Patheazy Labs / Patheasy Diagnostics Private Limited
Privacy Policy
Last updated: June 2026
This Privacy Policy explains how Patheasy Diagnostics Private Limited, operating under the brand name Patheazy Labs, collects, uses, stores, shares and protects digital personal data when you use our website, mobile applications, call centre, home sample collection services, laboratory services, partner collection centres, diagnostic packages, reports, payment services, customer support channels and related services (together referred to as the "Services").
This policy is intended to be read with our Terms of Service, consent forms, test booking forms, patient declaration forms and any scheme-specific or service-specific notices. If there is any conflict about personal data processing, this Privacy Policy will prevail to the extent of the conflict.
This policy is aligned with the Digital Personal Data Protection Act, 2023 (DPDPA) and the Digital Personal Data Protection Rules, 2025, to the extent applicable to Patheazy Labs as a Data Fiduciary.
1. Our role under the DPDPA
For most Services, Patheazy Labs decides the purpose and means of processing your personal data and acts as a Data Fiduciary. For some activities, such as services provided on behalf of hospitals, corporate clients, insurers, government programmes or partner laboratories, our role may vary depending on the contractual arrangement.
The individual to whom personal data relates is called the Data Principal. For a child, the Data Principal includes the child's parent or lawful guardian. For a person with disability who cannot act independently under applicable law, it includes the lawful guardian acting on their behalf.
2. Personal data we collect
| Category | Examples |
|---|---|
| Identity and contact data | Name, age/date of birth, gender, mobile number, email address, address, city, pin code, patient ID, booking ID and customer ID. |
| Health and diagnostic data | Doctor prescription, symptoms or clinical notes, medical history, sample details, tests or packages selected, reports, test values, interpretation notes, re-test records and quality-control status. |
| Booking and transaction data | Tests or packages viewed, cart, booking date and time, visit address, phlebotomist assignment, collection status, cancellations, refunds, invoices, payment confirmation and transaction reference. |
| Account and authentication data | Login credentials, OTP verification status, consent records, preferences, support tickets and communication preferences. |
| Device, usage and technical data | IP address, browser or device identifiers, operating system, app version, cookies, pages visited, referral source, logs and fraud-prevention signals. |
| Location data | Address entered by you and, where enabled by you, approximate or precise device location used for serviceability, route planning and home sample collection. |
| Dependent and minor data | Personal data of family members or dependents for whom you book a test, including children where the booking is made by a parent or lawful guardian. |
| Partner or scheme data | Data received from doctors, hospitals, employers, insurers, collection centres, franchisees, government health schemes or other authorised partners, where permitted by law or contract. |
We do not intentionally collect more personal data than is reasonably necessary for the relevant diagnostic, booking, payment, reporting, compliance, safety, quality or support purpose.
3. Sources of personal data
- Directly from you, including through our website, app, call centre, WhatsApp, SMS, forms, customer support, payment flows, sample collection and laboratory visit.
- From your authorised representative, caregiver, family member, parent, lawful guardian, doctor or hospital.
- From collection centres, franchisees, phlebotomists, logistics personnel, partner laboratories, corporate clients, insurers, government programmes or other authorised partners.
- Automatically through cookies, logs, device data and similar technologies when you use our digital Services.
- From payment gateways, banks, fraud-prevention providers, IT service providers and other service providers who support the Services.
4. Purpose of processing
We process personal data only for lawful and specific purposes, including to:
- Create and manage bookings, patient profiles, family member profiles and service requests.
- Verify identity, mobile number, address, consent and serviceability.
- Collect samples, route phlebotomists or riders, process tests, generate reports and deliver reports to you, your authorised representative or the referring doctor or hospital.
- Collect payments, issue invoices, process refunds and maintain transaction records.
- Provide customer support, complaint resolution, report correction, re-test management and service updates.
- Maintain laboratory quality, internal audit trails, accreditation records, equipment and process controls, and medico-legal records.
- Comply with applicable laws, court orders, regulatory requirements, public-health obligations and lawful requests from government or law-enforcement authorities.
- Prevent fraud, unauthorised access, misuse, cyber incidents and unsafe activity.
