Privacy Policy

Privacy Notice

Review Date: 17th Jan 2025

This Privacy Notice explains how SHOPSENSE RETAIL TECHNOLOGIES LIMITED and its subsidiaries and affiliates ("Gauze," "we," "us," or "our") collect, use, and process personal information in connection with our website https://gauze.md, including its webpages and portals, as well as our medical AI platform, products, and services. We may update this Privacy Notice from time to time.
For any inquiries or concerns regarding this Policy, you may contact us via email at help@gauze.md or by mail at: 1st Floor, WeWork Vijay Diamond, Opp. SBI Branch, Cross Road B, Ajit Nagar, Kondivita, Andheri East, Mumbai - 400093, Maharashtra, India.

SHOPSENSE RETAIL TECHNOLOGIES LIMITED is a public limited company registered under CIN U52100MH2012PLC236314 and PAN AALCA0442L, with its registered office at 1st Floor, WeWork Vijay Diamond, Opp. SBI Branch, Cross Road B, Ajit Nagar, Kondivita, Andheri East, Mumbai - 400093, Maharashtra.
By using our services, you ("you," "your," "Customer," or "User") agree to the collection, use, and processing of your personal data as described in this Privacy Notice.

This Privacy Notice applies when you use our website https://gauze.md and its related webpages or portals (the “Website”), the Gauze Console (the “Application”), or any proprietary products and features offered under the Gauze Console (together, the “Services”).
Our Services also include https://console.gauze.md/, a secure platform where users can create an account and access a demo version of our medical AI solution.
This Privacy Notice is governed by applicable data protection laws, including the General Data Protection Regulation (GDPR) (Regulation 2016/679) and the Directive on Privacy and Electronic Communications (Directive 2002/58/EC), along with national implementations and related regulations. Any capitalized terms used in this Privacy Notice but not specifically defined here will have the meanings set forth in our Universal Terms and Data Processing Agreement.

This Privacy Notice shall be interpreted and governed by the applicable data protection laws, including, without limitation, the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Children’s Online Privacy Protection Act (COPPA), the Information Technology Act 2000 (IT Act), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules), and the Health Insurance Portability and Accountability Act (HIPAA).

By accessing our Website, using our Application, or utilizing our Services, you acknowledge and agree to the data processing practices described in this Privacy Notice, as well as the terms outlined in our Website Terms and related documents. Gauze reserves the right to update or modify this Privacy Notice from time to time. Any changes will be communicated by posting an updated version on our Website or through other appropriate means. Your continued use of the Services following such updates constitutes your acceptance of the revised Privacy Notice.
Gauze is committed to safeguarding your Personal Data and ensuring its secure and lawful processing. As outlined in this Privacy Notice, your Personal Data may be collected, used, or disclosed to third parties acting on behalf of Gauze for legitimate business purposes.
Gauze does not knowingly collect, process, or disclose Personal Data of individuals under the age of 18. If an institution chooses to upload or process data related to a minor patient, such action is undertaken at the institution’s sole discretion and responsibility, and Gauze shall not be held liable for any consequences arising from such processing.

I. About the service

The terms and conditions governing the use of Gauze’s Services are outlined in our Universal Terms, available at https://gauze.md/legal. By accessing or using our Services, you agree to be bound by the applicable terms set forth therein.

II. Personal data

a. What is personal data?

"Personal Data" refers to any information relating to an identified or identifiable natural person ("Data Subject") that is processed through the software for medical or administrative purposes. An identifiable person is one who can be directly or indirectly identified, particularly by reference to identifiers such as a name, patient ID, medical record number, location data, online identifiers, or characteristics specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

Personal Data may include patient identifiers (e.g., name, date of birth, gender, patient ID), health and medical data (e.g., diagnostic images, clinical history), technical and usage data (e.g., IP addresses, audit logs), and healthcare professional data (e.g., name, designation). It also encompasses "special categories of personal data," such as health information and biometric data used for diagnostic or identification purposes.

The processing of Personal Data is subject to applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and relevant national healthcare regulations. All data collection, storage, and processing must adhere to strict security and confidentiality measures to safeguard patient privacy and ensure compliance with regulatory requirements.

b. What Personal data does Gauze collect and process?

