Privacy Policy

How Vgen23 handles personal, operational, and genomic data across its platform, institutional workflows, and secure analysis infrastructure.

Research use only | India-hosted secure infrastructure

Introduction

Vgenomics India Private Limited ("Vgenomics," "we," "our," "us") respects your privacy and is committed to safeguarding your personal and genomic data.

This Privacy Policy explains our practices for collecting, storing, processing, transferring, and using your personal information through your use of the Vgen23 platform and services.

Vgen23 is a professional-use platform that standardizes clinical genomics interpretation and reporting workflows. It is for research use only and is not intended for use in diagnostic procedures. It supports qualified professionals in organizing and standardizing genomic analysis and reporting workflows. It does not provide a medical diagnosis. All outputs require professional review and sign-off.

By using our services, you consent to the collection and use of information in accordance with this policy.

1. Contact Us

Grievance Officer: Sameer Malik

Entity: Vgenomics India Private Limited

Email: help@vgen23.com

2. Data Roles

Vgenomics operates in two distinct data roles:

Data Processor (for patient and genomic data)

When institutional customers such as hospitals, labs, and diagnostic centers use Vgen23 to process patient genomic data, Vgenomics acts as a Data Processor under the DPDPA 2023.

The institutional customer is the Data Fiduciary and determines the purpose and means of processing. We process such data strictly as per the instructions of our institutional customers, as documented in Data Processing Agreements (DPAs).

Data Fiduciary (for user account data)

For personal data of individual users of the platform, such as user names, email addresses, login credentials, professional credentials, and usage telemetry, Vgenomics acts as the Data Fiduciary.

We determine the purpose and means of processing this user account data.

Data Fiduciary (for Derived Data)

For Derived Data, which is aggregated, de-identified, or anonymized data that does not identify any individual, Vgenomics acts as the Data Fiduciary.

Further details on permitted uses and governance controls are set out in Section 9.

Important Note

This distinction is critical for understanding your rights and our obligations. If you are a patient whose data is processed through Vgen23, your rights are exercised through the institutional customer, such as the hospital or lab, that is the Data Fiduciary for your data.

3. Information We Collect

User Account Information (Fiduciary role)

  • Personally Identifiable Information (PII): Name, email address, phone number, institutional affiliation, professional credentials, and login details.

  • Technical and Usage Data: IP address, location, browser type, operating system, device information, session data, pages visited, features used, and other diagnostic information.

  • Cookies and Tracking Data: Session cookies, preference cookies, and security cookies.

Patient and Genomic Data (Processor role — on behalf of institutional customers)

  • Genomic Data: Whole exome or whole genome data (VCF files), raw FASTQ where required by the workflow, alignment metadata, QC metrics, and derived analytic outputs generated by the platform.

  • Clinical Metadata: Phenotypic data, structured clinical terms such as HPO, case notes, and supporting documents as submitted by authorized institutional users.

  • Reports: Draft and final reports, variant tables, evidence links, and classification records.

We process patient and genomic data only as instructed by our institutional customers. We do not independently determine the purpose of processing such data.

4. Purpose and Legal Basis of Processing

User Account Data (Fiduciary role)

  • Performance of Contract: To provide platform access, manage accounts, and provide customer support.

  • Consent: For optional communications, newsletters, and marketing.

  • Legitimate Interests: To improve services, ensure security, and conduct analytics.

  • Compliance with Legal Obligations: To meet regulatory requirements.

Patient and Genomic Data (Processor role)

We process patient and genomic data on the documented instructions of our institutional customers, as set out in the applicable Data Processing Agreement.

The lawful basis for processing is determined by the institutional customer, acting as the Data Fiduciary.

5. User Responsibilities and Consent

Institutional customers and authorized users represent and warrant that:

  • They have obtained all necessary patient consents, ethical approvals, and legal authorizations before uploading personal or genomic data.

  • Uploaded data complies with applicable privacy, medical, and research regulations, including the DPDPA 2023.

  • For pediatric cases, verifiable guardian consent has been obtained as required by applicable law.

Vgenomics is not responsible for unlawfully obtained or uploaded data. The institutional customer indemnifies Vgenomics for violations arising from their failure to obtain required consents or authorizations.

