| Processor | Role | Data Processed | Country | Legal Basis |
|---|---|---|---|---|
| Google Cloud Platform · Google LLC (Alphabet Inc.) | Backend compute (Kubernetes / GKE), API hosting, and infrastructure management | All server-processed data including health assessment responses, consent records, payment metadata, and audit logs. Data stored on India-region infrastructure. | India | Data Processing Agreement; DPDP Act 2023 compliant |
| MongoDB Atlas · MongoDB, Inc. | Managed database service for all operational data stores | User profiles (hashed), payment records (hashed identifiers), health assessments, consent records, journey state, audit logs. Stored on India-region cluster. | India | Data Processing Agreement; India-region deployment |
| Cloudflare Pages & Workers · Cloudflare, Inc. | Frontend static site hosting (miraone.preventivehealth.ai), CDN, DDoS protection, and API proxy (edge Workers) | IP address, HTTP request metadata, browser/device type, page paths. No personal health or genetic data passes through Cloudflare Workers — edge layer proxies API calls only; no data is logged or retained beyond Cloudflare's standard edge logs. | Global CDN | Data Processing Agreement (GDPR DPA); Cloudflare's edge processes no Sensitive Personal Data |
| Razorpay · Razorpay Software Private Limited | Payment gateway for INR transactions; HMAC-verified webhooks for payment status updates | Payment card / UPI / netbanking credentials (handled entirely within Razorpay's PCI-DSS environment — Mira One does not store or access raw payment credentials). Mira One receives only: Razorpay payment ID, amount, currency, and payment status. | India | RBI-regulated payment aggregator; PCI DSS Level 1; contract with Mira One |
| Twilio SendGrid · Twilio Inc. | Transactional email delivery — payment confirmations, service updates, and HAS submission notifications to the Mira One clinical team | Recipient email address, sender name, email subject and body content. For HAS submission emails to the clinical team: health assessment data, consent flags, and user token (no raw PII transmitted — email address is hashed before storage; the team email contains structured health data in an attachment). | USA | Standard Contractual Clauses (SCCs); Twilio DPA; data used solely for email delivery |
| Google Analytics 4 (GA4) · Google LLC | Aggregate web analytics — page views, session counts, traffic sources, and funnel analysis | Anonymized usage data: page paths, session duration, device/browser type, approximate geography (city-level). IP addresses are anonymized. No personal health or genetic data is ever sent to GA4. | USA | Explicit user consent (analytics consent banner); Google Ads DPA; SCCs |
| Microsoft Clarity · Microsoft Corporation | Behavioral analytics — heatmaps and session insights for UX improvement | Anonymized interaction data: mouse movements, scroll depth, click patterns, session recordings. Clarity is configured to mask all text input fields. No personal health, genetic, or financial data is captured. Loaded only on the public-facing marketing pages — not inside the HAS form. | USA | Explicit user consent (analytics consent banner); Microsoft DPA; SCCs |
Both analytics tools are blocked by default and only activated after the user accepts the cookie consent banner. Consent preference is stored in localStorage['analytics_consent'] and respected on every page visit.
| Processor | Role | Data Processed | Country | Legal Basis |
|---|---|---|---|---|
| DaySchedule · DaySchedule Technologies | Embedded scheduling widget for (a) pre-test genetic counselling booking (kkcounselling.dayschedule.com) and (b) home blood sample collection booking (bookyourtest.dayschedule.com) | Name, email address, phone number, preferred appointment slot, and time zone. Data is used solely to confirm and manage the booking and is not shared further. | India | Contract performance; data used solely for appointment coordination |
Mira One works with accredited diagnostic and genomic laboratories for biomarker analysis and Whole Exome Sequencing (WES) / Pharmacogenomics (PGX) processing. The specific laboratory partner engaged for any given test depends on the test type, sample origin, and availability of equivalent capability in India.
All laboratory partners are:
- Accredited under relevant national or international standards (NABL, CAP, ISO 15189, or equivalent).
- Bound by contractual confidentiality obligations at least as protective as this Privacy Policy.
- Permitted to process samples and data only for the specific purpose of generating your Mira One Report.
- Prohibited from using your genetic or health data for independent research, commercial purposes, or sharing with any third party without separate, explicit consent.
| Category | Service | Data Processed | Countries of Operation | Legal Basis |
|---|---|---|---|---|
| Blood & Urine Biomarkers | Clinical biochemistry, haematology, metabolic markers, hormone panels, and related biomarker assays | Blood and urine sample; biomarker results returned as structured data for Report generation. No genetic sequences involved. | India | Explicit consent; contract performance; NABL-accredited partners |
| Whole Exome Sequencing (WES) | Genomic sequencing and variant analysis for polygenic risk and hereditary condition assessment | Buccal swab or blood-derived genetic sample; raw sequencing data; variant call files (VCF). Raw sequencing data is returned to and stored solely on Indian infrastructure upon completion. Physical samples may be processed internationally where equivalent accredited capability is unavailable in India. | India · USA · UK · EU · Singapore | Explicit consent (including international transfer consent); Standard Contractual Clauses for cross-border transfers; DPO oversight |
| Pharmacogenomics (PGX) | Drug-gene interaction analysis and medication response profiling | Blood-derived or buccal genetic sample; PGX panel results. Same data sovereignty rules as WES apply. | India · USA · UK · EU · Singapore | Explicit consent (including international transfer consent); Standard Contractual Clauses; DPO oversight |
To obtain the current list of specific laboratory partners and the jurisdictions to which your sample may be sent, contact our Data Protection Officer at vinayak.pai@preventivehealth.ai.
| Category | Service | Data Processed | Country | Legal Basis |
|---|---|---|---|---|
| Home Phlebotomy / Collection Centre | Trained phlebotomist dispatched to the user's preferred location, or partner walk-in collection centres, for blood and urine sample collection | Name, contact number, address (for scheduling and dispatch), appointment time. No genetic or biomarker data is shared with the collection partner — their role ends at physical hand-off of the sealed, labelled sample. | India | Contract performance; contractual confidentiality obligations |
| Sample Logistics & Cold-Chain Transport | Temperature-controlled transport of biological samples from collection point to laboratory — domestic or international where required for WES/PGX | Sample tracking ID (anonymized), pickup and drop-off address, handling instructions. Logistics partners do not have access to the identity of the user linked to the sample. | India · International | Contract performance; chain-of-custody protocols; contractual confidentiality obligations |
This list is reviewed and updated whenever a sub-processor is added, replaced, or removed. The "Last updated" date at the top of this page reflects the most recent revision.
In accordance with Privacy Policy §6.2, material additions or changes affecting Sensitive Personal Data will be communicated to registered users by email at least 30 days before the new processor begins processing your data.
For questions about this list, to request details about specific laboratory partners, or to exercise your data rights, contact our Data Protection Officer:
- DPO: Vinayak Pai
- Email: vinayak.pai@preventivehealth.ai
- Address: 7th Floor, Manikchand Galleria, Model Colony, Pune, Maharashtra, India – 411016