India DPDP notice

Scope

This notice is intended for clinics, hospitals, resellers and users located in India. It complements the Privacy/GDPR policy and is aligned with the Digital Personal Data Protection Act, 2023 for NanoCareRIP services offered in India.

Roles under DPDP

For license management, accounts, billing, support and service security, RB3L FRANCE acts as Data Fiduciary for the processing it determines.

For patient documents, DICOM identifiers, secure patient PDFs and clinical workflow data, the clinic or hospital remains the primary Data Fiduciary. RB3L FRANCE acts as Data Processor when it processes those data on customer instructions.

Personal data processed

NanoCareRIP may process customer account data, license identifiers, serial numbers, machine IDs, AET names, printer identifiers, page counters, support logs, billing references, IP address, user-agent and security audit events.

When secure patient PDF mode is enabled, the service may process patient-document metadata, hashed patient identifiers, download tokens, expiry dates and download traces. The system is designed to minimize stored patient data.

Purposes

• Activate and verify NanoCareRIP licenses.
• Authorize DICOM print jobs and page quotas.
• Provide customer accounts, support, audit and fraud prevention.
• Generate, store and deliver secure patient PDFs when enabled by the clinic.
• Maintain billing records and operational security.

Consent and withdrawal

Where processing relies on consent, consent must be specific, informed and capable of being withdrawn. Withdrawal requests can be sent to nanocare@RB3L.com.

For patient workflows, the clinic or hospital is responsible for collecting, documenting and managing patient consent or another valid basis required by applicable Indian healthcare rules.

Rights and grievance redressal

Data Principals may request access to information, correction, erasure where applicable, grievance redressal and nomination according to the DPDP Act.

Grievance Officer and responsible contact for India privacy requests: Mr RABEL P, reachable at nanocare@RB3L.com. RB3L FRANCE targets an initial response within 30 days, or will route patient-data requests to the relevant clinic when the clinic is the responsible Data Fiduciary.

If the grievance is not resolved through this channel, the Data Principal may use remedies available before the Data Protection Board of India when applicable.

Children and patient data

NanoCareRIP is not directed to children as end users. However, patient documents may include pediatric patient data when the clinic sends such documents through its DICOM or PDF workflow.

The clinic remains responsible for any parental or guardian consent and healthcare compliance obligations for children or persons with disabilities.

Processors and transfers

The service may use infrastructure and technical providers including Contabo for VPS hosting in India/Germany, OVH for the domain name, payment providers when billing is enabled, and authorized technical subcontractors.

Data may be accessed or transferred outside India only when required for hosting, support, security, billing or legal obligations, and subject to contractual and technical controls.

Security and breach handling

NanoCareRIP uses access controls, hashed passwords, API secrets, audit logs, local/VPS storage controls and encrypted PDFs when secure patient PDF mode is enabled.

Security incidents involving personal data should be reported to nanocare@RB3L.com. RB3L FRANCE will coordinate with the affected clinic and applicable authorities where notification is required.

Retention

Licenses, accounts, billing data, print logs and audit logs are retained only for operational, support, accounting, security and anti-fraud needs.

Patient PDF retention is configurable by the clinic. The demonstration server default is 180 days unless configured otherwise. Expired documents should be deleted or made unavailable according to the configured retention policy.