Privacy Policy

GalenAI Private Limited (“GalenAI”, “we”, “our”, “us”) is committed to safeguarding the privacy and security of the personal data entrusted to us by our customers, their authorised users, and institutional partners.

This Privacy Policy describes how we handle personal data and institutional information in connection with the provision of our subscription-based AI-powered medical learning and productivity platform (the “Services”).

This Privacy Policy forms part of our contractual commitments under the Enterprise SaaS Agreement and is aligned with applicable Global and Indian data protection laws, including:

• Digital Personal Data Protection Act, 2023
• Information Technology Act, 2000
• Other relevant regulations

By subscribing to and using the Services, you acknowledge and consent to the practices described herein.

1. Categories of Data Processed

Depending on the scope of the Services procured, we may process the following categories of data:

1.1 Institutional and Account Data

• Customer name, institutional details, faculty/student identifiers, and administrative contact information.
• User account details such as email addresses, usernames, passwords, payment mode details, and access preferences.

1.2 Learning and Usage Data

• Study progress, flashcard activity, clinical case responses, AI Co-Pilot interactions, analytics reports, and performance dashboards.
• Wellbeing mode usage insights (e.g., study breaks, stress prompts) in anonymised or aggregated form only.

1.3 Transaction and Billing Data

• Payment-related information such as billing address and GST details.
• Payment credentials are handled exclusively by authorised payment processors; GalenAI does not store full card or bank details.

1.4 Technical and Log Data

• Device identifiers, IP address, browser and operating system details, login timestamps, usage patterns, and error logs.

1.5 Third-Party or Integrated Data

• Information provided by institutional partners or integrated learning management systems, limited to academic and access-related information.

2. Purpose and Basis of Processing

GalenAI processes personal and institutional data only for the following purposes:

• Service Delivery: To provide, operate, and maintain the Services, including account provisioning, personalised learning pathways, multilingual support, and institutional reporting.
• Improvement and Innovation: To enhance platform features, improve AI models (using de-identified data), and conduct product research and analytics.
• Compliance and Security: To ensure lawful use, protect against fraud or unauthorised access, and comply with applicable laws and regulatory requirements.
• Support and Communication: To respond to support requests, notify about system updates, and share service-related communications.
• Billing and Administration: To process subscription payments, manage invoices, and maintain records for statutory compliance.

Processing is carried out under contractual necessity, compliance with law, and legitimate business interests as defined by applicable Indian regulations.

3. Data Sharing and Disclosure

GalenAI does not sell or monetise Customer Data. Data may be disclosed only in the following situations:

• Within the Institution: Certain usage or performance data may be made available to the subscribing institution for academic and administrative purposes.
• Service Providers: Third-party vendors providing hosting, cloud storage, payment processing, analytics, or customer support. These entities are bound by confidentiality and data protection obligations equivalent to those of GalenAI.
• Legal Requirements: Where disclosure is required by law, regulation, or judicial order.
• Corporate Restructuring: In connection with a merger, acquisition, or transfer of assets, subject to confidentiality safeguards.
• Sub processors: Where necessary for hosting or data management, with equivalent data protection commitments in place.

4. Data Protection and Security

GalenAI maintains administrative, technical, and organisational safeguards designed to:

• Protect Customer Data against unauthorised access, alteration, loss, or disclosure.
• Ensure compliance with the Digital Personal Data Protection Act, 2023 and allied regulations.
• Restrict access to Customer Data to authorised personnel only.
• Employ encryption, access control, and monitoring protocols in line with industry standards.

In the event of a confirmed data breach affecting Customer Data, GalenAI shall notify the Customer within 72 hours of discovery and cooperate fully in mitigation and remediation.

5. Data Retention and Deletion

GalenAI retains Customer Data for the duration of the active subscription. Following termination or expiry of the Agreement, Customer Data will remain accessible for retrieval by the User for up to fifteen (15) days at no additional charge.

After this period, GalenAI may continue to retain User Data indefinitely for archival, compliance, backup, and service-improvement purposes, in accordance with applicable data protection and privacy laws. Backups maintained for disaster recovery shall also be retained under the same framework.

6. Rights of Customers and Users

Subject to applicable law, Customers and Authorised Users have the right to:

• Access and obtain copies of their personal data processed by GalenAI.
• Request rectification or correction of inaccurate data.
• Request deletion of personal data, subject to contractual or legal retention requirements.
• Withdraw consent for processing (where consent is the legal basis).

Requests may be submitted by emailing info@galenai.io. Institutional customers may also designate an authorised administrator to coordinate rights requests on behalf of their users.

7. Responsibilities of Institutions

7.1

Where Services are provided to an institution, the institution acts as the primary data controller with respect to its Authorised Users. GalenAI acts as a data processor and will process Customer Data only on the institution's documented instructions, as per the SaaS Agreement and this Privacy Policy.

7.2

All Users, including individual subscribers and institutions, shall take all necessary measures to ensure lawful and ethical use of the Services. Without limitation, Users shall:

• (a) refrain from using the Services for plagiarism, academic dishonesty, or any form of misrepresentation;
• (b) not upload, distribute, or store infringing or unauthorised copyrighted works (including entire textbooks, journal PDFs, or proprietary materials);
• (c) ensure compliance with applicable intellectual property, privacy, and ethical standards under law and institutional codes of conduct; and
• (d) prevent any unauthorised or fraudulent use of the Services.
• (e) Institutions shall further ensure that their Authorised Users comply with these obligations.
• (f) Any misuse or breach by an Authorised User shall be deemed a breach by the Institution.

8. Use of Knowledge Sources and Transformative Outputs

8.1

GalenAI does not copy or reproduce entire textbooks, journals, or other works. Instead, our Services draw on academic and publisher materials and transform them into new educational aids such as explanations, summaries, interactive cases, and learning pathways. These outputs are designed to support study and understanding, with proper references, and are provided only for research, teaching, review, and criticism under fair use or fair dealing principles. GalenAI content is supplementary and does not replace institutionally prescribed textbooks or publisher materials.

8.2

GalenAI respects the intellectual property rights of publishers, authors, and content creators. If you believe that our Services inadvertently reference or infringe your copyright, please contact us immediately at info@galenai.io.

9. International Data Transfers

Although data is primarily processed and stored in India, if cross-border transfers are necessary (e.g., for cloud hosting or analytics), GalenAI shall ensure that equivalent contractual and technical safeguards are applied in line with Indian legal requirements.

10. Children's Data

The Services are designed for medical students, faculty, and professionals. We do not knowingly collect data from individuals under 15 years of age. If such data is identified, GalenAI will delete it promptly.

11. Policy Updates

This Privacy Policy may be revised from time to time to reflect changes in law, technology, or our practices. Updates will be communicated through appropriate channels, including email or in-product notifications. Continued use of the Services after updates constitutes acceptance of the revised Privacy Policy.

12. Contact Details

For all privacy-related queries, rights requests, or concerns, please contact: