Privacy Policy & India DPDP Act 2023 Compliance Notice
Effective Date: June 4, 2026
Last Reviewed: June 4, 2026
1. Overview, Legal Framework & Regulatory Scope
Be Smart Global, LLC ("DocReport India", "we", "our", or "us"), a Delaware Limited Liability Company, provides the DocReport India B2B SaaS platform. This Privacy Policy is a legally binding agreement governing the processing of personal data within the territorial jurisdiction of the Republic of India. This policy is structured in strict compliance with the **Digital Personal Data Protection (DPDP) Act, 2023** (Act No. 22 of 2023), the **Information Technology Act, 2000**, and the rules framed thereunder, including the **Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011**.
Furthermore, as a digital health infrastructure provider, we align our platform with the guidelines published by the **National Health Authority (NHA)** under the **Ayushman Bharat Digital Mission (ABDM)**, the Electronic Health Record (EHR) standards of the **Ministry of Health and Family Welfare (MoHFW)**, and the Master Circulars on Health Insurance issued by the **Insurance Regulatory and Development Authority of India (IRDAI)**.
This policy applies to all registered healthcare practitioners, hospitals, private clinics, diagnostic centers, third-party administrators (TPAs), and their authorized administrative staff (collectively referred to as "Subscribers" or "Data Fiduciaries") who upload, dictate, or transmit data through our clinical AI copilot, as well as the patients whose administrative and clinical details are processed ("Data Principals").
2. Corporate Registration & Delaware Registry Coordinates
The DocReport India platform is owned and operated by Be Smart Global, LLC, a corporate entity registered in the State of Delaware, United States of America, under File Number 10620833. Our registered corporate agent and address are as follows:
c/o Legalinc Corporate Services Inc.
131 Continental Dr, Suite 305
Newark, DE 19713, USA
All financial operations, payment gateway routing, subscription licensing, and corporate accounting are managed through our US bank accounts and our Stripe integration. Subscription fees calculated in Indian Rupees (INR) are billed dynamically and processed securely. Our contact email for all legal, compliance, and data protection inquiries is info@be-smart-business.de.
3. B2B Relationship: Data Fiduciary vs. Data Processor
Under Section 2(i) and Section 2(k) of the DPDP Act 2023, the classification of parties is determined by who determines the purpose and means of processing personal data:
- Subscribing Clinic / Practitioner as the Data Fiduciary: The registered medical practitioner, clinic, or hospital network determines the clinical purpose for compiling medical reports, dictating patient consults, and filing insurance appeals. Therefore, the Subscriber is the Data Fiduciary and bears the primary statutory obligations to the patient (the Data Principal) under the Act, including the obligation to obtain valid consent and provide appropriate notices.
- DocReport India as the Data Processor: We process personal data solely on behalf of the Subscriber, in accordance with their instructions and under the written B2B SaaS agreement that Section 8(2) of the DPDP Act 2023 requires when a Data Fiduciary engages a Data Processor. We implement technical and organizational measures that support the Subscriber's compliance, but we do not interact directly with patients or make clinical determinations.
4. Notice on Processing: Categories of Personal Data Collected
Under Section 5 of the DPDP Act 2023, we notify you of the specific categories of personal data processed on our platform:
A. Data Fiduciary / Subscriber Account Data
To manage accounts and billing, we collect the following personal and professional details directly from registered practitioners and administrators:
- Full Name and Professional Title (e.g., MD, MBBS, MS).
- Medical Registration Number (issued by the National Medical Commission (NMC) or State Medical Councils).
- Clinic or Hospital Name, physical address, and corporate contact details.
- Email address, telephone number, and authentication credentials (hashed passwords).
- Subscription tier selections, transaction histories, and Stripe billing tokens. Card details are tokenized by Stripe; we never store raw card numbers on our systems.
B. Ambient Clinical Dictation and Patient Data
To generate structured clinical documentation, medical necessity letters, prior authorizations, and ABDM-compliant HL7 FHIR payloads, the platform processes:
- Audio recordings and Hinglish/English voice dictation transcripts of clinical consultations.
- Patient demographic data (such as age, gender, diagnostic history).
- Clinical observations, vital signs, physical examination records, and laboratory test results (LOINC and SNOMED CT parameters).