6. How We Use Your Information

User Account Data

  • Provide access to Vgen23 platform features.

  • Manage user accounts, authentication, and customer support.

  • Improve functionality, personalize experience, and conduct internal research.

  • Notify you about service changes, updates, and promotions.

  • Monitor performance, and detect and resolve technical or security issues.

  • Comply with legal or regulatory obligations.

Patient and Genomic Data

  • Process genomic data through the clinical interpretation and reporting workflow as instructed by the institutional customer.

  • Generate reports and decision-support outputs for professional review.

  • Maintain audit trails of evidence, decisions, and workflow actions.

  • Support reanalysis workflows and alerts when evidence changes.

7. No Medical Advice Disclaimer

Vgen23 is for research use only and is not intended for use in diagnostic procedures.

It is a professional-use platform that supports qualified professionals in organizing and standardizing genomic analysis and reporting workflows. It does not provide a medical diagnosis.

Outputs generated by the platform are decision-support artifacts and are not intended to replace professional medical judgment.

All outputs require review and sign-off by qualified healthcare professionals. Final clinical decisions are the sole responsibility of the institutional customer and its qualified professionals.

8. Data Sharing and Disclosure

  • Authorized Service Providers (Sub-processors): Hosting services, IT support, and analytics providers. We maintain a sub-processor register and execute contractual terms with all sub-processors. Changes to sub-processors are notified to institutional customers as per contract.

  • Institutional Customers: User activity data, audit logs, and platform usage relevant to the customer’s account.

  • Legal and Regulatory Authorities: To comply with applicable laws, regulations, or valid legal processes.

  • Corporate Transactions: In cases of mergers, acquisitions, or restructuring.

We do not sell your personal data to third parties.

9. De-identified and Derived Data

"Derived Data" means any data, analyses, statistical information, or insights that are in aggregated, de-identified, or anonymized form and that are derived from Submitted Data or from the use of the Services, including variant frequencies and classification trends, analytical and platform performance metrics, benchmarking data, file types and sizes, pipeline diagnostics, error rates, general usage trends, and any other information that has been rendered such that it does not identify any individual patient or data principal.

Data role for Derived Data

Vgenomics acts as the Data Fiduciary or controller for Derived Data.

For the avoidance of doubt, Derived Data does not allow for the identification of specific individuals based on the data.

Permitted uses of Derived Data

Vgenomics may use Derived Data on a perpetual, worldwide, royalty-free basis for providing and improving the Vgen23 platform and related services, product development and enhancement, research including scientific, statistical, and medical research, analytics and benchmarking, model training and algorithm development, development of new products, tools, and services, aggregated publication, and any other lawful commercial purpose.

Vgenomics does not share any identifiable personal data of patients or data principals with third parties for these purposes. Recipients of Derived Data are contractually prohibited from attempting to re-identify any individual.

Governance controls

  • De-identification is performed under a documented standard with residual risk assessment.

  • De-identified datasets are segregated from customer production workspaces.

  • No re-identification attempts are permitted; this is a contractual prohibition.

  • Access is limited to approved personnel with strong logging and no bulk export without approval.

  • Research outputs are aggregated. No customer-identifiable case details are published without explicit permission and ethics clearance.

Unless de-identification is demonstrably irreversible, we treat the dataset as still subject to DPDP-grade safeguards.

10. Cookies and Tracking Technologies

We use cookies to enhance user experience, analyze traffic, and improve functionality.

Types include Session Cookies, Preference Cookies, and Security Cookies.

You may disable cookies in your browser, though some features may not work as intended.

11. Data Retention

  • User Account Data: Retained for the duration of the account and as required for legal compliance.

  • Patient and Genomic Data (Processor role): Retained as defined by the institutional customer in the Data Processing Agreement.

  • Default retention categories: case workspace data, retained during the engagement and customer-controlled; final reports, customer-defined, typically 7 to 10 years; VCF and analysis artifacts, customer-defined, typically 1 to 5 years; raw FASTQ, customer-defined, typically 30 to 365 days.

  • Audit Trail: Minimum 7 years or as defined by the institutional customer.

