Mira One, operated by KaiOrigin Health Private Limited under license from PreventiveHealth.ai Inc., U.S.A. (collectively referred to as "Mira One", "we", "us", "our") is committed to protecting the privacy, confidentiality, and security of your personal and health data.
This Data Privacy Policy ("Policy") explains how we collect, use, store, share, protect, and retain your data when you use Mira One services. It also explains your rights under India's Digital Personal Data Protection Act, 2023 ("DPDP Act") and other applicable laws.
Mira One processes Sensitive Personal Data, including Genetic Data. We treat this with the highest standard of care, confidentiality, and legal compliance. We do not sell, rent, or trade your personal or genetic data.
This Policy applies to all services provided under the Mira One brand, including its website, mobile presence, and all health assessment and genetic testing services.
By accessing our website or using our services, you acknowledge that you have read and understood this Policy. We obtain your consent to data processing for service delivery separately through a dedicated consent form at the time you register for the Mira One service.
In this Policy, unless the context requires otherwise:
- "Personal Data" has the meaning given under the DPDP Act, 2023, and includes any data that can identify you directly or indirectly.
- "Sensitive Personal Data" means Personal Data that includes Genetic Data, health and medical data, biometric data, and other categories attracting heightened protection under applicable Indian law.
- "Genetic Data" means data relating to your inherited or acquired genetic characteristics, including data derived from Whole Exome Sequencing (WES) and Pharmacogenomics (PGX) analysis.
- "Data Fiduciary" in this context means KaiOrigin Health Private Limited, operating under the Mira One brand, in its capacity as the entity that alone or jointly with others determines the purpose and means of processing your Personal Data.
- "Data Principal" means you, the individual whose Personal Data is being processed.
- "Data Processor" means any Third-Party Provider that processes Personal Data on behalf of Mira One under a contractual arrangement.
- "DPDP Act" means the Digital Personal Data Protection Act, 2023, and all rules and regulations made thereunder.
- "Consent Manager" means a platform registered under the DPDP Act through which consent may be managed, if applicable.
- Name, date of birth, age, and gender.
- Contact details: email address and mobile phone number.
- Address (for scheduling collection of your blood and urine sample).
- Responses to the Mira One Health Assessment Survey (HAS), including medical history, family history, and lifestyle inputs (nutrition, sleep, physical activity, stress, and related factors).
- Current medications and known allergies, where provided.
- Blood and urine test results and biomarker values.
- Genetic Data derived from Whole Exome Sequencing (WES) and Pharmacogenomics (PGX) analysis, where applicable.
- Derived Reports, interpretations, risk annotations, and counselling notes.
- IP address, browser type and version, device type, and operating system.
- Website and platform usage data, including pages visited, session duration, and interaction logs.
- Cookie data, in accordance with Section 13 of this Policy.
Before we collect any Personal Data from you, we present a notice — in clear, simple English (and other supported regional languages) — describing: (i) the specific Personal Data being collected; (ii) the exact purpose for which it will be used; (iii) how you may exercise your data principal rights; and (iv) how you may complain to the Data Protection Board of India. This notice will be presented to you at the point of consent, separately from this Privacy Policy.
We collect only the data that is necessary and proportionate for the purposes described in this Policy. We do not collect unnecessary data.
We process your Personal Data only on a valid lawful basis. The table below sets out each purpose, the legal basis for processing, and whether you can opt out:
| Purpose of Data Use | Legal Basis | Can You Opt Out? |
|---|---|---|
| Generate your Mira One health Report | Explicit consent + Contract performance | No (core service) |
| Enable interpretation and counselling | Explicit consent + Contract performance | No (core service) |
| Coordinate sample collection and logistics | Contract performance | No (core service) |
| Communicate service updates and support | Legitimate interest / Contract | Yes (non-critical communications) |
| Anonymized research & population health insights | Explicit consent (separate) | Yes — opt out at any time |
| Service quality improvement using anonymized data | Legitimate interest | Yes — opt out at any time |
| Comply with legal and regulatory obligations | Legal obligation | No |
| Fraud prevention and security | Legitimate interest / Legal obligation | No |
We do not sell, rent, or trade your Personal Data or Genetic Data to any third party for commercial or marketing purposes.
