XrayExplain

Privacy Policy

Last updated: 11 April 2026

1. Introduction and Governing Law

XrayExplain ("we", "our", or "us"), developed and operated by Ajay Vigneshwar GB, is an AI-powered X-ray analysis platform ("Service") accessible at https://xrayexplain.com. This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information when you use our Service.

By accessing or using XrayExplain, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Service.

This Policy is governed by and complies with:

  • The Information Technology Act, 2000 (India)
  • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("IT Rules 2011")
  • The Digital Personal Data Protection Act, 2023 ("DPDPA 2023")
  • The Consumer Protection Act, 2019 (India), insofar as applicable

Your X-ray images and associated medical information are classified as Sensitive Personal Data or Information (SPDI) under Rule 3 of the IT Rules 2011. We treat this data with the highest degree of care, legal compliance, and ethical responsibility.

2. Information We Collect

2.1 Information You Provide Directly

  • Phone number: Collected during registration and login via one-time password (OTP). Used solely for authentication. We do not share your phone number with any third party for marketing or profiling.
  • X-ray images: Medical imaging files (JPG, PNG, PDF) you upload for AI analysis. Treated as SPDI. Automatically and permanently deleted within 24 hours of upload.
  • Body part and scan type: Provided at upload to contextualise AI analysis.
  • Language preference: Your preferred language for receiving the AI-generated report.
  • AI Training Consent Data (voluntary): If and only if you explicitly opt in to our AI training programme, we additionally collect your age, gender, and blood group. These are the only three demographic fields we use for AI training. No other personal data — not your phone number, not your X-ray image, not your report text — is used or retained for model training. See Section 6 for full details.

2.2 Automatically Collected Information

  • Usage data: Pages visited, features used, timestamps, and error logs — used solely for service improvement and abuse prevention.
  • Device and browser information: Browser type, operating system, screen resolution — used exclusively for technical compatibility. Not used for advertising or profiling.
  • Payment metadata: Razorpay transaction IDs, order status, and plan type. We do not store card numbers, UPI handles, bank account details, or any other payment credentials. All payment processing is handled by Razorpay under its PCI-DSS Level 1 certified infrastructure.

2.3 What We Do NOT Collect

  • We do not collect your name, email address, or physical address.
  • We do not collect biometric data beyond the X-ray image uploaded for analysis.
  • We do not track your location.
  • We do not use advertising cookies or third-party tracking pixels.
  • We do not build behavioural profiles for commercial purposes.

3. How We Use Your Information

  • To authenticate you via phone OTP and maintain a secure session.
  • To process and analyse your uploaded X-ray image using AI models.
  • To generate and deliver your medical analysis report in your chosen language.
  • To process your payment through Razorpay.
  • To send transactional communications (OTP delivery, payment confirmation) — we send no marketing messages without your separate explicit consent.
  • To improve our proprietary AI model accuracy — strictly only if you have explicitly opted in and provided your age, gender, and blood group. Your demographic data is used to ensure our AI performs accurately across diverse patient profiles. As acknowledgement of the value of your contribution, you receive a 15% discount on your report — this discount represents our recognition of the economic value of the data you provide.
  • To comply with applicable Indian laws and lawful government or judicial directions.
  • To detect, investigate, and prevent fraud, abuse, and security incidents.

Absolute restrictions on use of your data:

  • We will never sell your personal or medical data to any third party.
  • We will never use your medical data for advertising or commercial profiling.
  • We will never share your data with insurance companies or employers.
  • We will never use your data beyond the purposes disclosed in this Policy.

4. Data Retention and Deletion

  • X-ray image data: Automatically and permanently deleted from our servers within 24 hours of upload, regardless of payment or report access status.
  • AI-generated report content: Deleted within 24 hours of scan upload alongside the image.
  • Account data (phone number, language preference): Retained for as long as your account is active. You may request deletion at any time by emailing aj07.scotia@gmail.com.
  • Payment records: Retained for 7 years as mandated by Indian financial and GST compliance regulations. These records contain only transaction metadata — no medical data.
  • AI training data (age, gender, blood group) — only if consented: These three demographic fields are retained in anonymised, de-identified form for as long as they contribute to model training. You may withdraw consent at any time by contacting us. Already-processed anonymised demographic data cannot be recalled from completed model training runs.

5. Data Sharing and Disclosure

We do not sell, rent, trade, or commercially exploit your personal data. We share data only in the following strictly limited circumstances:

  • AI service providers (e.g., OpenAI, HuggingFace): Your scan image and medical context are transmitted to AI model APIs solely to produce your report. All transmissions occur over TLS (HTTPS). We do not permit these providers to retain or use your data for their own model training — this is governed by our data processing agreements with them.
  • Payment processor (Razorpay): Transaction metadata is shared with Razorpay to process your payment. Razorpay is regulated by the Reserve Bank of India (RBI) and is PCI-DSS Level 1 certified.
  • Translation provider (Sarvam AI): If you select a regional Indian language, your report text (never the image) is transmitted to Sarvam AI for translation. This provider is subject to its own privacy obligations.
  • Legal requirements: We may disclose personal information if required by law, court order, or direction of a competent government authority under Indian law. We will inform you of such disclosure to the extent legally permitted.
  • Business transfer: In the event of a merger, acquisition, or dissolution, your data may be transferred to the successor entity. You will be notified at least 30 days in advance and given the option to request deletion.