- Insurance claim details, rejection codes, policy numbers, and TPA (Third-Party Administrator) case references.
5. Purposes of Processing Personal Data
Section 4 of the DPDP Act 2023 permits processing of personal data only for a lawful purpose, and Section 5 requires that purpose to be notified to the Data Principal. We process personal data strictly for the following specified purposes:
- Clinical Documentation Automation: Converting unstructured spoken audio of doctor-patient interactions into structured SOAP notes, discharge summaries, and consultation letters.
- Insurance Appeal & Claims Optimization: Generating medically justified appeal letters to overturn room rent caps, cashless rejections, or co-payment exclusions under IRDAI guidelines.
- ABDM Interoperability: Packaging clinical data into standard HL7 FHIR JSON bundles for integration with public digital health registries (ABHA numbers) and private health information exchanges.
- Account Administration & Security: Verifying subscriber identity, managing subscriptions, preventing billing fraud, and securing access to the practice dashboard.
- Legal Compliance: Maintaining tamper-evident, append-only audit logs of access to and changes in clinical records, as required by the MoHFW EHR guidelines and the IT Act 2000.
6. Zero-Trust Patient PII Scrubbing & Client-Side Encryption Architecture
To support Subscribers in fulfilling their duties of confidentiality under Section 8 of the DPDP Act 2023, the platform implements a client-side redaction and encryption architecture designed so that our servers never receive cleartext patient identifiers or hold the key to the stored clinical records:
- Browser-Based PII Scrubbing: Patient-identifying values (such as patient names, Aadhaar numbers, PAN, telephone numbers, and specific addresses) are redacted inside the Subscriber's web browser before any data is sent to our remote servers. Each identifying value is replaced with a randomized tag (e.g., `[IN_PATIENT_XYZ]`); the same value receives the same tag within a consultation, and the mapping between values and tags never leaves the browser.
- Local Re-identification: The mapping from tags back to identifiers, and any re-identified document compiled from it, exist only in the browser's memory for the active session. The cleartext patient record is never stored on or transmitted to our database, keeping patient PII entirely within the clinic's local environment.
- Sovereign Client-Side Encryption: Stored clinical data is encrypted in the browser with a 256-bit AES-GCM key, using a fresh random nonce for every record. The key is generated locally and held only in the browser's `localStorage` for the DocReport origin; it is never transmitted to us, so we store only ciphertext blobs. Note that `localStorage` is scoped to one browser profile on one device and is not itself encrypted by the browser: Subscribers must protect that profile, and if the local key is lost (for example by clearing site data or moving to a new device or browser), we cannot decrypt or recover the data.
7. Consent Framework & Consent Manager Integration
Under Section 6 of the DPDP Act 2023, personal data must be processed based on consent that is free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action:
- Fiduciary Obligation: The Subscribing clinic is responsible for obtaining consent from patients before using the ambient scribe or generating medical documentation. We provide template consent forms in English and Hindi.
- WhatsApp Consent Flow: Subscribing clinics can integrate our WhatsApp automation (via the Evolution WhatsApp API) to send interactive consent templates. The patient must respond with a clear affirmative action (e.g., selecting "Agree" or "हाँ, मैं सहमत हूँ") before ambient recording begins.
- Consent Manager Support: In alignment with Section 6(7) of the Act, we are preparing our infrastructure to integrate with Consent Managers registered with the Data Protection Board of India (DPBI) under Section 6(9), allowing patients to give, manage, review, and withdraw consent through unified digital platforms.
8. Right to Withdraw Consent
Under Section 6(4) of the DPDP Act 2023, Data Principals have the right to withdraw their consent at any time. The withdrawal of consent must be as easy as the giving of consent:
- Patients can request consent withdrawal by contacting the clinic directly or by opting out via WhatsApp (replying "STOP" or "सहमति वापस लें").
- Upon receiving a withdrawal request, the Subscriber (Data Fiduciary) must stop processing the patient's data and instruct us (the Data Processor) to erase the corresponding records.
- We will delete all encrypted records associated with the patient within 30 days of receiving the instruction, unless retention is required by other applicable Indian laws.