Gauze receives, processes and stores two distinct sets of personal data. We will process the following personal data on the Services:

b.1 User Profile (Healthcare Professionals and Administrators)

Gauze processes personal data related to authorized users such as physicians, nurses, radiologists, and administrative staff. This includes:

  1. Full Name
  2. Professional Title and Designation
  3. Department and Specialty
  4. Hospital or Institution Name
  5. Professional Contact Information (e.g., email, phone number)
  6. User ID (for authentication and access control)
  7. Activity Logs and Usage History (to track interactions with the system)

b.2 Patient Profile

Gauze processes patient-related personal and health data necessary for diagnosis, treatment, and medical record management. This includes:

  1. Full Name
  2. Patient ID or Medical Record Number
  3. Date of Birth and Age
  4. Gender
  5. Contact Information (if applicable)
  6. Health Data such as medical history, test results, and clinical notes
  7. Medical Imaging Data (e.g., DICOM files, scans, radiology reports)
  8. Date and Time of Registration and Consultations

b.3 Technical usage data

To ensure the security, functionality, and compliance of the Software as a Medical Device (SaMD), technical data is collected and processed during system interactions. This includes:

  1. Device and Network Information: IP address, unique device identifiers, and network performance metrics.
  2. Access and Session Data: URL of accessed services, login timestamps, user authentication records, and session activity logs.
  3. System and Browser Information: Browser type, language preferences, operating system details, and identifying device information.
  4. User Interaction Data: Pages viewed or searched, response times, download errors, length of visits, navigation patterns, and interaction details such as scrolling, clicks, and mouse-overs.
  5. Performance and Security Logs: System performance metrics, error logs, audit trails, and AI model interaction data.

b.4 Personal Data via the Gauze Console

A fourth category of personal data is processed through the Gauze Console platform, where Users upload data for processing. In this context, Gauze acts as a Data Processor, while the User remains the Data Controller for the uploaded data, which may include:

  1. Anonymized patient case information and pseudonymized DICOM images, including embedded metadata.
  2. Content uploaded, posted, or contributed by the User as part of the Services.

By using the Gauze Console, Users acknowledge and agree to the Data Processing Agreement (DPA), which becomes effective upon their first use of the Services. This DPA outlines the nature and scope of the processing that Gauze undertakes on behalf of the User concerning personal data where the User is the Data Controller.

Users may only upload personal data relating to third parties if they have obtained the necessary legal basis, permission, and consent from the Data Subjects (e.g., patients), as required by applicable laws. If the information is sourced from the public domain, Users must ensure compliance with relevant data protection regulations. Users bear sole responsibility for obtaining and maintaining all legally required consents, whether informed, written, explicit, or implicit, from Data Subjects or other data owners. By using the Services, the User represents and warrants that such consents have been duly obtained and will be made available upon request for audit by Gauze.

Gauze relies on Users to provide accurate, complete, and up-to-date information and Users agree to take reasonable measures to ensure data accuracy.

For individuals accessing the Gauze Console to upload their own DICOM images, Gauze will act as the Data Controller in accordance with applicable data protection laws.

III. Why does Gauze process this Personal data?

Gauze processes the Personal Data described in this Privacy Notice for the following purposes:

  1. Account Administration and Service Provision: To verify and manage user accounts, administer account settings, integrate with third-party services, and ensure the delivery, personalization, and enhancement of the Services in accordance with the Terms of Service.
  2. Communication and Notifications: To send alerts, notifications, and marketing communications via email or other means regarding Gauze’s products, services, and those of affiliated entities.
  3. Service Updates and Compliance: To inform users about updates to the Services, changes to terms and conditions, and other relevant notices.
  4. Service Improvement and Analytics: To enhance and develop existing services, introduce new features, and analyze usage patterns for optimization.
  5. Technical Performance and Security: To maintain the technical integrity of the Services, prevent unauthorized access, and ensure compliance with applicable terms of use, including the Universal Terms and any additional agreements related to the Services.
  6. Enforcement of Terms and Protection of Rights: To enforce contractual agreements, protect Gauze’s rights, property, and safety, as well as those of third parties when necessary.
  7. Regulatory and Legal Compliance: To fulfill obligations as a Data Controller and Data Processor, ensuring adherence to the rights of Data Subjects and responding to legal requirements (as outlined in Clause VIII).
  8. Customer Support and Inquiries: To respond to user queries, provide support, and facilitate issue resolution.
  9. Mandatory Legal Compliance: To comply with legal obligations, regulatory requirements, and law enforcement requests, as applicable.

