Privacy Policy

This Privacy Policy describes how Aethryva Deeptech Pvt. Ltd. ("Aethryva," "we," "us," or "our"), operating under the brand names tachyDx and tachyDx Teams, collects, uses, stores, shares, and protects information when you access or use our products at tachydx.com, in the tachyDx Teams mobile application, and in the tachyDx Teams web console (collectively the "Services"). By accessing or using the Services, you consent to the data practices described in this policy. If you do not agree with these practices, you must discontinue use of the Services.

1. Scope and the two products covered

This policy covers two related products that share the same backend:

tachyDx (tachydx.com): a public clinical knowledge and publishing platform for verified individual physicians. Used for questions, peer answers, research paper publication, and reputation.

tachyDx Teams (the mobile application and the web console at tachydx.com/teams): a private clinical workspace used by hospital staff to manage patient care. The mobile and web clients share the same data. Each hospital has its own isolated workspace; data within one hospital's workspace is not visible to other hospitals or to the general public.

Where a section below applies only to one product, we say so explicitly.

2. Information We Collect

2.1 Information You Provide (both products)

When you register, we collect: your full name, email address, medical license or registration number (NMC, State Medical Council, or equivalent), specialty, institutional affiliation, and verification documents (a photograph or scan of your medical degree or license, and any additional documents you submit).

When you use the Services, we collect content you create: questions, answers, comments, votes, case studies, clinical notes, orders, vitals entries, lab values, medication administration records, and uploaded attachments. If you submit a contact form, we collect your name, email, and message.

2.2 Information Collected Automatically (both products)

When you access the Services we automatically collect: IP address, browser or device type and version, operating system, device identifiers, pages visited, time spent, referring URLs, and interaction data such as clicks and navigation patterns. We use cookies, local storage, and similar tracking technologies for session state, preferences, and analytics.

2.3 Information from Third Parties

If you sign in through external services (ORCID, Google), those providers share basic profile information with us. We may also receive verification information from medical council databases or third-party credential verification services.

2.4 Mobile Application Data (tachyDx Teams mobile only)

The mobile application may collect or use the following on your device, with your permission:

Camera and photo library: when you photograph a vitals monitor, glucometer, lab printout, ECG strip, or scanned document for entry into the patient chart. Images are uploaded to the patient's workspace and processed by our AI extraction service (see Section 5). We do not upload your full camera roll, only the specific images you choose to attach.

Biometric authentication (Face ID, Touch ID, Android fingerprint or face unlock): used only on-device to unlock the application. Biometric data never leaves your device and is never transmitted to us or to any third party.

Push notification tokens: an anonymous device token issued by Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM). We use it solely to deliver clinical alerts, handoff notifications, and AI-generation completions. The token does not contain personal information. You can disable push at any time from your device settings.

Device identifiers and crash diagnostics: anonymized device model, OS version, and crash logs to diagnose issues. We do not collect IDFA or advertising identifiers, and we do not use mobile analytics SDKs for advertising.

The mobile application does not collect location, microphone, contacts, calendar, health-kit, or motion data.

2.5 Protected Health Information (tachyDx Teams only)

When you use tachyDx Teams as part of a hospital's care delivery workflow, you may enter Protected Health Information (PHI) about patients, including but not limited to: name, age, sex, contact information, admission status, ward, diagnoses, allergies, blood group, vitals readings, fluid balance entries, medication administration records, lab orders, lab results, clinical orders, SOAP encounter notes, SBAR handoff notes, discharge summaries, photographs of monitors and printouts, and uploaded clinical documents.

For PHI processed in tachyDx Teams, your hospital is the data controller (responsible for lawful basis and patient consent) and Aethryva is the data processor (responsible for secure processing on the hospital's behalf). Each hospital's PHI is stored in an isolated Postgres workspace protected by Row Level Security; no other hospital and no public-facing tachyDx user can read it.

3. How We Use Your Information

We use information to verify your identity as a licensed medical professional; operate, maintain, and improve the Services; generate research papers from public discussions on tachydx.com; compute reputation scores and badges; deliver transactional emails (verification status, notifications, inquiries); deliver clinical push notifications and in-app alerts in tachyDx Teams; respond to support requests; analyze aggregate usage to improve performance; enforce our Terms and prevent abuse; and comply with applicable law.

Content created across the Services (including clinical content inside tachyDx Teams, after de-identification) is also used to train and improve our clinical AI products, as described in Section 5 below. PHI is never sold and is never used to advertise or market to your patients.

4. AI Processing and Third-Party Models

Several features in tachyDx and tachyDx Teams use AI services from third-party providers:

Anthropic Claude: used for clinical OCR (extracting numeric values from photographed monitors, glucometers, and lab printouts). Images and extracted text are sent to Anthropic's servers via their API. As of the date of this policy, we do not have a Zero Data Retention agreement with Anthropic; clinical content may be retained transiently by Anthropic in accordance with their API data retention policy. We are migrating to a Business Associate Agreement-eligible deployment for US hospitals before any HIPAA-covered customer launch.

