Data

We may process limited information related to healthcare professionals and organizations:

  • Name of doctor or organization
  • Professional details
  • Contact information
  • Account and usage data

This information is required for authentication, access control, and system functionality.

4.4 Technical and Usage Data

To maintain performance and security, we may process:

  • System logs
  • API usage data
  • Error diagnostics
  • Interaction timestamps

This data is used only for system improvement, monitoring, and security purposes.

5. Data Storage Model

We follow a minimal and controlled data storage architecture.

Key Principles

  • We do not store full patient medical records
  • We do not maintain long-term identifiable patient profiles
  • We do not function as a primary health record system

Data Location

Patient data is primarily stored and controlled by:

  • API Clients (hospitals, clinics, partner platforms), or
  • User-side systems where applicable

Temporary Processing

Our systems may temporarily process data for:

  • AI interaction
  • Report generation
  • System performance

Such data is:

  • Limited in scope
  • Processed only for defined purposes
  • Not retained longer than necessary

6. AI Training and Data Anonymization

We implement a strict privacy-first AI training framework.

Data Protection Rules

We do not use any personally identifiable information (PII), including:

  • Name
  • Phone number
  • Email address
  • Any identifiable references

Anonymization Process

Before any data is used:

  • Raw interaction data is processed
  • Personal identifiers are automatically removed
  • Data is anonymized and de-identified
  • Only cleaned data is used for training

Voice Data Handling for Training

  • Raw voice recordings are not used in identifiable form
  • Voice may be converted into text
  • Text is anonymized before usage

Type of Data Used

Only non-identifiable data is used, including:

  • Symptom patterns
  • General medical descriptions
  • Interaction structures

Safeguards

  • Data cannot be linked back to individuals
  • No attempt is made to re-identify users
  • Training is limited to improving system accuracy and performance

Consent is a fundamental requirement for the lawful use of the Platform, particularly due to the nature of sensitive health-related data processed through AI-based interactions.

We follow a structured, transparent, and layered consent approach to ensure that users are fully informed and have control over how their data is processed.

Patient consent is obtained prior to initiating any AI-based interaction.

  • A clear and user-friendly consent interface is presented before interaction begins
  • The system does not initiate voice interaction or data processing without explicit user approval

The consent interface informs users about:

  • Voice interaction and potential recording
  • Processing of health-related information
  • Generation of structured clinical summaries
  • Potential sharing of reports with healthcare professionals upon user action

AI interaction begins only after an explicit affirmative action by the user (such as clicking “Agree” or an equivalent action), indicating informed and voluntary consent.


Healthcare professionals (including doctors, clinics, and hospitals) provide consent:

  • At the time of account registration
  • During profile creation or onboarding

By providing such consent, healthcare providers acknowledge that:

  • They are responsible for the lawful use of the Platform
  • They will handle patient data in accordance with applicable laws and professional standards
  • They understand their role as data controllers where applicable


Where the Platform is accessed or integrated through APIs by healthcare providers, hospitals, or third-party applications (“API Clients”), the responsibility for obtaining user consent lies with the respective API Client.

API Clients must ensure that:

  • Explicit, informed, and lawful consent is obtained from patients before initiating any AI interaction
  • Users are clearly informed about:
    • Voice recording and interaction
    • Data processing and report generation
    • Potential sharing of information with healthcare professionals
  • Consent is obtained prior to transmitting any data to the Platform

The Company processes data strictly based on instructions received from API Clients and assumes that all necessary and valid consent has been obtained.

The Company does not independently verify individual consent collection mechanisms implemented by API Clients and shall not be held responsible for any failure by API Clients to obtain valid consent.


Users may:

  • Discontinue use of the Platform at any time
  • Withdraw consent for future data processing

Upon withdrawal:

  • Future processing of data will be stopped
  • Previously processed data may continue to be retained where required for:
    • Legal obligations
    • Operational purposes
    • System integrity

Withdrawal of consent may limit or disable access to certain features of the Platform.

8. Data Sharing Principles

We maintain strict control over how data is shared.

Patient-Controlled Sharing

  • Data is not shared automatically
  • Sharing occurs only when initiated by the patient

Access by Healthcare Professionals

When a patient chooses to share data:

Healthcare professionals may access:

  • Structured reports
  • Relevant interaction data

Post-Sharing Responsibility

Once data is shared:

  • The healthcare provider becomes responsible for handling it
  • The Company does not control further use outside its system

9. API Client Responsibilities

As the Platform operates primarily as an API-based SaaS solution, API Clients (including hospitals, clinics, and partner platforms) have primary responsibility for the collection, control, and management of user data.