Gauze may process anonymized and de-identified data for the purpose of improving, developing, and enhancing its Services, including but not limited to machine learning, research, and analytical advancements. Such data will be processed in compliance with applicable data protection laws and will not be used to re-identify any individual.

Provision of the Personal Data outlined in Clause II.b.2 is necessary for accessing and utilizing the Services. Without this data, Gauze may be unable to provide the requested services. Processing is required to enter into and maintain a contractual relationship, with Gauze acting as a Data Processor for the collected data.

Certain technical data, as referenced in Clause II.b.3, is collected solely for performance monitoring and issue resolution related to the platform. This data is not used to personally identify users unless required by official legal investigations, as stipulated in Clause VIII.

The processing of Personal Data for the purposes listed above is based on Gauze’s legitimate interest in maintaining IT security, preventing fraud, safeguarding the Services from cyber threats, and improving service functionality.

IV. Disclosure of personal data

Gauze may disclose Personal Data to third parties under certain circumstances, including but not limited to:

  1. Affiliates and Subsidiaries: We may share Personal Data with our affiliated and sister companies for operational, administrative, and business purposes.
  2. Service Providers: We engage third-party service providers for data collection, storage, analytics, advertising, IT support, and other essential services necessary for the operation and enhancement of our Services. These providers are contractually obligated to maintain the confidentiality of Personal Data and are prohibited from sharing it with unauthorized parties.
  3. Marketing and Advertising: Subject to a valid legal basis, such as user consent, we may disclose Personal Data to our advertising and marketing teams to deliver personalized advertisements or to contact you through email, telephone, SMS, or other communication channels.
  4. Legal and Regulatory Authorities: We may disclose Personal Data to public authorities if required to do so by law, regulation, court order, or other legal processes.
  5. Other Third Parties: Personal Data may be disclosed to additional third parties where explicit user consent has been obtained.

Gauze does not sell, commercially exploit, or distribute Personal Data for commercial purposes. All disclosures are made in compliance with applicable laws and contractual obligations.

Please note that our Services may contain links to third-party websites. Any Personal Data collected on such external websites is not governed by this Privacy Notice but is subject to the respective website’s privacy notice.

V. Cookie Statement

Gauze may use cookies and similar tracking technologies on its Website to collect information, including Personal Data, as described in this Privacy Notice. A cookie is a small data file sent to your browser and stored on your device (e.g., computer, mobile phone, or tablet). Cookies may be either first-party cookies, set directly by our Website, or third-party cookies, placed by external providers such as Google.

We use cookies for the following purposes:

  1. Essential Functionality: Certain cookies are necessary to enable Website navigation and core functionalities.
  2. Analytics and Performance: We utilize third-party cookies, such as Google Analytics, to gather aggregated statistical data on Website usage and user interactions.
  3. User Feedback and Compliance: Third-party services like UserSnap facilitate real-time user feedback, and Termly helps manage cookie consent and compliance.
  4. Advertising and Personalization: Third-party advertisers, including Google AdSense, may collect certain information such as your IP address, Internet Service Provider (ISP), and browser type to deliver relevant advertisements.

A detailed list of the cookies used on our Website, along with their specific purposes, is shared below (refer to the table in Section VI).

Managing Cookies: You may disable or restrict third-party cookies through your browser settings. However, doing so may impact certain Website functionalities and your overall user experience.

VII. Your consent

By obtaining our Services, contacting us, or subscribing to our newsletter, you hereby provide your explicit consent to the processing of your Personal Data for the purposes outlined in Section II(b) of this Privacy Notice. This includes, but is not limited to, the processing of your name, gender, contact details, and preferences, as described herein.