9. Data Subject Rights of Data Principals
Under Chapter III of the DPDP Act 2023, patients (Data Principals) are granted specific statutory rights. We assist Subscribers in fulfilling these rights:
- Right to Access Information (Section 11): Patients have the right to receive a summary of the personal data processed about them, a description of processing activities, and the identities of all Data Fiduciaries and Data Processors with whom their data has been shared.
- Right to Correction, Completion, Updating, and Erasure (Section 12): Patients have the right to correct inaccurate data, complete incomplete fields, update outdated records, and request the erasure of their personal data.
- Right to Grievance Redressal (Section 13): Patients have the right to register a grievance with the Subscriber or our Data Protection Officer. Under the law, they must exhaust this grievance redressal mechanism before filing a complaint with the Data Protection Board of India.
- Right to Nominate (Section 14): Patients have the right to nominate an individual to exercise their rights in the event of their death or incapacity.
10. Duties and Penalties for Data Principals
Section 15 of the DPDP Act 2023 outlines specific duties for Data Principals. When exercising rights, patients must:
- Comply with all provisions of applicable laws.
- Avoid impersonating any other individual or providing false information.
- Avoid registering frivolous or false grievances with Data Fiduciaries or the Board.
Under the Act, a Data Principal who violates these duties may be subject to a statutory penalty of up to **₹10,000** imposed by the Data Protection Board of India.
11. Retention of Personal Data & MoHFW Medical Records Interplay
Section 8(7) of the DPDP Act 2023 requires that personal data be erased once the purpose of its collection is served, unless retention is required for compliance with other laws.
Healthcare providers in India are bound by the Electronic Health Record (EHR) guidelines issued by the Ministry of Health and Family Welfare (MoHFW) and the regulations of the National Medical Commission (NMC). These guidelines mandate strict retention periods:
- Outpatient Department (OPD) records must be preserved for at least **3 years** from the patient's last visit.
- Inpatient Department (IPD) records and surgical registers must be stored for a minimum of **5 years**.
- Pediatric patient records must be retained until the child reaches the age of majority (18 years) plus an additional **3 years** (i.e., until the patient turns 21).
- Medico-legal cases (MLCs) must be archived indefinitely until final judicial disposal.
Where retention is required by these laws, Section 8(7) of the DPDP Act permits the records to be retained despite an erasure request, and the Subscribing clinic is responsible for managing the applicable retention schedules. Upon subscription termination, we purge all corresponding encrypted cloud databases within 30 days.
12. Cross-Border Data Transfers & Storage
Under Section 16 of the DPDP Act 2023, the transfer of personal data outside India is permitted unless specifically restricted by the Central Government.
Our account administration, billing processing, and system telemetry are hosted in the United States by Be Smart Global, LLC and processed through Stripe. This transfer is necessary to provide the B2B subscription service. Clinical consultation data remains redacted and encrypted, meaning no readable patient personal data is transferred across borders. All B2B contracts incorporate Standard Contractual Clauses (SCCs) and strict data protection agreements to safeguard these transfers.
13. Technical Security Measures & Breach Notification
Under Section 8(5) of the DPDP Act 2023, we implement reasonable security safeguards to prevent personal data breaches:
- Data Encryption: All data is encrypted in transit using TLS 1.3 and at rest in our cloud databases using AES-256.
- Access Control: Role-based access control (RBAC) and Multi-Factor Authentication (MFA) are enforced for all administrative interfaces.
- Breach Notification: In the event of a personal data breach, we will notify the affected Subscribers (Data Fiduciaries) and the Data Protection Board of India (DPBI) without undue delay. The Data Fiduciary is responsible for notifying the affected patients (Data Principals).
14. Grievance Redressal Mechanism & Data Protection Officer
In accordance with Section 13 of the DPDP Act 2023, we have established a dedicated grievance redressal mechanism. For any privacy concerns, data access requests, or complaints, please contact our Data Protection Officer (DPO):
DPO and Grievance Officer: Legal & Compliance Department
Corporate Entity: Be Smart Global, LLC
Email: info@be-smart-business.de
Response Timeline: We will acknowledge your grievance within 48 hours and provide a final response or resolution within 7 business days, in compliance with statutory requirements.
If you are not satisfied with our resolution, you have the right to file a complaint directly with the **Data Protection Board of India (DPBI)** through their official portal.
© 2026 Be Smart Global, LLC. All rights reserved.