1. Who we are
This Privacy Policy explains how GLOAIA Labs (the trading name and consumer-facing brand of Global AutoImmunity Awareness, a proprietorship registered in India) handles the personal information of people who visit our website, create an account, place a diagnostic-test order, or otherwise interact with our services.
Operating entity: Global AutoImmunity Awareness (Proprietorship)
Proprietor: Hemant Dattu Nikalje
Registered office: First Floor, 7, Ujwal Greens, Phase A, Lane No A-20, Sr No 148, Raikar Nagar, Dhayari, Pune, Maharashtra 411041, India
GSTIN: 27AFYPN8073K1ZE
IEC: 3116928894
MSME UAN: MH26D0014884
Website: https://gloaialabs.com
Throughout this document, “we,” “us,” and “our” mean GLOAIA Labs. GLOAIA Labs operates as a diagnostic coordination and laboratory ordering facilitation platform. We do not perform laboratory testing ourselves. We do not provide medical advice, diagnosis, or treatment. Our role is to make specialty diagnostic tests offered by accredited laboratory partners in the United States and, over time, other approved international jurisdictions accessible to patients and practitioners through a coordinated ordering, logistics, and report-access workflow.
2. Scope of this Policy
This Policy applies to personal information we collect when you visit https://gloaialabs.com, create an account, place an order, contact us, receive marketing or transactional communications, or interact with practitioners or laboratories through our platform.
This Policy should be read together with our Terms of Sale and Service, our Cookie Policy, and our Healthcare Disclaimer.
3. Information we collect
3.1 Information you provide directly
- Identity & contact — name, email, phone, country, date of birth, sex assigned at birth
- Patient information (where buyer and patient differ) — patient’s name, DOB, sex assigned at birth, email, phone, relationship to buyer
- Shipping & billing addresses
- Payment-related identifiers — transaction reference, payment method type, last 4 digits of card. We do not collect, store, or have access to your full card number, CVV, or banking credentials — these are handled exclusively by Razorpay (PCI-DSS Level 1 certified)
- Account credentials — email, hashed password, MFA settings
- Order, consultation, and report-access metadata
- Practitioner information (for practitioner accounts) — license number, country of practice, specialty
- Customer support correspondence
3.2 Information we receive from laboratory partners
Test result data (biomarker values, reference ranges, sample collection date, laboratory interpretive notes) and sample status updates.
3.3 Information we collect automatically
Device and connection (IP address, browser type), usage and interaction (pages visited, links clicked), and cookies and similar technologies (see our Cookie Policy).
We do not use your personal or health data for advertising, profiling, behavioural targeting, or marketing-segmentation purposes. We do not sell, rent, license, or trade your information. We do not embed third-party advertising trackers on our website.
3.4 Information we do not collect
- We do not collect full payment-card numbers, CVVs, or net-banking credentials — these flow directly from your device to Razorpay
- We do not collect biometric identifiers
- We do not collect insurance policy numbers, claim histories, or insurer identifiers — we operate on a cash-pay basis
- We do not collect social-media profile data unless you explicitly choose to sign in using a social-identity provider
4. How we use your information
- To provide our services — creating and maintaining your account, placing test orders, coordinating shipping, retrieving reports, processing payments and refunds, handling support requests.
- To verify identity and prevent fraud.
- To comply with legal obligations under applicable tax, financial, customs, healthcare-information, and consumer-protection laws.
- To communicate with you — order confirmations, payment receipts, shipping notifications, report-ready alerts, service-related messages.
- To improve our platform through aggregated, de-identified analytics.
- To meet our internal accounting and recordkeeping requirements.
5. Legal bases for processing
5.1 For users in India (DPDP Act 2023 + DPDP Rules 2025)
- Specified purposes for which you have given consent. Consent collection follows DPDP Rule 3 (itemized, purpose-bound, and revocable as easily as it is granted).
- Legitimate uses as defined under Section 7 of the DPDP Act.
Our processing is designed to align with the operational obligations introduced by the DPDP Rules 2025 (effective 14 November 2025), in particular: Rule 3 (consent), Rule 6 (reasonable security safeguards, see §11), Rule 7 (breach notification), Rule 11 (children & vulnerable groups, see §12), Rule 14 (Data Principal Rights, see §9), and Rule 15 (cross-border data flow, see §7).
