Privacy Policy

NyraAI Healthcare Technologies (“NyraAI,” “we,” “us,” or “our”) operates the website at www.nyraai.io and related AI-powered healthcare services (collectively, the “Services”). This Privacy Policy explains what personal information we collect, how we use it, the choices you have, and the safeguards we apply.

We comply with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. By using the Services you confirm that you have read and understood this Policy.

We collect the following categories of information:

Information you provide

• Contact details — name, email, phone number, and message content when you submit our contact form or request a demo.
• Appointment details — preferred specialty, location, and reason for visit when you use the hospital finder.
• Account & billing data — if you transact on /payments, our processor receives card or UPI details directly; we receive a transaction reference only.
• Communications — emails, support tickets, and feedback you send us.

Information collected automatically

• Device & usage data — IP address, browser, operating system, referring URL, pages viewed, and timestamps.
• Cookies & similar technologies — see our Cookie Policy for the full list.
• Product analytics — anonymous interaction events captured via self-hosted PostHog to understand which features are useful.

Information from third parties

• Verified hospital and clinic listings from our partners and public registries; this is not personal data about you.

We do not knowingly collect medical records, diagnoses, or other regulated health information through this website. Any data exchanged with treating providers occurs directly between you and the hospital.

We process personal data for the following purposes:

• To respond to enquiries, schedule demos, and route appointment requests.
• To operate, maintain, and improve the Services and the hospital finder.
• To debug errors, prevent abuse, and protect the integrity of the platform.
• To send transactional communications (e.g., booking confirmations, security alerts).
• To send marketing communications, where you have given consent — you can withdraw consent at any time.
• To comply with applicable law and respond to lawful requests by authorities.

Under the DPDP Act, our lawful basis is either your consent or, for legitimate uses such as responding to a request you initiated, a certain legitimate use as defined in §7 of the Act.

We share data only as described below. We do not sell your personal data.

• Service providers — hosting (Vercel, AWS), database (PostgreSQL), object storage (AWS S3), analytics (self-hosted PostHog), email delivery, and payment processors — each bound by contractual confidentiality and security obligations.
• Hospitals & clinics — when you book or request an appointment, we forward only the details required to fulfil that request to the selected provider.
• Legal & safety — to comply with applicable law, enforce our terms, or protect rights, property, or safety.
• Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to affected users.

We retain personal data only as long as needed for the purposes set out in this Policy or as required by law. Typical retention periods:

• Contact form submissions: 24 months from last interaction.
• Appointment requests: 36 months for service quality and audit.
• Analytics events: 13 months, then aggregated.
• Server logs: 90 days, then deleted or anonymised.

When retention is no longer necessary we securely delete or irreversibly anonymise the data.

We apply technical and organisational measures aligned with ISO 27001 and the IT Rules, 2011, including:

• TLS 1.2+ encryption in transit and AES-256 encryption at rest.
• Role-based access control with the principle of least privilege.
• Audit logging, automated backups, and regular vulnerability scans.
• Vendor due-diligence and data-processing agreements with all sub-processors.

No system is perfectly secure. If we become aware of a personal-data breach likely to cause harm, we will notify affected users and the Data Protection Board of India as required by law.

Subject to applicable law, you have the right to (a) access the personal data we hold about you, (b) request correction or update, (c) request erasure, (d) withdraw consent at any time, (e) nominate another person to exercise your rights in the event of death or incapacity, and (f) lodge a grievance with our Grievance Officer.

To exercise any right, email privacy@nyraai.io. We respond within 30 days. We may verify your identity before fulfilling sensitive requests.

The Services are not directed to children under 18. We do not knowingly collect personal data from children. If a parent or guardian believes their child has provided information to us, please contact us and we will delete it promptly.

Our primary infrastructure is in India. Some service providers (e.g., analytics, email delivery) may process data in other jurisdictions. When data is transferred outside India we ensure the recipient applies safeguards consistent with the DPDP Act and that contractual protections (Standard Contractual Clauses or equivalent) are in place.

The Services may contain links to third-party websites, including individual hospital portals. We are not responsible for the privacy practices of those sites. Review their policies before sharing personal information.

We may update this Policy from time to time. Material changes will be notified via the website and, where appropriate, by email. The “Effective” date at the top of this page indicates when the latest version took effect.

For privacy questions or to file a grievance under the DPDP Act, contact our Grievance Officer:

• Email: privacy@nyraai.io
• General contact: hello@nyraai.io
• Web: /contact