Privacy Policy
1. Introduction
Mobilab ("Company", "we", "our" or "us") is committed to protecting the privacy and security of personal data collected through the Mobilab Diagnostic Platform. This Privacy Policy explains how we collect, use, store, share, and protect personal data in connection with our Mobilab Analyzer, the Phlebotomist Android Application, the Client Dashboard, and the associated backend infrastructure. This Policy applies to all users of the Platform, including phlebotomists, client administrators, and other authorised personnel. It also explains the rights of data subjects under applicable Indian law and our obligations as a data processor and/or data controller. We encourage you to read this Policy carefully. By using the Platform, you acknowledge that you have read and understood the terms of this Privacy Policy.
2. Who We Are and Our Role
2.1 Company Identity
Mobilab is a healthcare technology company incorporated under the laws of India. We develop and operate a connected diagnostic platform that enables real-time analysis of patient biological samples (blood, serum, plasma) using a proprietary IoT device, a mobile application for phlebotomists, and a cloud-based client dashboard.
2.2 Data Controller and Processor
In the context of data protection law:
• The Company acts as a Data Controller for data collected from users of the Platform (e.g., phlebotomist login credentials, activity logs, session data).
• The Company acts as a Data Processor on behalf of Clients (Data Controllers) for patient diagnostic data. Clients are responsible for ensuring that they have the appropriate legal basis for collecting and sharing patient data with the Platform. Where Clients or their patients are located in the EEA or UK, Mobilab acts as a GDPR-compliant data processor and will enter into a Data Processing Agreement (DPA) as required under Article 28 of the GDPR.
• Client Administrators act as Data Controllers for all data entered into their portal, including patient bookings and staff user records.
3. Personal Data We Collect
3.1 Data Collected from Phlebotomists (Mobile Application)
When a phlebotomist uses the Phlebotomist Application, we collect:
• Account Information: Name, employee ID, mobile number, email address, assigned clinic, and role.
• Authentication Data: Login credentials (stored as cryptographic hashes), session tokens, and device identifiers.
• Operational Data: Booking records assigned to the phlebotomist, timestamps of sample collection events, IoT device readings transmitted, and application activity logs.
• Device Metadata: Android device model, OS version, app version, IP address, and approximate location (if location permission is granted and required by the Client).
• Reagent Usage Data: Reagent batch/lot number, test type (e.g., Albumin, Bilirubin), and usage timestamp as transmitted by the Mobilab Analyzer during a test session. This is used for quality assurance, expiry tracking, and post-market surveillance under ISO 13485.
• Consent Records: Timestamp and version of Terms and Conditions and Privacy Policy accepted at login.
3.2 Data Collected from Client Administrators and Dashboard Users
When a Client Administrator or other authorised role accesses the Client Dashboard, we collect:
- Business Account Information: Organisation name, business registration details, contact person name, email address, phone number.
- User Management Data: Details of users created within the portal (names, emails, roles, assigned clinics).
- Operational Records: Clinic configurations, booking details, diagnostic reports, and access logs.
- Authentication and Session Data: Login credentials, session tokens, IP address, browser metadata.
- Consent Records: Timestamp and version of Terms and Conditions and Privacy Policy accepted.
3.3 Patient Diagnostic Data
Through the Mobilab Analyzer and Phlebotomist Application, the Platform receives and stores:
- Sample Readings: Diagnostic values and results from blood, serum, and/or plasma samples.
- Patient Reference Information: Patient identifiers as entered by the phlebotomist or pre-populated from a Client-created booking (which may include patient name, age, gender, and reference ID).
- Booking Metadata: Date, time, assigned phlebotomist, assigned clinic, test type, and test outcome.
IMPORTANT: Patient diagnostic data constitutes Sensitive Personal Data or Information (SPDI) under the IT Rules, 2011 and may constitute health data under the DPDP Act, 2023. It is subject to heightened security and access controls.
3.4 Automatically Collected Technical Data
The Platform automatically collects:
• Server access logs (timestamps, request types, response codes, IP addresses);
• Application error and crash logs (for debugging and quality assurance purposes);
• API call metadata and Mobilab Analyzer telemetry.
4. How We Use Personal Data
4.1 Purposes of Processing
We use personal data for the following purposes:
Purposes | Legal Basis / Justification
Service Delivery | Provision and operation of the Platform, transmission and storage of diagnostic data on behalf of Clients. (Contractual necessity / Legitimate interest)
User Authentication & Security | Verifying user identity, maintaining session integrity, detecting unauthorised access. (Legitimate interest; Legal obligation)
Quality Assurance & Compliance | Internal audit, device calibration validation, ISO 13485 quality monitoring, and post-market surveillance. (Legal obligation; Legitimate interest)
Technical Support | Diagnosing and resolving application errors, Mobilab Analyzer malfunctions, and connectivity issues. (Legitimate interest)
Legal Obligations | Compliance with applicable Indian laws, regulatory requirements, and judicial/government orders. (Legal obligation)
Communications | Sending system notifications, maintenance alerts, policy updates, and account-related communications. (Contractual necessity; Legitimate interest)
Analytics & Platform Improvement | Aggregated, anonymised analysis of platform usage to improve functionality and user experience. No individual patient data is used for this purpose. (Legitimate interest)
5. Data Sharing and Disclosure
5.1 Who We Share Data With
We do not sell, rent, or trade personal data. Data may be shared only in the following circumstances:
- With Clients: Diagnostic data generated by a Client's phlebotomists is made accessible to that Client's authorised Dashboard users. Each Client can only access data generated within their own organisational scope.
