Important Distinction
This Privacy Policy governs personal information collected from website visitors, business contacts, and platform users (e.g., enterprise administrators). It does not govern Protected Health Information (PHI) or clinical data processed by our privacy engine.
Clinical data processing is governed by our Terms of Service, Data Processing Agreements (DPAs), and Business Associate Agreements (BAAs) executed with enterprise clients under HIPAA and applicable Indian health data regulations.
1. Introduction
Synthetix Health ("Synthetix Health," "we," "our," or "us") is a privacy-preserving clinical intelligence company headquartered in India with operations in the United States. We provide infrastructure that enables healthcare institutions, pharmaceutical companies, and research organizations to collaborate using mathematically private synthetic healthcare datasets generated using proprietary privacy-preserving technology.
As a company operating across two of the world's most significant regulatory regimes for data protection and healthcare, we are committed to full compliance with:
- The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) — governing protected health information in the United States;
- India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000 (IT Act), including the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules);
- The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) — governing residents of California;
- India's National Health Policy, the National Digital Health Mission (ABDM) framework, and the Electronic Health Records (EHR) Standards, 2016.
2. Scope and Applicability
This Privacy Policy applies to:
- All individuals who visit our websites (synthetixhealth.com and related domains);
- Enterprise contacts, procurement officers, and business representatives who interact with us in a B2B capacity;
- Platform users (administrators, data stewards, compliance officers) who access the Synthetix Health platform; and
- Any other persons whose personal data we process in the course of our business operations.
This Privacy Policy does not apply to:
- PHI or clinical datasets processed through our privacy engine on behalf of healthcare enterprise clients — such processing is governed by BAAs and DPAs executed with those clients;
- Employees and contractors, whose data is governed by separate internal HR and employment policies.
3. Key Definitions
| Term | Definition |
|---|---|
| Personal Data / Personal Information | Any data that identifies or can reasonably identify a natural person, directly or indirectly. Equivalent to "Personal Information" under the CCPA and "Personal Data" under the DPDP Act. |
| Sensitive Personal Data or Information (SPDI) | Under India's SPDI Rules: passwords, financial data, physical/mental health data, biometric data, sexual orientation, and medical records. Governed by heightened protections. |
| Protected Health Information (PHI) | Individually identifiable health information transmitted or maintained by a covered entity or business associate, as defined under HIPAA (45 CFR §160.103). |
| Data Fiduciary | Under the DPDP Act, 2023 — the entity that determines the purpose and means of processing personal data. Synthetix Health is a Data Fiduciary in respect of our platform users and contacts. |
| Data Principal | Under the DPDP Act — the individual to whom the personal data relates. |
| Business Associate (BA) | Under HIPAA — an entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. |
| Significant Data Fiduciary (SDF) | A category under the DPDP Act designating fiduciaries that process large volumes of sensitive personal data, subject to additional obligations. We assess our classification on an ongoing basis. |
| Privacy Guarantee | A mathematical bound ensuring that no individual's data can be reverse-engineered from synthetic outputs. All synthetic data generated by Synthetix Health is certified under our proprietary privacy framework. |
4. Information We Collect
4.1 Information You Provide to Us
- Account and Contact Data: First and last name, work email, phone number, company name, job title, and login credentials when you request a product demo, register for a trial, or create a platform account.
- Communications and Support Data: Records of your correspondence with our sales, technical, and compliance teams, including support tickets and feedback submissions.
- Contractual and Procurement Data: Business contact details provided during contract negotiation, RFP processes, and vendor onboarding — including details of your organizational role as it relates to processing health data.
4.2 Information We Collect Automatically
- Device and Usage Data: IP address, browser type, operating system, referring URLs, pages viewed, and behavioral interaction data with our Services.
- Cookies and Tracking Technologies: We use cookies, web beacons, pixel tags, and similar tracking technologies as described in our Cookie Policy. You may manage your cookie preferences at any time through our consent management platform.
- Log Data: Server logs including timestamps, error logs, and API access logs necessary for platform security and audit compliance.
4.3 Sensitive Personal Data (India — SPDI Rules)
Heightened Protection for SPDI
Where we process any Sensitive Personal Data or Information (as defined under the SPDI Rules), we obtain explicit prior written consent, implement elevated security controls, and do not transfer such data to third parties without your specific consent — except where required by law.
Categories of SPDI potentially collected include: mental or physical health information of platform users, passwords, and financial account data used for billing.
4.4 What We Do NOT Collect
Synthetix Health does not collect or process, as part of its direct business operations:
- Real patient data, PHI, or EHR records from individuals — our privacy engine processes such data exclusively on behalf of enterprise clients under BAAs;
- Biometric identifiers from platform users;
- Data from children under the age of 18. Our platform is strictly B2B.
