NEUROLENS PRIVACY POLICY


Effective Date: 01-12-2025
Issued By: SAHCHI HEARING AND SPEECH SOLUTIONS PRIVATE LIMITED (“Gabify”)
Applies to: Neurolens Web App (B2B)

1. INTRODUCTION

This Privacy Policy governs the processing of personal data, sensitive personal data, AI-generated data, audio/video content, and child-related information through the Neurolens web application.

Neurolens is exclusively accessible to:

  • Therapists
  • Clinical professionals
  • Psychologists
  • Paediatricians
  • Special educators
  • Hospitals, clinics, and schools
  • NGOs serving children

Neurolens is a clinical support tool, not a diagnostic replacement.

2. DATA CATEGORIES COLLECTED IN NEUROLENS

Neurolens collects sensitive clinical data. Categories include:

2.1 Child & Patient Data

  • Name/unique ID
  • Age, DOB
  • Developmental history
  • Therapy records
  • Clinical observations
  • Parent questionnaires

2.2 Audio & Video Data

Captured during assessments:

  • Speech samples
  • Behavior recordings
  • Eye contact & gesture data
  • Interaction recordings

Use Cases:

  • Screening
  • Expert supervision
  • Internal AI model training (only with explicit consent)

2.3 AI Interaction Data

  • Prompts entered by clinicians
  • AI-generated reports
  • Confidence scores
  • Screening outputs

2.4 Metadata

  • Device information
  • IP address
  • Session logs
  • Browser environment

2.5 Organization Data

  • Institution identifiers
  • User accounts
  • Roles & permissions

3. PURPOSE OF DATA PROCESSING

Neurolens processes data for:

3.1 Clinical Use

  • Generating preliminary assessments
  • Digitizing screening workflows
  • Supporting clinician decision-making

3.2 AI Processing

  • Model inference
  • Pattern recognition
  • Screening suggestion generation

3.3 AI Improvement

Only with explicit consent, we use de-identified data for:

  • Internal model training
  • Feature improvement
  • Performance evaluation

3.4 Enterprise Use

  • User access management
  • Activity logs
  • Compliance audits

3.5 Security

  • Abuse detection
  • Monitoring unauthorized activity

4. LEGAL BASIS FOR PROCESSING

Processing is based on:

  1. Explicit consent (child data, audio/video, AI training)
  2. Performance of services (enterprise contracts)
  3. Compliance with Indian laws
  4. Legitimate interests (security, fraud prevention)

5. DISCLOSURE & DATA SHARING

Neurolens may disclose de-identified, consented data to:

  • Cloud service providers
  • AI infrastructure providers
  • Security audit firms
  • Enterprise administrators

Neurolens does NOT share data with:

  • Advertisers
  • Marketing companies
  • Third parties not involved in service delivery

6. AI TRAINING & DATA USE

6.1 Explicit Consent Requirement

Audio/video data and clinical records are used for AI improvement strictly when:

  • Consent is obtained from parent/guardian
  • Enterprise customer authorizes usage
  • Data is de-identified
  • Data is protected from re-identification

6.2 No Automated Decision Making

AI outputs are assistive, not directive.
Decisions must be made by a certified expert.

7. CHILD DATA PROTECTION

Neurolens enforces special safeguards:

  • Mandatory parental/guardian consent
  • Access restricted to verified clinicians only
  • Additional encryption layers
  • Minimal collection principle
  • No data use for profiling or advertising

8. SECURITY PRACTICES

Neurolens uses:

  • AES-256 encryption at rest
  • TLS 1.2+ encryption in transit
  • Role-based access control
  • Multi-layer authentication
  • Audit logs
  • Cloud infrastructure with ISO-certified providers

9. RETENTION POLICY

  • Audio/video recordings: 12 months
  • Assessment reports: As agreed with institution
  • Logs: 12–24 months

Deletion requests may be submitted through enterprise administrators.

10. USER RIGHTS

Users may request:

  • Data access
  • Rectification
  • Deletion
  • Restricted processing
  • Download of assessment reports

Certain clinical data may require institutional approval for deletion.

11. DATA PROCESSOR & CONTROLLER ROLES

  • Institution (School/Clinic/Hospital) = Data Fiduciary
  • Gabify/Neurolens = Data Processor

12. BREACH NOTIFICATION

In the event of a data breach:

  • Institutions are notified promptly
  • Authorities are notified as required
  • A remediation plan will be executed

13. INTERNATIONAL TRANSFERS

If cloud systems host data outside India, the following apply:

  • Standard contractual safeguards
  • Encryption
  • Regional compliance

14. CONTACT & GRIEVANCE

Email: info@gabify.life
Response time: 30 days

15. UPDATES TO THIS POLICY

Updated copies will be made available in the Neurolens dashboard.