Pursuant to and where necessary under applicable laws in India, including without limitation the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (for as long as they remain applicable), the Digital Personal Data Protection Act 2023 and the Rules issued thereunder (effective from when notified by the Government of India) and any other applicable laws which may come into existence regarding the protection of personal data, personal information or privacy (collectively, the “Data Protection Regulations”) in respect of my engagement with GeneSilico, I, the undersigned (I), hereby undertake to abide by the following terms and also give my consent (as relevant) to GeneSilico:
- I understand that during the course of my engagement with GeneSilico, I will be provided access to the application / website operated by GeneSilico (each a Platform) which is an analytical tool which uses Artificial Intelligence (AI) to analyze patients’ historical personal data by aggregating information, which assists oncologists in identifying specific treatment regimens tailored to patient needs.
- I understand that in order for me to gain access to the Platform, GeneSilico will collect the following personal data from me:
(i) first and last name;
(ii) phone number;
(iii) e-mail address; and
(iv) password for the Platform.
I understand that the personal data collected from and processed on the Platform will be used solely for the purpose of my engagement with GeneSilico and for the purpose of providing services to the patients registered on the Platform.
- I confirm that my consent is fully informed, given voluntarily and is within the meaning of “consent” in accordance with the Data Protection Regulations.
- I agree that this Consent is deemed to be made by me again on the date on which the Digital Personal Data Protection Act 2023 comes into effect in India.
- I understand and acknowledge that if I wish to exercise my rights to review, correct, or amend my personal information, or withdraw my consent for the processing of my personal information, to the extent available to me under the applicable Data Protection Regulations, at any time, I will exercise my rights by providing notice in writing served on GeneSilico at privacy@genesilico.ai. I understand and acknowledge that any such withdrawal of my consent will be without prejudice to any act(s) that may have been done pursuant to my Consent at any time prior to the withdrawal of my consent.
- I understand and acknowledge that this consent is without prejudice to the rights of GeneSilico to share, transfer, disclose, use and/or otherwise deal with my personal information in any way as required or otherwise permitted by the laws of India or any other applicable law.
- I further understand that I will receive access to the personal information of third parties, i.e. patients and other natural persons registered with the platform (collectively, the Personal Information on Platform) in the course of my engagement with GeneSilico to the extent relevant and required for me to offer my services to GeneSilico. I am performing services on behalf of GeneSilico and processing the Personal Information on the Platform on behalf of GeneSilico. Accordingly, I am a Data Processor as per the Data Protection Regulations and accept and acknowledge my role as a Data Processor and agree to fulfil all obligations of a Data Processor under the Data Protection Regulations, including:
- Complying with GeneSilico’s privacy policies and notices on the Platform whenever I handle any Personal Information on the Platform.
- Processing the Personal Information on the Platform only in accordance with the express instructions provided by GeneSilico and always in compliance with the Data Protection Regulations.
- Implementing all appropriate technical and organizational measures to ensure the security of Personal Information on the Platform. These measures include, but are not limited to, encryption, access control, logging, monitoring, and regular reviews to detect and prevent unauthorized access to Personal Information on the Platform. I will maintain data backups, retain relevant logs and data for at least one year, and take reasonable steps to ensure the confidentiality, integrity, and availability of the Personal Information on the Platform.
- In the event of a data breach involving Personal Information on the Platform, I will immediately, without any undue delay and irrespective of whether it is a working day, inform GeneSilico of the breach with (a) a detailed description of the breach; (b) the consequences of the breach; (c) the measures that I propose to implement to mitigate the risk of the breach; and (d) where to contact me regarding the breach (the “Breach Notice”). Once GeneSilico has received the Breach Notice, GeneSilico will assess and inform me of the next steps. I undertake to take all such steps as informed by GeneSilico and within the timelines informed by GeneSilico to ensure that the effect of any such breach is minimised and further undertake to provide all necessary information and assistance to GeneSilico to perform all actions and submit all such reports that it is statutorily required to do on the occurrence of such breach.
- In the event that consent to process Personal Information on the Platform is withdrawn by any patient, GeneSilico will immediately notify me of such withdrawal. I agree to, without undue delay, stop the processing of and erase all such Personal Information on the Platform of the relevant patient. Should any patient directly inform me that they are revoking consent for the processing of their Personal Information on the Platform, I will promptly inform GeneSilico and both parties will then ensure that such Personal Information on the Platform of the relevant patient is deleted from our respective systems.
