ANNEXURES

ANNEXURE A — DATA CATEGORIES COLLECTED

This annexure lists all categories of Personal Data and Sensitive Personal Data collected by Gabify and Neurolens.

A. PERSONAL DATA (General Users, Clinicians, Institutions)

Category | Examples | Purpose
Identity Data | Name, email, phone, institution details, designation | Account creation, onboarding
Professional Data | License number, specialization, certificates | Eligibility verification
Login Metadata | Device, browser, IP, session logs | Security, fraud prevention
Communication Data | Emails, inquiries, support history | Customer support

B. SENSITIVE PERSONAL DATA (Children & Patients)

Category | Examples | Purpose
Child Identifiers | Name, age, DOB, gender | Screening & record management
Developmental History | Milestones, delays, clinical notes | Assessment accuracy
Behavioral Observations | Eye contact, gestures, interaction responses | Screening and clinician insights
Speech-Language Samples | Audio clips, vocalizations | AI-supported analysis
Video Recordings | Assessment videos, behavioral clips | Clinical documentation
Therapy History | Current interventions, goals | Contextual understanding
Family Background | Parent questionnaire details | Clinical context

C. AI SYSTEM DATA

Category | Examples | Purpose
AI Interaction Logs | Prompts, clinician inputs | Service improvement
AI Outputs | Suggestions, insights | Report generation
Training Data (De-Identified) | Audio/video snippets, textual summaries | Model refinement

Only used with explicit consent.

D. TECHNICAL & SECURITY DATA

  • Device metadata
  • Behavior analytics
  • Crash logs
  • Error logs
  • Authentication attempts

Used for platform reliability & security.

ANNEXURE B — USER RIGHTS UNDER THE DPDP ACT, 2023

Under India’s Digital Personal Data Protection Act (DPDP), individuals (or guardians in case of children) have the following rights:

1. Right to Access Information

Users can request:

  • What data is collected
  • Why it is collected
  • Who it is shared with
  • How long it will be stored

Institutions must facilitate this via Gabify.

2. Right to Correction

Users can request correction of:

  • Incorrect personal details
  • Outdated information
  • Incomplete records

3. Right to Erasure

Users may request deletion of:

  • Audio/video recordings
  • Identifiable personal data
  • Uploaded forms

Exceptions apply when retention is legally required.

4. Right to Nominate

A guardian/parent may authorize another adult to exercise rights on behalf of the child.

5. Right to Grievance Redressal

Individuals can file complaints:

  • With Gabify’s Grievance Officer
  • Escalate to DPDP Data Protection Board

6. Right to Withdraw Consent

Users may withdraw:

  • Screening consent
  • Recording consent
  • AI training consent

This applies prospectively, not retroactively.

ANNEXURE C — SAMPLE DATA PROTECTION IMPACT ASSESSMENT (DPIA)

This sample DPIA helps institutions conduct mandatory risk assessments when using Neurolens.

1. PROJECT OVERVIEW

  • Name: Neurolens Deployment
  • Purpose: AI-assisted screening
  • Data Subjects: Children & caregivers
  • Data Types: Sensitive personal data

2. RISK IDENTIFICATION MATRIX

Risk Category | Examples | Severity | Mitigation
Privacy | Child video exposure | High | Encryption, RBAC
Security | Unauthorized access | High | Access limits
Ethical | AI misinterpretation | Medium | Human review
Operational | Data loss | Medium | Backups, DRP
Legal | Consent gaps | High | Mandatory consent templates

3. BENEFIT ANALYSIS

  • Early identification of developmental delays
  • Reduced clinician documentation time
  • Streamlined school/clinic workflows
  • Digital record-keeping
  • Improved parent-clinician communication

4. STAKEHOLDER ANALYSIS

  • Institution administrators
  • Clinicians
  • Parents/guardians
  • Children
  • Gabify technology team

5. MITIGATION CONTROLS

Gabify provides:

  • Secure infrastructure
  • DPA agreement
  • Access control logs
  • Consent management framework
  • Data minimization practices

6. DPIA FINAL OUTCOME

The institution certifies:

  • Risks are mitigated
  • Consent workflows are in place
  • Staff has been trained
  • Gabify meets required safeguards

ANNEXURE D — STANDARD CONTRACTUAL CLAUSES (SCCs) FOR ENTERPRISE CLIENTS

These SCCs apply when:

  • Hospitals
  • Schools
  • NGOs
  • Clinics
  • Government agencies

use Gabify as a Data Processor.

SCC 1 — PURPOSE

To ensure lawful, secure, and transparent processing of child and clinical data.

SCC 2 — OBLIGATIONS OF THE ENTERPRISE CLIENT (DATA FIDUCIARY)

  • Collect valid consent
  • Ensure lawful data entry
  • Provide access to correction/deletion requests
  • Train staff in ethical use

SCC 3 — OBLIGATIONS OF GABIFY (DATA PROCESSOR)

  • Process only under instruction
  • Maintain security controls
  • Report incidents
  • Restrict sub-processors
  • Delete/return data upon termination

SCC 4 — DATA TRANSFER SAFEGUARDS

If data is stored or mirrored internationally:

  • Encryption ensured
  • Contracts applied
  • DPDP compliance maintained

SCC 5 — AUDIT & ASSESSMENT

Enterprises may request:

  • Security documentation
  • Policy evidence
  • Certifications
  • Logs (as allowed)

SCC 6 — LIABILITY AND LIMITATION

  • Gabify liable only for its own breaches
  • Not liable for institutional misuse
  • Maximum liability: as per commercial contract

SCC 7 — GOVERNING LAW

Indian law governs SCCs unless mutually agreed otherwise.