Privacy Policy
Kendall Square Technology and Services Private Limited
Last updated: February 2026
1. INTRODUCTION
1.1 This Privacy Policy ("Policy") is issued by Kendall Square Technology and Services Private Limited ("Kiora", "we", "our", or "us") in accordance with applicable data protection and privacy laws in India ("Applicable Laws"). This Policy applies to all individuals whose Personal Data is collected, received, generated, or otherwise processed by Kiora, including users, visitors, and viewers of the Digital Platform. This Policy describes the types of personal information we may collect from you or that you may provide through Digital Platforms and other interactions including when availing services ("Services").
1.2 Our aim is to detail how we process Personal Data (as defined below) of individuals in India through Digital Platform and other interactions including: (i) Kiora website available at www.kiora.care (the "Website"); (ii) through social media platforms and (iii) other communication channels such as WhatsApp, emails, surveys, mobile or telephone.
1.3 By accessing our website, mobile application, WhatsApp communication channel, customer-support services, home-visit interface, or by otherwise interacting with any of our digital or offline services, you acknowledge that you have read and understood this Policy. Your Personal Data will be processed only after you provide Consent (as defined below) in accordance with this Policy. This Policy applies within the territory of India and to all individuals whose Personal Information is processed by Kiora.
1.4 This Policy shall be read in conjunction with the Terms of Use applicable to Digital Platform, where such Terms of Use are relevant and agreed by you while registering on the Kiora digital platform(s) for availing the Services. In the event of any inconsistency, this Privacy Policy shall prevail with respect to matters relating to the processing of Personal Data.
2. DEFINITIONS
For the purposes of interpreting this Policy, the following terms shall have the meanings assigned to them below. Any terms that are not defined expressly herein shall be interpreted in accordance with the Digital Personal Data Protection Act, 2023 and The Digital Personal Data Protection Rules, 2025 and, where relevant, with other applicable laws and regulations.
2.1. "AI-Generated Output" refers to analytical summaries, trend evaluations, risk indicators, or interpretive suggestions generated by authorised artificial intelligence systems. These outputs are assistive and subject to clinician review and do not constitute medical advice, diagnosis, or treatment decisions.
2.2. "Child" refers to an individual who has not completed eighteen years of age.
2.3. "Consent" refers to a freely given, specific, informed, unconditional, and unambiguous indication of the Data Principal's agreement to the processing of their Personal Data provided through a clear and explicit affirmative action.
2.4. "Data Fiduciary" refers to Kiora, which determines the purposes and means of processing the Personal Data.
2.5. "Data Principal" refers to the individual to whom the Personal Data relates and includes: (a) The parents or lawful guardians of Child (an individual who has not completed eighteen years of age); and (b) The lawful guardians of persons with disabilities who are unable to provide consent independently. For simplicity and readability, the terms "you," "your," and "Data Principal" refer to the Data Principal as defined above.
2.6. "Data Processor" refers to any person that processes Personal Data on behalf of Kiora in accordance with Kiora's instructions and includes cloud service providers, diagnostic partners, payment gateways, nursing agencies, analytics vendors, IT infrastructure providers, and other technical service providers engaged to support Kiora's operations and Services.
2.7. "Digital Platform" refers to all Kiora's digital systems, including the mobile application, website, backend cloud services, support channels, and third-party integrations.
2.8. "Grievance Officer" refers to the individual designated by Kiora to address grievances, rights requests, corrections, erasure requests, and consent withdrawal.
2.9. "Personal Data" means any data in digital form about an identifiable individual, whether directly or indirectly identifiable. This includes any information that Kiora collects, generates, receives, or processes in connection with its operations, Digital Platform, Services, or other interactions that relates to an identifiable Data Principal. For the purposes of this Policy, the categories of Personal Data collected by Kiora are described in Section 3 of this Policy.
2.10. "Processing" means any wholly or partly automated operation performed on Personal Data. Processing includes activities such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, aligning, combining, indexing, sharing, distributing, disclosing, and erasing or destroying Personal Data.
3. CATEGORIES OF PERSONAL DATA COLLECTED
3.1. General Notice
Kiora provides clear notice of the categories of Personal Data it collects and processes in accordance with the Applicable Law. The specific categories collected depend on the nature of your interaction with Digital Platform, operations, or other interactions (including as a patient, caregiver, nominee, or healthcare professional).
3.2. Categories of Personal Data
The following categories of personal data may be collected, generated, or received by Digital Platform, operations, services, or other interactions.