Furthermore, by accepting Gauze’s Terms of Service, you acknowledge and agree that the processing of your Personal Data is necessary for the performance of our contractual obligations to you, as set forth in Section III of this Privacy Notice.

Gauze may also process your Personal Data where required to comply with its legal obligations, including but not limited to regulatory requirements and law enforcement requests, as detailed in Section VIII of this Privacy Notice.

VIII. Data Subject Rights

Data Subjects have certain rights concerning the processing of their personal data, as outlined below:

  • Right to Explicit Consent:  Data Subjects have the right to provide explicit, informed, and unambiguous consent before their medical imaging data is processed or shared. Consent must be obtained by you in a clear and transparent manner, ensuring that patients fully understand how their data will be used. Where exceptions apply, such as processing for public health or research purposes, the necessity of obtaining consent remains fundamental to upholding patients’ rights regarding their personal health information.
  • Right to Make a Subject Access Request (SAR):  Data Subjects have the right to request access to copies of their personal data by submitting a written Subject Access Request (SAR). Such requests may be subject to legal limitations, exemptions, and the rights of other individuals. To process an SAR, Data Subjects may be required to provide proof of identity and, where permitted by law, any applicable administrative fees.
  • Right to Rectification:  Data Subjects have the right to request the correction or completion of any inaccurate or incomplete personal data. Gauze will rectify such data without undue delay, provided that the request is reasonable and verifiable.
  • Right to Withdraw Consent:  Where processing is based on consent, Data Subjects may withdraw their consent at any time. The withdrawal of consent will not affect the lawfulness of any processing carried out before such withdrawal. Upon withdrawal, Gauze will cease processing the personal data unless another legal basis permits continued use.
  • Right to Object to Processing, Including Automated Decision-Making and Profiling:  Data Subjects have the right to object to the processing of their personal data, including processing based on legitimate interests or for marketing purposes. While Gauze does not make automated decisions about Data Subjects, third-party providers, such as credit reference agencies, may conduct automated profiling for business administration purposes. Profiling may also be performed for trend analysis related to Website usage. Gauze will honor valid objections unless there is an overriding legitimate ground for continued processing or another lawful reason to refuse such requests. In relation to marketing communications, valid opt-out requests will be implemented promptly.
  • Right to Erasure ("Right to Be Forgotten"):  Data Subjects may request the deletion of their personal data under certain circumstances, such as when the data is no longer required for its original purpose, when consent has been withdrawn, or when processing was unlawful. Gauze will comply with such requests unless a lawful reason exists for retaining the data, such as regulatory compliance or legitimate business record-keeping obligations.
  • Right to Restriction of Processing:  Data Subjects have the right to request the restriction of their personal data processing under specific circumstances, such as when they contest the accuracy of the data, object to unlawful processing, or require the data for legal claims. Gauze will comply with such requests unless a legal obligation or overriding legitimate reason requires continued processing.
  • Right to Data Portability:  Where applicable, Data Subjects have the right to request a copy of their personal data in a structured, commonly used, and machine-readable format and to have it transferred to another service provider. While Gauze does not consider this right to apply to its Services, any valid requests will be evaluated in accordance with applicable laws. A transfer of data does not automatically imply erasure, and personal data may still be retained for lawful and legitimate purposes.
  • Right to Lodge a Complaint with a Supervisory Authority:  Data Subjects have the right to lodge a complaint with the relevant data protection authority if they believe that their personal data has been processed in violation of applicable laws. While Gauze encourages Data Subjects to contact its support team first to resolve any concerns, they may also exercise their right to approach the appropriate supervisory authority directly.

IX. Restrictions to Data Subject Rights

  • While you have various rights under applicable data protection laws (such as access, rectification, erasure, objection, and data portability), please note that these rights may be subject to restrictions under Article 23 of the General Data Protection Regulation (GDPR).
  • Such restrictions may apply where necessary and proportionate for purposes such as national security, public order, criminal investigations, legal proceedings, or other significant public interests, as defined by Union or Member State law.
  • We will always inform you if and when such legal restrictions apply, unless prohibited by law.