- Improve our services, website, app, operations, pricing, serviceability, turnaround time management and customer experience using aggregated or appropriately protected data where feasible.
- Send service communications, reminders, report notifications, safety alerts and operational messages.
- Send marketing communications only where permitted by law and your choices, and not in a manner prohibited for children.
5. Consent, notice and withdrawal
Where consent is required, we will seek your consent through clear affirmative action after giving a notice describing the personal data to be collected and the purpose of processing. Consent may be collected through website or app flows, OTP, checkboxes, written forms, call-centre confirmation, partner booking flows or other auditable methods.
You may withdraw consent at any time by using the options provided in the relevant Service or by contacting us. Withdrawal of consent will not affect processing already completed before withdrawal. After withdrawal, we will stop processing the relevant personal data and cause our Data Processors to stop processing it, unless continued processing is required or authorised by applicable law, medical or laboratory compliance obligations, legal claims, fraud prevention, patient safety, public health, or completion of a service already requested by you.
If withdrawal makes it impossible for us to provide a requested Service, we may be unable to continue that Service, such as processing a booked test, arranging home sample collection, delivering a report or maintaining your account.
6. Certain permitted or legitimate uses
In certain situations, the DPDPA permits processing without fresh consent, such as where you have voluntarily provided personal data for a specified purpose and have not indicated that you do not consent to that use; for compliance with law; for responding to medical emergencies; for public-health related measures; for court or legal proceedings; or other uses permitted under applicable law.
7. Children's data and persons with disability
We may process the personal data of children only with verifiable consent of the parent or lawful guardian, unless an applicable legal exemption permits otherwise. A person booking a test for a child confirms that they are the parent or lawful guardian, or are otherwise legally authorised to provide the child's data and consent.
We do not knowingly undertake tracking or behavioural monitoring of children or targeted advertising directed at children. We do not process children's personal data in a manner that is likely to cause a detrimental effect on the child's well-being.
8. How we share personal data
We share personal data only where necessary for the relevant purpose, where authorised by you, where required by contract, or where permitted or required by law. Recipients may include:
- Phlebotomists, riders, collection centres, franchisees and operational staff for booking, collection, logistics and support.
- In-house laboratories, partner laboratories, reference laboratories, doctors, pathologists, microbiologists, genetic or diagnostic experts and report reviewers for test processing, quality control, interpretation and reporting.
- IT, cloud, hosting, analytics, cybersecurity, call-centre, CRM, WhatsApp, SMS, email and customer-support providers.
- Payment gateways, banks, refund processors, fraud-prevention and reconciliation service providers.
- Hospitals, doctors, employers, insurers, government schemes or corporate clients where the booking is made through them or where you authorise such sharing.
- Regulators, accreditation bodies, auditors, courts, law-enforcement agencies, government authorities or public-health authorities where required or permitted by law.
- Professional advisers, insurers, investors or successor entities in connection with audit, legal advice, restructuring, merger, acquisition or business transfer, subject to appropriate safeguards.
We do not sell your personal data. We do not permit service providers to use your personal data for their independent marketing unless you have separately consented or applicable law permits it.
9. Data Processors and partner controls
Where we engage vendors or partners to process personal data on our behalf, we will use valid contracts and appropriate operational controls. Depending on the nature of processing, these controls may include confidentiality obligations, role-based access, security safeguards, breach reporting obligations, data-return or deletion obligations, audit rights and restrictions on onward sharing.
Where a partner laboratory, doctor, hospital, corporate client, insurer or government programme independently decides the purpose and means of processing, that organisation may also be a separate Data Fiduciary. Their own privacy notices and legal obligations may apply.
10. Cookies, analytics and marketing
Our website and app may use cookies, pixels, SDKs or similar technologies for login, security, preferences, analytics, performance, attribution and service improvement. We may send promotional communications about packages, offers, preventive health programmes or other services where permitted by law and your communication preferences. Even after opting out, we may send non-promotional messages such as booking confirmations, OTPs, payment receipts, report links, safety notices or account-related communications.
