Privacy Policy
Last updated: 18 May 2026
CaladriusHealth.AI is a joint venture between GPracta and Yajur Healthcare, incorporated in India, with operations in Bengaluru, Karnataka.
This Privacy Policy explains how we collect, use, store, and protect personal data in connection with the CaladriusHealth.AI platform, and describes your rights under the Digital Personal Data Protection Act, 2023 (“DPDPA”) and the ABDM Health Data Management Policy (April 2022, v2).
1. Who this policy applies to
This policy applies to:
- Authorised Users of Customer organisations (billing staff, coders, administrators, and managers who access the platform)
- Customer organisation contacts (procurement, IT, and legal representatives)
This policy does not apply to:
- Patients — our platform is B2B; we do not interact with patients directly
- Clinical health records — our platform processes billing and claims data only
- Personal data that Customer organisations collect from their own staff and patients (those organisations are the Data Fiduciary for that data; we process it as a Data Processor on their behalf)
2. Our role under the DPDPA
CaladriusHealth acts as a Data Fiduciary (under DPDPA Section 2(i)) for personal data we independently control — such as account information and billing contacts.
CaladriusHealth acts as a Data Processor (under DPDPA Section 2(k)) for Customer Data submitted by hospitals and clinics through the platform. In that capacity, we process data only on the Customer’s instructions.
3. Personal data we collect and why
As Data Fiduciary
| Category | Examples | Purpose | Legal basis (DPDPA) |
|---|---|---|---|
| Account information | Name, email, designation, phone, organisation | Account setup and management | Consent |
| Contractual information | Organisation name, billing address, GST number | Invoicing and contract performance | Legitimate use |
| Usage metadata | Login events, feature activity, API calls | Security monitoring, service improvement | Legitimate use |
| Support communications | Email and chat with our team | Resolving service issues | Legitimate use |
As Data Processor
| Category | Examples | Purpose |
|---|---|---|
| Claims processing data | Claim IDs, encounter codes, payer identifiers, billing codes | Core RCM functionality |
| Staff workflow data | Coder assignments, approvals, workflow actions | Audit trail and process management |
Important: The platform is designed for billing and claims data only. Customers must not submit clinical health records, patient diagnoses, or treatment information not required for billing.
4. How we use personal data
We use personal data to:
- Provide, maintain, and improve the Service
- Manage Customer accounts and billing
- Detect, prevent, and respond to security incidents
- Comply with DPDPA, ABDM Policy, the IT Act 2000, and other applicable Indian law
- Fulfil obligations to government entity customers (CGHS, PM-JAY, state health schemes) including government audit requirements
- Improve AI models — only with Customer’s prior written consent; anonymised and aggregated data only
We do not:
- Sell personal data
- Use personal data for advertising
- Train AI models on Customer Data without explicit written consent
5. Data residency and sub-processors
All Customer Data is processed and stored on-premises within India. We do not transfer Customer Data outside India.
Primary AI inference is performed by on-premises language models. When optional cloud AI features are used:
| Sub-Processor | Role | Data handling |
|---|---|---|
| Anthropic, PBC (Claude) | Optional cloud AI inference | Inference only; no retention; no model training on Customer Data |
| Google LLC (Gemini) | Optional cloud AI inference | Inference only; no retention; no model training on Customer Data |
Cloud AI features are opt-in and configurable per organisation. For the current list of sub-processors, email Connect@caladriushealth.ai.
6. ABDM compliance
As a registered ABDM HIP and HIU, CaladriusHealth complies with the ABDM Health Data Management Policy (April 2022, v2), including:
- Privacy principles for Data Fiduciaries (Clause 26)
- Transparency and accountability obligations (Clause 27)
- Restrictions on sharing personal data (Clause 31)
- Grievance redressal and incident management (Clauses 32–33)
7. Data retention
| Category | Retention period |
|---|---|
| Account information | Duration of subscription + 3 years |
| Billing and invoicing records | 7 years (GST and tax obligations) |
| Security and usage logs | 1 year |
| Support communications | 2 years |
| Customer Data (as Processor) | Duration of Agreement + 30 days post-termination |
Data is securely deleted or anonymised at the end of each retention period. Under DPDPA Section 8(7), we erase personal data when a Data Principal withdraws consent, or when the original purpose is no longer being served — whichever is earlier — unless retention is required by law.
8. Security
We implement technical and organisational security measures including end-to-end encryption in transit and at rest, role-based access control, multi-factor authentication, daily backups, and regular penetration testing. Full details are in our Security Policy.
In the event of a Personal Data Breach, we will notify affected Customers and the Data Protection Board of India as required by DPDPA Section 8(6).
9. Your rights as a Data Principal
Under Chapter III of the DPDPA, you have the following rights:
Access (Section 11): Request a summary of personal data we hold about you, including processing activities and any sharing with third parties.
Correction and erasure (Section 12): Request correction of inaccurate data, completion of incomplete data, and erasure of data no longer required for its original purpose.
Grievance redressal (Section 13): Raise a grievance with our Grievance Officer. We will respond within 90 days.
Nomination (Section 14): Nominate another individual to exercise your rights in the event of your death or incapacity.
To exercise any of these rights, email Connect@caladriushealth.ai with the subject line “DPDPA Rights Request”.
10. Grievance Officer and Data Protection Officer
In accordance with DPDPA Sections 8(9)–8(10) and Section 13:
Grievance Officer and Data Protection Officer:
Manish Sharma
CaladriusHealth.AI, Bengaluru, Karnataka, India
Email: Connect@caladriushealth.ai
Response time: Within 90 days of receipt
If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India under DPDPA Section 27.
11. Changes to this policy
We will give Customer organisation administrators at least 30 days’ written notice of material changes. Continued use of the Service after the effective date constitutes acceptance.