Privacy Policy
Last updated: March 2026 · Effective: March 2026
What this means in plain language: Raydiac collects your professional information to verify your identity and run the platform. We never sell your data. Patient data uploaded to the platform is anonymised before it is viewable by anyone. We store only what we need and delete what we don't.
1. Who We Are
Raydiac is operated by [Company Legal Name], a company incorporated in India under the Companies Act 2013, with its registered office at [Registered Address], India. References to “Raydiac”, “we”, “us”, or “our” in this policy refer to this entity.
We operate the platform accessible at raydiac.in and through our mobile application (collectively, the “Platform”). The Platform is a verified professional network and clinical marketplace for radiologists and diagnostic centers in India.
For questions about this Privacy Policy, contact us at: [email protected]
2. Scope of This Policy
This Privacy Policy applies to:
- Radiologists who register and use the Raydiac platform
- Diagnostic centers and hospitals that register and use the Raydiac platform
- Visitors to our website at raydiac.in
This Policy does not apply to patient data. Patient data uploaded to the Platform is automatically anonymised before it is viewable by any user. See Section 8 for our patient data handling practices.
3. Information We Collect
3.1 Radiologist accounts
When you register as a radiologist, we collect:
- Full name and email address
- Mobile phone number
- NMC registration number
- Medical qualification (MD / DNB / DMRD / Fellowship)
- Subspecialties and years of experience
- Institution name, city, and state
- Degree certificate and registration documents (for manual verification cases)
- Profile photograph (optional)
- UPI ID (for marketplace payment disbursements)
- FCM device tokens (for push notifications)
3.2 Diagnostic center accounts
When you register as a diagnostic center, we collect:
- Center name and contact person details
- Business email and mobile number
- GST registration number
- AERB license number and relevant modality certifications
- Business address
- Verification documents
3.3 Platform usage data
When you use the Platform, we collect:
- Cases you post, respond to, or interact with
- Quick Consult threads you participate in
- Report templates you use or create
- Teaching File entries and collections
- Marketplace case activity and transaction history
- Device information, IP address, and browser type
- Log data including access times and pages visited
3.4 Payment data
For marketplace transactions, we collect transaction references and payment confirmation data. We do not store full card numbers or UPI credentials. Payments are processed through our payment gateway partner — their privacy policy applies to payment processing.
3.5 NMC verification data
We query the NMC Indian Medical Register API to verify your registration number. We store your IMR registration data in a separate internal directory linked by reference to your account. Aadhaar numbers returned by the NMC API are never stored anywhere on our systems.
4. How We Use Your Information
We use the information we collect to:
- Verify your identity and professional credentials before granting platform access
- Operate the community feed, Quick Consult, Teaching File, and marketplace features
- Match marketplace cases to appropriately qualified radiologists
- Process payments and generate GST-compliant invoices
- Send push notifications for Quick Consults, case updates, and marketplace activity
- Send the morning case rounds notification (if enabled in your preferences)
- Respond to your support requests
- Improve the Platform based on usage patterns
- Comply with our legal obligations under Indian law
We do not use your information for advertising. We do not sell your data to any third party. We do not allow pharmaceutical companies, medical device companies, or any advertiser to target users through the Platform.
5. Legal Basis for Processing (DPDP Act 2023)
Under the Digital Personal Data Protection Act 2023, we process your personal data on the following bases:
- Consent: You provide consent at registration by accepting these terms.
- Contractual necessity: Processing is necessary to provide the services you have signed up for.
- Legal obligation: Processing necessary to comply with applicable Indian law, including tax, regulatory, and professional standards obligations.
- Legitimate interests: Processing necessary for platform security, fraud prevention, and product improvement, where these interests do not override your rights.
6. Information Sharing
We share your information only in the following circumstances:
With other platform users: Your verified profile information (name, qualification, subspecialty, institution) is visible to other verified users on the platform. This is necessary for the platform to function — a radiologist posting a Quick Consult needs to know who is responding.
With payment processors: Transaction data is shared with our payment gateway partner to process marketplace payments. This sharing is governed by a data processing agreement.
With verification services: Your NMC registration number is shared with the NMC IMR API for verification purposes only.
For legal compliance: We may disclose your information to government authorities or courts when required to do so by applicable Indian law, including in response to court orders or regulatory investigations.
Business transfers: If Raydiac is acquired or merges with another entity, your data may be transferred as part of that transaction. We will notify you before this occurs.
We do not share your data with any other third party without your explicit consent.
7. Data Retention
| Data type | Retention period |
|---|---|
| Account data (radiologist / center) | Duration of account + 3 years after deletion |
| Case data (community feed) | Until deleted by the posting user |
| Quick Consult records | 2 years from consultation date |
| Marketplace case data | 90 days after case completion, then deleted |
| Marketplace reports (PDF) | 90 days after case completion, then deleted |
| Transaction records | 7 years (GST compliance requirement) |
| Teaching File entries | Until deleted by the user |
| Verification documents | Duration of account + 1 year |
| Log and device data | 90 days |
Both parties are notified 7 days before marketplace report deletion and may download their copies.
8. Patient Data — Special Handling
Raydiac is a doctor-to-doctor professional platform. Patients are never users of the Platform. However, DICOM imaging studies containing patient data are uploaded to facilitate clinical consultation.
Automatic anonymisation: Every DICOM file uploaded to the Platform is automatically anonymised server-side using pydicom before it is stored or viewable by any user. The following DICOM tags are removed: Patient Name (0010,0010), Patient ID (0010,0020), Patient Birth Date (0010,0030), Patient Address (0010,1040), Patient Telephone (0010,2154), Institution Name (0008,0080), Institution Address (0008,0081), Operator Name (0008,1070), Referring Physician Name (0008,0090), Study ID (0020,0010), and Accession Number (0008,0050). Patient Age (0010,1010) and Patient Sex (0010,0040) are retained for clinical relevance.
No patient-identifiable data is stored on the Platform at any point. This is not configurable or optional — it is enforced at the point of upload, every time.
Uploading users' responsibility: Users are responsible for ensuring they have appropriate consent or legal authority to upload patient imaging for consultation purposes under applicable Indian law and their institutional policies.
9. Security
We implement the following security measures:
- All data transmitted between clients and our servers is encrypted using TLS 1.2 or higher
- Passwords are stored as bcrypt hashes — never in plain text
- Refresh tokens are stored as bcrypt hashes — never raw
- Access tokens are short-lived JWTs (15-minute expiry)
- DICOM files are stored on access-controlled servers and deleted from temporary storage after processing
- Administrative access to production systems is restricted and logged
- Regular security reviews of our codebase and infrastructure
No security system is impenetrable. In the event of a data breach that affects your personal data, we will notify you in accordance with our obligations under the DPDP Act 2023.
10. Your Rights
Under the Digital Personal Data Protection Act 2023, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your personal data, subject to our legal retention obligations
- Grievance redressal: Lodge a complaint with our Data Protection Officer
To exercise these rights, contact: [email protected]
We will respond to verified requests within 30 days.
Data Protection Officer:
[Name TBD]
[Address]
[email protected]
11. Cookies
See our separate Cookie Policy at raydiac.in/cookies for details of the cookies we use.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a notice on the Platform at least 14 days before the change takes effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.
13. Contact
For privacy-related questions or to exercise your rights:
Email: [email protected]
Address: [Registered Office Address], India
Grievance Officer: [Name], contact at [email protected] (response within 30 days)