- I agree to erase and securely destroy all Personal Information on the Platform upon the termination of the Agreement or if instructed by GeneSilico to do so, due to any legitimate reason including compliance with any applicable laws. In the event of erasure/destruction upon GeneSilico’s instructions, GeneSilico acknowledges that the performance of services by me may be affected.
- I agree to adhere to any orders, restrictions or directives imposed by the Government of India concerning the storage and transfer of Personal Information on the Platform to foreign states, entities, or agencies under their control.
- I will provide all necessary assistance to GeneSilico in responding to any patient's requests related to access to, rectification of, erasure of, and, or, updating of their Personal Information on the Platform as made available to the Parties.
- I agree to indemnify, defend, and hold harmless GeneSilico, its employees, and affiliates from any claims, damages, or losses arising from my failure to comply with the obligations set forth in this agreement.
- I will only use any Personal Information on the Platform solely for the purpose of providing services to GeneSilico and will not use such Personal Information on the Platform for any reason other than as set out in the privacy policy for patients.
- I will forthwith erase any such Personal Information on the Platform from my systems as is specifically directed by GeneSilico from time to time.
- I will ensure that I am requesting the minimum necessary Personal Information on the Platform from the patient to accomplish the intended authorized purpose.
- I will not disclose the Personal Information on the Platform to any third party.
- I will report to GeneSilico promptly the discovery of any type of discrepancies, anomalies, or errors detected in the Personal Information on the Platform I receive from GeneSilico or collect directly from the patient.
- I will not disclose or utilize the Personal Information on the Platform in any way that violates any patient confidentiality obligations or any applicable laws. I agree that all Personal Information on the Platform, including any derivatives resulting from the manipulation or compilation thereof, are Confidential Information of GeneSilico and that nothing herein grants any rights thereto to me. I will not disclose or utilize Personal Information on the Platform in any way that violates patient or physician confidentiality obligations or any applicable laws.
- I will not manipulate, aggregate, integrate, compile, merge, reorganize, regenerate, transfer or otherwise use or disclose the Personal Information on the Platform for any purpose except for operations as expressly instructed by GeneSilico.
- I will not make any alteration to the content of the Personal Information on the Platform and will not engage in the marketing, sale or other commercialization, whether direct or indirect, of the Personal Information on the Platform (whether in identified or de-identified format).
- Without limiting the foregoing, I will not enter into any agreement with a third party that enables the third party to commercialize the Personal Information on the Platform or use the Personal Information on the Platform for marketing purposes, and I will include provisions in my agreements with third parties preventing the commercialization or marketing of Personal Information on the Platform by such third parties, if and as relevant.
- I will ensure that the systems I use to access the Platform are secure with appropriate physical, administrative and technical safeguards to protect the confidentiality, integrity and availability of the Personal Information on the Platform and to ensure compliance with all applicable laws. I will cooperate with any required audit of security measures, including hardware and software components, as may be required for purposes of applicable laws.
- I specifically agree that if I engage any persons, through contract or otherwise (each, an Assistant), to discharge my obligations towards GeneSilico under this engagement, I will ensure that: (i) the personal data provided by GeneSilico is only disclosed to such Assistants on a ‘need to know’ basis; and (ii) each Assistant independently executes this ‘Data Processing Agreement’ with GeneSilico prior to them processing any personal data under this engagement.
The Platform is an analytical tool which uses Artificial Intelligence (AI) to analyze your historical personal data by aggregating information, which assists oncologists in identifying specific treatment regimens tailored to your needs.
2. Scope and Terms of Privacy Policy
For the purpose of this Privacy Policy any reference to ‘you’ means you, the natural person, whose personal data is being voluntarily submitted to and being processed by GeneSilico (the patient). If you are a patient who is under the age of 18, or a person with a disability preventing you from providing valid consent, the reference to ‘you’ includes you as well as your parent(s) or legal guardian(s) (as the case may be) who are consenting to GeneSilico processing your personal data on your behalf.
For the purpose of this Privacy Policy any reference to ‘personal data’ means any information about the patient by or in relation to which the patient can be identified, as is specifically detailed at Clause 3 (Data Collection) below.
This Privacy Policy describes how we collect, use, store, process, and safeguard the personal data of the patients who provide their personal information to us for the purpose of processing by the Platform, and who access our Platform.