Google Gemini: used for the per-patient AI assistant (Eir), summary generation, case study drafting, and SBAR handoff drafting in tachyDx Teams. Text content from the relevant patient's chart is sent to Google's Generative AI API. Google's terms apply.

Every AI output in tachyDx Teams is presented as a draft for clinician review. Clinicians explicitly confirm and sign off on AI-generated content before it becomes a record. AI suggestions are not clinical decisions and are not a substitute for professional medical judgment.

Hospital administrators may disable AI features for their workspace by request. Individual users may opt out of AI features in Settings.

5. Use of Platform Content for AI Development and Public Publication

5.1 Why we collect this content

Aethryva exists to build clinical AI products. The flagship is PriyAI Sentinel, a bedside biochemistry monitor with integrated clinical decision support. Sentinel learns from real clinical reasoning, not from textbook summaries. The content you and other clinicians create on tachyDx and tachyDx Teams is the corpus we use to train PriyAI and the AI assistants integrated into the platform.

5.2 What content is used for AI training

The following categories are used to train and improve our clinical AI:

From the public tachydx.com platform: questions, answers, comments, published research papers, peer commentary, and AI-generated drafts together with the clinician corrections made to them. This content is also published under Creative Commons Attribution 4.0 International (CC BY 4.0), which independently grants Aethryva and any third party the right to use the content for any purpose including AI training, with attribution.

From tachyDx Teams (mobile and web clinical workspace): de-identified SOAP notes, SBAR handoff notes, discharge summaries, vitals entries, fluid balance records, medication administration records, lab values and trends, photographed monitor readings, clinical orders, ground-truth corrections, and the AI-generated drafts that clinicians edit and sign.

5.3 De-identification of clinical content

Before clinical content from tachyDx Teams enters any training dataset, we apply de-identification to remove direct identifiers: patient name, date of birth (replaced with age band), medical record number, contact information, hospital identifier, and any other field that could reasonably re-identify a patient. Training datasets are stored separately from the production patient records, and the production application does not have access to the training datasets.

5.4 How you consent to this use

When a hospital creates a workspace, the hospital administrator accepts these terms on behalf of the hospital. When an individual clinician first signs in to the mobile or web application, the clinician accepts these terms on behalf of themselves. The acceptance is logged with a timestamp and the version of the policy in effect at that time. By accepting, you and your hospital authorize the AI development use described above.

If you do not wish your contributions to be used for AI development, you should not use the Services. If you have used the Services and now wish to stop, you can delete your account or your hospital's workspace under Section 9. Content removed by deletion is excluded from future training cycles. Content that has already been used to train AI models cannot be retrospectively removed from those trained models; we do not re-derive deleted content from the trained models.

5.5 Public publication on tachydx.com

Any content you post on the public tachydx.com platform may be visible to other physicians and to the general public. If a discussion you participate in is published as a research paper, your contributions will be attributed to you by name, specialty, and institution unless you posted anonymously, in which case you will be attributed as "Verified Physician." Published research papers and public discussions are available indefinitely under the CC BY 4.0 license described above. Assume anything you post on tachydx.com will be permanently and publicly accessible.

Content created inside tachyDx Teams (clinical notes, team discussions, patient charts) is NOT publicly visible and is NOT part of the publishing pipeline. It remains private to the hospital workspace, accessible only to authorized team members, and is used for AI training only after the de-identification step described in Section 5.3.

5.6 US hospitals and HIPAA

For US hospitals subject to HIPAA, a Business Associate Agreement that covers AI training use is available on the tachyDx Teams Enterprise plan. Until a BAA is executed, US hospitals should not use tachyDx Teams to process PHI of US patients. Contact enterprise@tachydx.com to initiate.

6. Data Sharing and Disclosure

We do not sell your personal information. We share information only as follows:

With service providers assisting in operations: hosting (Vercel), database and storage (Supabase), email delivery (Resend), AI providers (Anthropic, Google, as described in Section 4), payment processing (Razorpay for research publishing fees).

With your hospital administrators, if you use tachyDx Teams. Hospital admins can view team membership, audit logs, and the PHI their hospital owns. They cannot view PHI of any other hospital.

With regulatory authorities or law enforcement, when required by law, subpoena, or other valid legal process.

With third parties in connection with a merger, acquisition, or asset sale, in which case your information may be transferred. We will notify you and provide a meaningful choice where required by law.

With academic indexing and DOI registration services (Crossref) for published research papers on tachydx.com.

With other users of the public tachydx.com platform, only to the extent your posted content and public profile are inherently visible there.

7. Data Storage, Security, and Residency

Data is stored on infrastructure provided by Supabase and Vercel. Our Supabase project is currently hosted in the Tokyo region (Asia-Pacific North-East). We plan to migrate to the Mumbai region (Asia-Pacific South-1) before our first paying Indian hospital deployment to satisfy in-country processing preferences.

Verification documents and patient attachments (medical degree scans, ECGs, lab printouts) are stored in encrypted storage buckets with restricted access governed by Row Level Security. Medical registration numbers are stored for verification only and are never publicly displayed.

