OUSHVAA
Privacy

Privacy policy.

Starter draft, not lawyer-vetted. Written to DPDP Act 2023, IT Rules 2011 (SPDI), and medical-device SaaS conventions, but Indian counsel review is required before this binds MedevIQ to any paying customer. If you are a customer reading this in good faith, treat it as our intended posture; the final binding text will be the version signed in your Master Services Agreement.

Last updated: 2026-05-27 · Effective: 2026-05-27

This Privacy Policy explains how Oushvaa Technologies ("Oushvaa," "we," "us," "our") collects, uses, shares, and protects personal data through the MedevIQ product, including the marketing site at medeviq.ai, the authenticated workspace, the MedevIQ API, and related services (together, the "Service"). This Policy is published in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules") of India.

We act as the Data Fiduciary (controller) for the personal data we collect directly from you. Where you process personal data of others through your use of the Service (for example, by uploading a document containing third-party information), you are the Data Fiduciary and we act as your Data Processor under the terms of our Data Processing Agreement.

1. What we collect

1.1 Account and access information

When you request access to MedevIQ, we collect your name, work email address, organization name, role, country, and the access narrative you submit (a free-text description of how you intend to use the Service). We collect additional administrative metadata when access is granted, including the access tier and the date your access was provisioned.

1.2 Authentication metadata

The Service uses Supabase Auth for the authenticated workspace and Cloudflare for edge protection. Authentication providers supply us with your authenticated email address and authentication timestamps. We do not receive your authentication credentials or any third-party identity provider tokens.

1.3 Query content

The natural-language questions you submit to the MedevIQ API, the canonical query parameters you supply (device name, manufacturer, UDI, GMDN class, regulator, country, etc.), and the structured results returned are stored in our cache for performance and to provide features such as Saved Answers, Watchlists, and Compare. Query content is associated with your account identifier.

1.4 Documents you upload

When you upload a document (PDF, DOCX, XLSX) for parsing — for example a label, package insert, internal SOP, or regulatory filing — the file is stored in encrypted object storage (Cloudflare R2) for the duration of your account or until you delete it. Extracted text and structured fields derived from the document are stored alongside metadata (filename, file type, size, SHA-256 hash, upload timestamp). You are responsible for the lawful basis on which you upload documents containing third-party personal data. See Section 6 (Your Responsibilities).

1.5 Operational telemetry

Standard HTTP request metadata: request path, timestamp, HTTP status code, response time, IP address (last octet truncated for retention beyond 14 days), User-Agent string, and Cloudflare-derived geolocation (country only). We do not deploy advertising or behavioral tracking cookies. We do not use Google Analytics or comparable third-party analytics on authenticated surfaces.

1.6 Communications

Email correspondence you send to [email protected], [email protected], or other Oushvaa addresses; messages submitted through the in-product feedback widget; transactional emails we send to you (watchlist alerts, weekly briefings, account notifications). Content of email is retained for legitimate business and audit purposes per Section 4.

2. How we use it (purposes & lawful basis)

We process personal data only for the purposes stated below, with the lawful basis indicated:

  • Provision the Service (account, authentication, access enforcement) — necessary for performance of contract.
  • Operate and improve the Service (cache, performance, debugging, security monitoring) — legitimate interest of providing a reliable service.
  • Deliver requested features (Saved Answers, Watchlists, Document parsing, Compare, briefings) — necessary for performance of contract.
  • Communicate with you (transactional messages, security notices, support replies) — necessary for performance of contract.
  • Maintain audit and compliance records (security audits, regulator obligations, dispute resolution) — legal obligation; legitimate interest.
  • Detect and prevent abuse (rate-limit enforcement, fraud detection, intrusion response) — legitimate interest in service integrity.

We do not sell personal data. We do not use personal data to train third-party generative AI models. We do not use your query content to train any model without your explicit, opt-in consent.

