Effective 01 May 2026
LabOS (“LabOS”, “we”) operates a Laboratory Information Management System for Indian diagnostic labs. This Privacy Policy describes how we collect, use, and protect personal and health information in accordance with India's Digital Personal Data Protection Act, 2023 (“DPDP”) and ISO 15189 / NABL norms.
Each lab using LabOS is the Data Fiduciary for the patient data it processes. LabOS acts as the Data Processor on the lab's behalf and processes data only on documented instructions from the lab.
For owner / staff signup we rely on consent (DPDP §6). For patient PHI processed inside a lab tenant we rely on the legitimate interest of providing healthcare services (DPDP §7) plus the consent the lab captures from the patient at the point of care. Each patient record carries a dpdp_consent flag and timestamp.
__Host- prefixed with HttpOnly,Secure, and SameSite=strict.Patient records are retained for as long as the lab tenant requires, subject to applicable medical-record retention laws. Lab reports stored in R2 are auto-purged after their per-test retention window via a daily sweep. On lab account closure, all tenant data is deleted within 30 days unless the lab requests an export first.
Data Principals (patients, staff) may request access, correction, erasure, and grievance redressal. Patients should contact their lab directly; lab owners can email privacy@med-os.in.
We will notify lab owners by email of material changes to this policy at least 30 days before they take effect.
Grievance Officer: privacy@med-os.in
Postal correspondence: MedOS, Mumbai, India.