Privacy Policy

Effective Date: 1 Feb 2026

Clarrif (“Company,” “we,” “us,” or “our”) provides an AI-powered platform for diagnostic laboratories, hospitals, and healthcare organizations (“Customers”). This Privacy Policy explains how we collect, process, use, and protect personal data when our Customers use the Clarrif platform (“Service”).

This Policy applies to organizational Customers and their authorized users. Clarrif does not provide services directly to individual patients.


1. Roles and Responsibilities

1.1 Customer as Data Controller

Our Customers (labs, hospitals, clinics):

  • Determine what data is uploaded
  • Determine retention settings
  • Obtain patient consent
  • Control how outputs are used

Customers act as the Data Controller under applicable privacy laws.

1.2 Clarrif as Data Processor

Clarrif acts as a Data Processor and processes data only:

  • On documented instructions from the Customer
  • To provide the Service
  • In accordance with contractual obligations

We do not determine the purpose of processing patient data.


2. Categories of Data Processed

2.1 Customer Account Data

We may collect:

  • Organization name
  • Authorized user name
  • Work email address
  • Phone number (if provided)
  • Billing and usage metadata

This data is used for:

  • Account management
  • Security and audit logs
  • Service delivery
  • Limited service communications

2.2 Lab Report Data (Customer Data)

Customers may upload Lab Reports containing:

  • Diagnostic test values
  • Patient age and gender (if retained)
  • Medical observations
  • Other report-related content

We process this data solely to:

  • Generate AI Outputs
  • Provide dashboard analytics
  • Deliver summaries and related features

We do not use Customer Data for advertising or resale.


4. Data Retention

4.1 Default Retention

Processed Lab Reports and associated AI Outputs are retained for 7 days by default. After the retention period:

  • Data is automatically deleted from active systems
  • Deletion is irreversible unless otherwise contractually agreed

4.2 Configurable Retention

Customers may configure shorter or longer retention periods through platform settings (where available). The Customer is responsible for ensuring retention settings comply with applicable laws and medical record requirements.

4.3 Backup Deletion

Residual system backups are purged according to internal secure deletion schedules.


5. Redaction and Data Minimization

Customers are responsible for ensuring that:

  • Only necessary information is uploaded
  • Sensitive identifiers are removed or redacted

The platform provides:

  • Manual redaction tools
  • Automated redaction features (where enabled)

Clarrif does not guarantee complete removal of all identifiers and relies on Customer oversight.


6. Cross-Border Data Transfers

Data may be processed on secure cloud infrastructure located outside the country of origin, including outside India. By using the Service, Customers confirm that:

  • They have obtained necessary patient consent
  • They are legally authorized to transfer data across borders

We implement contractual and security safeguards for international processing.


7. Third-Party Service Providers (Subprocessors)

Clarrif may use third-party service providers, including:

  • Cloud infrastructure providers
  • AI model providers
  • Email and communication services
  • Monitoring and analytics services

These providers:

  • Process data only on our instructions
  • Are bound by confidentiality and security obligations
  • Do not receive data for marketing purposes

AI Service Providers

We may use third-party artificial intelligence providers to power certain features of the Service, including large language models (LLMs) used for generating summaries and insights. These providers may include, for example:

  • OpenAI
  • Google Cloud AI services (including Gemini models)
  • Other enterprise AI infrastructure providers

Such providers process data solely on our instructions and are bound by confidentiality and data protection obligations. We do not permit these providers to use Customer Data to train public models where contractual controls are available.


8. Security Measures

We implement technical and organizational safeguards including:

  • Encryption in transit (TLS)
  • Encryption at rest
  • Role-based access controls
  • Audit logging
  • Secure infrastructure configuration

However, no system is 100% secure.


9. Lawful Basis and Consent

Clarrif does not directly collect patient consent. The Customer is responsible for:

  • Informing patients about AI-based processing
  • Informing patients about cross-border transfers (if applicable)
  • Providing access to relevant Terms and privacy disclosures
  • Obtaining legally valid consent

Clarrif is not responsible for failure by the Customer to obtain proper consent.


10. Data Subject Rights

Since Customers act as Data Controllers:

  • Requests for access, correction, or deletion of patient data must be directed to the Customer.
  • Clarrif will assist Customers in responding to such requests where required.


11. Data Breach Notification

In the event of a confirmed data security incident affecting Customer Data, Clarrif will:

  • Notify the affected Customer without undue delay
  • Provide reasonable assistance in investigation and mitigation

Customers are responsible for regulatory reporting obligations.


12. Use of Cookies and Analytics

We may use cookies and analytics tools on our website or dashboard to:

  • Understand usage patterns
  • Improve performance
  • Enhance user experience

Analytics data is anonymized where feasible and not used for profiling patients.


13. Children’s Data

Clarrif does not knowingly collect data directly from children. If a Customer uploads reports relating to minors, the Customer confirms that it has obtained necessary parental or guardian consent.


14. Data Deletion Upon Termination

Upon termination of service:

  • Customer Data will be deleted according to configured retention settings
  • Remaining data will be securely purged according to internal schedules


15. Confidentiality

Customer Data is treated as confidential and is accessed only:

  • To maintain or operate the Service
  • By authorized personnel bound by confidentiality obligations


16. Compliance with Laws

Clarrif is designed to support compliance with:

  • India’s Digital Personal Data Protection Act (DPDP)
  • Applicable healthcare data regulations
  • General global privacy standards (where applicable)

However, Customers remain responsible for their own regulatory compliance.


17. Updates to This Policy

We may update this Privacy Policy periodically. Updated versions will be posted with a revised effective date. Continued use of the Service constitutes acceptance of updates.


18. Contact Information

For privacy-related inquiries:

📧 support@clarrif.com


19. Governing Language

If translated, the English version shall prevail in case of inconsistencies.


Last Updated: 1 Feb 2026