9.1 Role of API Clients

API Clients act as data controllers, and are responsible for determining:

  • What data is collected
  • How it is collected
  • How it is used and shared
  • How long it is retained

9.2 Core Responsibilities of API Clients

API Clients must:

  • Obtain valid, explicit, and informed consent from users before initiating any interaction with the Platform
  • Provide clear and transparent privacy notices to users
  • Ensure compliance with all applicable laws, including:
    • Digital Personal Data Protection Act (DPDP Act), 2023
    • Applicable healthcare data regulations
  • Implement appropriate mechanisms for:
    • Data collection
    • Data storage
    • Data retention
    • Data deletion
  • Ensure secure handling and transmission of patient data


API Clients are strictly responsible for implementing appropriate consent mechanisms within their systems.

This includes:

  • Designing user interfaces (such as consent popups or screens)
  • Ensuring that users are informed before any AI interaction begins
  • Preventing data transmission without user consent

Any data transmitted to the Platform through API integrations shall be deemed to have been collected with valid user consent by the API Client.

9.4 Data Handling and Compliance

API Clients are responsible for:

  • Ensuring that data is collected lawfully and ethically
  • Maintaining the accuracy and integrity of data
  • Handling user requests related to:
    • Data access
    • Data correction
    • Data deletion

The Company does not manage or control identifiable user data stored within API Client systems.

9.5 Company Limitation of Responsibility

The Company acts as a data processor and is not responsible for:

  • Failure of API Clients to obtain valid user consent
  • Improper or unlawful handling of data by API Clients
  • Non-compliance with applicable laws or regulations by API Clients
  • Any misuse of the Platform outside its intended purpose

The Company processes data strictly based on API instructions and does not independently control how data is collected or managed by API Clients.

10. Data Retention and Lifecycle Management

We follow a structured retention model.

General Principles

  • Data is retained only as necessary
  • Long-term identifiable storage is avoided
  • Retention aligns with operational and clinical needs

Interaction Data

  • Processed in real time
  • Temporarily stored for system functionality
  • Not retained beyond necessary duration

Voice Data Retention

  • Audio may be stored temporarily for:
    • Validation
    • Quality assurance
    • Clinical review
  • Standard retention:
    • Up to 60–90 days (configurable by API Clients)
  • Doctors may retain specific recordings longer if required
  • If not retained:
    • Data is automatically deleted
    • Or anonymized

Anonymized Data

  • May be retained longer
  • Cannot identify individuals

11. Data Security and Protection Measures

We implement strong safeguards to protect data.

Security Practices

  • Encryption during processing and transmission
  • Role-based access control
  • Secure authentication systems
  • Continuous monitoring

Infrastructure Security

We use secure cloud infrastructure (e.g., Firebase) with:

  • Encryption
  • Access restrictions
  • Secure configurations

Internal Controls

  • Limited system access
  • Minimal human involvement
  • Full logging and monitoring

12. Third-Party Services

We may use trusted third-party providers for:

  • Cloud infrastructure
  • Analytics
  • Technical support

Safeguards

  • Providers are selected based on security standards
  • Bound by confidentiality obligations
  • Used only for defined purposes

Limitation

We do not control third-party internal policies. Users should review their policies where applicable.

13. User Rights and Data Control

We are committed to ensuring transparency and providing users with appropriate control over their data, in accordance with applicable laws and data protection principles.

Subject to legal and operational limitations, users may have the following rights:

Right to Access

Users may request information regarding:

  • What data is being processed
  • The purpose of processing
  • How the data is being used

Right to Correction

Users may request correction of:

  • Inaccurate data
  • Incomplete information

This ensures that healthcare-related information remains accurate and reliable.

Right to Deletion

Users may request deletion of their data where:

  • The data is no longer necessary for the purpose it was collected
  • Consent has been withdrawn
  • There is no legal obligation to retain the data

Users may withdraw consent for data processing at any time. Upon withdrawal:

  • Future processing of data will be stopped
  • Previously processed data may still be retained where required for legal or operational reasons

Important Limitation (API-Based System)

Due to the API-first nature of the platform:

  • Most identifiable data is controlled by API Clients (e.g., hospitals, clinics)
  • Requests related to identifiable patient data may need to be directed to the respective healthcare provider

Post-Sharing Limitation

If a user has shared their data with a healthcare professional:

  • The Company does not control how that data is stored or used outside its system
  • Users may need to contact the healthcare provider directly for further actions

14. Data Breach and Incident Response

We take data security incidents seriously and have structured procedures in place to respond effectively.

