Privacy Policy

Eclat Engineering Pvt. Ltd. (“Eclat”, “we”, “us”) is the data controller for personal data processed through the Aroha platform. Eclat is incorporated in India and operates Aroha as a B2B SaaS product deployed to healthcare institutions (“Customers”).

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights as a data subject. It applies to all Users accessing Aroha through their institution's subscription.

2.1 Account and Identity Data

• Full name, email address, and institutional role (doctor, admin, student)
• Medical specialty, subspecialty, and department (where provided)
• Hashed password (bcrypt) — we never store plaintext passwords
• Institution affiliation and customer organisation
• External authentication identifiers (when using SSO or MyLOFT handoff)

2.2 Professional Profile Data

• Declared medical interests and subspecialty preferences
• Preferred AI model setting (if configured)
• Geographic region (country, region code)

2.3 Usage and Interaction Data

• AI assistant queries (text of questions submitted)
• Clinical Scribe session audio recordings and transcripts (processed and discarded per session; see §5)
• Flashcard content created or generated by the user
• Saved articles, bookmarks, and digest preferences
• CME course enrolments, lesson completion records, and CPD activity logs
• Certificates issued and credit totals associated with your account
• Feature engagement logs (queries made, sessions started, content viewed)
• IP addresses and user-agent strings at login and consent events

2.4 Consent Records

• Timestamp, document version, IP address, and user agent for each consent acceptance
• Retained for the duration of your account plus 7 years (legal audit requirement)

2.5 Data We Do NOT Collect

• We do not require or request identifiable patient data (PHI)
• We do not collect financial or payment data (handled by institutional procurement)
• We do not collect biometric data

We process personal data on the following legal bases:

• Contractual necessity: Processing your account data to provide the Platform services you or your institution has contracted for.
• Legitimate interests: Improving Platform performance, ensuring security, preventing fraud, and generating aggregated analytics for product development.
• Consent: Recording your explicit acceptance of these Terms and the Privacy Policy. You may withdraw consent at any time, which will require ceasing use of the Platform.
• Legal obligation: Retaining certain records to comply with applicable law, including the Digital Personal Data Protection Act 2023 (India) and any applicable sectoral regulations.

• Providing, operating, and improving the Aroha Platform
• Personalising AI responses and content recommendations to your specialty and interests
• Enforcing usage quotas and subscription entitlements set by your institution
• Sending in-platform notifications about new features, data updates, or policy changes
• Generating aggregated, anonymised analytics for Customers (institutional administrators) on platform engagement — individual user data is never disclosed to other users
• Investigating security incidents, fraud, or Terms violations
• Maintaining the legal audit trail of consent acceptance
• Complying with lawful requests from regulatory authorities or courts of competent jurisdiction

We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We do not use your data to train public AI models without your explicit opt-in consent.

The Clinical Scribe feature processes real-time audio through AI speech-to-text providers (“STT Providers”). The following applies:

• Audio streaming: Audio is streamed in real time to the STT Provider configured for your institution (e.g. Deepgram, OpenAI, ElevenLabs, Sarvam AI). Audio is not stored by Eclat after the session ends.
• Transcript retention: Generated transcripts and SOAP notes are retained in the Platform linked to your encounter session, accessible only to you and authorised administrators of your institution.
• Patient data caution: Do not speak identifiable patient information into the Clinical Scribe that is not required for the clinical workflow. You and your institution are responsible for ensuring that use of Clinical Scribe complies with your jurisdiction's health information privacy laws.
• STT Provider data processing: STT Providers process audio under their own data processing agreements. Your institution's administrator is responsible for selecting a provider that meets your institution's compliance requirements.

We share data only as follows:

• AI model providers (e.g. OpenAI, Anthropic, Google): Query text is sent to the provider configured for your customer account. These providers are engaged as data processors under data processing agreements.
• Speech-to-text providers: Audio data during Clinical Scribe sessions, as described in §5.
• Cloud infrastructure providers: Hosting, storage, and database providers (e.g. AWS, Azure, GCP) under standard data processing agreements.
• Your institution (Customer): Aggregated engagement analytics and, where configured, administrator access to encounter session summaries.
• Legal authorities: Where required by law, court order, or to protect the safety of users or third parties.

No data is shared with pharmaceutical companies, medical device manufacturers, or any commercial third party for targeting or profiling purposes.

• Account data: Retained for the duration of your active account plus 2 years following account closure.
• Usage logs and query data: Retained for 12 months in operational databases; anonymised aggregate analytics retained indefinitely.
• Consent records: Retained for 7 years from the date of acceptance for legal audit purposes.
• Clinical Scribe audio: Not retained after session end.
• Transcripts and SOAP notes: Retained for the duration of the encounter session record, subject to your institution's retention policy.

Subject to applicable law (including the Digital Personal Data Protection Act 2023 in India and GDPR where applicable), you have the right to:

• Access: Request a copy of personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your personal data where no legal basis requires retention.
• Portability: Receive your data in a structured, machine-readable format.
• Withdraw consent: Withdraw your consent for processing at any time. Withdrawal does not affect lawfulness of prior processing.
• Objection / Restriction: Object to or request restriction of processing based on legitimate interests.

To exercise these rights, contact us at privacy@eclateng.com. We will respond within 30 days. Some requests may be limited where legal obligations apply.

Note: Your institution's administrator may also have rights to manage data under your institutional account. Contact your institution's data protection officer for institution-wide requests.

Eclat implements industry-standard security controls including:

• TLS 1.2+ encryption for all data in transit
• AES-256 encryption at rest for databases and object storage
• bcrypt password hashing with work factor 12+
• JWT-based authentication with 24-hour token expiry
• Role-based access control with institution and customer scoping
• Structured audit logs for all authentication and data access events
• Regular security reviews and dependency updates

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and relevant supervisory authorities without undue delay, and within the timeframe required by applicable law, of becoming aware of the breach.

Aroha is primarily operated from India. AI model providers and infrastructure partners may process data in other jurisdictions. Where data is transferred outside India or the EEA, we ensure appropriate safeguards are in place (standard contractual clauses, adequacy decisions, or equivalent mechanisms) in accordance with applicable data protection law.

Institutional administrators can select data residency zones where multi-region deployment is configured. Refer to your institution's data governance configuration within the Administrator Settings.

Aroha uses browser local storage and session storage for authentication token management, UI state persistence, and offline capability. Specifically: session storage is used to track whether the onboarding tour has been shown in the current browser session; local storage is used to record which per-module guidance banners you have dismissed (keyed by module name, storing only a flag — no personal data). We do not use third-party advertising cookies. We may use functional cookies or storage for session continuity and CSRF protection.

The Platform is not directed at or intended for use by persons under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately at privacy@eclateng.com.

We may update this Privacy Policy from time to time. Material changes will be communicated via in-platform notification and will require your re-acceptance. The version date at the top of this page reflects when this policy was last revised. Continued use of the Platform following notification of changes constitutes acceptance of the revised policy.

For privacy-related enquiries, requests, or complaints:

If you are dissatisfied with our response, you have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction.