Short version. The NirogiAI mobile app collects the personal, identity, health, and usage data you provide so we can route you to medical officers, specialists, and diagnostic labs, and so we can pay for the care your sponsor funds.
We share this data with the healthcare professionals using NirogiAI to treat you, with our cloud-infrastructure providers (Microsoft Azure, Google Firebase), and with our AI-triage provider (Anthropic). We do not sell your data. You can request access, correction, or deletion of your data at any time.
1. Who we are
The NirogiAI mobile application is operated by NirogiAI (Pvt) Ltd, a private limited company registered in Sri Lanka with its registered office at:
4/35 Talakotuwa Gardens, Colombo 5, Sri Lanka
In this policy, "NirogiAI", "we", "us", or "our" refers to NirogiAI (Pvt) Ltd. "The app" refers to the NirogiAI Android (and future iOS) mobile application available through the Google Play Store. "You" or "your" refers to the patient using the app.
2. Scope
This policy covers the data the mobile app collects directly from you, the data the app sends to our backend systems on your behalf, and the data we hold about you in those backend systems.
It does not cover the staff-facing web portals (Medical Officer, Specialist, Diagnostic, Admin, Financial, Verification & Cash, Customer Service) used by healthcare professionals to treat patients on NirogiAI. Those portals have a separate operational data-handling story documented internally and are not directly used by patients.
3. What we collect
3.1 Account & identity information
When you create an account and complete the registration gate, the app asks you to provide:
- Your full name, date of birth, gender, and home address.
- Your National Identity Card (NIC) number.
- An email address (we send you a one-time verification code at this address; we do not share it with third parties for marketing).
- A phone number (optional, for direct contact by our customer service team if you raise a support ticket).
- A username and a password you choose. We store only a salted cryptographic hash of the password — never the plaintext.
- A self-portrait photograph and a photograph of your NIC. These are used once for face-similarity verification against your NIC photo and are kept under controlled access thereafter.
3.2 Health information
When you use NirogiAI for a health concern, the app collects:
- Your chief complaint and the symptom-narrowing answers you provide.
- Any vital-sign measurements you enter (height, weight, blood pressure, etc.).
- Pre-existing conditions, allergies, current medications, and any other clinical history you provide.
- The AI-generated triage hypotheses, diagnostic-test recommendations, and treatment recommendations produced for you, along with any decisions a medical officer or specialist makes about your case.
- Diagnostic test orders signed by treating clinicians, and diagnostic test results returned by partner laboratories.
- Notes and follow-up actions captured by your treating clinicians.
3.3 Financial information
- Voucher codes you redeem to top up your sponsored wallet.
- Wallet balance and the line-item ledger of debits made by clinicians for medical services they provided to you.
- Refund threads if you contest a charge.
The app does not hold or transmit credit-card numbers, bank account numbers, or other payment credentials. Sponsor top-ups happen outside the patient app.
3.4 Device & usage information
- A Firebase Cloud Messaging (FCM) registration token, so the app can receive push notifications.
- Your preferred app language (English, Sinhala, or Tamil) and notification preferences.
- App version, Android version, and crash reports if the app encounters an error (collected via standard Android system mechanisms).
- Authentication audit data: login timestamps, failed-login counters, and the device that initiated each session.
4. How we use this data
- To operate the service. We use the data to verify your identity, accept your symptoms, run them through our AI-triage pipeline, route them to a medical officer for review, generate diagnostic orders, debit your wallet for services rendered, and notify you of next steps.
- To pay for your care. We use the wallet ledger to settle balances with diagnostic labs, specialists, and partner hospitals on your behalf.
- To verify identity. The selfie and NIC photo are compared by an automated face-similarity service so we can be confident the right person is receiving advice on the right account.
- To communicate. We use your email address for one-time verification codes and your FCM token for push notifications about appointment reminders, test-results-ready alerts, and customer-service responses.
- To improve the service. Aggregated, anonymised usage data informs which features we build next. We do not use your individual health data for any purpose other than your own care.
- To meet legal obligations. We retain certain records as required by Sri Lankan healthcare and consumer-protection law.
5. Who we share it with
5.1 Healthcare professionals treating you
The whole purpose of NirogiAI is to connect you to medical officers, specialists, diagnostic operators, and verification-and-cash operators. These professionals see the health and identity data necessary to treat you. They are bound by clinical confidentiality obligations and access only the data relevant to their role.
5.2 Infrastructure providers
- Microsoft Azure hosts the application backend, including Container Apps, Cosmos databases, the Azure Health Data Services FHIR resource server that holds your structured clinical record, and Key Vault for cryptographic secrets. Data is stored in Microsoft's centralindia Azure region. Microsoft is bound by data-processing agreements covering Azure's healthcare-grade hosting.
- Google Firebase Cloud Messaging delivers push notifications to your device. Firebase receives only the opaque FCM token and the notification payload (title and body of the push); it does not receive your health record or identity data.