5. Legal Basis for Processing
| Processing Activity | US Legal Basis (HIPAA / CCPA) | India Legal Basis (DPDP Act 2023 / SPDI Rules) |
|---|---|---|
| Provisioning and maintaining platform access | Performance of contract; legitimate business interest | Consent (in the form prescribed under the DPDP Act); legitimate use under S.7 |
| Customer support and communications | Performance of contract; legitimate business interest | Consent; legitimate use (responding to a Data Principal's request) |
| Security monitoring and incident response | Legal obligation (HIPAA Security Rule); legitimate interest | Legal obligation under IT Act, S.43A; legitimate use |
| Analytics and service improvement | Legitimate business interest | Consent (where required); legitimate use for non-sensitive data |
| Marketing and sales outreach (B2B) | Legitimate interest (B2B); opt-out honored | Consent required; withdrawal honored promptly |
| Compliance and regulatory reporting | Legal obligation (HIPAA, state law) | Legal obligation under DPDP Act, IT Act, and sector regulations |
| Processing SPDI (India) | N/A (B2B context) | Explicit prior written consent under SPDI Rules, Rule 5 |
6. How We Use Your Information
- Platform Access and Authentication: To provision, maintain, authenticate, and secure your access to the Synthetix Health platform and associated APIs.
- Security and Compliance: To monitor for unauthorized access, investigate security incidents, maintain audit logs required under HIPAA, HITECH, and the DPDP Act, and comply with regulatory reporting obligations.
- Service Communications: To deliver security updates, technical notices, service announcements, and administrative messages.
- Customer Success and Support: To respond to your technical inquiries, troubleshoot issues, and manage your contractual relationship with us.
- Product Analytics: To understand aggregated usage patterns, improve platform architecture, identify performance bottlenecks, and enhance privacy-preserving capabilities.
- Legal and Regulatory Compliance: To meet applicable legal obligations including HIPAA Security Rule requirements, DPDP Act obligations, CCPA compliance mandates, and tax or accounting requirements.
- Fraud Prevention and Platform Integrity: To detect, prevent, and investigate fraudulent, unauthorized, or illegal activity affecting our platform or our clients.
We Do Not Sell Your Personal Data
Synthetix Health does not and will not sell, rent, or trade your personal information to any third party for monetary or other valuable consideration — consistent with the definitions of "sale" under the CCPA/CPRA and applicable Indian law.
We do not use your personal data to train third-party AI/ML models without your explicit consent.
7. Sharing and Disclosure of Information
7.1 Authorized Disclosures
Service Providers and Subprocessors: We engage trusted third-party vendors for cloud hosting, identity management, analytics, CRM, and customer support. All subprocessors are bound by written data processing agreements. A list of current subprocessors is available upon request.
Corporate Restructuring: In connection with any merger, acquisition, financing, restructuring, or sale of assets, personal data may be disclosed to successor entities. We will provide notice of any such material change prior to transfer.
Legal Requirements and Law Enforcement: We may disclose personal data where required by applicable law, court order, governmental authority, or regulatory body — including MeitY in India, HHS in the US, or any other competent authority.
HIPAA Business Associate Obligations
Where Synthetix Health acts as a Business Associate under HIPAA, we disclose PHI only as expressly permitted or required by the applicable BAA and in accordance with the HIPAA Privacy Rule (45 CFR Part 164). PHI is never disclosed for our own marketing, fundraising, or commercial purposes.
Breach Notification: In the event of a breach of unsecured PHI, we will notify affected covered entities in accordance with the HIPAA Breach Notification Rule (45 CFR §§164.400-414).
7.2 Cross-Border Data Transfers
Synthetix Health operates with corporate infrastructure in India and the United States. Personal data may be transferred between these jurisdictions. We implement the following safeguards:
- Standard Contractual Clauses (SCCs) / Model Contractual Terms for transfers to jurisdictions lacking adequacy decisions;
- Data Localization Assessment for Indian SPDI and data subject to localization requirements;
- HIPAA-Compliant Agreements for all cross-border transfers of PHI;
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
Note on DPDP Act Data Localization
The DPDP Act, 2023 authorizes the Central Government to restrict cross-border transfer of personal data to certain jurisdictions by notification. We continuously monitor such notifications and will comply with any applicable transfer restrictions. Special category sensitive personal data (including health data) may be subject to stricter localization requirements under sector-specific regulations.