Detection and Response

In the event of a data breach or suspected security incident, we may:

  • Identify and assess the nature and scope of the issue
  • Contain and isolate affected systems
  • Prevent further unauthorized access
  • Analyze potential impact on users

Mitigation Measures

We take immediate steps to:

  • Secure affected data
  • Restore system integrity
  • Implement corrective measures

Notification

Where required by applicable laws or risk assessment:

  • Affected users may be notified within a reasonable timeframe
  • Relevant authorities may also be informed

Continuous Improvement

We regularly improve our systems by:

  • Conducting security reviews
  • Updating safeguards
  • Enhancing monitoring mechanisms

15. Communication Policy

We maintain a strict policy regarding communication with users.

Permitted Communication

We may contact users for:

  • Service-related updates
  • System notifications
  • Operational alerts
  • Account-related information

Restrictions

We do not:

  • Send promotional or marketing messages without explicit consent
  • Use personal data for advertising or profiling

User Control

Users may manage communication preferences where applicable.

16. Financial Data and Payments

We maintain strict limitations regarding financial data.

Patient Data

  • We do not collect or store financial information from patients
  • This includes:
    • Bank account details
    • Debit/credit card information
    • Payment credentials

Payment Handling

Payments related to services are handled by:

  • Healthcare providers (API Clients), or
  • Secure third-party payment gateways

Security Assurance

  • We do not store sensitive financial credentials
  • Payment processing is handled through secure and compliant systems

17. Regulatory Alignment

We design our platform and policies to align with recognized data protection frameworks and best practices.

We align with principles under:

Digital Personal Data Protection Act (DPDP Act), 2023

Including:

  • Consent-based data processing
  • Purpose limitation
  • Data minimization
  • Accountability and security safeguards

Healthcare Data Framework (India)

We consider principles aligned with:

Ayushman Bharat Digital Mission (ABDM)

Including:

  • Patient-centric data ownership
  • Consent-driven data sharing
  • Secure digital health ecosystem

International Best Practices

We follow HIPAA-aligned safeguards for:

  • Data protection
  • Access control
  • Confidentiality

Important Clarification

  • We do not claim formal certification under DPDP, ABDM, or HIPAA unless explicitly obtained
  • Our systems are designed to align with their principles and expectations

18. AI System Disclaimer

The platform operates strictly as an assistive system designed to enhance documentation efficiency.

System Limitations

The system:

  • Does not provide medical advice
  • Does not diagnose medical conditions
  • Does not recommend treatments or medications

Nature of Outputs

  • Outputs are generated based on user-provided input and automated processing
  • These outputs are intended solely for documentation support
  • They must be reviewed and validated by healthcare professionals

Reliance Limitation

Any reliance on system outputs without professional review is at the user’s own risk.

19. Medical Responsibility

Healthcare professionals using the platform retain full responsibility for all aspects of patient care.

Responsibilities Include

  • Diagnosis of medical conditions
  • Selection of treatment plans
  • Prescription of medications
  • Clinical decision-making

Platform Limitation

The platform:

  • Does not influence clinical judgment
  • Does not replace professional expertise

All medical decisions must be made independently by qualified professionals.

20. Data Minimization Commitment

We strictly follow a data minimization principle in system design and operations.

Core Practices

  • Collect only necessary data
  • Avoid unnecessary sensitive data collection
  • Limit access to authorized systems only
  • Regularly review and remove excess data

Benefits

This approach:

  • Reduces privacy risks
  • Enhances system security
  • Ensures responsible data handling

21. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in services
  • Legal or regulatory requirements
  • Operational improvements

Update Process

  • Revised versions will be published with an updated effective date
  • Significant changes may be communicated through appropriate channels

User Acceptance

Continued use of the platform after updates constitutes acceptance of the revised Privacy Policy.

22. Contact Information

For any questions, concerns, or requests related to this Privacy Policy or data practices, users may contact us:

  • Company: ZEPTA FOCUSAI TECHNOLOGY PVT LTD
    C/o Rajinder Prasad, F-156, South City, Raibar, B R A University, Lucknow, Lucknow, Uttar Pradesh, India, 226025
  • Email: zeptafocusai@zeptai.com

Response Commitment

We aim to:

  • Respond in a timely manner
  • Address concerns responsibly
  • Provide necessary support regarding data-related queries

Final Acknowledgment

By using the platform, you confirm that you have read, understood, and agreed to this Privacy Policy and its terms.