You hereby provide your free and informed consent to the processing of your personal data by GeneSilico as per the terms set out in this Privacy Policy and such free and informed consent will subsist throughout the duration that you access our Platform, unless revoked by you specifically in writing.
If you do not agree with the terms of this Privacy Policy, you are requested to immediately cease your access to and use of the Platform and services provided through the Platform by GeneSilico. GeneSilico retains the right to refuse services if you fail to accept the terms of the Privacy Policy.
The Platform also collects the following limited personal information from any GeneSilico employee, consultant, publication reviewer, medical oncologist, genetic counselor, and GeneSilico approver (collectively, the GeneSilico Representatives) who have access to the Platform:
- their first and last name
- their phone number
- their e-mail address
- their password.
It is expressly clarified that this privacy policy does not apply to any GeneSilico Representatives, and the processing of their limited personal information collected will be in accordance with the agreements separately executed with each such GeneSilico Representative at the time of their onboarding. We further confirm that each GeneSilico Representative will not have complete access to your personal information on the Platform, and the access levels are determined and allocated by GeneSilico strictly on a need-to-know basis.
3. Data Collection
We collect and process your personal data only to the extent necessary to provide you with our services on the Platform and as specifically set out in this Privacy Policy. The nature of personal data we collect from or about you may vary depending on the purpose for which it is provided to us by you.
Your free and informed consent and the security and accuracy of your personal information is our utmost priority. For the purpose of maintaining accuracy of all your personal information, your personal information will be orally collected from you by the doctor and, or, counsellor who has been appointed by GeneSilico under a valid agreement, who will explain to you the nature of the personal information collected from you as well as the purpose for which it is collected. Such a doctor and, or, counsellor will only then upload your personal information on the Platform. You will be able to review all your personal information as collected by GeneSilico on the Platform and will be able to request the correction or erasure of any such personal information which is not accurate.
At the time of sign-up, and during the course of us providing you with services on the Platform, the following personal information will be collected either directly from you, or through a third party that you have authorized to provide us with your personal information, and uploaded on the Platform:
- Your full name
- Date of Birth
- Home Address / Alternative Address
- Phone Number
- Email address
- Weight
- Ethnicity
- Sex
- Medical Record Number/ Unique Health Identification Number
- Clinical Information
- Primary diagnosis and stages of diagnosis
- Date of Original Diagnosis
- Past medical records (prior therapy, prior treatment)
- Family History including family member name (relation to the patient)
- Hospital information (Name, Address, Hospital ID, Point of Contact)
- Patient status at time of the sample collection
- Physician Information including Referring Physician Name, Contact number, and Email ID
- Records/ Reports including Recent Copy of Reports (Blood, pathology, radiology, molecular testing and NGS advance testing)
- Pathology Lab’s name, submitting Pathologist Name
- Details about the biological sample inter alia FFPE Tissue, Fresh Frozen Tissue, Purified DNA, Streck Cell-Free Blood DNA and PAXgene Blood DNA.
- Date of Collection of the biological sample
- Shipment Details of biological sample including origin of the biological sample, Name of the Courier service used, place shipped from (Name of the hospital or the lab), intended destination of the biological sample, and tracking number of the biological sample
- Your medical history relevant to our services as provided on the Platform and records including information related to your genetics.
- Your financial information for billing
- Your healthcare insurance records
In addition to the personal data that you submit to us, we automatically collect some information when you visit our Platform. This type of information is listed below:
- Our webservers may collect certain information such as your IP address, browser details, device information and usage logs
- In addition to this, we use cookies to store information for your convenience in accessing the Platform’s features.
- We also collect information voluntarily provided by you during your use of the Platform and in respect of which you have not indicated that you do not consent to the use of your personal data, including any documents and analytical results you provide on the Platform.
4. Data Usage
We will only process your personal data for the purposes as specifically outlined below:
- For registering you on the Platform, to enable your access to the Platform and all its features.
- For providing uninterrupted services and assistance with respect to your treatment including but not limited to conducting a consultation and detailing the risk assessment for the relevant patient, providing insight to assist with the patient’s treatment, sending appointment reminders, sending kits to collect your specimens for tests, or any use incidental to the above.
- For billing and collection of payments (from you or your insurance provider) towards the assistance and services pertaining to your treatment including but not limited to verifying your health insurance coverage (or a third person’s health insurance coverage if the patient is covered under the third person’s insurance policy).
- For internal management and administrative operations.
- For your Genomic Counseling with GeneSilico’s Genetic Counselor to determine whether you will require the Next Generation Sequencing (NGS) testing.
- To analyze your genetic material with the help of our testing services and generate the report from your NGS test.
- For billing purposes and to verify your healthcare insurance.
- To communicate with you by email or text message regarding our health-related products and services that may be of interest to you including treatment options or alternative treatment.
- To comply with applicable legal and regulatory requirements including court orders, to process payments under applicable law such as taxes, or to exercise GeneSilico’s legal rights in any manner whatsoever.
- To process any queries, requests and, or grievances raised by you against GeneSilico and/or the Platform.
- For any other purpose to the extent necessary to meet any obligation towards you.
- If you are the parent / lawful guardian of a patient who is under 18 years of age or a person with a disability preventing them from providing valid consent, we will collect your personal data to verify your identity and consent before processing the patient’s data.
As GeneSilico’s Platform is an AI analytical tool, we de-identify and anonymize your personal data and feedback on the Platform to:
- Combine your de-identified and anonymized data with de-identified and anonymized data of third party service providers and consultants engaged by GeneSilico to create the ‘Analytics Database’ for the Platform.
- Improve and update GeneSilico’s precision oncology gene panel and GeneSilico’s genetic tests.
- Improve and refine GeneSilico’s AI agents including by sharing anonymized data with third party large language models such as those provided by OpenAI and Anthropic.
- Enable third-party large language models to aid in improving the functioning of GeneSilico’s AI.
- Contribute to our variant classification program.
- Conduct clinical research or studies, the results of which may be published in peer-reviewed journals.
- Contribute to our internal anonymized registry or publicly available healthcare databases such as the National Center for Biotechnology Information (NCBI), or ClinVar.
5. Disclosure of personal data
We do not trade, share or sell the personal data that you provide to us with other organizations that intend to use it only to market their products or services to you. The purpose for which GeneSilico shares your personal data with third parties varies in each case and depends on the purpose for which you provide us with such personal data. Generally, when you submit your personal data to GeneSilico, we may disclose it for the purposes as outlined below:
- When we perform laboratory tests ordered by your healthcare providers, we may use or disclose your personal data to third party laboratories who process the test orders, perform the tests and provide the results of such tests.
- To support our healthcare operations including monitoring and improving the quality of our testing, evaluating outcomes, assays and protocols, internal training and customer service.
- To GeneSilico affiliates or third parties engaged by us to perform services for us so that we can ensure continuity of services and assistance to the patients. For completeness, all such third-party entities we disclose your personal data to, will be bound by contract to ensure privacy of your personal data on the same or better terms than as provided by us.
- If such disclosure is necessary for your treatment, or billing related thereto including but not limited to disclosing such personal data to insurance service providers to verify coverage and process payments, and any incidental disclosures pertaining to such treatment and billing during the regular course of business.
- Where such disclosure is required by and, or, permitted within the scope of applicable law.
- With persons authorized by you to take healthcare decisions for you, including to parents or guardians of minors and people with disabilities. Where no such person has been nominated or authorized by the patient, we may disclose your personal data to any persons authorized under applicable laws to act on behalf of you or your estate.
- To related persons such as family members or relatives who are involved in your healthcare or payment for your healthcare, as requisite.
- To assist during any disaster relief including informing family and friends about your location, general health condition, or death. Upon your death, we may disclose your personal data to persons specifically authorized by you, or to persons who were involved in your health care or payment for your health care save and except if you have expressly forbidden such disclosure.
- With other healthcare providers as specifically requested by you.
- With entities engaged in organ procurement, banking, and, or, transplantation, and funeral directors, subject to you (or persons nominated by you to exercise rights over your personal data) specifically requesting such disclosure. In the absence of any such nomination or authorization, we may disclose your personal data to persons who were responsible for your healthcare (or payment therefor) if we reasonably determine that such disclosure is in your best interest.
- With group companies, affiliates, and businesses that are legally part of the same group as GeneSilico or that become part of that group, to meet the purpose(s) set out herein.
- With courts, tribunals, legal bodies, regulatory authorities, government entities, and any third-parties, to the limited extent required to meet a legal or regulatory obligation.
- Where GeneSilico reasonably believes that there exists the need to disclose your personal data for satisfying any applicable law, regulation, order, governmental request, or legal process or enforcing any other legal right or claim.
- With auditors, accountants, lawyers and other professional advisers to the extent that they require access to the information in order to advise us.