Anonymized Research Use:
Where we use anonymized or aggregated data for research, population health insights, or product improvement, we apply technical de-identification measures appropriate to the sensitivity of the data such that it can no longer reasonably identify you.
While you may withdraw your consent for research use of your data at any time without affecting your core service, please note that once data has been irreversibly anonymized such that it can no longer reasonably identify you, we will not be able to de-anonymize your data.
Genetic Data is among the most sensitive categories of personal data. It is permanent, heritable, and can reveal information about you and your biological relatives. Mira One treats Genetic Data with the highest level of protection.
The following special provisions apply to your Genetic Data:
- Genetic Data is used exclusively for the purposes for which it was collected (generation of your Mira One Report and associated counselling). It is never used for unrelated research without a separate, specific, and informed consent.
- Mira One does not share identifiable Genetic Data with insurance companies, employers, government agencies (except as required by law), or other third parties not involved in service delivery.
- Genetic findings are probabilistic, not deterministic. They indicate statistical likelihoods based on current scientific knowledge, which may evolve.
- You should be aware that Genetic Data, if disclosed beyond Mira One's control (e.g., in a data breach, or if you choose to share your Report), could potentially be used by third parties such as insurers or employers. Mira One strongly advises caution in the disclosure of your genetic findings beyond your healthcare team.
- Mira One implements technical measures to minimize re-identification risk when using anonymized genetic datasets. However, no anonymization technique is absolute, and we will notify you if there is any material change to our anonymization practices.
Consent for Sensitive Personal Data:
Your explicit, informed consent for the collection and processing of Sensitive Personal Data (including Genetic Data) is obtained through a dedicated consent form completed at the time you register for the service — separately from your acceptance of these Terms. This consent form is specific, granular, and purpose-limited as required under the DPDP Act, 2023 or other relevant regulations.
Mira One shares your data only to the extent necessary for service delivery, with the following categories of Third-Party Providers:
| Category | Purpose |
|---|---|
| Diagnostic Laboratories | Sample analysis, genomic sequencing, and biomarker testing |
| Home Collection / Logistics Partners | Sample collection scheduling, transportation, and chain of custody |
| Cloud & Technology Platforms | Secure data storage, report generation, and encrypted communication |
| Clinical Counsellors | Pre- and post-test counselling sessions |
All Third-Party Providers are:
- Contractually bound to confidentiality obligations at least as protective as this Policy.
- Permitted to process your data only for the specific purpose for which it was shared and not for their own independent commercial purposes.
- Subject to Mira One's due diligence review prior to engagement and periodic oversight.
- Required to notify Mira One promptly of any data breach or security incident involving your data.
- Effect of withdrawal on Data Processors: Upon withdrawal of consent, Mira One will, within a reasonable time and in any case no later than 7 (seven) working days, instruct all Data Processors, including diagnostic laboratories, logistics partners, cloud providers, and counselling partners, to cease further processing of your data for the withdrawn purpose. Where retention is not legally required, we will trigger deletion of the affected data across Mira One systems and Data Processor systems. This obligation extends to any use of your data for research or product development.
- Mira One maintains a current list of Data Processors and sub-processors — including their role, country of operation, and data categories handled — at www.preventivehealth.ai/sub-processors. The list is dated and updated whenever a Data Processor is added or replaced. Material additions affecting Sensitive Personal Data will be notified to you by email at least 30 (thirty) days in advance.
Mira One may disclose your data to government authorities, courts, or regulators where required to do so by applicable law or valid legal process. Where legally permissible, we will notify you of such a requirement before disclosure.
All raw Personal Data and Sensitive Personal Data, including Genetic Data, is stored and processed on infrastructure physically located in India. Mira One does not transfer raw Personal Data or Sensitive Personal Data outside India.