11. Retention and deletion
We retain personal data only for as long as necessary for the purpose for which it was collected, for providing Services, for laboratory and medical record obligations, for accounting or tax requirements, for accreditation and audit, for legal claims, for fraud prevention, for dispute resolution, or where retention is required or authorised under applicable law.
| Data type | Indicative retention approach |
|---|---|
| Account and profile data | Until account closure or inactivity-based deletion, unless retention is needed for law, disputes, security or completed services. |
| Booking, invoice and payment records | As required for tax, accounting, audit, fraud prevention and transaction record obligations. |
| Diagnostic reports, sample records and lab quality records | As required by applicable clinical, laboratory, accreditation, medico-legal and contractual obligations. |
| Support and grievance records | For the time needed to resolve the matter and maintain evidence of resolution. |
| Marketing preferences | Until you opt out or the data is no longer needed for the stated purpose. |
| Technical logs | For security, debugging, fraud prevention, analytics and legal compliance, generally for limited periods unless needed for investigation. |
When personal data is no longer required, we will delete, de-identify, anonymise or securely archive it according to applicable law and internal retention schedules.
12. Security safeguards
We use reasonable technical and organisational safeguards to protect personal data in our possession or control, including safeguards applied by our Data Processors. Depending on the system and data type, these safeguards may include access controls, authentication, encryption or secure transmission, audit logs, monitoring, backups, network security, staff training, confidentiality obligations, vulnerability management and incident-response processes. No system is perfectly secure, so you should keep login credentials, report links, passwords and OTPs confidential.
13. Personal data breach
In the event of a personal data breach, we will take reasonable steps to contain, assess and remediate the incident and provide intimation to affected Data Principals and the Data Protection Board of India in the form, manner and timelines prescribed under applicable law.
14. Your rights under the DPDPA
Right to access information: Request a summary of your personal data being processed, processing activities undertaken by us, and information about Data Fiduciaries and Data Processors with whom your personal data has been shared, where applicable.
Right to correction, completion and updating: Ask us to correct inaccurate or misleading data, complete incomplete data or update outdated data.
Right to erasure: Ask us to erase personal data for which consent was given, unless retention is necessary for the specified purpose or for compliance with law.
Right to withdraw consent: Withdraw consent for processing based on consent.
Right of grievance redressal: Raise a grievance regarding our processing of your personal data or exercise of your rights.
Right to nominate: Nominate another individual to exercise your rights in the event of death or incapacity, in the manner permitted by applicable law.
Consent Manager: Where available under law and supported by our systems, give, manage, review or withdraw consent through a registered Consent Manager.
15. How to exercise your rights or raise a grievance
You may contact us using the details below. We may verify your identity, booking details, mobile number, email address or other information before acting on a request. We may refuse or limit a request where permitted by law, including where the request is not verifiably authentic, conflicts with legal retention obligations, affects another person's rights, compromises security, or relates to records required for medical, laboratory, tax, audit or legal purposes.
We will respond within the period required under applicable law. If you are dissatisfied with our response, you may escalate the matter as permitted under the DPDPA, including to the Data Protection Board of India after exhausting our grievance redressal mechanism, where applicable.
Privacy questions, rights requests and grievances: email purchase@patheazy.co.in
Postal address: 2nd Floor, Shalimar Tower, Vibhuti Khand, Lucknow, Uttar Pradesh, 226010, India
Responsible privacy contact: Grievance Officer / Data Protection Contact
16. Duties of Data Principals
You are responsible for providing information that is accurate and verifiably authentic, not impersonating another person, not suppressing material information, not registering false or frivolous grievances or complaints, and complying with applicable law while using the Services. If you book a test for another person, you confirm that you are authorised to provide their data and receive their report or communications.
17. Cross-border processing
We primarily process data for India-based Services. Some service providers, cloud systems, support tools or technology partners may process or store personal data outside India. We will comply with applicable Indian law on cross-border transfers, including any restrictions notified by the Central Government and any sector-specific laws that impose a higher degree of protection or restriction for health, diagnostic or other personal data.
18. Third-party websites and links
Our Services may contain links to third-party websites, payment gateways, social media platforms, map services, partner portals or external services. Their privacy practices are governed by their own policies. We are not responsible for the privacy or security practices of third-party services that we do not control.
19. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in law, rules, business practices, technology, services, security practices or operational requirements. We will update the Last updated date and provide additional notice where required by applicable law.