Privacy Policy (India)

Last updated: May 4, 2026

Cereboffins (“we,” “us,” “our”) is the Data Fiduciary for the personal data described in this Privacy Policy. This Policy explains how we collect, use, store, and share digital personal data when you use our websites, contact forms, and related services in India (the “Services”). It is designed to align with the Digital Personal Data Protection Act, 2023 of India (“DPDPA”) and applicable rules issued thereunder, as updated from time to time.

In this Policy, you are the Data Principal when the personal data is about you. If you do not agree with this Policy, please do not use the Services. Clinical pilots or hospital programs may use separate participant or site notices; where those apply, they govern the relevant processing in addition to this Policy.

  1. What personal data do we collect?

    You provide

    For example: name, work email, hospital or organisation, phone number if you share it, and the content of messages or forms you send us. If you take part in a study or pilot, additional categories may be collected as described in the specific notice for that activity.

    Automatic collection

    We may collect technical data such as device and browser type, IP address (used in aggregate or for security), pages viewed, referring URLs, timestamps, and diagnostic logs—to operate, secure, and improve the Services.

  2. Why and on what basis do we process your data?

    We process personal data for purposes such as: responding to enquiries; operating and securing the Services; communicating service or security updates; analytics to improve performance; compliance with law; and enforcing our terms.

    Under the DPDPA, we rely primarily on your consent where consent is required (for example, non-essential cookies or marketing, where we ask for it). We may also rely on legitimate uses permitted under the DPDPA (such as certain voluntary disclosures by you, employment-related processing where applicable, or compliance with law) where those provisions apply. Where we ask for consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal, subject to contractual or legal restrictions.

  3. Do we share personal data?

    We may share personal data with:

    • Processors and service providers (e.g. hosting, email, analytics) who process data on our instructions and under appropriate contracts.
    • Professional advisers (e.g. lawyers, auditors) where required.
    • Authorities or others when required by applicable Indian law, court order, or lawful request, or to protect life, health, or safety.
    • Business transfers — if we merge, reorganise, or sell assets, personal data may transfer as part of that transaction, subject to law.

    We do not sell personal data in the manner typically described in non-Indian “sale of personal information” regimes.

  4. Cross-border transfers

    If we transfer personal data outside India, we will do so in line with the DPDPA and notifications or conditions issued by the Government of India (including transfers to permitted countries or under approved mechanisms, as applicable from time to time).

  5. How long do we keep data?

    We retain personal data only as long as needed for the purposes above, including legal, regulatory, accounting, or reporting requirements, and then delete or anonymise it in line with our retention practices.

  6. How do we protect data?

    We implement reasonable technical and organisational measures appropriate to the risk. No system is perfectly secure; if you believe data has been compromised, please contact us promptly.

  7. Your rights as a Data Principal (DPDPA)

    Subject to the DPDPA and applicable rules, you may have the right to: obtain a summary of personal data we process and the processing activities; access your personal data in a clear format; seek correction or erasure where applicable; seek grievance redressal through our Grievance Officer; nominate another individual to exercise rights in the event of death or incapacity (as prescribed); and withdraw consent where processing is consent-based. We may need to verify your identity before acting on a request.

    You may also escalate complaints to the Data Protection Board of India in accordance with the DPDPA and procedures published by the Board from time to time.

  8. Children

    Our public websites are not directed at children. If we process a child’s personal data (as defined under the DPDPA and applicable rules), we will do so in line with Indian law—including verifiable parental consent where required for services directed at children. If you believe we have collected a child’s data improperly, contact our Grievance Officer.

  9. Cookies and similar technologies

    We may use cookies and similar technologies for essential functions, preferences, analytics, or (where we obtain consent) marketing. You can control cookies through your browser; blocking some cookies may limit features.

  10. Changes to this Policy

    We may update this Policy to reflect legal, product, or operational changes. We will revise the “Last updated” date and, where the DPDPA or rules require, provide notice through reasonable means (such as a notice on our website or email, where appropriate).

  11. Grievance Officer & contact (India)

    For questions, access requests, corrections, erasure requests, consent withdrawal, or complaints under this Policy, contact our Grievance Officer (also reachable for privacy matters):

    Email: privacy@cereboffins.com

    Postal address (India): Cereboffins, Unit 421, Meridian Towers, Whitefield Main Road, Bengaluru, Karnataka 560103, India

    We will acknowledge and work to resolve grievances within timelines consistent with the DPDPA and any applicable rules once finalised.