Document Changelog.

Full redraft to align with the DPDP Act 2023, introduce granular consent obligations, update company structure, and add consumer-facing service level commitments.

• DPDP Act 2023 compliance — Definitions updated; Sensitive Personal Data and Genetic Data provisions brought in line with India's Digital Personal Data Protection Act, 2023. Material
• Granular consent framework — New dedicated consent step introduced at service registration. Separate consent items for sample collection, data processing, HAS data use, results delivery, data sharing, and international transfer. Material
• Minor / guardian path — Added explicit provisions for services accessed on behalf of minors under 18, including guardian authorization requirements and liability allocation. Material
• Service level commitments — Report delivery timelines formalized: estimated date communicated at initiation; delay beyond 12 weeks triggers status update; delay beyond 16 weeks entitles user to full refund. New
• Refund policy restructured — Cancellation tiers clarified with explicit timeframes (48 hrs / 24–48 hrs / <24 hrs / post-collection). Refund processing time stated as 15 working days. Updated
• Re-testing provisions — Complimentary re-collection added for sample failures attributable to Mira One or its laboratory partners. New
• Report accuracy & correction — 60-day dispute window added; corrected report at no charge where laboratory or sequencing error confirmed. New
• Grievance Redressal Officer — Designated officer (Sujata Mane) named with contact details, 7-day acknowledgement and 30-day resolution commitments. New
• Company structure updated — KaiOrigin Health Private Limited (India) under license from PreventiveHealth.ai Inc. (U.S.A.) now explicitly named. Updated
• Governing law & jurisdiction — Exclusive jurisdiction confirmed as Courts in Mumbai, Maharashtra, India. 30-day good faith negotiation required before formal proceedings. Updated
• Termination provisions — Mira One and user termination rights, notice periods, and applicable refund on termination clarified. Updated

Founding Terms of Service for the PreventiveHealth.ai / Mira One platform, covering basic service scope, payment, and user obligations.

Comprehensive redraft for DPDP Act 2023 compliance, introducing lawful basis framework, Data Protection Officer, formal data rights table, retention schedules, and AI/LLM safeguard provisions.

• DPDP Act 2023 compliance — Full alignment with India's Digital Personal Data Protection Act, 2023, including Data Fiduciary / Data Principal definitions and purpose-limitation requirements. Material
• Lawful basis table — Explicit lawful basis documented for each data processing purpose, including opt-out rights per category. Material
• Genetic Data — special provisions — Dedicated section added: purpose limitation, no sharing with insurers or employers, re-identification risk controls, and notification obligations for anonymization practice changes. Material
• Data retention schedules — Explicit retention periods defined per data category (personal identifiers, HAS, biomarkers, genetic data, counselling records, financials). New
• Data Principal rights table — Eight named rights (Access, Correction, Erasure, Portability, Withdraw Consent, Grievance, Automated Decisions, Nominate) with plain-language explanations. FHIR R4 / ABDM portability support added. New
• Data Protection Officer appointed — Vinayak Pai named as DPO with contact details; primary point of contact for all data protection matters. New
• Grievance Officer named — Sujata Mane designated as Grievance Officer (Section 11) with 48-hour acknowledgement and 30-day resolution commitments. New
• Third-party accountability strengthened — Withdrawal cascade to Data Processors formalized (7 working days); sub-processor list published at /sub-processors; 30-day advance notice for material additions. Updated
• International transfer safeguards — Explicit statement that raw Personal Data and Genetic Data stays on Indian infrastructure; cross-border exceptions limited to physical samples and anonymized data; Standard Contractual Clauses referenced. Updated
• Security provisions expanded — AES-256 at rest, TLS 1.2+ in transit, field-level encryption for sensitive identifiers, tamper-proof audit logs, 72-hour breach notification to users, and 6-hour CERT-In reporting added. Updated
• Automated processing & AI safeguards — New section: LLM/AI use disclosed; identifiable data never sent to AI systems; pseudonymization required; clinical review of all automated outputs mandated; no training of third-party AI on user data. New
• Children's privacy — Expanded minor provisions: verified parental consent required; 60-day window for minor to provide independent consent on turning 18 before data deletion. Updated
• Business transfer — Explicit 30-day advance notice required before Genetic Data or Sensitive Personal Data transfer in non-court-approved business transfers. New
• Plain-language notice commitment — Pre-collection notice in clear English (and regional languages) added as a formal obligation (Section 3.5). New

Founding Privacy Policy for the PreventiveHealth.ai platform, covering data collection, GeneClinicX app privacy, sample storage, and basic consent provisions.