- Azure Communication Services sends the verification-code emails and (in the future) hosts video calls between you and specialists.
5.3 AI processing
NirogiAI's symptom triage uses large-language models from Anthropic, accessed directly through Anthropic's HIPAA-eligible API endpoint. When the app runs symptom triage, we send Anthropic a context bundle containing your symptoms, your relevant medical history, and the questions a medical officer would normally consider. Anthropic processes this information to return triage hypotheses; per Anthropic's data-handling commitments, the data is not used to train their models.
You can opt out of having your data processed by AI at any time using the AI opt-out toggle in your Profile tab. When AI opt-out is enabled, your case is routed directly to a human medical officer without going through the AI triage step. This may delay how quickly you receive a response.
5.4 Diagnostic labs
When a clinician orders diagnostic tests on your behalf, we may transmit the order details (your name, NIC, test names, the ordering clinician's identity, and a signed verification token) to partner laboratories. The laboratory returns the results to NirogiAI on completion. We are progressively integrating with laboratories' REST APIs; today, most orders flow through a walk-in paper PDF process where you carry the printed order to the lab in person.
5.5 Sponsors
If a sponsor (typically an overseas family member of yours) funds the wallet you spend on care, the sponsor sees that their funds have been credited to your wallet and may see high-level summaries of how much has been spent — but not your detailed clinical record.
5.6 Legal disclosures
We may disclose your data to a Sri Lankan court, regulator, or law enforcement authority if compelled to do so by valid legal process. We will notify you of any such disclosure unless prohibited by law.
5.7 We do not sell your data
We do not sell, rent, or trade your personal or health data to advertisers, data brokers, insurers, or any other third party for marketing or profiling purposes.
6. Where we store it
Primary data residency is Microsoft Azure's centralindia region (datacenters located in Pune, India). For the time being, this is the geographically closest low-latency region that offers Azure Health Data Services and the full set of services NirogiAI relies on. We are evaluating a future expansion to a Sri Lanka-resident region as Microsoft and other cloud providers bring those online.
Where data needs to cross borders (for example, to reach Anthropic's US-based API endpoints), the transfer is encrypted in transit and governed by standard contractual data-handling protections.
7. How long we keep it
- Account & identity data: as long as your account is active, plus 12 months after closure, after which it is deleted.
- Health records: retained as long as needed to provide you with continuity of care, and for the longer of (a) 7 years after the most recent encounter, or (b) the period required by Sri Lankan healthcare records-retention rules in force at the time. After this, records are anonymised and aggregated for service-improvement purposes, or deleted.
- Audit logs & security trails: 12 months for ordinary access logs; 7 years for security-sensitive events such as failed-login lockouts and signing-key rotations.
- Push tokens: until you sign out, uninstall the app, or the token is invalidated by Firebase.
8. Your rights
You have the following rights, exercisable at any time:
- Right to access. Request a copy of the data we hold about you.
- Right to correction. Correct or update your registration details directly in the app, or contact us for fields not editable in-app.
- Right to deletion. Request deletion of your account and the data associated with it. We will delete or anonymise the data within 30 days, subject to retention obligations we are legally required to meet (for example, clinical records under healthcare law).
- Right to withdraw AI consent. Use the AI opt-out toggle in your Profile tab to prevent your data from being sent to Anthropic's AI for triage.
- Right to object to processing. If you believe we are processing your data unlawfully, contact us so we can investigate.
- Right to complain. If you believe we have not met our obligations under Sri Lanka's Personal Data Protection Act No. 9 of 2022, you may complain to the Data Protection Authority of Sri Lanka.
9. Security
We protect your data using:
- TLS 1.2 or higher for every connection between the app and our backend, with our root certificates pinned in the app's network security configuration.
- Hardware-backed encryption-at-rest for the session token stored on your Android device, rooted in your device's Keystore.
- Salted, slow-hashed passwords (we never see your plaintext password and cannot recover it — only reset it).
- Account lockout after repeated failed logins, with operator-monitored security events.
- Per-role authorisation on every backend API call — a medical officer can read clinical context, a financial controller can read settlements; no role can read everything.
- Quarterly rotation of cryptographic signing keys for diagnostic order signatures.
10. Children's privacy
NirogiAI's mobile app is intended for use by adults (18+) who have agreed to the Terms of Use. If we discover that we have collected data from a child without parental consent, we will delete that data promptly.
If you are using NirogiAI to facilitate care for a minor child for whom you are the legal guardian, you are the data subject for the purposes of this policy; please ensure you understand and agree to it before providing the child's data.
11. Changes to this policy
We may update this policy from time to time to reflect changes in the app, in the law, or in our service providers. When we do, we will update the "Last updated" date at the top of this page. Material changes will additionally be notified to you through an in-app message before they take effect.
12. Contact us
Questions, concerns, or requests under section 8?