Privacy Policy

Last updated: February 2026

1. Overview

LatLng Private Limited ("Carelens", "we", "us", or "our"), a company incorporated under the Companies Act, 2013, with its registered office in Bangalore, Karnataka, India, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, disclose, and safeguard your information in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and other applicable Indian laws.

2. Data fiduciary information

Under the DPDPA, 2023, LatLng Private Limited acts as the "Data Fiduciary" responsible for processing your personal data. For any queries regarding this Privacy Policy or your personal data, you may contact us at contact@carelens.in.

3. Information we collect

We collect the following categories of personal data and sensitive personal data (as defined under the IT Rules, 2011):

  • Account information: Name, email address, phone number, profile photo (via Google Sign-In or OTP verification)
  • Health records: Medical reports, lab results, prescriptions, discharge summaries, and other health documents that you scan, upload, or enter manually. This constitutes "sensitive personal data" under the IT Rules, 2011.
  • Vital readings: Blood pressure, blood sugar, weight, heart rate, temperature, and SpO2 readings
  • Medication data: Prescription details, dosages, schedules, and medication history
  • Family member profiles: Names, relationships, date of birth, and health records of family members you add
  • Device and usage data: Device type, operating system, app version, and usage analytics (anonymised)

4. Lawful basis and purpose of processing

Under the DPDPA, 2023, we process your personal data based on your explicit, informed consent for the following purposes:

  • Providing health records management, storage, and organisation services
  • AI-powered extraction, analysis, and summarisation of health data from uploaded records
  • Generating health insights, vital trends, and medication interaction information
  • Enabling time-limited, consent-based sharing with healthcare professionals via secure links
  • Sending notifications about medications, appointments, and health reminders
  • Improving our services through anonymised, aggregated analytics (no individual identification possible)

We do not process your data for any purpose beyond what is stated above. Your data is never used for advertising, profiling, behavioural tracking, or sale to third parties.

5. Consent

In accordance with Section 6 of the DPDPA, 2023, we obtain your free, specific, informed, unconditional, and unambiguous consent before processing your personal data. Consent is obtained at the time of account creation and before enabling specific features. You may withdraw consent at any time by deleting your account or adjusting settings in the app. Withdrawal of consent will not affect the lawfulness of processing done prior to withdrawal. Upon withdrawal, we will cease processing your data and delete it within 30 days, subject to legal retention requirements.

6. Children's data

In compliance with Section 9 of the DPDPA, 2023, we do not process personal data of children (below 18 years) without verifiable consent of a parent or lawful guardian. The family feature allows parents and guardians to manage health records for their children. We do not engage in tracking, behavioural monitoring, or targeted advertising directed at children. Children cannot create independent accounts.

7. Data security

In accordance with Section 8(4) of the DPDPA and the IT (Reasonable Security Practices) Rules, 2011, we implement comprehensive security measures including:

  • Encryption: AES-256 encryption at rest and TLS 1.3 in transit for all health data
  • Access control: Role-based access control, multi-factor authentication for internal systems, and principle of least privilege
  • Infrastructure: Hosted on ISO 27001 and SOC 2 Type II certified cloud infrastructure within India
  • Share links: Cryptographically signed, time-limited tokens that expire after 15 minutes
  • Monitoring: 24/7 security monitoring, automated vulnerability scanning, and annual penetration testing

8. Data sharing and disclosure

We do not sell, rent, or trade your personal or health information. Your data is shared only in the following circumstances:

  • With your consent: When you explicitly generate a share link for a healthcare professional or grant access to a doctor
  • Service providers: With trusted third-party service providers (cloud infrastructure, AI processing) who are bound by contractual obligations to protect your data and process it only as instructed by us
  • Legal requirements: When required by law, court order, or government authority under applicable Indian law, including requests from CERT-In, law enforcement, or judicial authorities
  • Safety: To prevent fraud, protect user safety, or address security vulnerabilities

9. Data localisation

All personal and health data is stored on servers located within India (Mumbai and Hyderabad regions). No personal health information is transferred outside Indian borders. Database backups are encrypted and stored in geographically separate Indian data centres. We comply with RBI data localisation norms for any payment data processed.

10. Data retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Upon account deletion, all health records and personal data are permanently erased within 30 days. System logs are retained for 180 days as required by CERT-In Directions, 2022. Anonymised, aggregated data that cannot identify individuals may be retained for service improvement purposes.

11. AI and automated processing

Carelens uses AI to process your health records. You should be aware that:

  • AI processing is performed solely to serve your queries and extract data from your uploaded records
  • Your personal health data is not used to train AI models
  • AI processing happens on secure, India-based infrastructure
  • AI-generated insights are informational and clearly labelled; they do not constitute medical advice
  • You can disable AI features at any time while continuing to use Carelens as a record manager

12. Your rights as a Data Principal

Under the DPDPA, 2023, you have the following rights:

  • Right to access: You can access all your health data stored on Carelens at any time through the app
  • Right to correction: You can update or correct your personal data and health records at any time
  • Right to erasure: You can delete your account and all associated data. Erasure is completed within 30 days, subject to legal retention obligations
  • Right to data portability: You can export your data in a structured, machine-readable format at any time
  • Right to withdraw consent: You can withdraw consent for data processing at any time by adjusting settings or deleting your account
  • Right to grievance redressal: You can raise grievances about data processing with our Grievance Officer, and if unresolved, with the Data Protection Board of India
  • Right to nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity, as provided under the DPDPA

To exercise any of these rights, contact us at contact@carelens.in. Requests are processed within 72 hours.

13. Breach notification

In the event of a personal data breach, we will notify the Data Protection Board of India as required under the DPDPA, 2023, and report to CERT-In within 6 hours as required under the CERT-In Directions, 2022. Affected users will be notified within 72 hours of a confirmed breach, with details about the nature of the breach, data affected, and remedial measures taken.

14. Grievance redressal

In compliance with the IT (Intermediary Guidelines) Rules, 2021, the Consumer Protection (E-Commerce) Rules, 2020, and the DPDPA, 2023, we have appointed a Grievance Officer. All grievances are acknowledged within 48 hours and resolved within 15 days (or 30 days for complex matters). If you are not satisfied with the resolution, you may approach the Data Protection Board of India under the DPDPA, or the appropriate Consumer Disputes Redressal Commission under the Consumer Protection Act, 2019. Contact our Grievance Officer at contact@carelens.in.

15. Cookies and tracking

Our website uses essential cookies required for authentication and platform functionality. We do not use third-party advertising cookies or behavioural tracking. Analytics cookies, if used, are anonymised and do not identify individual users. You can manage cookie preferences through your browser settings.

16. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified to you via email or in-app notification at least 15 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of Carelens after the effective date constitutes acceptance of the updated policy.

17. Contact us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at contact@carelens.in.

LatLng Private Limited
Bangalore, Karnataka, India