Privacy Policy

Welcome to Terionlabs Technologies Private Limited (“Terionlabs”, “we”, “us”, or “our”). We operate the AI Voice Receptionist service available at https://terionlabs.com and via our mobile and web applications (collectively, the “Service”).

This Privacy Policy describes how we collect, use, disclose, and safeguard your personal data when you use our Service. It is consistent with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable laws.

By accessing or using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Service.

We collect the following categories of personal data:

2.1 Data You Provide Directly

• Account & Clinic Information: Name, clinic name, email address, phone number, and address when you register a clinic.
• Staff Profiles: Names and email addresses of clinic staff users you onboard.
• Contact Form Submissions: Name, email, phone, and message content submitted via our website contact form.

2.2 Data Collected Automatically

• Call Data: Phone numbers of patients who call clinic DIDs, call duration, timestamps, and AI-generated transcripts.
• Appointment Data: Patient names, phone numbers, and appointment times captured by the AI during calls.
• Usage & Log Data: IP addresses, browser type, device identifiers, pages visited, and session data.
• Cookies: Authentication cookies (JWT), preference cookies, and analytics cookies (see Section 8).

2.3 Data From Third Parties

• Telephony: Call metadata from Knowlarity Communications (our telecom partner).
• Messaging: Delivery status from WhatsApp Business API / Gupshup.

We process your personal data for the following purposes:

• Providing, maintaining, and improving the AI Voice Receptionist Service.
• Booking and managing clinic appointments on behalf of clinic operators.
• Sending WhatsApp appointment reminders to patients.
• Authenticating clinic staff via JWT-based login.
• Responding to support requests and demo inquiries.
• Analysing usage patterns to improve AI accuracy and Service features.
• Complying with legal obligations under Indian law.
• Detecting and preventing fraud, abuse, and security incidents.

We rely on the following legal bases under the DPDP Act 2023: (a) consent of the Data Principal; (b) legitimate interests of operating the Service; and (c) compliance with legal obligations.

We do not sell your personal data. We may share data only with:

• Sub-processors: OpenAI (speech & language AI), Google Cloud (TTS), Knowlarity (telephony), Gupshup / WhatsApp (messaging), AWS (hosting). Each is bound by a data processing agreement.
• Clinic Operators: Patient call data and appointment information is shared with the clinic that owns the DID through which a call was received.
• Legal Authorities: Where required by a court order, law enforcement request, or applicable Indian law.
• Business Transfers: In the event of a merger or acquisition, subject to the acquirer honouring this Privacy Policy.

Terionlabs operates as a Data Processor for personal data of clinic patients. The clinic operator is the Data Fiduciary under the DPDP Act 2023. Clinics are responsible for:

• Obtaining valid patient consent before deploying the AI receptionist.
• Displaying appropriate notices to patients (e.g., “This call may be handled by an AI system and recorded for appointment purposes”).
• Honouring patient requests for data access, correction, and erasure via the Terionlabs dashboard.

• Call transcripts: Retained for 12 months from the call date, then automatically purged.
• Appointment records: Retained for 36 months to support medical audit requirements.
• Account data: Retained for the duration of the active subscription plus 90 days after termination.
• Server logs: Retained for 90 days.

You may request earlier deletion; see Section 9.

We implement industry-standard security measures including:

• AES-256 encryption at rest for all database fields containing personal data.
• TLS 1.2+ encryption in transit for all API and WebSocket communications.
• JWT-based authentication with short expiry and HTTP-only cookies.
• Role-based access control (RBAC) — staff can only access their own clinic's data.
• Regular automated security scans and dependency audits via GitHub Actions.
• Deployment on AWS EC2 instances within India's ap-south-1 region.

No system is 100% secure. In the event of a personal data breach, we will notify affected Data Fiduciaries (clinics) and the Data Protection Board of India within the timeframes specified by law.

We use the following cookies:

• Essential cookies: JWT authentication tokens required for dashboard login. Cannot be disabled.
• Preference cookies: Storing language and UI preferences.
• Analytics cookies: Aggregate, anonymised usage data to improve the product. You may opt out via your browser settings.

We do not use advertising or cross-site tracking cookies.

Under the DPDP Act 2023 and other applicable laws, you have the right to:

• Access: Obtain a summary of personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete personal data.
• Erasure: Request deletion of your personal data, subject to retention obligations.
• Grievance Redressal: Lodge a complaint with our Data Protection Officer.
• Nominate: Nominate an individual to exercise your rights in the event of your death or incapacity.

To exercise any right, email privacy@terionlabs.com with subject line “DPDP Rights Request — [Your Name]”. We will respond within 30 days.

Our Service is designed for healthcare professionals and clinic operators. We do not knowingly collect personal data from individuals under 18 years of age. If you believe we have inadvertently collected such data, please contact us immediately.

Some of our sub-processors (OpenAI, Google) operate outside India. We ensure such transfers comply with the DPDP Act 2023 and use appropriate contractual safeguards (Standard Contractual Clauses or equivalent).

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered clinic administrators at least 15 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

For privacy concerns, data requests, or complaints:

If your concern is not resolved to your satisfaction, you may escalate to the Data Protection Board of India once constituted under the DPDP Act 2023.