01 Identity of Data Fiduciary
MEDRIC DIGITAL (OPC) PRIVATE LIMITED (‘Company’) operates the Medeor Platform and is the Data Fiduciary as defined under the Digital Personal Data Protection Act, 2023 (DPDPA).
All personal data and Clinical Data uploaded to or processed through the Platform is stored on Microsoft Azure cloud infrastructure (South India / Central India region) within India.
No personal data is transferred outside India without express user consent and compliance with applicable cross-border restrictions under the DPDPA.
This Privacy Policy applies to all Users — Medical Centres, Doctors, and Patients — and is governed by the DPDPA, the IT (SPDI) Rules 2011, and all other Applicable Laws.
02 Data We Collect — Patients
Identity data: Full name, date of birth, gender.
Contact data: Mobile number, email address.
Sensitive Personal / Health Data: Medical history, diagnoses, prescriptions, laboratory tests, and any other health information entered by Doctors during consultations through the Platform.
Appointment data: Booking history, appointment status, cancellations, and no-shows.
Financial data: Transaction reference numbers and appointment fee amounts paid. Full card details are not stored — payment processing is handled by Cashfree Payments India Private Limited.
Device and usage data: IP address, device identifier, browser type, operating system, usage logs, and session metadata.
03 Data We Collect — Doctors & Medical Centres
Doctor professional credentials: Full name, medical registration number, specialisation, qualifications, and experience.
Doctor identity and contact data: Email address, mobile number.
Doctor activity data: Appointment records, prescriptions issued, Clinical Data entered, and platform usage logs.
Medical Centre institutional data: Registered name, CEA/state registration number, establishment address, and operational details.
Medical Centre administrator data: Names, designations, and contact details of authorised administrators.
Medical Centre financial data: Appointment volumes, Commission settlement records, and billing history.
04 Purpose and Legal Basis for Processing
Operating the Platform and providing core features (appointment booking, prescription management, record storage) — Contractual necessity.
Verifying user credentials and preventing fraudulent registrations — Legitimate interest and legal compliance.
Processing Commission payments and financial settlements — Contractual necessity.
Sending transactional communications (appointment confirmations, reminders, receipts) — Contractual necessity and consent.
Complying with legal obligations under Applicable Laws, including responding to regulatory and law enforcement demands — Legal obligation.
Detecting and investigating fraud, misuse, and security incidents — Legitimate interest.
Improving Platform performance using anonymised and aggregated analytics — Legitimate interest.
Health data (Sensitive Personal Data under SPDI Rules) is processed only with explicit informed consent obtained through the Patient Consent Policy, strictly for facilitating Healthcare Services.
05 Data Storage and Security
All data is stored on Microsoft Azure. Application secrets and API credentials are stored exclusively in Azure Key Vault — no sensitive credentials are exposed in application code.
Role-based access controls: Doctors access only their own patients’ records; Medical Centres access only their affiliated doctors’ records; Patients access only their own records.
Regular vulnerability assessments and penetration testing (at minimum annually).
06 Data Sharing and Disclosure
We do not sell personal data to any third party.
With Medical Centres and Doctors: Patient data is shared only to the extent necessary for the provision of Healthcare Services for which the Patient has booked an Appointment.
With Cashfree Payments India Private Limited: Transaction and payment data is shared solely for processing Appointment Fee payments from Patients and remitting net settlement amounts to Medical Centres. Cashfree does not receive or store Clinical Data.
With legal and regulatory authorities: We will disclose personal data where required by law, court order, or government demand, or where necessary to protect the rights, property, or safety of the Company, Users, or third parties.
With professional advisors (lawyers and auditors) under strict confidentiality obligations.
07 Your Rights as Data Principal
Right of Access: Request a copy of personal data we hold about you, within thirty (30) days of request.
Right of Correction and Completion: Request correction of inaccurate or incomplete personal data.
Right of Erasure: Request deletion of personal data, subject to statutory retention obligations.
Right to Withdraw Consent: Withdraw consent to processing of Sensitive Personal Data at any time, subject to consequences for Platform functionality.
Right to Grievance Redressal: Lodge a complaint with the Company’s Grievance Officer and, if unresolved, with the Data Protection Board of India.
To exercise any right, contact our Grievance Officer at admin@medeorapp.com. We will acknowledge requests within 48 hours and respond within 30 days.
We may require identity verification before processing any data rights request.
08 Grievance Officer
Name: Naveen Paul Wilson
Designation: Grievance Officer, Medeor Platform
Email: admin@medeorapp.com
The Grievance Officer will acknowledge complaints within 48 hours and provide a substantive response within 30 days.
09 Amendments
We reserve the right to update this Privacy Policy at any time.
Continued use of the Platform following notification constitutes acceptance of the revised Policy.