
Privacy Policy

Effective Date: 1 July 2025  ·  Last Updated: 1 July 2025  ·  Version 1.0

Table of Contents

  1. Who We Are
  2. Scope of This Policy
  3. What Data We Collect
  4. How We Use Your Data
  5. Legal Bases for Processing
  6. Data Sharing & Disclosures
  7. International Transfers
  8. Cookies & Tracking
  9. Data Retention
  10. Your Rights
  11. Healthcare & Research Data
  12. Security
  13. Children's Privacy
  14. Changes to This Policy
  15. Contact & Grievance Officer

1. Who We Are

Dritiva ("Dritiva", "we", "us", or "our") is a human intelligence firm providing outsourced AI training data, human feedback, and model evaluation services for healthcare and biopharmaceutical AI companies. Our registered business operates from India.

Data Controller: Dritiva
Email: info@dritiva.com
Phone: +91 7506221809
Website: https://www.dritiva.com

2. Scope of This Policy

This Privacy Policy applies to:

  • Visitors to our website at www.dritiva.com
  • Prospective and current business clients who contact us or engage our services
  • Clinical experts, annotators, and researchers who work with us or apply to join our panel
  • Patient and caregiver panel participants enrolled in research or annotation projects

This Policy does not govern data processed on behalf of our clients under a separate Data Processing Agreement (DPA). Clients are independently responsible for their own privacy obligations with respect to AI training data and model outputs.

3. What Data We Collect

3.1 Data You Provide Directly

  • Contact & Inquiry Data: Name, email address, phone number, company name, job title, and the content of messages sent through our contact form or email.
  • Expert & Annotator Registration: Professional credentials, specialty, qualifications, CV/resume, NPI or registration numbers, affiliation, geographic location, and availability.
  • Patient & Caregiver Panel Data: Name, contact details, age bracket, diagnosed conditions (self-disclosed), caregiver relationship, and consent records. This may constitute Sensitive Personal Data under applicable law.

3.2 Data Collected Automatically

  • IP address, browser type and version, operating system, referring URLs, pages visited, and time spent on pages.
  • Device identifiers and approximate geographic location derived from IP.
  • Cookie and session data (see Section 8).

3.3 Data From Third Parties

  • Publicly available professional profile information (e.g., LinkedIn, medical council registries) used to verify expert credentials.
  • Referral information when you are introduced by a partner or client.

Health Data: Information about a patient's medical condition, diagnosis, or treatment history constitutes Special Category Data (GDPR Art. 9) and Sensitive Personal Data under the DPDP Act 2023. We collect and process such data only with explicit informed consent and under HIPAA-aligned protocols where applicable.

4. How We Use Your Data

| Purpose | Data Used | Legal Basis |
|---|---|---|
| Responding to enquiries and scoping projects | Contact data, company info | Legitimate interest / Pre-contract |
| Onboarding and managing clinical annotators | Professional credentials, contact data | Contract performance |
| Patient panel recruitment and project participation | Health data, contact data, consent records | Explicit consent |
| Credential verification and COI screening | Professional registration, affiliation data | Legitimate interest / Contract |
| Delivering AI training, annotation, and evaluation services | All categories relevant to the project | Contract performance |
| Compliance with legal obligations | All relevant categories | Legal obligation |
| Improving website and service quality | Usage data, analytics | Legitimate interest (with opt-out) |
| Sending service-related communications | Email, contact data | Contract / Legitimate interest |
| Marketing communications (where consented) | Email, contact data | Consent |

We do not sell, rent, or trade personal data to any third party for commercial purposes.

5. Legal Bases for Processing

Depending on your location, we rely on the following legal bases:

  • Consent — for health/sensitive data, marketing communications, and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Contract Performance — to fulfil our obligations to clients and annotators under service agreements and engagement contracts.
  • Legitimate Interests — for business development, website analytics, fraud prevention, and credential verification, where your rights do not override these interests.
  • Legal Obligation — to comply with Indian law (DPDP Act 2023, IT Act 2000), GDPR, and applicable sector regulations.
  • Vital Interests — in rare circumstances involving serious risk to health or safety.

6. Data Sharing & Disclosures

We share personal data only in the following circumstances:

  • Service Delivery: With client AI teams under a binding Data Processing Agreement (DPA) and NDA, strictly for the project scope agreed. Annotator output data is pseudonymised before delivery wherever possible.
  • Subprocessors: With vetted technology providers (cloud infrastructure, project management tools, video conferencing) under data protection agreements. A current list of subprocessors is available on request.
  • Professional Verification: With medical councils, licensing bodies, or credential verification services to confirm annotator qualifications.
  • Legal Requirements: With government authorities, regulators, or courts where required by law, court order, or to protect legal rights.
  • Business Transfers: In connection with a merger, acquisition, or asset sale, subject to equivalent privacy protections.

No Sale of Data: Dritiva does not sell, license, or rent personal data to data brokers, advertisers, or unrelated third parties under any circumstances.

7. International Transfers

Dritiva operates from India and serves clients globally, including in the United States, European Union, and United Kingdom. When we transfer personal data across borders, we ensure appropriate safeguards are in place:

  • To the EU/EEA: We rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission, or adequacy decisions where available.
  • To the US: Transfers are governed by contractual protections and, for HIPAA-covered data, a Business Associate Agreement (BAA) with the relevant covered entity client.
  • From India: In compliance with the Digital Personal Data Protection Act 2023 (DPDP Act), we ensure cross-border transfers are to countries listed as permissible by the Government of India, or are subject to appropriate contractual safeguards.