5.2 For users in the EEA and UK (GDPR / UK GDPR)
- Performance of a contract (Article 6(1)(b))
- Compliance with a legal obligation (Article 6(1)(c))
- Legitimate interests (Article 6(1)(f))
- Consent (Article 6(1)(a) and Article 9(2)(a))
5.3 For users in the United States
Diagnostic-test ordering for U.S. patients is conducted through accredited U.S. laboratories that operate under HIPAA. GLOAIA Labs is not a HIPAA covered entity.
5.4 Special-category / sensitive personal data
Information relating to your health is treated with additional care. We process this information only where you have provided clear, informed consent, where processing is necessary to perform the contract, or where processing is required by applicable law.
6. With whom we share your information
We share personal information only with parties that are necessary to deliver the service or to meet our legal obligations. We do not sell, rent, license, or trade your personal information.
6.1 Laboratory partners
Our current Laboratory Partners are leading specialty diagnostic laboratories in the United States. Additional laboratory partnerships in Europe, Australia, and other jurisdictions are being progressively developed.
| Laboratory | Specialty area | Website |
|---|---|---|
| Precision Analytical | DUTCH hormone testing | https://dutchtest.com |
| Diagnostic Solutions Laboratory | GI-MAP and gastrointestinal testing | https://www.diagnosticsolutionslab.com |
| Genova Diagnostics | Functional and integrative medicine testing | https://www.gdx.net |
| Cyrex Laboratories | Autoimmunity and food-reactivity testing | https://www.cyrexlabs.com |
| Doctor’s Data | Toxicology, nutrition, and metabolic testing | https://www.doctorsdata.com |
| Alletess Medical Laboratory | Food allergy and food sensitivity testing | https://foodallergy.com |
GLOAIA Labs has been built with a HIPAA-aware operational philosophy.
6.2 Practitioners
If you choose to involve a healthcare practitioner, we will share the report and related information with that practitioner only with your authorization. Practitioners using our platform are independent professionals, not employees of GLOAIA Labs.
6.3 Logistics and courier partners
FedEx, UPS, DHL, and equivalent regional carriers receive addressee’s name, address, phone number, and shipment-content descriptors as required.
6.4 Payment processor
Card, UPI, net-banking, and wallet transactions are processed by Razorpay Software Private Limited (PCI-DSS Level 1 certified). We receive a transaction reference and limited payment metadata.
6.5 Technology and infrastructure vendors
Hosting, transactional-email, backup and security services, analytics (privacy-respecting), and similar operational services.
6.6 Professional advisors
Auditors, chartered accountants, lawyers, professional advisors bound by confidentiality.
6.7 Legal and regulatory disclosures
Where required by law, by a binding order of a court or regulatory authority, or to protect safety.
6.8 Business transitions
If the business is transferred, restructured, or reorganized, personal information may be transferred subject to the recipient’s commitment to honor the protections described in this Policy.
7. Cross-border data transfers
GLOAIA Labs is operated from India and coordinates testing through accredited laboratory partners and service providers located in multiple jurisdictions.
Categories of cross-border recipients. Personal data may be processed, stored, or transferred to accredited laboratory partners, courier and logistics providers, payment processors, technology and infrastructure providers, and professional service providers located outside the country in which the data was originally collected — including but not limited to the United States and other jurisdictions in which our partners operate.
Safeguards.
- For users in India, transfers consistent with the DPDP Act 2023 and DPDP Rules 2025 (Rule 15)
- For users in the EEA or UK, transfers are made on the basis of your informed consent at order time and, where appropriate, additional contractual safeguards. We are reviewing Standard Contractual Clauses
- For users in the United States, transfers governed by the partner laboratory’s HIPAA-aligned obligations
8. Data retention
| Category | Typical retention period |
|---|---|
| Account information | While the account is active, plus a reasonable period after closure |
| Order and transaction records | At least eight (8) years (GST/tax-recordkeeping) |
| Laboratory reports | While the account is active; you may request earlier deletion, subject to statutory exceptions |
| Audit logs | Up to seven (7) years |
| Customer-support correspondence | Up to three (3) years from last interaction |
| Marketing-consent records | Until withdrawn, plus a short retention period to evidence the withdrawal |
9. Your rights
Your Rights Under Applicable Privacy Laws — at a glance
- Access your information
- Correct inaccuracies
- Request deletion where legally permitted
- Withdraw your consent (see §9.4 below)
- Submit complaints or grievances (see §13)
9.1 Rights available to all users
- Access, Correction, Withdrawal of consent, Communication preferences, Grievance
9.2 Additional rights under India’s DPDP Act 2023
- Right to nomination
- Right to grievance redressal — escalate to the Data Protection Board of India after exhausting the internal grievance process
9.3 Additional rights under GDPR / UK GDPR
- Right to erasure, restriction of processing, data portability, objection, complaint to supervisory authority
9.4 Withdrawal of consent
The DPDP Act 2023 and DPDP Rules 2025 require that withdrawal of consent be as easy as the act of giving it.