6. AI Training Data — Your Rights, Our Obligations

This section forms a binding data exchange agreement between you and XrayExplain.

6.1 What you provide (voluntary opt-in only)

If you choose to participate in our AI training programme, you provide us with three and only three demographic data points:

  • Age
  • Gender
  • Blood group

Nothing else. Your X-ray image, phone number, report content, timestamps, and any other data are not used for AI model training under any circumstances.

6.2 Why we collect these three fields

Age, gender, and blood group are used to ensure our AI model is trained on demographically diverse data, improving its accuracy and reducing bias across different patient profiles. These fields are anonymised (stripped of any identifier that could link them to your account) before use in training.

6.3 The 15% discount — explicit value recognition

In exchange for consenting to provide these three demographic fields, you receive a 15% discount on your report price. This discount is our formal recognition of the economic value of the data you contribute. It is not a token gesture — it is consideration in the legal sense: you provide data of value, we provide a corresponding price reduction.

  • Basic Report: ₹99 → ₹84 with consent
  • Detailed Report: ₹199 → ₹169 with consent

6.4 Your rights regarding training data

  • Opt-in is entirely voluntary. You receive a full, uncompromised report whether or not you consent to training.
  • Withdrawal of consent: You may withdraw at any time by emailing aj07.scotia@gmail.com. Withdrawal will prevent future use of your data. It does not affect your discount on already-paid reports.
  • No retroactive recall: Demographic data already incorporated into completed model training runs cannot be extracted or deleted from those runs, given the nature of machine learning. This is consistent with DPDPA 2023 guidance on anonymised data in model training.
  • No re-identification: We implement technical and organisational measures to ensure anonymised training data cannot be re-linked to your identity.

7. Data Security

  • All data in transit is encrypted using TLS 1.2 or higher (HTTPS only).
  • Scan images are stored in encrypted database fields and are never written to publicly accessible file systems or CDNs.
  • Access to production systems is restricted to authorised personnel only, governed by least-privilege principles.
  • Authentication uses time-limited OTPs (valid for 10 minutes) with IP-based rate limiting to prevent brute-force attacks.
  • Session tokens use rolling expiry and are invalidated immediately on logout.
  • Payment data is handled entirely by Razorpay — we never receive, process, or store card or UPI credentials.
  • All payment signature verifications are performed server-side using cryptographic HMAC-SHA256, ensuring payment data cannot be tampered with by the client.

Despite our best efforts, no digital system is absolutely secure. In the event of a data breach affecting your SPDI, we will notify you within 72 hours of becoming aware of the breach, as required by applicable Indian law.

Limitation of security warranty: While we implement industry-standard security measures, we cannot guarantee absolute protection against all possible breaches. Our liability for security incidents is limited as described in our Terms and Conditions.

8. Your Rights Under Indian Law

Under the IT Rules 2011 and the Digital Personal Data Protection Act, 2023, you have the following rights:

  • Right to access: Request a summary of personal data we hold about you.
  • Right to correction: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your account and all associated personal data, except payment records required to be retained by law.
  • Right to withdraw consent: Withdraw AI training consent at any time without penalty to your service access.
  • Right to grievance redressal: Lodge a formal complaint with our Grievance Officer (details in Section 11).
  • Right to nominate: As per DPDPA 2023, you may nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.

To exercise any right, email aj07.scotia@gmail.com. We will acknowledge your request within 7 days and respond substantively within 30 days.

9. Children's Privacy

XrayExplain is not intended for use by individuals under the age of 18. We do not knowingly collect data from minors. If you are a parent or guardian and believe your minor child has used our Service or their X-ray has been uploaded, please contact us immediately at aj07.scotia@gmail.com for immediate data deletion. We will act within 48 hours of such notification.

10. Cookies and Tracking

We use only strictly necessary, functional cookies for session management (authentication tokens). We do not use:

  • Advertising or remarketing cookies
  • Third-party analytics platforms (e.g., Google Analytics)
  • Tracking pixels or fingerprinting technologies
  • Cross-site tracking of any kind

11. Grievance Officer

As required under Rule 5(9) of the IT Rules 2011 and Section 13 of the DPDPA 2023, our designated Grievance Officer is:

Name: Ajay Vigneshwar GB

Email: aj07.scotia@gmail.com

Service: XrayExplain (https://xrayexplain.com)

Response time: Within 30 days of receipt of complaint

If you are dissatisfied with our response, you may escalate your complaint to the Data Protection Board of India (once constituted under DPDPA 2023) or to the appropriate consumer forum under the Consumer Protection Act, 2019.

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or applicable law. The "Last updated" date will be revised on each update. For material changes — particularly any changes to how we use your SPDI or training data — we will provide at least 15 days' advance notice via the app interface before changes take effect. Continued use of the Service after the effective date of any change constitutes your acceptance of the revised policy.

13. Contact Us

For any privacy-related questions, data requests, consent withdrawals, or concerns:

Email: aj07.scotia@gmail.com

Service: XrayExplain (https://xrayexplain.com)

Jurisdiction: Chennai, Tamil Nadu, India
