LabMatrix AI
Book a demo WhatsApp

Legal · Privacy

Privacy Policy

LabMatrix AI — a product of ShiningStar Technologies (sole proprietorship)

Last updated: 25 June 2026  ·  Governing law: India (DPDP Act, 2023 & DPDP Rules, 2025)

These terms take effect on the date above and govern your use of LabMatrix. For any question, data request, or grievance, email founder@labmatrixai.com.

1. Who we are & what this policy covers

LabMatrix AI (“LabMatrix”, “the Platform”, “we”, “us”) is a multi-tenant pathology-laboratory management platform operated by ShiningStar Technologies, a sole proprietorship registered in India (Udyam UDYAM-UP-14-0054683), having its place of business at K/591, Katra, Nawabganj, Barabanki, Uttar Pradesh – 225001.

This policy explains what personal data the Platform processes, why, how we protect it, and the rights available to individuals under India’s Digital Personal Data Protection Act, 2023 (“DPDPA”) and the DPDP Rules, 2025.

2. Our role: Processor and Fiduciary

For patient data, the laboratory is the “Data Fiduciary” and LabMatrix is the “Data Processor.” Your laboratory decides which patient data to collect and why, and obtains the patient’s consent. LabMatrix processes that data only on the laboratory’s instructions, to provide the service.

For data we control directly — such as laboratory staff accounts and the laboratory’s own account/billing relationship with us — LabMatrix acts as a Data Fiduciary.

3. Personal data we process

We process the following categories of personal data, supplied by the laboratory or generated through use of the Platform:

CategoryExamples
Patient identityName, date of birth, gender, phone number, email, postal address (city/state/PIN), preferred language, patient code
Health & clinical dataTest orders, sample types, test results & reference ranges, diagnoses/findings, reports, blood group, allergies, medical notes, AI-assisted interpretations, health scores & trends
Health identifiers / insuranceABHA (Ayushman Bharat Health Account) ID where provided, insurance provider & policy number
Consent recordsConsent type, consent text, grant/withdrawal timestamps, and the IP address from which consent was recorded
Referring-doctor dataName, specialty, medical registration number, phone, email
Laboratory staff (user) dataName, phone, email, role(s), professional qualification & medical-council registration number, designation, signature image, login activity. Passwords are stored only as salted hashes.
Laboratory / business dataLab name, address, GSTIN, logo, and billing/payment records
Technical & security dataIP address, device identifiers (for the doctor app), access logs and audit trails (who changed what, and when)

We do not use patient health data for advertising, and we never sell personal data.

4. Why we process it (purposes)

  • To run the laboratory workflow — patient registration, order, sample handling, result entry/validation/approval, report generation, and billing.
  • To send operational notifications (e.g., one-time passwords for login, report-ready links, critical-value alerts) by SMS, WhatsApp or email.
  • To provide AI-assisted features (e.g., result interpretation and flagging). These are assistive only and are reviewed by qualified laboratory professionals; they are not a substitute for professional judgement.
  • For security, audit, fraud prevention, and to meet legal, regulatory and accreditation obligations (e.g., medical record-keeping, NABL).

5. Legal basis & consent

Where LabMatrix acts as a Processor, we process patient data on the documented instructions of the laboratory, which is responsible for obtaining valid consent from the patient (Data Principal). The Platform provides consent-capture tooling to help laboratories record and manage that consent. Where LabMatrix acts as a Fiduciary (e.g., staff and lab-account data), we rely on consent and on the necessity of processing to provide the service and meet legal obligations.

6. How we protect your data (security)

  • Data residency in India — the Platform and its database are hosted in an India region (Mumbai).
  • Tenant isolation — every laboratory’s data is segregated using PostgreSQL Row-Level Security, enforced by a dedicated non-privileged database role.
  • Encryption in transit (HTTPS/TLS), role-based access controls, OTP-based authentication, and least-privilege access.
  • Audit logging of sensitive actions and result changes; regular backups.

7. Where your data is stored

Personal data is stored on servers located in India. If, in future, any sub-processor stores or processes data outside India, we will update this policy and ensure transfers comply with the DPDPA (including any restrictions notified by the Government under Section 16).

8. Sharing & sub-processors

We share personal data only as needed to provide the service:

  • With your laboratory (the Data Fiduciary) and its authorised users.
  • With service providers (sub-processors) under confidentiality obligations — for example, an SMS/WhatsApp gateway (for OTPs and alerts) and our cloud-hosting provider (in India). A current list is available on request.
  • Where required by law — to comply with a legal obligation, court order, or lawful request from a competent authority.

9. Data retention

We retain personal data for as long as the laboratory uses the Platform, and thereafter only as required to meet legal, medical-record-keeping, tax or accreditation obligations, or to resolve disputes. The Platform supports configurable retention policies. On a valid request, data is erased unless we are required by law to retain it.

10. Your rights (Data Principal)

Subject to the DPDPA, individuals have the right to:

  • Access — obtain a summary of the personal data we process about you and the processing activities;
  • Correction & completion of inaccurate or incomplete data;
  • Erasure of personal data, subject to legal retention requirements;
  • Withdraw consent at any time — and withdrawing is as easy as giving it;
  • Grievance redressal and to nominate another person to exercise rights in case of death or incapacity.

How to exercise: patients should first contact the laboratory that registered them (the Data Fiduciary). You may also contact our Grievance Officer (Section 12), who will assist or route the request appropriately.

11. Children’s data

Where a patient is a child (under 18) or a person with a disability who has a lawful guardian, the laboratory is responsible for obtaining verifiable consent from the parent/guardian before the data is processed. We do not knowingly process a child’s personal data without such consent, and we do not undertake tracking, behavioural monitoring, or targeted advertising directed at children.

12. Grievance Officer & contact

For any question, request, or complaint about your personal data, contact:

Grievance Officer
ShiningStar Technologies (LabMatrix AI)
Email: founder@labmatrixai.com

We will acknowledge and respond to grievances within the timelines required under the DPDPA and the DPDP Rules (and in any case within 90 days).

13. Data breaches

We maintain reasonable security safeguards to prevent personal-data breaches. In the event of a breach, we will notify the affected laboratory and, where required, the Data Protection Board of India and affected individuals, in the manner and timelines prescribed by the DPDP Rules.

14. Changes to this policy

We may update this policy from time to time. Material changes will be notified through the Platform or by email, and the “Last updated” date above will be revised.