S
Scanura
LoginRegister
← Back to Home

Privacy Policy & Data Protection

Last updated: June 2026

Compliant with India's DPDP Act, 2023

In short

  • We do not sell your personal or medical data to anyone.
  • Your uploaded reports are encrypted in transit (TLS 1.3) and at rest (AES-256).
  • We store only the analysis metadata (structured results) — raw files are retained only as long as needed.
  • You can delete your data permanently at any time from your dashboard.
  • We comply with the Digital Personal Data Protection Act, 2023 (DPDP Act).

1. Who We Are

scanura ("we", "us", "our") is a health technology platform operated from India. We provide AI-powered analysis of medical lab reports to help users understand their health data in plain language. We are committed to protecting your privacy and handling your data with the care it deserves.

For the purposes of the DPDP Act, 2023, scanura acts as a Data Fiduciary — we determine the purpose and means of processing your personal data.

2. What Data We Collect

2.1 Account Information

When you register, we collect:

  • Name
  • Email address
  • Phone number (optional)

This data is necessary to create and manage your account and is stored in AWS DynamoDB (ap-south-1, Mumbai region).

2.2 Medical Report Data

When you upload a medical report, we collect:

  • The uploaded file (PDF, JPEG, PNG — max 10 MB)
  • Structured analysis results extracted by AI (test names, values, risk levels, summaries)
  • Patient metadata you provide (name, age, gender)

2.3 Usage Data

We collect anonymised usage analytics (page views, feature interactions) to improve the product. This data is not linked to your identity.

3. How We Use Your Data

We use your data for the following specific purposes:

  • Report analysis: Your uploaded file is sent to AI providers (Google Gemini / NVIDIA) for analysis. The structured results are returned and stored in your account.
  • Service delivery: Displaying your past analyses, tracking trends, generating doctor questions.
  • Account management: Authentication, credit tracking, family member management.
  • Product improvement: Anonymised, aggregated analytics to understand usage patterns.

We do not use your medical data for advertising, marketing, or sell it to third parties. We do not train AI models on your data.

4. Data Storage & Security

4.1 Where Your Data Is Stored

All data is stored in AWS (ap-south-1, Mumbai) — within India. We do not transfer your personal data outside India without explicit consent.

4.2 Encryption

  • In transit: All data is encrypted using TLS 1.3 during upload and download.
  • At rest: Files stored in AWS S3 are encrypted using AES-256 (server-side encryption).
  • Database: DynamoDB uses AWS-managed encryption at rest.

4.3 Access Controls

Only you can access your reports and analyses. Our team has no routine access to user data. Administrative access (for debugging or support) requires multi-factor authentication and is logged.

5. Data Retention & Deletion

  • Account data: Retained as long as your account is active.
  • Uploaded files: Raw report files are processed and retained in S3 only as long as needed for re-analysis. You can delete individual reports from your dashboard at any time.
  • Analysis results: Stored in your account until you delete them or close your account.
  • Inactive accounts: Accounts inactive for 24 months may receive a reminder email. Accounts inactive for 36 months may be deactivated, with data deleted 30 days after notification.

When you delete a report or your account, we delete the corresponding data from DynamoDB. S3 files are removed within 7 days of deletion.

6. Your Rights Under the DPDP Act, 2023

As a Data Principal under the DPDP Act, you have the following rights:

RightWhat It Means
Right to AccessYou can request a copy of all personal data we hold about you.
Right to CorrectionYou can update or correct inaccurate personal data.
Right to ErasureYou can delete your account and all associated data permanently.
Right to Grievance RedressalYou can file a complaint about data handling; we will respond within 30 days.
Right to NominateYou may designate someone to exercise your rights on your behalf.

To exercise any of these rights, email us at privacy@scanura.in.

7. AI & Third-Party Processing

We use third-party AI providers to analyse your uploaded reports:

  • Google Gemini — primary analysis engine
  • NVIDIA NIM — fallback analysis engine

These providers process your report files to extract structured medical data. They do not retain your files after processing. We have data processing agreements with both providers that prohibit using your data for model training or any purpose other than providing the analysis service.

8. Cookies & Tracking

We use:

  • Essential cookies — for authentication and session management (required for the site to function).
  • Google Tag Manager — for anonymised analytics. This is used solely for understanding site usage patterns.

We do not use third-party advertising trackers or sell cookie data.

9. Children's Data

scanura is intended for users aged 18 and above. If you are uploading reports for a minor (your child), you consent to processing their data as their legal guardian under the DPDP Act. We do not knowingly collect data from children directly.

10. Data Breach Notification

In the event of a data breach that is likely to cause harm, we will notify you and the relevant authorities as required under Section 8(6) of the DPDP Act, 2023, within 72 hours of becoming aware of the breach.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or prominent notice on the website. The "Last updated" date at the top reflects the latest revision.

12. Contact Us

For privacy-related questions, data requests, or complaints:

We will respond to all requests within 30 days, as required by the DPDP Act.