8. Healthcare Data — Dual Regulatory Framework
| Regulatory Area | Our Compliance Commitment |
|---|---|
| HIPAA Privacy Rule (US) | We execute BAAs with all covered entity clients. PHI is processed exclusively pursuant to the BAA. We maintain a HIPAA-compliant privacy program including workforce training, minimum necessary standards, and access controls. |
| HIPAA Security Rule (US) | Administrative, physical, and technical safeguards required under 45 CFR Part 164, Subpart C, including risk analysis, risk management, audit controls, and transmission security. |
| HITECH Act (US) | Compliance with enhanced enforcement provisions, breach notification requirements, and Business Associate direct liability obligations. |
| DPDP Act, 2023 (India) | We act as Data Fiduciary for personal data of Indian Data Principals. We provide clear, itemized notice prior to consent collection and honor Data Principal rights as enumerated in Sections 12-14. |
| SPDI Rules, 2011 (India) | Sensitive Personal Data is handled with prior written consent and is not disclosed to third parties without specific consent except as required by law. |
| ABDM Health Data Management Policy (India) | Synthetic data generation practices align with the ABDM framework, ensuring outputs cannot be used to re-identify patients. |
| EHR Standards, 2016 (India) | FHIR-format EHR data processing respects the structural and semantic standards specified by MoHFW. |
| State Health Privacy Laws (US) | We assess applicability of state-specific health privacy laws and implement appropriate protections. |
9. Your Privacy Rights
9.1 Rights Under the DPDP Act, 2023 (India)
- Right to Information (S.11): Obtain a summary of the personal data being processed and the processing activities performed.
- Right to Correction and Erasure (S.12): Request correction of inaccurate or incomplete personal data, and request erasure of data no longer necessary for its purpose.
- Right to Grievance Redressal (S.13): Have your grievances redressed by our designated Data Protection Officer / Grievance Officer within prescribed timelines.
- Right to Nominate (S.14): Nominate another individual to exercise your rights in the event of your death or incapacity.
- Consent Withdrawal: Withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
9.2 Rights Under the CCPA / CPRA (California Residents)
- Right to Know: The categories and specific pieces of personal information collected, the sources, the business purpose, and the categories of third parties with whom we share information.
- Right to Delete: Request deletion of personal information, subject to applicable exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share personal information. You may submit an opt-out request and we will confirm our non-sale posture.
- Right to Limit Use of Sensitive Personal Information: Restrict our use of sensitive personal information to authorized purposes.
- Right of Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights.
9.3 Rights Under HIPAA (US Health Data)
If you are a patient whose PHI has been processed through our platform by one of our covered entity clients, your HIPAA rights (including access, amendment, accounting of disclosures, and restriction) are exercisable against that covered entity. Please contact them directly. We will cooperate to support their fulfillment of your rights.
9.4 How to Exercise Your Rights
Submit a Privacy Request
Email: legal@synthetixhealth.com
Subject Line: [Privacy Right Request] — [Your Jurisdiction] — [Right Requested]
Include: Full name, relationship to Synthetix Health (e.g., platform user, website visitor), jurisdiction of residence, and a description of the right you wish to exercise.
Response Timeline: 30 days for DPDP Act / CCPA requests (extendable by 15 days with notice); 30 days for all other requests.
Identity Verification: We will verify your identity before processing any rights request.
10. Security: Engineered for Healthcare Compliance
| Security Control | Implementation |
|---|---|
| Encryption in Transit | TLS 1.2+ for all data in transit; mutual TLS (mTLS) for API communications |
| Encryption at Rest | AES-256 encryption for all stored data, including platform user data and audit logs |
| Access Controls | Role-based access control (RBAC); multi-factor authentication (MFA); principle of least privilege |
| Audit Logging | Immutable, queryable Clinical Audit Trail — supporting HIPAA audit control requirements (45 CFR §164.312(b)) |
| Vulnerability Management | Regular penetration testing, vulnerability scanning, and patch management |
| Incident Response | Documented incident response plan; breach notification compliant with HIPAA Breach Notification Rule and DPDP Act |
| Vendor Risk Management | Security assessments of all subprocessors prior to engagement; contractual security obligations |
| Compliance Alignment | HIPAA Security Rule; DPDP Act technical safeguards |
11. Data Retention
| Data Category | Retention Period |
|---|---|
| Platform user account data | Duration of active account + 3 years following closure |
| Business contact and CRM data | Duration of business relationship + 3 years |
| Platform audit logs (Clinical Audit Trail) | Minimum 6 years (consistent with HIPAA — 45 CFR §164.530(j)) |
| Security and access logs | 2 years, subject to active incident investigation holds |
| Financial and billing records | 7 years (US federal tax); as required under Indian accounting law |
| Support and communications records | 3 years from resolution |
| Marketing and consent records | Until withdrawal of consent + 1 year for compliance evidence |
Upon expiration of the applicable retention period, personal data is securely deleted or anonymized in accordance with NIST SP 800-88 guidelines and the DPDP Act's erasure standards.