- (a) Name, gender, date of birth, address, mobile number, email address, emergency contacts, caregiver details, and guardian information.
- (b) Medical and health-related information of the Data Principal shared with Kiora, including medical records such as diagnosis, prescription, medical tests, bills, etc.
- (c) Technical and Communication Information related to the following:
  - (i) IP addresses, device identifiers, application logs, location metadata, browser information, timestamps, cookies, analytics data, and performance logs.
  - (ii) Data collected through WhatsApp, SMS, email, telephonic interactions, teleconsultation platforms, and customer-support systems.
  - (iii) Financial and transactional Information related to payment timestamps, subscription details, transaction identifiers, and other transaction metadata.
  - (iv) Data shared by attending doctors, caregivers, diagnostic partners, nursing organisations, or hospitals.
  - (v) CCTV footage from visits to Kiora premises and photographs or video recordings captured during Kiora-organised events or activities.
3.3. When a healthcare professional engages with Kiora, we may also collect:
- (a) Professional credentials, educational background, affiliations, work history, and information provided through résumés or CVs.
- (b) Details of participation in Kiora programs, product-related activities, or professional engagements.
- (c) Information about professional interactions with Kiora, prescribing behaviour relating to Kiora products, and the agreements or financial interactions executed with Kiora.
- (d) Any information voluntarily shared by the Healthcare Professional about themselves or their household.
- (e) Information collected during Kiora-hosted events, trainings, or activities attended by the Healthcare Professional.
- (f) Publicly available information relevant to professional practice, such as licensing details, disciplinary records, prior litigation, regulatory proceedings, and due diligence-related data.
3.4. Where Kiora collects any sensitive information (such as health data, payment information, biometrics, etc.), we will do so only with the Data Principal's consent and in accordance with Applicable Laws.
3.5. The information may be collected using various technologies, such as cookies and Internet tags.
4. PURPOSE OF PROCESSING PERSONAL DATA
4.1. Kiora will use Personal Data to provide Services, where applicable, respond to queries, provide customer service, for audits, trainings, quality improvements, and to fulfil legal and regulatory obligations, ensure security and to communicate with the Data Principal.
4.2. Where Data Principal avails Services, Kiora will process Personal Data to deliver the Services. This includes recording and analysing medical conditions, coordinating nurse visits, enabling nutritional support, and generating clinical summaries. Kiora processes Personal Data to coordinate diagnostic investigations, schedule laboratory tests, receive diagnostic results, evaluate reports, and maintain a longitudinal clinical record for continuity of care.
4.3. AI-assisted systems will be used to generate analytical insights, risk summaries, trend evaluations, and pattern recognition, strictly as assistive clinical tools. All such processing will be done only with explicit consent, where such consent is required under Applicable Law and outputs will be reviewed by qualified clinicians to ensure alignment with the law.
4.4. Personal Data will be processed to manage platform operations, authenticate user accounts, schedule appointments, generate reminders, and support service delivery.
4.5. Kiora may aggregate and/or de-identify data about customers and site visitors and use it to conduct research, data analysis, and to help us develop new products and enhance services at Kiora.
4.6. Kiora will also identify usage trends, recognize new or past visitors and their preferences to determine the effectiveness of its promotional campaigns, personalize content and offer Data Principal the opportunity to receive notifications and participate in surveys about Kiora's products or services, our special promotions, unless Kiora receives written notice of Data Principal's intention to opt out of receiving all Kiora's direct marketing communications. To opt out, review Section 6 below.
4.7. Kiora may also process the Data Principal's health and medical information to manage, conduct research, provide patient support programs, distribute and market its products, manage compassionate use and expanded access programs and track adverse event reports subject to applicable consent requirements under Applicable Laws.
5. SHARING OF PERSONAL INFORMATION
5.1. Authorised Disclosures: Kiora may disclose or provide access to the Personal Data of Data Principal strictly on a need-to-know basis to its authorised Service Providers, contractors, and third parties ("Service Provider") who are engaged to perform functions necessary for the delivery, operation, Digital Platform, Services, or other lawful business purposes described in this Policy. Such Service Providers include, without limitation:
- (a) empanelled doctors, nurses, nutritionists, and care-management personnel (whether engaged directly by Kiora or through third-party nursing organisations) for the purposes of monitoring, teleconsultations, home visits, nutritional assessment, and other clinically relevant activities.
