Privacy Policy
Last updated: June 2026 · Effective immediately for all new and existing accounts.
Our Commitment to You
At OnePath Lab, we handle two categories of data: your lab's operational data (staff, tests, billing) and your patients' health data. We treat both with the same level of care — because a breach of medical data doesn't just break trust, it can cause real harm to real people. This document explains exactly what we collect, why, and how we protect it. Plain language. No legalese.
1. Information We Collect
When your lab registers, we collect the lab owner's name, email address, phone number, lab name, address, and billing information required to set up and manage your account.
Information entered by your lab team — patient names, phone numbers, date of birth, test requests, and diagnostic results. This data is your property. We act only as a processor, never as the owner of this data.
We collect anonymized usage logs (pages visited, features used, session duration) to improve product experience. This data cannot be used to identify individual patients.
IP address, browser type, device type, and operating system — collected to ensure compatibility, security, and fraud prevention.
2. How We Use Your Data
To generate automated diagnostic reports, send WhatsApp/SMS notifications to patients on your behalf, and provide the full LIS functionality you've subscribed to.
We may use anonymized, non-identifiable aggregate data to improve our AI interpretation models. This requires explicit opt-in consent and follows strict anonymization protocols.
Subscription billing, invoice generation, and payment processing via Razorpay. Your full card details are never stored on our servers.
To diagnose issues, respond to queries, and provide onboarding/training support to your lab team.
3. Data Security & Encryption
All data exchanged between your browser/app and our servers is encrypted using TLS 1.3 (the same protocol used by banks). No plain-text transmission of any patient data.
Patient records stored in our database are encrypted using AES-256 encryption. Even in the unlikely event of a physical server breach, data remains unreadable.
Hosted on ISO 27001-certified infrastructure (AWS Mumbai region — data stays in India). Automated backups every 4 hours with 30-day retention.
Role-based access ensures your technicians, doctors, and admin staff only see the data they need. Multi-factor authentication is available for all account roles.
4. Data Sharing & Third Parties
AiSensy and other messaging providers receive only the patient's phone number and the pre-formatted report PDF link — nothing else. They are contractually prohibited from using this data for any other purpose.
Razorpay receives only transaction metadata needed to process your subscription payment. Patient data is never shared with payment processors.
We do not sell, rent, or trade your data or your patients' data to advertisers, data brokers, or any third party for commercial purposes. Ever.
We may disclose data if legally required by Indian law (e.g., court order or government directive). We will notify you within 48 hours of receiving such a request unless legally prohibited.
5. Your Rights & Data Control
You can export all your lab data — test masters, patient records, reports — in CSV or PDF format at any time from the Settings > Data Export panel.
If you cancel your subscription, your data is retained for 30 days so you can export it. After 30 days, it is permanently deleted from our servers. You can also request immediate deletion by emailing us.
You can correct any account-level information directly from your dashboard. For data entered by your lab staff, your admin account has full edit access.
If you previously opted in to AI model training, you can withdraw consent at any time from Settings > Privacy. This will not affect your service in any way.
6. Cookies & Tracking
Used for login sessions and security tokens. Cannot be disabled as they are required for the software to function. These never contain personal health data.
We use Mixpanel for anonymized product analytics. You can opt out of analytics tracking from your account Settings > Privacy without affecting functionality.
We do not run ad networks or retargeting pixels on our platform. No Facebook Pixel, no Google Ads tracking, no third-party behavioral profiling.
Questions About This Policy?
If you have any questions about how we handle your data, want to request a data export, or want to report a potential security concern, contact our Data Protection Officer directly.