3. Who we share with (sub-processors)

We engage the following sub-processors to operate the Service. Each is bound by a written agreement requiring confidentiality, security commitments, and processing only on documented instructions:

  • Cloudflare, Inc. (USA) — edge compute (Workers, Pages), authentication front-end (Access), object storage (R2), DNS, DDoS protection, edge AI embeddings.
  • Supabase Inc. (USA, infrastructure in AWS ap-south-1 / Mumbai) — managed PostgreSQL for cache, watchlists, document metadata, and authenticated session storage. Project identifier: sahrvukeczulzwzkkmft.
  • Anthropic PBC (USA) — Claude API for the natural-language synthesis layer; query content is sent at inference time. Anthropic has committed not to train on API inputs per their published policy.
  • Resend, Inc. (USA) — transactional email delivery (watchlist alerts, weekly briefings, account notifications).
  • GitHub, Inc. (USA, a Microsoft subsidiary) — source-code hosting and CI/CD for the Service. Customer data does not flow through GitHub.

A current, dated sub-processor list is also available on request to [email protected]. We will provide reasonable advance notice of new sub-processors to Enterprise customers via the contractual notice mechanism in their access agreement and the DPA.

3.1 Cross-border transfers

Personal data may be transferred to and processed in countries other than India where our sub-processors operate, including the United States. Cross-border transfers are permitted under Section 16 of the DPDP Act subject to the Central Government's notifications. Where required, we rely on equivalent contractual safeguards (Standard Contractual Clauses where applicable) and our sub-processors' self-certifications under recognized cross-border frameworks.

3.2 Disclosure to regulators or law enforcement

We disclose personal data to government, regulatory, or law-enforcement authorities only when (a) compelled by a valid Indian court order, statutory request, or other legally enforceable demand; or (b) required to protect against imminent risk to life, safety, or system integrity. We notify affected Data Principals of any disclosure to the extent permitted by law.

4. How long we keep it (retention)

  • Account information — for the active life of your account, plus up to 36 months after termination for legitimate audit, dispute, and tax record-keeping.
  • Query content (cache + saved answers) — until you delete the relevant record or close your account. Pinned and shared answers retained while their share link is public.
  • Watchlists and watchlist runs — until you delete the watchlist; historical runs retained for 12 months for audit and change-detection baselines.
  • Uploaded documents (R2 object + extracted text) — until you delete the upload or close your account. Document hashes (SHA-256) retained for 90 days post-deletion for deduplication and abuse detection.
  • Operational telemetry — full request logs for 14 days; aggregated/anonymized telemetry retained indefinitely for capacity planning.
  • Security audit logs — 24 months minimum (alignment with SOC 2 retention norms).
  • Email correspondence — 36 months from the last message in the thread.

Enterprise customers may negotiate longer or shorter retention windows in their Master Services Agreement or DPA. Where you delete personal data, we erase the underlying records within 30 days and remove from standard backups within 90 days; encrypted backup tapes are overwritten on their regular rotation schedule and are not directly addressable.

5. Your rights (Data Principal Rights)

Under the DPDP Act, 2023 you have the following rights with respect to your personal data:

  • Right to information — to obtain a summary of the personal data being processed and the processing activities undertaken.
  • Right to correction, completion, updating, and erasure — to request correction of inaccurate or misleading data, completion of incomplete data, updating of stale data, or erasure of data no longer needed for the purpose for which it was collected.
  • Right to grievance redressal — to lodge a grievance about our handling of your personal data; we will respond within the timeline prescribed by the DPDP Rules.
  • Right of nomination — to nominate another individual to exercise your rights in the event of your death or incapacity.
  • Right to withdraw consent — where processing is based on consent, to withdraw that consent at any time. Withdrawal does not affect the lawfulness of prior processing.

To exercise any of these rights, email [email protected] from the email address associated with your account. We may request reasonable verification of identity before fulfilling a request. We will respond within 30 days of a verified request, or within the shorter period required by applicable law. There is no fee for the first request in a calendar year; we may charge a reasonable administrative fee for repeat or manifestly unfounded requests.

5.1 Grievance Officer

In accordance with Rule 5(9) of the Information Technology (Reasonable Security Practices) Rules, 2011 and Section 8(10) of the DPDP Act, the following individual is our designated Grievance Officer:

Vishnu Surendranath
Grievance Officer, Oushvaa Technologies
Email: [email protected]
Postal: To be published prior to first paying customer.

If you are not satisfied with our response, you may escalate your grievance to the Data Protection Board of India under Section 13 of the DPDP Act.

6. Your responsibilities as a user

When you use the Service to process content that includes personal data of third parties (for example, uploading a label or filing that contains sponsor contacts, investigator names, or other personal data), you confirm that:

  • You have the lawful basis (consent, contract, or other ground) to process that data.
  • You have provided the necessary notice to the third-party Data Principals where required.
  • You will not upload protected health information (PHI), bank or payment card data, government identifiers (Aadhaar, PAN, passport), or other categories of personal data we have not been engaged to process, except as expressly contemplated by your access agreement.
  • You will honor erasure and access requests made directly to you by your Data Principals and will instruct us accordingly through the channels in this Policy and the DPA.

We are a Data Processor for any such third-party data and act only on your documented instructions per the Data Processing Agreement.

7. Security

We follow reasonable security practices and procedures appropriate to the nature of the personal data processed and the harm that may result from unauthorized access. Specifically:

  • TLS 1.2+ encryption for all data in transit; HSTS enforced on all public endpoints.
  • AES-256 encryption at rest for primary data stores (Supabase Postgres, Cloudflare R2).
  • Authentication via Supabase Auth with email verification; SSO via your organization's identity provider is supported on Enterprise tier.
  • Principle of least privilege for internal access; access to production data is restricted to authorized personnel and logged.
  • Secrets and API keys held in Cloudflare encrypted secret storage; rotation documented in our internal runbook.
  • SOC 2 Type I attestation is on the v1 roadmap (target Q4 2026); ISO/IEC 27001 alignment in parallel. See the Trust page for current posture.

7.1 Breach notification

In the event of a personal data breach as defined under Section 8(6) of the DPDP Act, we will notify the Data Protection Board of India and each affected Data Principal in the manner and within the timeline prescribed by the DPDP Rules. Notifications will include the nature of the breach, the categories and approximate number of Data Principals affected, the likely consequences, and the measures taken or proposed to address the breach.

8. Children

The Service is intended for use by professionals in the pharmaceutical, biotechnology, regulatory, and healthcare sectors. We do not knowingly collect personal data from children under the age of 18. If we become aware that a child has provided personal data to us, we will delete such data. Where the DPDP Rules prescribe verifiable parental consent for any processing of a child's personal data, we will obtain such consent or refrain from the processing.

9. Automated decision-making

The Service includes AI-assisted features (natural-language query routing, document extraction, narrative synthesis). These features produce informational outputs that you, as the user, review and act upon. The Service does not make automated decisions that produce legal or similarly significant effects on you or any Data Principal without human review. Outputs are cited to source records; you remain responsible for the decisions you make based on those outputs.

10. Changes to this Policy

We may revise this Policy from time to time. Material changes will be announced on this page with an updated effective date and a summary of the change at the top. Substantive changes affecting Enterprise customers will be communicated by email at least 30 days before the change takes effect, per the contractual notice mechanism in your access agreement.

11. Contact

For privacy questions, rights requests, or sub-processor inquiries:
[email protected]

For grievances:
[email protected]

For legal notices:
[email protected]

Early access

MedevIQ is in private preview.

We're onboarding hospitals, manufacturers, regulators and research teams in waves. Tell us how you'd use MedevIQ and we'll get back within a working week.

We'll reply within a working week.

Access by invitation while v1 finalizes.