- In cases of merger, acquisition or sale, GeneSilico will transfer your information to the third-party so involved in the transaction, only subject to an agreement by the other party in respect to your information, to process and store your information in a manner consistent with this Privacy Policy.
- We may disclose your personal data with direct identifiers such as name and date of birth removed for the purpose of research, healthcare operations (as set out above) and public health activities, subject to executing a separate data use agreement with you in the future.
- For research and archiving purposes.
- If such disclosure is necessary to lessen a serious threat to your health or safety or that of another person, and to any authorities who are legally responsible to prevent and control disease, prevent child abuse and, or, neglect, and any other similar harms.
- With your employer if we are only providing you services at your employer’s request.
- With your schools, universities or other institutions if such personal data is pertaining to immunizations.
- We will obtain your specific consent if we disclose your information for any reason otherwise than as set out herein including but not limited to disclosure to third parties for marketing purposes, disclosures of psychotherapy notes, disclosures that would constitute a sale of personal data.
6. Cookies
We use cookies and similar tracking technologies to analyze your website usage to improve your user experience. Your cookie preferences while accessing the Platform can be altered through your browser settings.
7. Data Storage and Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected (as mentioned under Clause 4 of this Privacy Policy), in accordance with applicable laws and as outlined in this Privacy Policy, save and except if we are required to retain this personal data for any longer period to comply with applicable laws.
Your personal data is stored securely on encrypted servers hosted in compliance with industry standards and applicable laws.
8. Data Security Measures
GeneSilico employs robust security measures to protect user data, including:
- Encryption: Data is encrypted in transit (TLS) and at rest (AES-256).
- Access Controls: Role-based access management and multi-factor authentication (MFA).
- Regular Audits: Periodic security reviews and vulnerability assessments.
- Monitoring: Continuous monitoring of systems for suspicious activity.
- Backup and Recovery: Secure data backups with disaster recovery protocols.
9. User Rights
You have the right to access, correct, update, review or revoke your consent and request the erasure of your personal data that GeneSilico stores by submitting a written request to GeneSilico. To ensure the security of your personal data we may ask you to provide certain identifiers to verify your identity before processing your request. We may also require you to provide your reasons for amending or updating personal data to ensure the veracity of your records that we maintain. Please note that we may charge a reasonable fee to provide the collated set of your personal data, if you have requested for such personal data in a specific format.
You may request to nominate or authorize 1 or more persons to exercise any of the rights set out in this section, on your behalf.
You may access our grievance redressal system to address any concerns or complaints that you may have regarding the processing of your personal data. If you wish to file a grievance, you can do so using the contact details provided below. We shall ensure that there is a speedy redressal of your grievance as soon as reasonably practicable from the date of the receipt, but always within the statutory timelines as applicable, ensuring the effectiveness of the system through appropriate technical and organizational measures.
You acknowledge that deletion of all or some of your personal data may result in GeneSilico being unable to provide you with services, updates and disablement of your access to the Platform. You further acknowledge that any request by you to delete all or some of your personal data will not result in any changes/modification to GeneSilico’s Platform, as GeneSilico’s Platform has already had your personal data and feedback de-identified and anonymized. If you: (i) have any questions regarding this Privacy Policy; (ii) want to exercise your rights as set out in this section; and, or, (iii) file a complaint or grievance about our privacy practices, you can write to us at privacy@genesilico.ai.
10. Compliance
GeneSilico complies with all relevant and applicable privacy and security regulations in all territories of its operations, including but not limited to any sector specific regulations as may be applicable.
11. Breach Notification
In the event of a personal data breach, GeneSilico is committed to informing you without any delay. Upon becoming aware of the breach, we will notify you through your user account on our Platform and the communication methods you have registered with us.
We will take all necessary steps, in compliance with applicable laws, to ensure that your personal data remains secure.
12. Third-Party Links
The Platform may contain links to third-party websites. GeneSilico is not responsible for the privacy practices of these external sites. You are encouraged to review the privacy policies of third-party services.
13. Policy Updates
This policy may be updated periodically to reflect changes in practices or regulations. GeneSilico will inform you of any changes in the Privacy Policy via a notification or e-mail or any other reasonable and preferred methods of communication you have previously informed us about. In any case we encourage you to periodically visit and review this Privacy Policy.
14. Contact Us
For questions, concerns, or requests related to this Privacy and Security Policy, contact us:
Email: privacy@genesilico.ai