Limited cross-border transfer is permitted only in two cases:
- physical samples (blood, urine, buccal swabs) sent to international accredited laboratories where equivalent processing is unavailable in India, with the resulting raw data returned to and stored only on Indian infrastructure; and
- anonymized or aggregated data, where re-identification is not reasonably possible, used for research, quality assurance, or service improvement.
Where any cross-border activity is undertaken, Mira One implements: (i) Standard Contractual Clauses or equivalent contractual safeguards; (ii) transfer only to jurisdictions notified or not restricted by the Central Government under the DPDP Act; (iii) DPO oversight of every cross-border data flow.
You may obtain the current list of countries to which samples are physically shipped by contacting our Data Protection Officer (see Section 12). Your samples may be processed in India or in other jurisdictions, including but not limited to the United States, the United Kingdom, Singapore, and the European Union, depending on the laboratory and technology partners engaged.
Safeguards for Cross-Border Transfers:
For any transfer of your Personal Data outside India, Mira One implements the following safeguards:
- Contractual protections (including Standard Contractual Clauses where applicable) with all international processors.
- Transfer only to jurisdictions that provide a comparable level of data protection, or with appropriate additional safeguards where they do not.
- Compliance with cross-border transfer requirements under the DPDP Act, 2023, including any restrictions notified by the Central Government.
By using Mira One's services, you explicitly consent to the cross-border transfer of your samples, results, and associated data, subject to the safeguards described above.
If you wish to know the specific jurisdictions to which your data may be transferred, please contact our Data Protection Officer (see Section 12).
Mira One uses industry-standard technical and organizational safeguards to protect your data, including:
- Industry-standard transport encryption (TLS 1.2 or higher) for all data in transit, and AES-256 encryption at rest for all Sensitive Personal Data. Highly sensitive identifiers (including Aadhaar, raw genetic sequences, and clinical diagnoses) are additionally protected with field-level encryption and stored using tokenization or secure vault technologies.
- Role-based access controls ensure that only authorized personnel with a business need can access your data.
- Multi-factor authentication for all systems handling Sensitive Personal Data.
- Regular security audits, vulnerability assessments, and penetration testing.
- Physical security controls at all data processing facilities.
While Mira One implements robust safeguards, no system can be guaranteed absolutely secure. In the event of a personal data breach that is likely to result in risk to your rights or interests, Mira One will:
- Notify the Data Protection Board of India without undue delay and, in any event, within the timeframe prescribed under the DPDP Act (and within 6 hours for reportable incidents under CERT-In directions).
- Notify you directly by email at the address on file within 72 hours of becoming aware of the breach, with a description of the nature of the breach, data affected, and steps being taken.
- Take immediate remedial action to contain and mitigate the breach.
- Tamper-proof, append-only audit logs for all access to Personal Data and Sensitive Personal Data. Each access event records the user, request, action (including read/view), timestamp, and purpose. Logs are retained for the period required under applicable law and are available for regulatory inspection.
We retain your Personal Data only for as long as is necessary for the purposes described in this Policy, and in compliance with applicable legal retention obligations. The table below sets out our standard retention periods:
| Data Category | Retention Period |
|---|---|
| Personal identifiers (name, contact, address) | Duration of service relationship + 10 years, or as required by law |
| Health Assessment Survey (HAS) responses | Duration of service relationship + 10 years |
| Blood / urine biomarker results | Minimum 7 years from date of Report (as per applicable health records law) |
| Genetic Data (WES / PGX) | Minimum 7 years unless you request earlier deletion (subject to legal requirements). Maximum 10 years, after which data will be deleted or irreversibly anonymized, unless mandated otherwise by law. |
| Technical / usage data | Minimum 12 months from collection |
| Counselling session records | 10 years from date of session |
| Financial transaction records | 10 years (as required under applicable tax and financial law) |
Upon expiry of the applicable retention period, your data will be securely deleted, anonymized, or pseudonymized.
