How GLOAIA Labs operates within applicable regulatory, statutory, and laboratory-accreditation frameworks.
GLOAIA Labs operates within a global cross-border diagnostic-coordination context. This page consolidates the statutory registrations, regulatory frameworks, laboratory accreditations, and operational compliance controls that govern how we work — across India, the United States, the European Union/United Kingdom, and other jurisdictions we serve.
Note: This page describes our compliance posture and intent. It is not a statutory certification. Where applicable laws require formal audits, certifications, or third-party attestations, those are described as such. Where we operate aligned with a framework without formal certification, we describe it as “designed with reference to” — not as “certified.”
1. Statutory registrations (India)
GLOAIA Labs operates as Global AutoImmunity Awareness — a Sole Proprietorship registered in Pune, Maharashtra, India. Our active statutory registrations:
| Registration | Number | Authority | Purpose |
|---|---|---|---|
| GSTIN (Goods and Services Tax) | 27AFYPN8073K1ZE | Government of India / Maharashtra GST | GST-compliant invoicing for services |
| IEC (Importer Exporter Code) | 3116928894 | Directorate General of Foreign Trade (DGFT) | Authorized cross-border import/export operations |
| MSME UAN (Udyam Aadhaar Number) | MH26D0014884 | Ministry of MSME | Registration as a Micro/Small/Medium Enterprise |
Legal name: Global AutoImmunity Awareness
Proprietor: Hemant Dattu Nikalje
Registered office: First Floor, 7, Ujwal Greens, Phase A, Lane No A-20, Sr No 148, Raikar Nagar, Dhayari, Pune, Maharashtra 411041, India
Copies of the underlying registration certificates can be made available to laboratory partners, regulators, or other entities with a legitimate business need on written request to compliance@gloaialabs.com.
2. Healthcare data and privacy framework
2.1 India — Digital Personal Data Protection (DPDP) Act 2023 + DPDP Rules 2025
The DPDP Act 2023 is India’s primary data-protection statute. The parent Act sets the principles; the DPDP Rules 2025 (effective 14 November 2025) provide the operational specifics. Our framework addresses:
- Rule 3 — Clear, itemized, revocable consent: We collect specific, purpose-bound consent for the personal data we process. Consent is revocable through the consent banner on our site and through written request to privacy@gloaialabs.com.
- Rule 6 — Reasonable security safeguards: We apply layered security controls including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, audit logging, and limited-data-retention principles.
- Rule 7 — Breach notification (broadly 72-hour clock): Our incident-response protocol is designed to support notification of affected Data Principals and the Data Protection Board of India within the statutory window where required.
- Rule 8 — Erasure on request: Personal data is retained only for the period reasonably necessary. Erasure on data-subject request is operationally supported within the statutory 30-day window.
- Rules 10 & 11 — Children and vulnerable groups: GLOAIA Labs’ platform is intended for adults (18+). Where pediatric testing is ordered, it is placed by a parent or legal guardian.
- Rule 13 — AI security framework: Our AI-assisted features are grounded in a deterministic clinical rule engine. AI outputs are educational; final clinical judgment rests with practitioners.
- Rule 14 — Data Principal rights: You may exercise rights of access, correction, deletion, portability, and withdrawal of consent by writing to privacy@gloaialabs.com. Statutory response window: 30 calendar days.
- Rule 15 — Cross-border data: Our service inherently involves cross-border data flow. We comply with applicable export-control and customs frameworks.
Penalties for non-compliance under the DPDP regime can extend up to ₹250 Crore for failure to implement reasonable security safeguards.
Grievance officer (per DPDP Act §10): Hemant Dattu Nikalje, Founder. Contact: compliance@gloaialabs.com.
2.2 European Union / United Kingdom — GDPR / UK GDPR
- Lawful basis for processing: consent, contractual necessity, and legitimate interest.
- Data Subject Rights: Our processes are designed to support the full GDPR DSAR framework. Statutory response window: 30 calendar days, extendable to 60 in complex cases.
- Cookies and consent: Our cookie consent banner offers granular control. See our Cookie Policy.
- Cross-border data transfers: Where we transfer EU/UK personal data outside the EU/UK, we are progressively implementing appropriate safeguards (such as Standard Contractual Clauses with US Laboratory Partners). EU/UK customers may contact us at privacy@gloaialabs.com for a current summary.
- Data Protection Officer / EU Representative: At our current operational scale, formal DPO appointment is not statutorily required.
Penalties for non-compliance under GDPR can extend up to €20 million or 4% of global annual turnover (whichever is higher).
2.3 United States — HIPAA-aware operational framework
- GLOAIA Labs is not itself a HIPAA Covered Entity. We are a coordination platform that operates in alignment with HIPAA-grade data-handling principles where relevant.
- Business Associate Agreement (BAA) framework: Where required by US Laboratory Partners, we operate within Business Associate Agreement frameworks. BAAs are signed on a per-laboratory basis at the partner’s request.
- Operational alignment: We apply HIPAA-equivalent controls (encryption in transit and at rest, role-based access, audit logging, minimum-necessary data sharing) regardless of formal BAA status.
We use the term “HIPAA-aware” intentionally — to reflect operational alignment without claiming universal HIPAA certification.
2.4 Other jurisdictions
For patients in Singapore (PDPA), Canada (PIPEDA), UAE (PDPL), Australia (Privacy Act 1988), Japan (APPI), and other jurisdictions we currently serve, we apply equivalent or stronger data-handling controls.
For full jurisdictional treatment, please see our Privacy Policy.
