Privacy Policy

Last updated: June 2026 · Effective immediately for all new and existing accounts.

NABL Compliant · HIPAA Aligned · ISO 27001 Certified Infrastructure

Our Commitment to You

At OnePath Lab, we handle two categories of data: your lab's operational data (staff, tests, billing) and your patients' health data. We treat both with the same level of care — because a breach of medical data doesn't just break trust, it can cause real harm to real people. This document explains exactly what we collect, why, and how we protect it. Plain language. No legalese.

1. Information We Collect

Account Information

When your lab registers, we collect the lab owner's name, email address, phone number, lab name, address, and billing information required to set up and manage your account.

Patient Data (Lab-Entered)

Information entered by your lab team — patient names, phone numbers, date of birth, test requests, and diagnostic results. This data is your property. We act only as a processor, never as the owner of this data.

Usage Data

We collect anonymized usage logs (pages visited, features used, session duration) to improve product experience. This data cannot be used to identify individual patients.

Device & Browser Data

IP address, browser type, device type, and operating system — collected to ensure compatibility, security, and fraud prevention.

2. How We Use Your Data

Service Delivery

To generate automated diagnostic reports, send WhatsApp/SMS notifications to patients on your behalf, and provide the full LIS functionality you've subscribed to.

AI Model Training

We may use anonymized, non-identifiable aggregate data to improve our AI interpretation models. This requires explicit opt-in consent and follows strict anonymization protocols.

Billing & Payments

Subscription billing, invoice generation, and payment processing via Razorpay. Your full card details are never stored on our servers.

Customer Support

To diagnose issues, respond to queries, and provide onboarding/training support to your lab team.

3. Data Security & Encryption

Encryption in Transit

All data exchanged between your browser/app and our servers is encrypted using TLS 1.3 (the same protocol used by banks). No plain-text transmission of any patient data.

Encryption at Rest

Patient records stored in our database are encrypted using AES-256 encryption. Even in the unlikely event of a physical server breach, data remains unreadable.

Data Centers

Hosted on ISO 27001-certified infrastructure (AWS Mumbai region — data stays in India). Automated backups every 4 hours with 30-day retention.

Access Control

Role-based access ensures your technicians, doctors, and admin staff only see the data they need. Multi-factor authentication is available for all account roles.

4. Data Sharing & Third Parties

WhatsApp / SMS Providers

AiSensy and other messaging providers receive only the patient's phone number and the pre-formatted report PDF link — nothing else. They are contractually prohibited from using this data for any other purpose.

Payment Gateway

Razorpay receives only transaction metadata needed to process your subscription payment. Patient data is never shared with payment processors.

No Data Selling

We do not sell, rent, or trade your data or your patients' data to advertisers, data brokers, or any third party for commercial purposes. Ever.

Legal Disclosure

We may disclose data if legally required by Indian law (e.g., court order or government directive). We will notify you within 48 hours of receiving such a request unless legally prohibited.

5. Your Rights & Data Control

Data Portability

You can export all your lab data — test masters, patient records, reports — in CSV or PDF format at any time from the Settings > Data Export panel.

Account Deletion

If you cancel your subscription, your data is retained for 30 days so you can export it. After 30 days, it is permanently deleted from our servers. You can also request immediate deletion by emailing us.

Data Rectification

You can correct any account-level information directly from your dashboard. For data entered by your lab staff, your admin account has full edit access.

Consent Withdrawal

If you previously opted in to AI model training, you can withdraw consent at any time from Settings > Privacy. This will not affect your service in any way.

6. Cookies & Tracking

Essential Cookies

Used for login sessions and security tokens. Cannot be disabled as they are required for the software to function. These never contain personal health data.

Analytics Cookies

We use Mixpanel for anonymized product analytics. You can opt out of analytics tracking from your account Settings > Privacy without affecting functionality.

No Advertising Cookies

We do not run ad networks or retargeting pixels on our platform. No Facebook Pixel, no Google Ads tracking, no third-party behavioral profiling.

Questions About This Policy?

If you have any questions about how we handle your data, want to request a data export, or want to report a potential security concern, contact our Data Protection Officer directly.