Business Transfer:
In the event of a merger, acquisition, or business transfer approved by a court, tribunal, or competent authority under applicable Indian law, your data may be transferred to the successor entity as permitted under the DPDP Act. In all other business transfers not requiring such approval, Mira One will notify you at least 30 days in advance before your Genetic Data or Sensitive Personal Data is transferred. In any scenario, the successor entity will be required to honor the terms of this Privacy Policy.
Under the DPDP Act, 2023 and other applicable laws, you have the following rights in respect of your Personal Data:
| Right | What It Means |
|---|---|
| Right to Access | You may request a summary of the Personal Data we hold about you and the purposes for which it is processed. |
| Right to Correction | You may request correction of inaccurate or incomplete Personal Data. |
| Right to Erasure (Deletion) | You may request deletion of your Personal Data, subject to legal retention obligations. Note: deletion of Genetic Data may be limited where retention is required by law. |
| Right to Data Portability | You may request a copy of your Personal Data in a structured, commonly used, machine-readable format. For health and genetic data, Mira One supports export in FHIR R4 / JSON formats compatible with the Ayushman Bharat Digital Mission (ABDM) framework, where technically feasible, to enable transfer to another provider or your ABHA-linked health record. |
| Right to Withdraw Consent | You may withdraw your consent for specific data processing activities at any time. Withdrawal does not affect the lawfulness of prior data processing. Such withdrawal of consent will not apply to the reversal of data processing that has already been completed prior to receipt of your withdrawal request. Furthermore, data already incorporated into anonymized or aggregated datasets cannot be de-anonymized and may continue to be used in a non-identifiable form. Certain records may also be retained, where required, under applicable law, regulatory obligations, fraud prevention requirements, or medical record retention standards. Core service delivery may be impacted by the timing of any withdrawal of consent. |
| Right to Grievance Redressal | You have the right to raise a complaint with our Grievance Officer (see Section 11) and to escalate to the Data Protection Board of India. |
| Right re Automated Decisions | Where a Mira One Report involves automated processing that produces a significant finding affecting you, you have the right to request human review of that output. |
| Right to Nominate | Under the DPDP Act, you may nominate another individual to exercise your data rights in the event of your death or incapacity. |
To exercise any of the above rights, submit a written request to our Data Protection Officer at the contact details in Section 12. We will respond within 30 (thirty) days. For complex requests, we may extend this period by a further 30 days with notice to you.
Mira One has appointed a dedicated Grievance Officer in accordance with the DPDP Act, 2023 and the Consumer Protection Act, 2019. All privacy-related complaints should be addressed to:
| Name | Sujata Mane |
| Designation | Grievance Officer |
| Email | sujata.mane@preventivehealth.ai |
| Postal Address | Mira One — Grievance Officer, 7th Floor, Manikchand Galleria, Model Colony, Pune, Maharashtra, India – 411016 |
| Acknowledgement Time | Within 48 hours of receipt of complaint |
| Resolution Time | Within 30 (thirty) working days of receipt, extendable by 30 days with notice |
Escalation:
If you are not satisfied with the resolution provided by the Grievance Officer, you may escalate your complaint internally to the Data Protection Officer (DPO) at the contact details provided in Section 12. The DPO will conduct an independent review of your complaint and respond within 20 (twenty) working days of receipt of the escalation.
Mira One has designated a Data Protection Officer (DPO) responsible for overseeing compliance with this Policy and applicable data protection law. The DPO is the primary point of contact for all data protection matters.
| DPO Name | Vinayak Pai |
| Email | vinayak.pai@preventivehealth.ai |
| Office Address | 7th Floor, Manikchand Galleria, Model Colony, Pune, Maharashtra, India – 411016 |
The DPO may be contacted directly for: data subject rights requests, privacy compliance queries, consent management, and notifications of potential data breaches by third parties.
Mira One uses cookies and similar tracking technologies on its website:
- Essential / Functional Cookies: To enable core website functionality (login sessions, security). These are strictly necessary and cannot be opted out of.
- Analytics Cookies: To understand aggregate user behavior to improve our platform. Deployed only with your consent.
- Performance Cookies: To monitor page load speeds and error rates. Deployed only with your consent.
Cookie Consent: When you first visit the Mira One website, a cookie consent banner will be presented. You may accept, decline, or selectively consent to non-essential cookie categories. You may change your preferences at any time through your browser settings or our cookie management tool.
We do not use cookies or tracking technologies to build advertising profiles or to track you across third-party websites.
Mira One's services are designed for individuals aged 18 years and older.
Where services are accessed on behalf of a minor (a person under 18 years), the following rules apply:
- A parent or legal guardian must provide verifiable consent on the minor's behalf. This consent must be specific, informed, and documented, and may include submission of government-issued identity documents.
- Mira One will not process a minor's Sensitive Personal Data without verified parental or guardian consent.
- Parents and guardians may access, correct, or request deletion of their minor child's data by contacting the DPO.
- Upon a minor attaining the age of 18, they will be contacted to provide their own independent consent for continued data retention. If such consent is not provided within 60 (sixty) days of reaching majority, the data will be deleted (subject to legal retention obligations).
Mira One does not knowingly collect data from minors without parental consent. If we become aware that data has been collected from a minor without appropriate consent, we will take prompt steps to delete such data.
Mira One's Reports are generated using a combination of automated analysis and clinical review. Automated processing is used to:
- Analyse blood and urine biomarker values against reference ranges.
- Identify genetic variants associated with health risks or drug response patterns.
- Generate risk scores and recommendations based on population-level data and validated clinical models.
All automated outputs are reviewed by qualified clinical professionals before being included in your final Report. No significant finding in your Report is based solely on automated processing without clinical oversight.
You have the right to request human review of any automated finding in your Report that you believe to be inaccurate or that has materially affected you. To exercise this right, contact our DPO (Section 12).
AI and Large Language Models: Where Mira One uses artificial intelligence systems or large language models (LLMs) — whether operated in-house or by a third-party provider — to assist with interpretation, drafting, or counselling support, the following safeguards always apply: (i) raw Personal Data, Sensitive Personal Data, and Genetic Data are never sent to such systems; (ii) data is pseudonymized, tokenized, or de-identified before any AI processing; (iii) direct identifiers (name, contact details, Aadhaar, raw genetic sequences) are never shared with any third-party AI provider; (iv) all AI-assisted outputs are reviewed by qualified clinical professionals before inclusion in your Report or counselling. We do not use your Personal Data to train third-party AI models.
Mira One may update this Policy periodically to reflect changes in law, technology, or our practices. The following process applies:
- Non-material changes (e.g., clarifications, formatting): the updated Policy will be posted with a revised date. No separate notification is required.
- Material changes (i.e., changes that affect your rights, the purposes for which we use your data, or the categories of data we collect): Mira One will notify you by email at least 30 (thirty) days before such changes take effect. Until fresh affirmative consent is received, processing of your Genetic Data for the new or changed purpose will not commence.
- Changes to how Genetic Data is used will always be treated as material and will require fresh, affirmative consent from you.
- If you do not agree to revised terms, you may contact us to request deletion of your data before the changes take effect.
Change History: A summary of material changes to this document, with effective dates, is maintained at www.preventivehealth.ai/legal/changelog. The version and last-updated date at the top of this document reflect the current edition.
Continued use of our services after the effective date of material changes, following appropriate notice, constitutes acceptance of the revised Policy.
This Policy is governed by and shall be construed in accordance with the laws of India. Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the Courts in Mumbai, Maharashtra, India.
| General Privacy Queries | info@preventivehealth.ai |
| Data Protection Officer | Refer to Section 12 |
| Grievance Officer | Refer to Section 11 |
| Website | www.preventivehealth.ai |
| Registered Address | KaiOrigin Health Private Limited, 7th Floor, Manikchand Galleria, Model Colony, Pune, Maharashtra, India – 411016 |
— END OF DATA PRIVACY POLICY —