- With Named Sub-processors: Mobilab uses the following third-party providers who process data on our behalf:
  - Amazon Web Services (AWS) — India region (ap-south-1, Mumbai). Backend server hosting, database, and secure data transmission. AWS holds ISO 27001 and SOC 2 certifications. DPA in place.
  - Google Firebase (Google LLC) — Push notification delivery (FCM) to the Android app. Only device push tokens are shared; no patient diagnostic data is transmitted via Firebase. Google DPA applies.
  All sub-processors are contractually bound to process data only as instructed by Mobilab. A current sub-processor list is available on request at legal@mobilab.in.
- For Legal Compliance: We may disclose data where required by law, court order, governmental authority, or regulatory body.
- For Business Continuity: In the event of a merger, acquisition, or asset sale, personal data may be transferred to the successor entity under equivalent privacy protections.
- With Your Consent: In any other circumstance, only with your explicit prior consent.
5.2 Cross-Border Data Transfer
The Platform's primary backend infrastructure is hosted in India. If any data is transferred outside India (e.g., to third-party cloud sub-processors or EEA-based Clients), such transfers shall be conducted only in compliance with the DPDP Act, 2023 and applicable cross-border data transfer rules. For transfers involving EEA or UK personal data, Mobilab shall rely on appropriate safeguards as required by the GDPR, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms in force at the time of transfer.
6. Data Retention
We retain personal data for as long as necessary to fulfil the purposes described in this Policy, or as required by law:
User Account Data | Retained for the duration of active account plus 3 years after deactivation, or as required by applicable regulations.
Patient Diagnostic Data | Retained for a minimum of 7 years from the date of the test, in compliance with applicable medical records regulations in India, unless a Client requests earlier deletion subject to legal permissibility.
Authentication / Security Logs | Retained for 2 years for security audit and incident investigation purposes.
Consent Records | Retained for the duration of the user's engagement with the Platform and 5 years thereafter, as evidence of lawful processing.
Backup Data | Encrypted backups are retained for up to 90 days and then permanently deleted.
Upon expiry of the applicable retention period, data is securely deleted or anonymised using industry-standard methods.
7. Security of Personal Data
7.1 Technical and Organisational Measures
We implement robust technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, loss, or destruction. These include:
- Encryption of all data in transit using TLS 1.2 or higher;
- Encryption of sensitive data at rest using AES-256 or equivalent;
- Role-based access control (RBAC) ensuring that users can only access data relevant to their assigned role;
- Multi-factor authentication (MFA) for privileged access accounts;
- Regular penetration testing and vulnerability assessments;
- Secure development lifecycle (SDLC) practices for application code and device firmware;
- Mobilab Analyzer security in accordance with IEC 62443, including authenticated device pairing and secure firmware updates;
- Network segmentation to isolate Mobilab Analyzer traffic from general network traffic;
- Comprehensive audit logging of all data access and modification events;
- Formal incident response and data breach notification procedures.
7.2 Data Breach Notification
In the event of a personal data breach, we will:
- Investigate and contain the breach promptly;
- Notify the relevant regulatory authority as required by the DPDP Act, 2023 within the prescribed timeframe;
- Notify affected Clients and, where appropriate, affected individuals, including details of the nature of the breach and recommended protective steps;
- Document the breach in our incident register for regulatory audit purposes.
8. Your Rights as a Data Principal
Under the Digital Personal Data Protection Act, 2023, you have the following rights with respect to your personal data:
Right to Access | You may request a copy of the personal data we hold about you and information about how it is processed.
Right to Correction | You may request correction of inaccurate or incomplete personal data.
Right to Erasure / Account Deletion | You may request deletion of your personal data and account by emailing legal@mobilab.in (see How to Request Account Deletion below). Requests are processed within 30 days, subject to legal retention obligations.
Right to Grievance Redressal | You may raise a complaint with our designated Grievance Officer (see Section 11) and expect a response within the timeframe required by law.
Right to Nominate | Under the DPDP Act, you may nominate an individual to exercise your rights on your behalf in the event of your incapacitation or death.
Right to Withdraw Consent | Where processing is based on consent, you may withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing prior to withdrawal.
To exercise any of these rights, please contact our Grievance Officer at legal@mobilab.in. We will respond within 30 days (or one calendar month for GDPR requests). Rights may be subject to limitations where they conflict with legal retention obligations. EEA data subjects may escalate to their local supervisory authority if unsatisfied.
