Privacy Policy
GalenAI Private Limited (“GalenAI”, “we”, “our”, “us”) is committed to safeguarding the privacy and security of the personal data entrusted to us by our customers, their authorised users, and institutional partners.
This Privacy Policy describes how we handle personal data and institutional information in connection with the provision of our subscription-based AI-powered medical learning and productivity platform (the “Services”).
This Privacy Policy forms part of our contractual commitments under the Enterprise SaaS Agreement and is aligned with applicable global and Indian data protection laws, including:
- Digital Personal Data Protection Act, 2023
- Information Technology Act, 2000
- Other relevant regulations
By subscribing to and using the Services, you acknowledge and consent to the practices described herein.
1. Categories of Data Processed
Depending on the scope of the Services procured, we may process the following categories of data:
1.1 Institutional and Account Data
- Customer name, institutional details, faculty/student identifiers, and administrative contact information.
- User account details such as email addresses, usernames, passwords, payment mode details, and access preferences.
1.2 Learning and Usage Data
- Study progress, flashcard activity, clinical case responses, AI Co-Pilot interactions, analytics reports, and performance dashboards.
- Wellbeing mode usage insights (e.g., study breaks, stress prompts) in anonymised or aggregated form only.
1.3 Transaction and Billing Data
- Payment-related information such as billing address and GST details.
- Payment credentials are handled exclusively by authorised payment processors; GalenAI does not store full card or bank details.
1.4 Technical and Log Data
- Device identifiers, browser and operating system details, login timestamps, usage patterns, and error logs.
- Raw IP addresses are temporarily processed and immediately hashed for installation attribution purposes (see Section 1.6); they are not stored indefinitely as log data.
1.5 Third-Party or Integrated Data
- Information provided by institutional partners or integrated learning management systems, limited to academic and access-related information.
1.6 Installation Attribution Data
When you tap an advertisement for GalenAI and subsequently install the app, we measure which advertising campaign led to your installation. This processing is conducted solely to assess campaign effectiveness and allocate our marketing budget responsibly. We do not use this data to build user profiles or serve behavioural advertising.
What we collect:
- Campaign parameters from the advertisement link clicked (e.g., utm_source, utm_medium, utm_campaign), which describe the campaign, not you.
- A one-way cryptographic hash of your device's network (IP) address — used only on iOS to match your click to your install. The raw IP address is never stored by GalenAI.
- Device type and operating system version (e.g., "iPhone, iOS 18.2"), used to improve match accuracy where multiple users share a network.
- Play Install Referrer string (Android only), provided by Google Play upon installation, containing the campaign parameters originally embedded in our advertisement link.
- A referral code, only if voluntarily entered during onboarding.
What we do not collect: We do not access your device's advertising identifier (IDFA on iOS or AAID on Android), store your raw IP address, track you across other apps or websites, build a device fingerprint, or share this data with any third party.
Retention: Unmatched advertisement click records are deleted within 72 hours. Upon a successful match, the IP hash is immediately deleted; only campaign metadata (source, campaign name, medium) is retained with your account and deleted upon account deletion.
Legal basis: We rely on your consent, provided when you accept our Terms & Conditions during onboarding. You may opt out by installing the app directly from the app store (without clicking an advertisement link), or by deleting your account at any time.
This processing complies with the Digital Personal Data Protection Act, 2023 (India) and, where applicable, the General Data Protection Regulation (GDPR).
2. Purpose and Basis of Processing
GalenAI processes personal and institutional data only for the following purposes:
- Service Delivery: To provide, operate, and maintain the Services, including account provisioning, personalised learning pathways, multilingual support, and institutional reporting.
- Marketing Attribution: To assess advertising campaign effectiveness without profiling users, as outlined in Section 1.6.
- Improvement and Innovation: To enhance platform features, improve AI models (using de-identified data), and conduct product research and analytics.
- Compliance and Security: To ensure lawful use, protect against fraud or unauthorised access, and comply with applicable laws and regulatory requirements.
- Support and Communication: To respond to support requests, notify about system updates, and share service-related communications.
- Billing and Administration: To process subscription payments, manage invoices, and maintain records for statutory compliance.
Processing is carried out under contractual necessity, compliance with law, and legitimate business interests as defined by applicable Indian regulations.
3. Data Sharing and Disclosure
GalenAI does not sell or monetise Customer Data. We also do not share data (including Installation Attribution Data, see Section 1.6) with advertising networks or third parties. Data may be disclosed only in the following situations:
- Within the Institution: Certain usage or performance data may be made available to the subscribing institution for academic and administrative purposes.
- Service Providers: Third-party vendors providing hosting, cloud storage, payment processing, analytics, or customer support. These entities are bound by confidentiality and data protection obligations equivalent to those of GalenAI.