  • Security Logs: Minimum 180 days, in accordance with CERT-In directions.

  • Backups: 30 to 90 days rolling. Deletion limitations for backup media are documented and communicated to customers.

Upon termination of a customer contract, data is deleted or returned as per the Data Processing Agreement. During the 30 days after termination, Customer Data is available for export, after which it is deleted within 90 days subject to backup cycles and legal holds.

12. Security Measures

  • Encryption of data in transit (using TLS) and at rest.

  • Role-based access controls and multi-factor authentication for privileged users.

  • Secure cloud infrastructure with India data residency.

  • Monitoring, vulnerability management, and periodic audits.

  • Secure SDLC practices and incident response procedures.

Our security program is designed to align with internationally recognized frameworks including ISO 27001, HIPAA security requirements, and GDPR technical safeguards. Certification processes are underway, and current status is available upon request. While we strive to protect your data, no method of transmission or storage is 100% secure.

13. Data Breach Notification

  • We will notify affected institutional customers without undue delay.

  • We will describe the nature and scope of the incident to the extent known.

  • We will provide reasonable cooperation to support the customer’s compliance obligations, including notifications to the Data Protection Board of India and affected individuals as required under applicable law, including the DPDPA 2023 as and when its provisions become effective.

  • We will comply with CERT-In reporting requirements where applicable.

14. Your Rights

For Platform Users (Fiduciary role)

As a registered user of Vgen23, you may exercise your rights directly with us.

  • India: DPDPA 2023 — Rights include access, correction, erasure, nomination, and grievance redressal with the Data Protection Board of India.

  • EU/EEA Residents: GDPR — Rights include access, correction, erasure, restriction, objection, portability, and lodging complaints with supervisory authorities.

  • California Residents: CCPA/CPRA — Rights include knowing what data we collect, deletion, correction, opt-out, and equal service.

For Patients (Processor role)

If you are a patient whose data is processed through Vgen23, your rights are exercised through the institutional customer, such as the hospital or lab, that uploaded your data.

They are the Data Fiduciary responsible for fulfilling your rights. We will cooperate with our institutional customers to fulfill data principal rights requests as per our contractual obligations.

To exercise your rights as a platform user, contact us at help@vgen23.com. Proof of identity may be required.

15. Data Residency and International Transfers

Vgen23 is hosted in India. Customer data including genomic data, reports, and clinical metadata resides in India by default.

Production logs required for security and forensics are retained within Indian jurisdiction where feasible.

No routine cross-border transfers of customer data occur. Any cross-border transfer requires explicit contractual approval, risk assessment, and documented safeguards in compliance with the DPDPA 2023 and other applicable data protection laws.

For international customers, data residency and transfer arrangements are defined in the applicable customer agreement and Data Processing Agreement.

16. Service Providers and Analytics

We use third-party service providers for hosting, analytics, and platform operations.

A current list of sub-processors is available upon request and is provided to institutional customers as part of the Data Processing Agreement.

17. Payments

Payment processing is carried out by third-party processors. We do not store card details. Transactions comply with PCI-DSS standards.

18. Links to Other Sites

Our Service may contain links to third-party websites. We are not responsible for their content or privacy practices.

19. Children’s Privacy

The Service is not intended for direct use by children under 18.

Genomic data related to minors may only be uploaded by authorized institutional users such as hospitals and labs who have obtained verifiable guardian consent as required by applicable law, including the DPDPA 2023.

Vgenomics supports guardian consent workflows where required by the institutional customer.

20. Do Not Track Signals

Our Service does not currently respond to browser "Do Not Track" signals.

21. Updates to this Policy

We may update this Privacy Policy periodically.

Changes will be posted with a revised date. For material changes, we may notify institutional customers by email.

Continued use indicates acceptance.

22. How to Exercise Your Rights

To exercise your rights under DPDPA, GDPR, CCPA, or other applicable laws, contact us at help@vgen23.com.

Requests must include your name and email address, your country or state of residence, a clear description of the requested action, and sufficient details for us to locate the data.

Proof of identity may be required.

We will respond within legally required timelines.

© 2026 Vgen23. All rights reserved.