- (b) technology and infrastructure partners, including cloud hosting services, WhatsApp and telecommunications platforms, analytics and support vendors, device integration partners, and IT security providers.
- (c) payment processors and financial transaction partners for payment processing and subscription management.
5.2. Service Integrations: For certain services, Personal Data may be shared with laboratory partners, diagnostic networks, hospitals, or insurance companies solely for enabling diagnostic assessments, integrating health records, facilitating claims, or providing service-specific functionalities.
5.3. Contractual Safeguards: Every Service Provider receiving Personal Data shall be bound by a written contract or enforceable legal obligation requiring such Service Provider to: (a) maintain the confidentiality of Personal Data; (b) implement administrative, technical, and organisational safeguards consistent with Applicable Law; (c) process Personal Data exclusively on Kiora's documented instructions and for no other purpose; (d) refrain from retaining, using, disclosing, or transferring Personal Data except to the extent necessary to perform contracted services or purposes described in this Policy; and (e) securely delete or return all Personal Data to Kiora upon termination or expiry of the engagement.
5.4. Prohibition on Sale: Kiora does not sell, rent, license, or otherwise commercially monetise Personal Data. Personal Data may, however, be transferred in the context of a merger, acquisition, investment transaction, corporate restructuring, or sale of Kiora's assets or service lines, provided that the recipient entity assumes the same data-protection obligations set out in this Privacy Policy and processes the Personal Data exclusively for lawful and legitimate purposes consistent with those for which it was initially collected.
5.5. Mandatory Legal Disclosures: Kiora may disclose Personal Data, where required, to comply with Applicable Law, including lawful requests from governmental authorities, law enforcement agencies, regulatory bodies, courts, or tribunal orders. Disclosures may also be made to external professional advisers, such as auditors or legal counsel, to the extent strictly necessary for compliance, dispute resolution, regulatory filings, or legal claims.
5.6. No Unauthorised Sharing: Except as expressly provided in this Clause 5, Kiora shall not disclose Personal Data to any third party without obtaining the specific and informed consent of the Data Principal, unless such sharing is otherwise permitted under Applicable Law.
5.7 If Data Principal chooses not to share their Personal Data with us, it will affect or limit Kiora's ability to respond to queries, engage with them, or provide the requested products, services, or functionalities, as applicable.
6. CONSENT MECHANISM
6.1. Kiora obtains consent through explicit and verifiable affirmative actions, such as OTP authentication, digital checkbox confirmations, or digitally recorded acknowledgements. Consent is specific, informed, and freely revocable in accordance with the law.
6.2. Upon withdrawal of consent, Kiora shall cease further processing of the relevant Personal Data, except to the limited extent that retention or continued processing is required or permitted under Applicable Law.
7. PERSONAL DATA OF CHILD AND PERSONS WITH DISABILITIES
7.1 Kiora will need to process the Personal Data of a Child and of persons with disabilities who are unable to provide valid Consent independently. In such cases, the Consent provided by the parent or lawful guardian, as the case may be, will be treated as the consent of the Data Principal.
7.2 Parents or lawful guardians may review, correct, or request deletion of the Personal Data of the Child or the person with a disability by contacting us through the grievance redressal mechanism provided in this Policy.
7.3 Where a Child attains the age of eighteen years, or a person with a disability becomes capable of providing valid Consent, Kiora may require fresh Consent from that individual for the continued processing of their Personal Data.
8. CROSS-BORDER DATA TRANSFERS
8.1. The Personal Data provided to Kiora in connection with Digital Platform, operations, Services, or other interactions may be transferred by Kiora or processed, transferred, stored or disclosed to recipients in a jurisdiction outside India. Such transfers are undertaken for the purpose described under Section 4 of this Policy.
8.2. The Personal Data may be transferred to any jurisdiction worldwide that may not provide the same level of data protection as in India. Where such a transfer happens, Kiora will employ contractual or other reasonable means to ensure appropriate safeguards are in place to protect the data in accordance with our policies and applicable privacy and data protection laws and related cross-border requirements.
8.3. Where Personal Data is processed on cloud infrastructure located outside India, Kiora will ensure compliance with Applicable Laws.
9. DATA RETENTION
Kiora shall retain Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, including for providing Services, responding to enquiries, complying with legal and regulatory obligations, tax purposes, resolving disputes, enforcing agreements, or for other lawful purposes described in this Policy. Personal Data shall be deleted or anonymised once such purposes are fulfilled, unless retention is required or permitted under Applicable Law.