- Legal Requirements: Where disclosure is required by law, regulation, or judicial order.
- Corporate Restructuring: In connection with a merger, acquisition, or transfer of assets, subject to confidentiality safeguards.
- Sub-processors: Where necessary for hosting or data management, with equivalent data protection commitments in place.
4. Data Protection and Security
GalenAI maintains administrative, technical, and organisational safeguards designed to:
- Protect Customer Data against unauthorised access, alteration, loss, or disclosure.
- Ensure compliance with the Digital Personal Data Protection Act, 2023 and allied regulations.
- Restrict access to Customer Data to authorised personnel only.
- Employ encryption, access control, and monitoring protocols in line with industry standards.
In the event of a confirmed data breach affecting Customer Data, GalenAI shall notify the Customer within 72 hours of discovery and cooperate fully in mitigation and remediation.
5. Data Retention and Deletion
GalenAI retains Customer Data for the duration of the active subscription. Following termination or expiry of the Agreement, Customer Data will remain accessible for retrieval by the User for up to fifteen (15) days at no additional charge.
After this period, GalenAI may continue to retain User Data indefinitely for archival, compliance, backup, and service-improvement purposes, in accordance with applicable data protection and privacy laws. Backups maintained for disaster recovery shall also be retained under the same framework.
Exceptions to indefinite retention: Campaign metadata and unmatched advertisement click records described in Section 1.6 are subject to specific deletion rules and are permanently deleted when you delete your account or within 72 hours, respectively.
6. Rights of Customers and Users
Subject to applicable law, Customers and Authorised Users have the right to:
- Access and obtain copies of their personal data processed by GalenAI.
- Request rectification or correction of inaccurate data.
- Request deletion of personal data, subject to contractual or legal retention requirements.
- Withdraw consent for processing (where consent is the legal basis).
Requests may be submitted by emailing info@galenai.io. Institutional customers may also designate an authorised administrator to coordinate rights requests on behalf of their users.
7. Responsibilities of Institutions
7.1
Where Services are provided to an institution, the institution acts as the primary data controller with respect to its Authorised Users. GalenAI acts as a data processor and will process Customer Data only on the institution's documented instructions, as per the SaaS Agreement and this Privacy Policy.
7.2
All Users, including individual subscribers and institutions, shall take all necessary measures to ensure lawful and ethical use of the Services. Without limitation, Users shall:
- (a) refrain from using the Services for plagiarism, academic dishonesty, or any form of misrepresentation;
- (b) not upload, distribute, or store infringing or unauthorised copyrighted works (including entire textbooks, journal PDFs, or proprietary materials);
- (c) ensure compliance with applicable intellectual property, privacy, and ethical standards under law and institutional codes of conduct; and
- (d) prevent any unauthorised or fraudulent use of the Services.
- (e) Institutions shall further ensure that their Authorised Users comply with these obligations.
- (f) Any misuse or breach by an Authorised User shall be deemed a breach by the Institution.
8. Use of Knowledge Sources and Transformative Outputs
8.1
GalenAI does not copy or reproduce entire textbooks, journals, or other works. Instead, our Services draw on academic and publisher materials and transform them into new educational aids such as explanations, summaries, interactive cases, and learning pathways. These outputs are designed to support study and understanding, with proper references, and are provided only for research, teaching, review, and criticism under fair use or fair dealing principles. GalenAI content is supplementary and does not replace institutionally prescribed textbooks or publisher materials.
8.2
GalenAI respects the intellectual property rights of publishers, authors, and content creators. If you believe that our Services inadvertently reference or infringe your copyright, please contact us immediately at info@galenai.io.
9. International Data Transfers
Although data is primarily processed and stored in India, if cross-border transfers are necessary (e.g., for cloud hosting or analytics), GalenAI shall ensure that equivalent contractual and technical safeguards are applied in line with Indian legal requirements.
10. Children's Data
The Services are designed for medical students, faculty, and professionals. We do not knowingly collect data from individuals under 15 years of age. If such data is identified, GalenAI will delete it promptly.
11. Policy Updates
This Privacy Policy may be revised from time to time to reflect changes in law, technology, or our practices. Updates will be communicated through appropriate channels, including email or in-product notifications. Continued use of the Services after updates constitutes acceptance of the revised Privacy Policy.
12. Contact Details
For all privacy-related queries, rights requests, or concerns, please contact:
GalenAI Private Limited
Door No.1/168-B18 (Flat No.205B), Tower 2, DD Golden Gate, MLA Road, Palachuvadu,
Kakkanad, Kochi, Ernakulam, Kerala, India, 682037
Email: info@galenai.io