12. Data Fiduciary Obligations (DPDP Act, 2023)
As a Data Fiduciary operating in India, Synthetix Health fulfills the following obligations:
- Consent Architecture: Free, specific, informed, unconditional, and unambiguous consent using clear and plain-language consent requests.
- Notice Requirements: Notice at the time of, or before, requesting consent — in clear and plain language.
- Purpose Limitation: Processing only for the specified, explicit, and legitimate purposes for which consent was given.
- Data Minimization: Collection limited to what is adequate, relevant, and necessary.
- Data Accuracy: Reasonable steps to ensure personal data is accurate and up to date.
- Storage Limitation: Retention only within the periods outlined in Section 11.
- Security Obligations (S.8): Appropriate technical and organizational measures to protect personal data.
- Grievance Redressal (S.13): Established grievance mechanism with prescribed timeframes.
- SDF Assessment: Continuous assessment of whether processing meets the Significant Data Fiduciary threshold.
12.1 Grievance Officer (India)
Grievance Officer — India
In compliance with the SPDI Rules and the DPDP Act, we have appointed a Grievance Officer for Indian Data Principals.
Contact: legal@synthetixhealth.com
Subject Line: [DPDP Grievance] — [Your Name] — [Nature of Grievance]
Response Timeline: Acknowledgment within 3 working days; resolution within 30 days.
13. Children's Privacy
Our platform and services are intended exclusively for enterprise B2B use by adult professionals. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently collected such data, we will promptly delete it. Contact us at legal@synthetixhealth.com if you believe we may have collected information from a child.
14. Cookies and Tracking Technologies
| Cookie Category | Purpose | Opt-Out? |
|---|---|---|
| Strictly Necessary | Authentication, security tokens, session management, load balancing | No (required) |
| Functional | Remembering preferences (language, dashboard layout) | Yes — via consent manager |
| Analytics | Aggregated, anonymized usage analytics for platform improvement | Yes — via consent manager |
| Marketing / Targeting | We do not currently use marketing or behavioral targeting cookies | N/A |
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will post the revised policy with an updated Effective Date and provide in-platform notification at least 30 days before those changes take effect. Where a change affects the lawful basis of processing under the DPDP Act, we will obtain fresh consent from affected Data Principals.
16. Contact and Regulatory Authorities
16.1 Contact Us
Synthetix Health — Legal & Compliance
Email: legal@synthetixhealth.com
Subject Line Format: [Privacy Inquiry | Rights Request | DPDP Grievance | HIPAA Request] — [Brief Description]
We aim to acknowledge all inquiries within 2 business days and resolve them within 30 days.
16.2 Regulatory Authorities
| Jurisdiction | Supervisory Authority |
|---|---|
| India (DPDP Act) | Data Protection Board of India (DPBI). Until operationalized, complaints may be directed to MeitY. |
| India (IT Act / SPDI) | Ministry of Electronics and Information Technology (MeitY); Adjudicating Officer under the IT Act, 2000. |
| United States — Federal (HIPAA) | U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) |
| United States — California (CCPA/CPRA) | California Privacy Protection Agency (CPPA) |
| United States — FTC (General) | Federal Trade Commission (FTC) |
Appendix A: Regulatory Reference Summary
| Regulation | Jurisdiction | Key Relevance |
|---|---|---|
| HIPAA Privacy & Security Rules | US (Federal) | PHI processing under BAA; patient rights |
| HITECH Act | US (Federal) | Enhanced enforcement, BA direct liability, breach notification |
| CCPA / CPRA | US (California) | California residents' rights; non-sale confirmation |
| State Health Privacy Laws | US (various) | State-specific health privacy obligations |
| DPDP Act, 2023 | India (Central) | Data Fiduciary obligations; Data Principal rights; consent architecture |
| SPDI Rules, 2011 | India (Central) | Heightened protection for sensitive personal data |
| IT Act, 2000 (S.43A) | India (Central) | Liability for negligent security practices |
| ABDM Health Data Management Policy | India (Central) | Alignment with ABDM consent and interoperability framework |
| EHR Standards, 2016 | India (Central — MoHFW) | FHIR-format EHR processing standards |
| PDPA | Various ASEAN | To be assessed as company expands to Southeast Asia |
Synthetix Health · legal@synthetixhealth.com · Version 2.0 · Effective February 19, 2026