We use TLS 1.3 in transit, AES-256 at rest, encrypted database backups, signed-URL access for private storage objects, and explicit Row Level Security policies on every table containing PHI or user data. Each hospital's workspace is isolated by team identity at the policy layer.

No method of electronic storage or transmission is one hundred percent secure. You are responsible for maintaining the confidentiality of your account credentials. If you suspect your account has been compromised, contact support immediately.

8. Data Retention

Account data is retained while your account is active. If you request account deletion (see Section 9), we delete or anonymize your personal data within thirty days, except where retention is required by law, dispute resolution, or the integrity of published research papers.

Published research papers and associated contributor attribution are retained indefinitely as a permanent academic record. Verification documents are retained for the duration of your account and for twelve months following account closure.

PHI inside tachyDx Teams is retained according to your hospital's instructions and applicable medical-record retention laws (typically five to ten years in India under DPDP and clinical establishment regulations). When a hospital ends its relationship with us, we provide a complete data export and purge our copy within thirty days unless legally required to retain longer.

9. Account Deletion

You may delete your account at any time:

In the mobile application: open Settings, scroll to Account, tap "Delete Account," confirm. The request is recorded immediately, your sessions are signed out, and your personal data is purged or anonymized within thirty days.

On the web: open your profile settings on tachydx.com and use the "Delete Account" option, or email support@tachydx.com from the address associated with your account.

The thirty-day window is reserved for accidental deletion recovery and for satisfying legal hold requirements. After the window expires, recovery is not possible.

If you are part of a hospital team and you delete your individual account, your historical clinical entries (notes you signed, vitals you logged) remain in the hospital's workspace because the hospital owns that record under medical retention law. Your name will be retained in the audit trail; your profile information will be anonymized.

Deletion stops your content from entering future AI training cycles. However, content already used to train AI models cannot be removed from the trained models themselves; we do not re-derive deleted content from the models. This is the same constraint that applies when a book is removed from a library after others have already read it.

10. Your Rights

Depending on your jurisdiction, you may have these rights regarding your personal data: access, correction of inaccurate data, deletion (subject to Section 8 exceptions), restriction or objection to certain processing, data portability where technically feasible, and withdrawal of consent where processing is based on consent.

To exercise any of these rights, contact support@tachydx.com. We respond within thirty days and may require identity verification before processing.

If you are an Indian resident, your rights under the Digital Personal Data Protection Act 2023 (DPDP) apply. If you are an EEA or UK resident, your rights under the GDPR apply. If you are a California resident, your rights under the CCPA apply. We honor these rights in their respective jurisdictions.

11. International Users and Data Transfers

The Services are operated from India. If you access them from the European Economic Area, the United Kingdom, the United States, or any other jurisdiction, your data will be transferred to and processed in India and other countries where our service providers operate. By using the Services you consent to such transfers. We take reasonable steps to ensure data is treated in accordance with applicable laws.

For US hospitals subject to HIPAA, a Business Associate Agreement is available on the tachyDx Teams Enterprise plan; contact enterprise@tachydx.com.

12. Children

The Services are intended for licensed medical professionals over 18. We do not knowingly collect personal information from individuals under 18 directly. PHI of paediatric patients may be entered into tachyDx Teams by their treating clinicians; in that case the hospital's lawful basis for processing applies, and we act only as processor.

13. Cookies and Tracking Technologies

We use cookies, local storage, and similar technologies for session management, authentication persistence, preference storage, and aggregate usage analytics. You can control cookies in your browser settings. Disabling cookies may impair certain features.

14. Mobile App Permissions Summary

The tachyDx Teams mobile application requests the following permissions, all just-in-time when needed:

Camera: to photograph monitors, glucometers, lab printouts, and documents for entry into the patient chart. Required for the photo-to-data feature. You can decline; the feature will be disabled but the rest of the app continues to work.

Photo library (iOS) or storage (Android): to attach existing photographs of clinical documents. Same scope and same opt-out as above.

Biometric authentication: for in-app unlock using Face ID, Touch ID, or Android biometric. Optional, and you can disable in Settings.

Push notifications: for clinical alerts, handoff messages, and AI completion notifications. Optional, and you can disable in your device's OS settings.

The tachyDx Teams mobile application does not request microphone, location, contacts, calendar, motion, health-kit, or background-location permissions.

15. Third-Party Links

The Services may contain links to third-party websites, including ORCID, PubMed, Crossref, and institutional sites. We are not responsible for the privacy practices or content of those sites. Review their policies before using them.

16. Changes to This Policy

We may update this Privacy Policy. When we do, we will revise the "Last updated" date at the top. Continued use after changes constitutes acceptance. We will provide notice for material changes (in-app banner or email).

17. Contact

For privacy questions or requests:

Aethryva Deeptech Pvt. Ltd.
tachyDx, 301, KR Towers, Banjara Hills, Road 12
Hyderabad, India 500034
Email: support@tachydx.com
Enterprise / HIPAA inquiries: enterprise@tachydx.com