How to Request Account or Data Deletion
Google Play and applicable law require us to offer a clear deletion path. To request deletion of your account and/or personal data:
• Email legal@mobilab.in with subject line: Account Deletion Request. Include your full name, registered email, and Client organisation name.
• Phlebotomist accounts can also be deactivated by your Client Administrator via the Client Dashboard.
• Mobilab will confirm receipt within 72 hours and complete the deletion within 30 days, except where data must be retained under law (see Section 6).
• Post-deletion, you will receive written confirmation. Anonymised aggregate data may be retained and cannot be linked back to you.
9. Cookies and Tracking Technologies
The Client Dashboard (web application) uses cookies and similar technologies to:
- Maintain user session state and authentication;
- Remember user preferences and dashboard configurations;
- Collect anonymised analytics data for platform performance monitoring.
Essential session cookies are required for the Dashboard to function and cannot be disabled without impacting usability. Non-essential analytics cookies may be declined through your browser settings. The Phlebotomist Mobile Application does not use browser cookies but uses device tokens for session management.
10. Android App Permissions
The Mobilab Phlebotomist Application (Android) requests the following device permissions. We request only permissions necessary for the app to function. No permission is used for advertising or shared with third parties for marketing purposes.
Permission | Purpose | Requirement
BLUETOOTH / BLUETOOTH_ADMIN (Android 11 and below) | You may request a copy of the personal data we hold about you and information about how it is processed. | Required
BLUETOOTH_SCAN / BLUETOOTH_CONNECT (Android 12+) | Scanning for and connecting to the Mobilab Analyzer under Android 12+ Bluetooth permission model. | Required
ACCESS_FINE_LOCATION / ACCESS_COARSE_LOCATION | Required by Android OS to perform Bluetooth device scanning. Mobilab does not store or use location data for any purpose beyond enabling device pairing. | Required
CAMERA | Scanning QR codes on Reagent vials or patient booking references for quick data entry. | Required
INTERNET | Transmitting diagnostic data and device readings to the Mobilab backend server (AWS) over a secure HTTPS connection. | Required
ACCESS_NETWORK_STATE | Checking network connectivity before attempting data transmission to ensure no data loss. | Required
READ_EXTERNAL_STORAGE / WRITE_EXTERNAL_STORAGE (Android 9 and below) | Saving diagnostic reports or temporary test data locally on the device before upload. Not used on Android 10+. | Required
RECEIVE_BOOT_COMPLETED | Restarting background services (e.g., pending sync) after device reboot to ensure no data is lost. | Required
POST_NOTIFICATIONS (Android 13+) | Displaying test completion alerts and sync status notifications to the phlebotomist. | Required
Permissions are requested at runtime (at the point of first use) in accordance with Android best practices. You may revoke any permission through your device Settings at any time; however, revoking required permissions will limit or prevent core app functionality.
11. Children's Data
The Platform is designed for use by professional healthcare personnel and business administrators. We do not intentionally collect personal data from individuals under the age of 18 directly through Platform registration. However, patient records processed through the Platform may include minors, where samples are collected in a clinical context by authorised phlebotomists on behalf of a Client. Such data is treated as sensitive personal data and handled with the highest level of security and access control.
12. Grievance Officer and Contact
In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, the Company has designated a Grievance Officer to address data protection concerns:
Mobilab has designated a Grievance Officer to handle all data protection and privacy concerns. Contact details for the Grievance Officer are available on our website at www.mobilab.in or by emailing legal@mobilab.in. All complaints will be acknowledged within 72 hours and resolved within 30 days.
If you are not satisfied with the outcome of your complaint, you may escalate the matter to the Data Protection Board of India, once constituted under the DPDP Act, 2023. EEA and UK data subjects additionally retain the right to lodge a complaint with their local data protection supervisory authority (e.g., the ICO in the UK, or the relevant EU Member State supervisory authority).
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify users through the Platform interface at next login and update the effective date at the top of this document. We encourage you to review this Policy periodically.
Continued use of the Platform after notification of changes constitutes acceptance of the revised Privacy Policy.
14. Standards and Regulatory Compliance Reference
This Privacy Policy has been prepared with reference to the following standards and regulations:
Standard / Regulation | Purpose
DPDP Act, 2023 (India) | Primary legal framework for personal data protection in India; governs data principal rights, obligations of data fiduciaries and processors, and breach notification.
IT Act, 2000 (India) | Provides the foundational legal framework for electronic records, digital signatures, cybercrime, and data protection (including SPDI Rules, 2011).
SPDI Rules, 2011 | Defines sensitive personal data, consent requirements, and security standards for body corporate handling such data.
ISO/IEC 27001:2022 | Information Security Management System (ISMS) standard governing access control, asset management, encryption, incident response, and business continuity.
ISO 13485:2016 | Quality management standard for medical devices; governs design, production, and post-market surveillance of the IoT diagnostic device and associated software.
IEC 62443 | Industrial cybersecurity standards applied to Mobilab Analyzer security, network segmentation, and secure communication protocols.
Medical Devices Rules, 2017 (India) | Regulatory framework for manufacture, import, and sale of medical devices in India, applicable to the IoT diagnostic device.