10. RIGHTS OF DATA PRINCIPALS
10.1. Subject to the Applicable Laws, the Data Principal has the right to access the Personal Data processed by Kiora, request correction of inaccurate or incomplete Personal Data, withdraw consent where processing is based on consent, and request deletion of Personal Data that is no longer required for the purposes for which it was collected or where continued processing is unlawful. The Data Principal also has the right to seek grievance redressal from Kiora's designated grievance officer or Data Protection Officer. The Data Principal also has the right to nominate another individual to exercise their rights under this Policy in accordance with Applicable Laws.
10.2. Kiora may verify the Data Principal's identity before responding to any request relating to the Personal Data, to ensure that such Personal Data is disclosed only to the individual to whom it pertains or to an authorised representative. Where a request is submitted through an authorised representative, Kiora may require documentation establishing the representative's authority.
10.3. Kiora may decline a Data Principal's request for access, correction, erasure, or any other request made under this Privacy Policy, for any one of the following reasons: if Kiora is unable to reasonably verify the identity of the requester, or if the request falls within an exception permitted under Applicable Laws, or if Kiora is required to retain or continue processing the Personal Data in order to comply with legal or regulatory obligations, or for purposes such as dispute resolution or the establishment, exercise, or defence of legal claims. Where a request is refused, Kiora will make reasonable efforts to inform the Data Principal of the same.
10.4. The Data Principal may submit requests relating to their privacy rights through the channels specified in Section 14 of this Privacy Policy. Kiora may retain specific Personal Data submitted in connection with transactions or record-keeping requirements, even after a deletion request, where permitted by Applicable Law.
11. THIRD PARTY LINKS
Kiora's digital properties may contain links to websites, applications, or services operated by third parties. Kiora does not control or assume responsibility for the privacy practices of any third parties. Individuals are advised to review the privacy policies of any third-party services before agreeing to submit Personal Data.
12. DATA BREACH MANAGEMENT
In the event of a Personal Data breach that is likely to cause immense harm to Data Principals, Kiora will notify the concerned Data Principals and the Data Protection Board of India. Kiora will take appropriate remedial and corrective measures to contain, investigate, and mitigate such breach.
13. COOKIES AND TRACKING TECHNOLOGIES
13.1 When You use the Digital Platform, our servers (which may be hosted by a third-party service provider) may collect information indirectly and automatically about your activities on the Digital Platform, for instance by way of cookies, web beacons or web analytics. This information is maintained distinctly and is not ordinarily used by Kiora to directly identify you except where such information is voluntarily provided by You through the Digital Platform and processed in accordance with this Policy.
13.2 In some cases, we collect this information through cookies, pixel tags, and similar technologies that create and maintain unique identifiers for functional, analytical, and security-related purposes, in accordance with this Policy. Web beacons are graphic image files embedded in a web page that provide information from the user's browser. This allows us to monitor and ascertain the number of users using the Digital Platform and, where applicable, the effectiveness of Digital Platform features and content.
13.3 Web analytics are services provided by third parties in connection with a website. We may use these services to identify usability issues and improve our Digital Platform Experience. These services process technical and usage information in an aggregated manner and are not used by Kiora to track individual browsing behaviour across unrelated websites or applications.
13.4 We will store small text files called cookies in your device to enable certain features of the Digital Platform. These are used to store user preferences experience. You have the option to change your browser or device settings to accept or decline the cookies. Where applicable, users may also manage cookie preferences through controls made available on the Digital Platform. Please note that disabling certain cookies is likely to affect the functionality of the Digital Platform. Any information collected through cookies is used for purposes consistent with this Policy.
13.5 When you provide your mobile phone number and/or e-mail address, Kiora or its authorised service providers may contact you in connection with your use of the Services, Digital Platform, or other lawful interactions with Kiora. Such Service Providers are contractually required to maintain confidentiality and to use the Personal Information only for the purpose it is disclosed. The use of cookies or similar technologies by these third-party service providers is governed by their respective privacy policies and is not covered by this Policy.
14. CHANGES TO THE POLICY
Kiora reserves the right to amend this Privacy Policy at any time. Changes will be posted on our website, including the update date. We may also communicate with Data Principals through other channels to inform them about any changes in this Policy.
15. GRIEVANCE OFFICER
Data Principals may contact us for any grievances or privacy-related requests at care@kiora.care.