8. Cookies & Tracking Technologies

Our website uses cookies and similar technologies. We use the following categories:

| Cookie Type | Purpose | Duration | Can Opt Out? |
|---|---|---|---|
| Strictly Necessary | Session management, security, form functionality | Session | No (required for site to function) |
| Analytics | Aggregate usage statistics to improve the website | Up to 13 months | Yes — via cookie banner |
| Preference | Remember your cookie consent choice | 12 months | Yes |

We do not use advertising or cross-site tracking cookies. You can manage cookie preferences at any time using your browser settings or the cookie consent banner on our homepage.

9. Data Retention

| Data Category | Retention Period | Basis |
|---|---|---|
| Website contact / enquiry data | 3 years from last contact | Legitimate interest (business development) |
| Annotator / expert profiles (active) | Duration of engagement + 2 years | Contract performance |
| Annotator / expert profiles (inactive) | 3 years from last project | Legitimate interest (re-engagement) |
| Patient panel consent records | 10 years from last participation | Legal obligation (ICH-GCP, regulatory) |
| Patient health data used in projects | Per client DPA; typically 5–7 years | Regulatory / Contract |
| Financial and contractual records | 7 years | Legal obligation (Indian tax law) |
| Website analytics data | 13 months (aggregated thereafter) | Legitimate interest |

After the applicable retention period, data is securely deleted or irreversibly anonymised.

10. Your Rights

Depending on your jurisdiction, you have the following rights over your personal data:

| Right | Description | Applicable Under |
|---|---|---|
| Access | Request a copy of the personal data we hold about you | DPDP, GDPR, CCPA |
| Correction | Request correction of inaccurate or incomplete data | DPDP, GDPR, CCPA |
| Erasure | Request deletion of your data (subject to legal retention obligations) | DPDP, GDPR, CCPA |
| Portability | Receive your data in a structured, machine-readable format | GDPR |
| Restriction | Request we limit processing of your data in certain circumstances | GDPR |
| Object | Object to processing based on legitimate interests or for direct marketing | GDPR, DPDP |
| Withdraw Consent | Withdraw consent at any time for consent-based processing | DPDP, GDPR, CCPA |
| Nominate | Nominate another person to exercise your rights in the event of death or incapacity | DPDP Act 2023 |
| Non-Discrimination | Not be discriminated against for exercising your privacy rights | CCPA |

To exercise any right, contact us at info@dritiva.com with subject line "Privacy Rights Request". We will respond within 30 days (GDPR) or as required under applicable law. We may need to verify your identity before processing certain requests.

If you are in the EU/UK and believe we have not addressed your concerns, you have the right to lodge a complaint with your local Data Protection Authority (DPA).

If you are in India and your grievance is not resolved within 30 days, you may escalate to the Data Protection Board of India once operational under the DPDP Act 2023.

11. Healthcare & Research Data (Special Provisions)

HIPAA: Where Dritiva processes Protected Health Information (PHI) on behalf of HIPAA-covered entity clients, we act as a Business Associate and execute a Business Associate Agreement (BAA). PHI is handled in accordance with HIPAA Privacy and Security Rule standards.

For patient and caregiver panel participants:

  • Participation is always voluntary and based on freely given, informed, and specific written consent.
  • You may withdraw from any project at any time without consequence to your care or any other rights.
  • Health data collected for research or annotation projects is pseudonymised before being shared with client AI teams.
  • We do not use patient panel data for purposes beyond the specific project scope disclosed at the time of consent.
  • Patient data is never used to train Dritiva's own AI models or commercial products.
  • All research involving patients follows ICH-GCP guidelines and applicable Indian CDSCO requirements for clinical research data.

12. Security

We implement appropriate technical and organisational security measures including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256) for sensitive data categories.
  • Role-based access controls limiting data access to personnel with a documented need.
  • NDA requirements for all personnel and annotators before project onboarding.
  • Regular security assessments and vendor security reviews.
  • Pseudonymisation of patient data before delivery to clients.
  • Incident response procedures with notification timelines compliant with GDPR (72 hours) and DPDP Act requirements.

No method of transmission over the internet is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security.

13. Children's Privacy

Our website and general services are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors without explicit parental or guardian consent. Where paediatric patient data is required for a specific research project, a separate consent framework involving a parent or legally authorised representative is obtained, and additional safeguards apply.

If you believe we have inadvertently collected data from a minor without appropriate consent, please contact us immediately at info@dritiva.com and we will take steps to delete such data.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Post a notice on our homepage for at least 30 days.
  • Where required by law (e.g., for consent-based processing), seek fresh consent from affected individuals.

We encourage you to review this Policy periodically. Continued use of our website or services after the effective date of any update constitutes acceptance of the revised Policy.

15. Contact & Grievance Officer

For any privacy-related queries, requests, or complaints, please contact:

Grievance Officer / Data Protection Contact
Dritiva
Email: info@dritiva.com
Phone: +91 7506221809
Response time: Within 30 days of receipt

In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Digital Personal Data Protection Act, 2023, Dritiva designates a Grievance Officer to handle data-related complaints from Indian residents. All formal complaints should be submitted in writing to the email address above.


© 2025 Dritiva. All rights reserved. · info@dritiva.com · +91 7506221809