Your privacy is important to us. Learn how we collect, use, and protect your information.
Umami TLabs ("we," "our," or "us") is committed to protecting the privacy and security of your information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our healthcare management platform and services (the "Service").
This policy applies to all users of the Service, including healthcare providers, their staff, and patients whose information is processed through the platform. By using the Service, you consent to the data practices described in this policy.
Umami TLabs is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. We act as a Business Associate to covered entities and implement appropriate administrative, physical, and technical safeguards to protect Protected Health Information (PHI).
We enter into Business Associate Agreements (BAAs) with all covered entities and business associates who use our Service to process PHI. All data handling practices described in this policy align with HIPAA requirements.
We collect information that you voluntarily provide to us, including:
When you use the Service, we automatically collect certain information, including:
We may receive information from:
We use the information we collect for the following purposes:
We do not sell, rent, or trade your personal information or PHI. We share information only in the following limited circumstances:
We may share information when you explicitly authorize us to do so, such as when sharing patient records with other healthcare providers or specialists.
We share information with third-party vendors who perform services on our behalf, including:
All service providers are contractually obligated to protect your information and use it only for the purposes we specify. Service providers handling PHI sign Business Associate Agreements.
We may disclose information when required by law, including to:
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and provide options regarding your information.
We may share de-identified or aggregated data that cannot reasonably be used to identify you or any patient for research, analytics, or marketing purposes.
We implement comprehensive security measures to protect your information from unauthorized access, disclosure, alteration, or destruction.
256-bit AES encryption for data at rest and TLS 1.3 for data in transit
Role-based permissions, multi-factor authentication, and audit logging
SOC 2 compliant data centers with redundancy and disaster recovery
24/7 security monitoring, intrusion detection, and vulnerability scanning
Automated daily backups with 30-day retention and point-in-time recovery
Regular security training for all staff handling sensitive data
While we implement industry-leading security measures, no system is completely secure. We cannot guarantee the absolute security of your information. You are responsible for maintaining the confidentiality of your account credentials.
We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
While your account is active, we retain all information necessary to provide the Service, including medical records, billing information, and usage data.
After account closure, we retain your information for 90 days to allow for account recovery. After this period, we permanently delete or anonymize your information, except:
Backup copies may persist for up to 30 days after deletion from production systems, after which they are securely destroyed.
You have certain rights regarding your information. The specific rights available to you may vary based on your location and applicable laws.
Request access to the personal information we hold about you
Request correction of inaccurate or incomplete information
Export your data in a structured, machine-readable format
Request deletion of your information (subject to legal retention requirements)
Limit how we process your information in certain circumstances
Object to processing based on legitimate interests or direct marketing
To exercise these rights, please contact us at privacy@umamitlabs.com. We will respond to your request within 30 days.
Most browsers allow you to control cookies through settings. However, disabling cookies may limit your ability to use certain features of the Service. You can manage cookie preferences through your browser settings or our cookie consent tool.
We use analytics services to understand Service usage patterns. These services may use cookies and similar technologies. We configure these services to respect user privacy and comply with applicable regulations.
Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.
We ensure that international transfers comply with applicable laws through:
Our primary data centers are located in secure facilities with appropriate certifications and compliance standards.
The Service is not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13 without parental consent.
If we learn that we have collected personal information from a child under 13 without verification of parental consent, we will delete that information promptly. If you believe we have collected information from a child under 13, please contact us immediately.
Note: Healthcare providers may enter patient information for minors as part of providing medical care. This is permitted under HIPAA and applicable healthcare regulations where parents or guardians have provided consent for treatment.
The Service may contain links to third-party websites, applications, or services that we do not control. This Privacy Policy applies only to our Service.
We are not responsible for the privacy practices of third-party services. We encourage you to review the privacy policies of any third-party services you access through our platform.
When you integrate third-party services (such as lab systems or insurance platforms) with Umami TLabs, data sharing is governed by both our policy and the third party's policies.
In the event of a data breach that affects your information, we will:
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
To exercise these rights, contact us at privacy@umamitlabs.com with "California Privacy Rights" in the subject line.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):
You also have the right to lodge a complaint with a supervisory authority in your country.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
We will notify you of material changes by:
We will provide notice at least 30 days before material changes take effect. Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: privacy@umamitlabs.com
Phone: +91-9611373526
Address: Bangalore, India
For HIPAA-related inquiries or to request a Business Associate Agreement, please use the email address above with "HIPAA" in the subject line.