This page summarises how MetaboliQ Technologies Pvt. Ltd. (“MetaboliQ”) approaches alignment with India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and rules issued thereunder, as they apply to our Services. It is a high-level overview, not a legal opinion or exhaustive compliance statement. Official guidance from the Data Protection Board of India and other regulators may evolve.
We design our Services to support lawful processing of digital personal data in India, including in health-related contexts where consent, notice, and purpose limitation are critical. Specific implementations may vary by product module, deployment (e.g. pilot vs production), and contractual role (data fiduciary vs processor, where applicable).
We work to provide clear notice about what personal data is processed, for what purposes, and with whom it may be shared. Where the DPDP Act requires consent, we aim to obtain it in a granular, informed manner, including for health-related processing where appropriate.
We support processes to address requests to access, correct, erase (where applicable), and grievances, in line with the DPDP Act and our Privacy Policy. Response timelines and exceptions follow applicable law.
We implement reasonable security safeguards appropriate to the nature of the data and risk, including for health and clinical information. This includes technical measures (e.g. encryption in transit where used, access controls) and organisational measures (e.g. training, vendor review).
Error tracking and diagnostics are processed through Sentry under Google Cloud Platform's Data Processing Addendum, providing cross-border-transfer compliance under DPDP Act 2023 § 6. MetaboliQ sends only error metadata and stack traces to Sentry — prescription body, FHIR payload, and patient personally identifiable information are not transmitted. Patient health identifiers (e.g. Aadhaar, phone patterns) are scrubbed from logs before any transmission off-device.
We retain personal data only as long as necessary for stated purposes or as required by law (including clinical and audit retention). We maintain procedures to detect, respond to, and notify concerning personal data breaches as required by the DPDP Act and rules.
MetaboliQ maintains a DPDP Board breach registry. As of 8 May 2026, no notifiable personal data breaches have been recorded. Should an incident occur, details will be published here in accordance with DPDP Act 2023 §8(6) requirements.
For breach inquiries or to report a suspected incident, contact our DPO at tushar.langer@metaboliq.in.
Patient data is processed in GCP asia-south1 (Mumbai, India), ensuring data residency within India as supported by DPDP Act 2023 compliance. MetaboliQ's primary processing occurs in-country, with only non-sensitive error tracking (via Sentry) subject to cross-border transfer under the conditions described in section 4.
We take into account restrictions on processing children’s data under the DPDP Act, including verification and parental consent requirements where applicable.
We document processing activities, conduct risk assessments where appropriate, and engage with partners and customers to clarify roles and responsibilities for shared processing scenarios.
For DPDP-related questions or grievances, contact: tushar.langer@metaboliq.in. You may also have the right to approach the Data Protection Board of India as provided by law.