X. Responding to Legal Requests

Gauze may access, retain, and disclose Personal Data if required to comply with a valid legal request, such as a search warrant, court order, subpoena, or similar legal process. Additionally, we may process and share Personal Data when necessary to detect, prevent, or address fraud, unlawful activities, or violations of applicable laws, including as part of investigations pursuant to Article 23(1) of the GDPR or other relevant legal provisions.

XI. Retention of Personal Data

  1. Customer-Initiated Deletion. Gauze provides Customers with the ability to delete Customer Personal Data during the Subscription Term, in accordance with the terms of the Agreement.
  2. Deletion Upon Inactivity. Gauze retains Personal Data of registered users for the duration of their active profile on the Services. If a user remains inactive for a continuous period of one year, all associated Personal Data will be deleted, unless retention is required by applicable law or regulatory obligations.
  3. Deletion Upon Termination. Upon termination or expiration of the Agreement, Customers shall have a period of 90 days to retrieve any remaining Customer Personal Data. After this period, Customer instructs Gauze to automatically delete all remaining Customer Personal Data, including copies, unless otherwise required by applicable law.
  4. Retention Requirements. Gauze does not anticipate retaining anonymized Customer Personal Data under this Agreement. However, in the event such data is retained, Gauze shall not be required to delete or anonymize Customer Personal Data under Sections X.a or X.b to the extent retention is mandated by applicable law, regulatory requirements, or a valid order from a governmental or regulatory authority.

XII. Personal data of children under the age of 18

The Gauze Console and the services provided therein are not intended for, nor marketed to, non-medical users. We do not knowingly collect or solicit personal information of/from anyone under the age of 18, nor do we permit individuals under 18 to register for our services.

In compliance with the Children’s Online Privacy Protection Act (“COPPA”), the General Data Protection Regulation (“GDPR”), and other applicable personal data protection laws, you must obtain verifiable parental consent (or consent from the child's legal representative) before collecting, using, or disclosing personal data related to a child. If you become aware that we have inadvertently collected personal information from a child under 18 without obtaining verifiable parental consent, you are required to delete such information promptly.

If you are a parent or legal guardian and become aware that your child has provided us with Personal Data without your consent, you may contact us at grievance@gauze.md to exercise your rights, including access, rectification, erasure, restriction of processing, and objection to data processing.

XIII. Security Practices

Gauze is committed to ensuring the security and integrity of Personal Data processed through its Services. We implement industry-leading security measures to safeguard the confidentiality, availability, and integrity of all Personal Data collected, stored, and transmitted. Personal Data collected via our Services is stored in secure environments with restricted access. Only duly authorized personnel, including officers, employees, and agents of Gauze, who require such access for the performance of their duties, are permitted to handle this data.

Any individual found to be in violation of our privacy and security policies is subject to disciplinary action, which may include termination of employment or contract, as well as civil and/or criminal liability. Gauze employs robust security technologies, including multi-layered firewall protections and encryption protocols, to mitigate risks and enhance data protection.

However, despite our best efforts to implement stringent security controls, you acknowledge and agree that: (a) The inherent nature of the Internet poses certain security and privacy limitations beyond our control; (b) We cannot guarantee the absolute security, integrity, or confidentiality of data transmitted between you and our Services; and (c) Information exchanged over the Internet may be subject to interception, unauthorized access, or tampering by third parties.

Gauze continuously reviews and updates its security practices to align with evolving industry standards and regulatory requirements, ensuring the highest level of protection for your Personal Data.

XIV. Grievance Officer

To exercise your rights or address any inquiries or concerns regarding the processing of your personal data, please contact our Grievance Officer at grievance@gauze.md. When submitting your request via email or letter, kindly include your full name, username (if applicable), and the institution with which you are affiliated. Please note that requests for information about the processing of your personal data must be signed by you personally.

XV. Notice of Changes to the Privacy Notice

In the event that we modify this Privacy Notice, we will provide advance notice by posting an updated version of the Privacy Notice on our Services before any changes take effect. Should the amendments require your consent, we will provide additional prominent notification as necessary under the circumstances and obtain your consent in compliance with applicable laws.