3. Laboratory partner accreditations
GLOAIA Labs partners only with CLIA-certified laboratories: every Laboratory Partner we work with operates a CLIA-certified facility.
3.1 CLIA — Clinical Laboratory Improvement Amendments (US federal)
The US federal standard for clinical diagnostic laboratories, administered by the Centers for Medicare & Medicaid Services (CMS).
3.2 CAP — College of American Pathologists (gold standard)
The most rigorous voluntary accreditation for US clinical laboratories.
3.3 ISO 15189 — International standard for medical laboratories
3.4 Current Laboratory Partners
| Laboratory | Accreditations | Speciality | Reference |
|---|---|---|---|
| Precision Analytical | CLIA-certified, CAP-accredited | DUTCH hormone testing | dutchtest.com |
| Diagnostic Solutions Laboratory | CLIA-certified, CAP-accredited | GI-MAP and gastrointestinal testing | diagnosticsolutionslab.com |
| Genova Diagnostics | CLIA-certified, CAP-accredited | Functional and integrative testing | gdx.net |
| Cyrex Laboratories | CLIA-certified | Autoimmunity and food-reactivity testing | cyrexlabs.com |
| Doctor’s Data | CLIA-certified, CAP-accredited | Toxicology, nutrition, metabolic testing | doctorsdata.com |
| Alletess Medical Laboratory | CLIA-certified | Food allergy and food sensitivity testing | foodallergy.com |
4. Operational security and data-handling controls
| Control | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ enforced across all platform endpoints |
| Encryption at rest | AES-256 for data stored in our application and database tiers |
| Access controls | Role-based access with the principle of least privilege; audit logging for sensitive operations |
| Authentication | Strong password requirements with salted, hashed password storage; multi-factor authentication for practitioner and admin tiers is on our forward roadmap |
| Payment data | Card data is processed by Razorpay (PCI-DSS Level 1 certified) — GLOAIA Labs never sees or stores raw card numbers |
| Backup and recovery | Daily database backups; tested restoration procedures |
| Data retention | Personal data retained only for the period reasonably necessary; erasure on data-subject request |
| Vendor management | We evaluate the data-handling posture of all third-party vendors before integration |
| Security incident response | Internal incident-response protocol designed to support statutory breach notification (DPDP Rule 7: broadly 72 hours; GDPR Article 33: 72 hours; HIPAA: 60 days). Fully automated breach-detection workflows are part of our forward roadmap. |
| Vulnerability disclosure | Responsible-disclosure channel: security@gloaialabs.com — typical response window 48 hours |
5. Consent management
- At account creation: General consent for processing personal data in the context of providing our services
- At checkout: Purpose-specific consent for sharing patient information with the relevant Laboratory Partner
- At cookie banner: Granular consent for functional, analytical, and (where applicable) marketing cookies
- At consultation booking (future): Specific consent for sharing data with the consulting practitioner
All consents are revocable. Withdrawal can be done through the platform’s account settings or via written request to privacy@gloaialabs.com.
6. Children and vulnerable groups
GLOAIA Labs’ platform is intended for adults aged 18 and over.
- Pediatric testing: Must be placed by a parent or legal guardian. A qualified pediatric or family-medicine practitioner should be involved.
- Pregnant or breastfeeding patients: Should consult their healthcare provider before ordering a test.
- Patients on active medical treatment: Should consult their treating physician.
We do not target marketing to children. We do not knowingly collect personal data from children under 18 except through their parent or legal guardian.
7. Cross-border data flow
- Data shared with Laboratory Partners: Limited to the minimum necessary for the test order.
- Cross-border agreements: We are progressively putting in place Standard Contractual Clauses, Business Associate Agreements (where applicable), or equivalent contractual mechanisms with our US Laboratory Partners. Where a specific safeguard is operational, it can be confirmed on request to compliance@gloaialabs.com.
- Customs and biological-sample export: Subject to country-specific export-control rules. See our Shipping & Logistics Policy.
- Trade sanctions and restricted countries: We do not provide services in jurisdictions subject to applicable trade sanctions. See Terms of Sale §25.
8. AI, analytics, and future-feature compliance
- All AI outputs are educational, not clinical. AI surfaces patterns; clinical judgment always rests with qualified healthcare practitioners.
- All AI is grounded in a deterministic clinical rule engine. We do not allow language models to make autonomous health-data decisions or render diagnoses.
- AI features are explicitly framed in our Healthcare Disclaimer (§17).
- No training on patient data without explicit consent.
- PubMed-anchored evidence integration: Educational/informational only — never an endorsement of specific treatment protocols.
9. Grievance officer and data-subject contact
Grievance Officer
Hemant Dattu Nikalje, Founder, GLOAIA Labs
Email: compliance@gloaialabs.com
Postal: First Floor, 7, Ujwal Greens, Phase A, Lane No A-20, Sr No 148, Raikar Nagar, Dhayari, Pune, Maharashtra 411041, India
For:
- Data subject rights requests: privacy@gloaialabs.com
- General compliance and regulatory enquiries: compliance@gloaialabs.com
- Security disclosures: security@gloaialabs.com
10. Continuous compliance and updates
We commit to reviewing applicable regulatory changes at least quarterly, updating this page when our framework changes, publishing material policy changes with clear change logs, and engaging healthcare-aware legal counsel for periodic review.
11. Relationship to other legal documents
- Privacy Policy
- Cookie Policy
- Terms of Sale and Service
- Refund and Cancellation Policy
- Shipping and Logistics Policy
- Healthcare Disclaimer
Where there is any conflict, the document most specific to the matter at hand prevails.