- You may withdraw your consent at any time for any processing that relies on consent as its legal basis. Withdrawal will not affect processing that was lawfully completed before you withdrew
- How to withdraw — through the consent banner and in-platform preference centre, or by writing to privacy@gloaialabs.com with the subject line “Withdraw Consent”
- What we will do — acknowledge your request within 5 business days and act on it within 30 calendar days
- Effect of withdrawal — certain Services may become unavailable if the consent you have withdrawn is necessary to provide those Services
9.5 How to exercise your rights
Send a request to privacy@gloaialabs.com with the subject line “Data Rights Request.” We aim to respond within 30 calendar days.
10. Cookies and similar technologies
See our Cookie Policy. You can manage cookies through the consent banner, browser settings, or by writing to privacy@gloaialabs.com.
11. How we protect your information
We implement and continuously enhance reasonable administrative, technical, and organisational safeguards:
- Encryption in transit — TLS 1.2+ across all platform endpoints
- Encryption at rest — AES-256 where applicable
- Access controls — role-based access, principle of least privilege
- Authentication — salted, hashed password storage; we never store passwords in plain text
- Audit logging of system events relevant to security, access, and integrity
- Monitoring — suspicious-activity detection and uptime monitoring
- Vendor and processor contracts requiring confidentiality and reasonable security
- Operational discipline — regular review of security posture
These safeguards are designed to align with DPDP Rules 2025 (Rule 6) and Article 32 of the GDPR. No system can be guaranteed entirely secure. Certain advanced enterprise-grade controls (such as fully automated breach-detection workflows and formal certifications like ISO 27001 and SOC 2) are part of our forward roadmap.
Breach notification. If we become aware of a personal-data breach likely to result in significant risk, we will notify you and the appropriate regulatory authority — including the Data Protection Board of India under DPDP Rule 7 (broadly, 72-hour notification).
12. Children and minors
Our platform is intended for use by adults aged 18 years or older.
Parental or guardian consent. For paediatric testing, a parent or legal guardian must place the order. Where DPDP Rules 2025 (Rule 11) or another applicable law requires verifiable parental consent before processing a child’s personal data, we will request and reasonably verify that consent.
What we do not do. Consistent with DPDP Section 9 and Rule 11:
- We do not knowingly collect personal information from children directly without parental involvement
- We do not engage in behavioural profiling or tracking of children
- We do not present targeted advertising to children
- We do not monetise, sell, rent, or commercially exploit any data relating to a child
Persons with disabilities. We extend the same heightened-protection approach to persons with disabilities whose data is processed through a lawful guardian.
Contact for parents and guardians. privacy@gloaialabs.com.
13. Grievance Officer
| Field | Value |
|---|---|
| Name | Hemant Dattu Nikalje |
| Designation | Founder / Proprietor |
| Email | privacy@gloaialabs.com |
| Response timeframe | We aim to respond within 3 to 5 business days, and to resolve within 30 calendar days where reasonably possible |
If your concern is not resolved to your satisfaction, you may escalate it to the Data Protection Board of India once it is operational, or to your local data-protection supervisory authority if you are in another jurisdiction.
14. Note on EU Article 27 Representative
GLOAIA Labs is currently operated from India and is not established within the EEA or UK. We have not at present appointed an Article 27 representative. EU and UK residents may exercise their rights by writing to our Grievance Officer at the email above.
15. Updates to this Policy
We may update this Privacy Policy from time to time. When we make material changes, we will post the updated Policy with an updated “Last Updated” date and, where appropriate, notify you.
16. Governing law and jurisdiction
This Privacy Policy is governed by the laws of India. Any dispute will be subject to the exclusive jurisdiction of the courts of Pune, Maharashtra, India, without prejudice to any non-waivable rights you may have under the laws of your country of residence.
17. Contact
| Channel | Address |
|---|---|
| Email | privacy@gloaialabs.com |
| Postal | Global AutoImmunity Awareness (GLOAIA Labs) · First Floor, 7, Ujwal Greens, Phase A, Lane No A-20, Sr No 148, Raikar Nagar, Dhayari, Pune, Maharashtra 411041, India |
| Phone | +91 9511890757 (Monday-Saturday, business hours IST) |
For all other queries — orders, shipping, refunds, reports — please contact support@gloaialabs.com.